The Tor Browser: security/nss/lib/certdb/genname.c@b8a032363ba2 (annotated)

security/nss/lib/certdb/genname.c@b8a032363ba2 (annotated)

security/nss/lib/certdb/genname.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "plarena.h"
 #include "seccomon.h"
 #include "secitem.h"
 #include "secoidt.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "certt.h"
 #include "cert.h"
 #include "certi.h"
 #include "xconst.h"
 #include "secerr.h"
 #include "secoid.h"
 #include "prprf.h"
 #include "genname.h"
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
 SEC_ASN1_MKSUB(SEC_IA5StringTemplate)
 SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
 static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
     { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
           offsetof(CERTNameConstraint, min),
           SEC_ASN1_SUB(SEC_IntegerTemplate) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
           offsetof(CERTNameConstraint, max),
           SEC_ASN1_SUB(SEC_IntegerTemplate) },
     { 0, }
 };
 const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
 };
 static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
           offsetof(CERTNameConstraints, DERPermited),
 	  CERT_NameConstraintSubtreeSubTemplate},
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
           offsetof(CERTNameConstraints, DERExcluded),
 	  CERT_NameConstraintSubtreeSubTemplate},
     { 0, }
 };
 static const SEC_ASN1Template CERTOthNameTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
     { SEC_ASN1_OBJECT_ID,
 	  offsetof(OtherName, oid) },
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
           SEC_ASN1_XTRN | 0, offsetof(OtherName, name),
           SEC_ASN1_SUB(SEC_AnyTemplate) },
     { 0, }
 };
 static const SEC_ASN1Template CERTOtherNameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 ,
       offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate,
       sizeof(CERTGeneralName) }
 };
 static const SEC_ASN1Template CERTOtherName2Template[] = {
     { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
 , NULL, sizeof(CERTGeneralName) },
     { SEC_ASN1_OBJECT_ID,
 	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
     { SEC_ASN1_ANY,
 	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
     { 0, }
 };
 static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_IA5StringTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_IA5StringTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 3,
           offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
           SEC_ASN1_XTRN | 4, offsetof(CERTGeneralName, derDirectoryName),
           SEC_ASN1_SUB(SEC_AnyTemplate), sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 5,
           offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_URITemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 6 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_IA5StringTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 7 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_OctetStringTemplate),
           sizeof (CERTGeneralName)}
 };
 static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 8 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_ObjectIDTemplate),
           sizeof (CERTGeneralName)}
 };
 const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN , 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
 };
 static struct {
     CERTGeneralNameType type;
     char *name;
 } typesArray[] = {
     { certOtherName, "other" },
     { certRFC822Name, "email" },
     { certRFC822Name, "rfc822" },
     { certDNSName, "dns" },
     { certX400Address, "x400" },
     { certX400Address, "x400addr" },
     { certDirectoryName, "directory" },
     { certDirectoryName, "dn" },
     { certEDIPartyName, "edi" },
     { certEDIPartyName, "ediparty" },
     { certURI, "uri" },
     { certIPAddress, "ip" },
     { certIPAddress, "ipaddr" },
     { certRegisterID, "registerid" }
 };
 CERTGeneralNameType
 CERT_GetGeneralNameTypeFromString(const char *string)
 {
     int types_count = sizeof(typesArray)/sizeof(typesArray[0]);
     int i;
     for (i=0; i < types_count; i++) {
         if (PORT_Strcasecmp(string, typesArray[i].name) == 0) {
             return typesArray[i].type;
         }
     }
     return 0;
 }
 CERTGeneralName *
 CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
 {
     CERTGeneralName *name = arena
                             ? PORT_ArenaZNew(arena, CERTGeneralName)
 	                    : PORT_ZNew(CERTGeneralName);
     if (name) {
 	name->type = type;
 	name->l.prev = name->l.next = &name->l;
     }
     return name;
 }
 /* Copy content of one General Name to another.
 ** Caller has allocated destination general name.
 ** This function does not change the destinate's GeneralName's list linkage.
 */
 SECStatus
 cert_CopyOneGeneralName(PLArenaPool      *arena,
 		        CERTGeneralName  *dest,
 		        CERTGeneralName  *src)
 {
     SECStatus rv;
     void *mark = NULL;
     PORT_Assert(dest != NULL);
     dest->type = src->type;
     mark = PORT_ArenaMark(arena);
     switch (src->type) {
     case certDirectoryName:
 	rv = SECITEM_CopyItem(arena, &dest->derDirectoryName,
 				      &src->derDirectoryName);
 	if (rv == SECSuccess)
 	    rv = CERT_CopyName(arena, &dest->name.directoryName,
 				       &src->name.directoryName);
 	break;
     case certOtherName:
 	rv = SECITEM_CopyItem(arena, &dest->name.OthName.name,
 				      &src->name.OthName.name);
 	if (rv == SECSuccess)
 	    rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid,
 					  &src->name.OthName.oid);
 	break;
     default:
 	rv = SECITEM_CopyItem(arena, &dest->name.other,
 				      &src->name.other);
 	break;
     }
     if (rv != SECSuccess) {
         PORT_ArenaRelease(arena, mark);
     } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 void
 CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
 {
     PZLock *lock;
     if (list != NULL) {
 	lock = list->lock;
 	PZ_Lock(lock);
 	if (--list->refCount <= 0 && list->arena != NULL) {
 	    PORT_FreeArena(list->arena, PR_FALSE);
 	    PZ_Unlock(lock);
 	    PZ_DestroyLock(lock);
 	} else {
 	    PZ_Unlock(lock);
 	}
     }
     return;
 }
 CERTGeneralNameList *
 CERT_CreateGeneralNameList(CERTGeneralName *name) {
     PLArenaPool *arena;
     CERTGeneralNameList *list = NULL;
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL) {
 	goto done;
     }
     list = PORT_ArenaZNew(arena, CERTGeneralNameList);
     if (!list)
     	goto loser;
     if (name != NULL) {
 	SECStatus rv;
 	list->name = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
 	if (!list->name)
 	    goto loser;
 	rv = CERT_CopyGeneralName(arena, list->name, name);
 	if (rv != SECSuccess)
 	    goto loser;
     }
     list->lock = PZ_NewLock(nssILockList);
     if (!list->lock)
     	goto loser;
     list->arena = arena;
     list->refCount = 1;
 done:
     return list;
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 CERTGeneralName *
 CERT_GetNextGeneralName(CERTGeneralName *current)
 {
     PRCList *next;
     next = current->l.next;
     return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
 }
 CERTGeneralName *
 CERT_GetPrevGeneralName(CERTGeneralName *current)
 {
     PRCList *prev;
     prev = current->l.prev;
     return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
 }
 CERTNameConstraint *
 CERT_GetNextNameConstraint(CERTNameConstraint *current)
 {
     PRCList *next;
     next = current->l.next;
     return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
 }
 CERTNameConstraint *
 CERT_GetPrevNameConstraint(CERTNameConstraint *current)
 {
     PRCList *prev;
     prev = current->l.prev;
     return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
 }
 SECItem *
 CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PLArenaPool *arena)
 {
     const SEC_ASN1Template * template;
     PORT_Assert(arena);
     if (arena == NULL) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     /* TODO: mark arena */
     if (dest == NULL) {
 	dest = PORT_ArenaZNew(arena, SECItem);
 	if (!dest)
 	    goto loser;
     }
     if (genName->type == certDirectoryName) {
 	if (genName->derDirectoryName.data == NULL) {
 	    /* The field hasn't been encoded yet. */
             SECItem * pre_dest =
             SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
                                 &(genName->name.directoryName),
                                 CERT_NameTemplate);
             if (!pre_dest)
                 goto loser;
 	}
 	if (genName->derDirectoryName.data == NULL) {
 	    goto loser;
 	}
     }
     switch (genName->type) {
     case certURI:           template = CERT_URITemplate;           break;
     case certRFC822Name:    template = CERT_RFC822NameTemplate;    break;
     case certDNSName:       template = CERT_DNSNameTemplate;       break;
     case certIPAddress:     template = CERT_IPAddressTemplate;     break;
     case certOtherName:     template = CERTOtherNameTemplate;      break;
     case certRegisterID:    template = CERT_RegisteredIDTemplate;  break;
          /* for this type, we expect the value is already encoded */
     case certEDIPartyName:  template = CERT_EDIPartyNameTemplate;  break;
 	 /* for this type, we expect the value is already encoded */
     case certX400Address:   template = CERT_X400AddressTemplate;   break;
     case certDirectoryName: template = CERT_DirectoryNameTemplate; break;
     default:
 	PORT_Assert(0); goto loser;
     }
     dest = SEC_ASN1EncodeItem(arena, dest, genName, template);
     if (!dest) {
 	goto loser;
     }
     /* TODO: unmark arena */
     return dest;
 loser:
     /* TODO: release arena back to mark */
     return NULL;
 }
 SECItem **
 cert_EncodeGeneralNames(PLArenaPool *arena, CERTGeneralName *names)
 {
     CERTGeneralName  *current_name;
     SECItem          **items = NULL;
     int              count = 0;
     int              i;
     PRCList          *head;
     PORT_Assert(arena);
     /* TODO: mark arena */
     current_name = names;
     if (names != NULL) {
 	count = 1;
     }
     head = &(names->l);
     while (current_name->l.next != head) {
 	current_name = CERT_GetNextGeneralName(current_name);
 	++count;
     }
     current_name = CERT_GetNextGeneralName(current_name);
     items = PORT_ArenaNewArray(arena, SECItem *, count + 1);
     if (items == NULL) {
 	goto loser;
     }
     for (i = 0; i < count; i++) {
 	items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena);
 	if (items[i] == NULL) {
 	    goto loser;
 	}
 	current_name = CERT_GetNextGeneralName(current_name);
     }
     items[i] = NULL;
     /* TODO: unmark arena */
     return items;
 loser:
     /* TODO: release arena to mark */
     return NULL;
 }
 CERTGeneralName *
 CERT_DecodeGeneralName(PLArenaPool      *reqArena,
 		       SECItem          *encodedName,
 		       CERTGeneralName  *genName)
 {
     const SEC_ASN1Template *         template;
     CERTGeneralNameType              genNameType;
     SECStatus                        rv = SECSuccess;
     SECItem* newEncodedName;
     if (!reqArena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     /* make a copy for decoding so the data decoded with QuickDER doesn't
        point to temporary memory */
     newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName);
     if (!newEncodedName) {
         return NULL;
     }
     /* TODO: mark arena */
     genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
     if (genName == NULL) {
 	genName = CERT_NewGeneralName(reqArena, genNameType);
 	if (!genName)
 	    goto loser;
     } else {
 	genName->type = genNameType;
 	genName->l.prev = genName->l.next = &genName->l;
     }
     switch (genNameType) {
     case certURI: 		template = CERT_URITemplate;           break;
     case certRFC822Name: 	template = CERT_RFC822NameTemplate;    break;
     case certDNSName: 		template = CERT_DNSNameTemplate;       break;
     case certIPAddress: 	template = CERT_IPAddressTemplate;     break;
     case certOtherName: 	template = CERTOtherNameTemplate;      break;
     case certRegisterID: 	template = CERT_RegisteredIDTemplate;  break;
     case certEDIPartyName: 	template = CERT_EDIPartyNameTemplate;  break;
     case certX400Address: 	template = CERT_X400AddressTemplate;   break;
     case certDirectoryName: 	template = CERT_DirectoryNameTemplate; break;
     default:
         goto loser;
     }
     rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName);
     if (rv != SECSuccess)
 	goto loser;
     if (genNameType == certDirectoryName) {
 	rv = SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName),
 				CERT_NameTemplate,
 				&(genName->derDirectoryName));
         if (rv != SECSuccess)
 	    goto loser;
     }
     /* TODO: unmark arena */
     return genName;
 loser:
     /* TODO: release arena to mark */
     return NULL;
 }
 CERTGeneralName *
 cert_DecodeGeneralNames (PLArenaPool  *arena,
 			 SECItem      **encodedGenName)
 {
     PRCList                           *head = NULL;
     PRCList                           *tail = NULL;
     CERTGeneralName                   *currentName = NULL;
     PORT_Assert(arena);
     if (!encodedGenName || !arena) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     /* TODO: mark arena */
     while (*encodedGenName != NULL) {
 	currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL);
 	if (currentName == NULL)
 	    break;
 	if (head == NULL) {
 	    head = &(currentName->l);
 	    tail = head;
 	}
 	currentName->l.next = head;
 	currentName->l.prev = tail;
 	tail = head->prev = tail->next = &(currentName->l);
 	encodedGenName++;
     }
     if (currentName) {
 	/* TODO: unmark arena */
 	return CERT_GetNextGeneralName(currentName);
     }
     /* TODO: release arena to mark */
     return NULL;
 }
 void
 CERT_DestroyGeneralName(CERTGeneralName *name)
 {
     cert_DestroyGeneralNames(name);
 }
 SECStatus
 cert_DestroyGeneralNames(CERTGeneralName *name)
 {
     CERTGeneralName    *first;
     CERTGeneralName    *next = NULL;
     first = name;
     do {
 	next = CERT_GetNextGeneralName(name);
 	PORT_Free(name);
 	name = next;
     } while (name != first);
     return SECSuccess;
 }
 static SECItem *
 cert_EncodeNameConstraint(CERTNameConstraint  *constraint,
 			 SECItem             *dest,
 			 PLArenaPool         *arena)
 {
     PORT_Assert(arena);
     if (dest == NULL) {
 	dest = PORT_ArenaZNew(arena, SECItem);
 	if (dest == NULL) {
 	    return NULL;
 	}
     }
     CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena);
     dest = SEC_ASN1EncodeItem (arena, dest, constraint,
 			       CERTNameConstraintTemplate);
     return dest;
 }
 SECStatus
 cert_EncodeNameConstraintSubTree(CERTNameConstraint  *constraints,
 			         PLArenaPool         *arena,
 				 SECItem             ***dest,
 				 PRBool              permited)
 {
     CERTNameConstraint  *current_constraint = constraints;
     SECItem             **items = NULL;
     int                 count = 0;
     int                 i;
     PRCList             *head;
     PORT_Assert(arena);
     /* TODO: mark arena */
     if (constraints != NULL) {
 	count = 1;
     }
     head = &constraints->l;
     while (current_constraint->l.next != head) {
 	current_constraint = CERT_GetNextNameConstraint(current_constraint);
 	++count;
     }
     current_constraint = CERT_GetNextNameConstraint(current_constraint);
     items = PORT_ArenaZNewArray(arena, SECItem *, count + 1);
     if (items == NULL) {
 	goto loser;
     }
     for (i = 0; i < count; i++) {
 	items[i] = cert_EncodeNameConstraint(current_constraint,
 					     (SECItem *) NULL, arena);
 	if (items[i] == NULL) {
 	    goto loser;
 	}
 	current_constraint = CERT_GetNextNameConstraint(current_constraint);
     }
     *dest = items;
     if (*dest == NULL) {
 	goto loser;
     }
     /* TODO: unmark arena */
     return SECSuccess;
 loser:
     /* TODO: release arena to mark */
     return SECFailure;
 }
 SECStatus
 cert_EncodeNameConstraints(CERTNameConstraints  *constraints,
 			   PLArenaPool          *arena,
 			   SECItem              *dest)
 {
     SECStatus    rv = SECSuccess;
     PORT_Assert(arena);
     /* TODO: mark arena */
     if (constraints->permited != NULL) {
 	rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
 					      &constraints->DERPermited,
 					      PR_TRUE);
 	if (rv == SECFailure) {
 	    goto loser;
 	}
     }
     if (constraints->excluded != NULL) {
 	rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
 					      &constraints->DERExcluded,
 					      PR_FALSE);
 	if (rv == SECFailure) {
 	    goto loser;
 	}
     }
     dest = SEC_ASN1EncodeItem(arena, dest, constraints,
 			      CERTNameConstraintsTemplate);
     if (dest == NULL) {
 	goto loser;
     }
     /* TODO: unmark arena */
     return SECSuccess;
 loser:
     /* TODO: release arena to mark */
     return SECFailure;
 }
 CERTNameConstraint *
 cert_DecodeNameConstraint(PLArenaPool       *reqArena,
 			  SECItem           *encodedConstraint)
 {
     CERTNameConstraint     *constraint;
     SECStatus              rv = SECSuccess;
     CERTGeneralName        *temp;
     SECItem*               newEncodedConstraint;
     if (!reqArena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint);
     if (!newEncodedConstraint) {
         return NULL;
     }
     /* TODO: mark arena */
     constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint);
     if (!constraint)
     	goto loser;
     rv = SEC_QuickDERDecodeItem(reqArena, constraint,
                                 CERTNameConstraintTemplate,
                                 newEncodedConstraint);
     if (rv != SECSuccess) {
 	goto loser;
     }
     temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName),
                                   &(constraint->name));
     if (temp != &(constraint->name)) {
 	goto loser;
     }
     /* ### sjlee: since the name constraint contains only one
      *            CERTGeneralName, the list within CERTGeneralName shouldn't
      *            point anywhere else.  Otherwise, bad things will happen.
      */
     constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
     /* TODO: unmark arena */
     return constraint;
 loser:
     /* TODO: release arena back to mark */
     return NULL;
 }
 CERTNameConstraint *
 cert_DecodeNameConstraintSubTree(PLArenaPool   *arena,
 				 SECItem       **subTree,
 				 PRBool        permited)
 {
     CERTNameConstraint   *current = NULL;
     CERTNameConstraint   *first = NULL;
     CERTNameConstraint   *last = NULL;
     int                  i = 0;
     PORT_Assert(arena);
     /* TODO: mark arena */
     while (subTree[i] != NULL) {
 	current = cert_DecodeNameConstraint(arena, subTree[i]);
 	if (current == NULL) {
 	    goto loser;
 	}
 	if (last == NULL) {
 	    first = last = current;
 	}
 	current->l.prev = &(last->l);
 	current->l.next = last->l.next;
 	last->l.next = &(current->l);
 	i++;
     }
     first->l.prev = &(current->l);
     /* TODO: unmark arena */
     return first;
 loser:
     /* TODO: release arena back to mark */
     return NULL;
 }
 CERTNameConstraints *
 cert_DecodeNameConstraints(PLArenaPool   *reqArena,
 			   const SECItem *encodedConstraints)
 {
     CERTNameConstraints   *constraints;
     SECStatus             rv;
     SECItem*              newEncodedConstraints;
     if (!reqArena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     PORT_Assert(encodedConstraints);
     newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints);
     /* TODO: mark arena */
     constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints);
     if (constraints == NULL) {
 	goto loser;
     }
     rv = SEC_QuickDERDecodeItem(reqArena, constraints,
                                 CERTNameConstraintsTemplate,
                                 newEncodedConstraints);
     if (rv != SECSuccess) {
 	goto loser;
     }
     if (constraints->DERPermited != NULL &&
         constraints->DERPermited[0] != NULL) {
 	constraints->permited =
 	    cert_DecodeNameConstraintSubTree(reqArena,
                                              constraints->DERPermited,
                                              PR_TRUE);
 	if (constraints->permited == NULL) {
 	    goto loser;
 	}
     }
     if (constraints->DERExcluded != NULL &&
         constraints->DERExcluded[0] != NULL) {
 	constraints->excluded =
 	    cert_DecodeNameConstraintSubTree(reqArena,
                                              constraints->DERExcluded,
                                              PR_FALSE);
 	if (constraints->excluded == NULL) {
 	    goto loser;
 	}
     }
     /* TODO: unmark arena */
     return constraints;
 loser:
     /* TODO: release arena back to mark */
     return NULL;
 }
 /* Copy a chain of one or more general names to a destination chain.
 ** Caller has allocated at least the first destination GeneralName struct.
 ** Both source and destination chains are circular doubly-linked lists.
 ** The first source struct is copied to the first destination struct.
 ** If the source chain has more than one member, and the destination chain
 ** has only one member, then this function allocates new structs for all but
 ** the first copy from the arena and links them into the destination list.
 ** If the destination struct is part of a list with more than one member,
 ** then this function traverses both the source and destination lists,
 ** copying each source struct to the corresponding dest struct.
 ** In that case, the destination list MUST contain at least as many
 ** structs as the source list or some dest entries will be overwritten.
 */
 SECStatus
 CERT_CopyGeneralName(PLArenaPool      *arena,
 		     CERTGeneralName  *dest,
 		     CERTGeneralName  *src)
 {
     SECStatus rv;
     CERTGeneralName *destHead = dest;
     CERTGeneralName *srcHead = src;
     PORT_Assert(dest != NULL);
     if (!dest) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     /* TODO: mark arena */
     do {
 	rv = cert_CopyOneGeneralName(arena, dest, src);
 	if (rv != SECSuccess)
 	    goto loser;
 	src = CERT_GetNextGeneralName(src);
 	/* if there is only one general name, we shouldn't do this */
 	if (src != srcHead) {
 	    if (dest->l.next == &destHead->l) {
 		CERTGeneralName *temp;
 		temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
 		if (!temp)
 		    goto loser;
 		temp->l.next = &destHead->l;
 		temp->l.prev = &dest->l;
 		destHead->l.prev = &temp->l;
 		dest->l.next = &temp->l;
 		dest = temp;
 	    } else {
 		dest = CERT_GetNextGeneralName(dest);
 	    }
 	}
     } while (src != srcHead && rv == SECSuccess);
     /* TODO: unmark arena */
     return rv;
 loser:
     /* TODO: release back to mark */
     return SECFailure;
 }
 CERTGeneralNameList *
 CERT_DupGeneralNameList(CERTGeneralNameList *list)
 {
     if (list != NULL) {
 	PZ_Lock(list->lock);
 	list->refCount++;
 	PZ_Unlock(list->lock);
     }
     return list;
 }
 /* Allocate space and copy CERTNameConstraint from src to dest */
 CERTNameConstraint *
 CERT_CopyNameConstraint(PLArenaPool         *arena,
 			CERTNameConstraint  *dest,
 			CERTNameConstraint  *src)
 {
     SECStatus  rv;
     /* TODO: mark arena */
     if (dest == NULL) {
 	dest = PORT_ArenaZNew(arena, CERTNameConstraint);
 	if (!dest)
 	    goto loser;
 	/* mark that it is not linked */
 	dest->name.l.prev = dest->name.l.next = &(dest->name.l);
     }
     rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
     if (rv != SECSuccess) {
 	goto loser;
     }
     rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
     if (rv != SECSuccess) {
 	goto loser;
     }
     rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
     if (rv != SECSuccess) {
 	goto loser;
     }
     rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
     if (rv != SECSuccess) {
 	goto loser;
     }
     dest->l.prev = dest->l.next = &dest->l;
     /* TODO: unmark arena */
     return dest;
 loser:
     /* TODO: release arena to mark */
     return NULL;
 }
 CERTGeneralName *
 cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
     if (list1 == NULL){
 	return list2;
     } else if (list2 == NULL) {
 	return list1;
     } else {
 	begin1 = &list1->l;
 	begin2 = &list2->l;
 	end1 = list1->l.prev;
 	end2 = list2->l.prev;
 	end1->next = begin2;
 	end2->next = begin1;
 	begin1->prev = end2;
 	begin2->prev = end1;
 	return list1;
     }
 }
 CERTNameConstraint *
 cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
     if (list1 == NULL){
 	return list2;
     } else if (list2 == NULL) {
 	return list1;
     } else {
 	begin1 = &list1->l;
 	begin2 = &list2->l;
 	end1 = list1->l.prev;
 	end2 = list2->l.prev;
 	end1->next = begin2;
 	end2->next = begin1;
 	begin1->prev = end2;
 	begin2->prev = end1;
 	return list1;
     }
 }
 /* Add a CERTNameConstraint to the CERTNameConstraint list */
 CERTNameConstraint *
 CERT_AddNameConstraint(CERTNameConstraint *list,
 		       CERTNameConstraint *constraint)
 {
     PORT_Assert(constraint != NULL);
     constraint->l.next = constraint->l.prev = &constraint->l;
     list = cert_CombineConstraintsLists(list, constraint);
     return list;
 }
 SECStatus
 CERT_GetNameConstraintByType (CERTNameConstraint *constraints,
 			      CERTGeneralNameType type,
 			      CERTNameConstraint **returnList,
 			      PLArenaPool *arena)
 {
     CERTNameConstraint *current = NULL;
     void               *mark = NULL;
     *returnList = NULL;
     if (!constraints)
 	return SECSuccess;
     mark = PORT_ArenaMark(arena);
     current = constraints;
     do {
 	PORT_Assert(current->name.type);
 	if (current->name.type == type) {
 	    CERTNameConstraint *temp;
 	    temp = CERT_CopyNameConstraint(arena, NULL, current);
 	    if (temp == NULL)
 		goto loser;
 	    *returnList = CERT_AddNameConstraint(*returnList, temp);
 	}
 	current = CERT_GetNextNameConstraint(current);
     } while (current != constraints);
     PORT_ArenaUnmark(arena, mark);
     return SECSuccess;
 loser:
     PORT_ArenaRelease(arena, mark);
     return SECFailure;
 }
 void *
 CERT_GetGeneralNameByType (CERTGeneralName *genNames,
 			   CERTGeneralNameType type, PRBool derFormat)
 {
     CERTGeneralName *current;
     if (!genNames)
 	return NULL;
     current = genNames;
     do {
 	if (current->type == type) {
 	    switch (type) {
 	    case certDNSName:
 	    case certEDIPartyName:
 	    case certIPAddress:
 	    case certRegisterID:
 	    case certRFC822Name:
 	    case certX400Address:
 	    case certURI:
 		return (void *)&current->name.other;           /* SECItem * */
 	    case certOtherName:
 		return (void *)&current->name.OthName;         /* OthName * */
 	    case certDirectoryName:
 		return derFormat
 		       ? (void *)&current->derDirectoryName    /* SECItem * */
 		       : (void *)&current->name.directoryName; /* CERTName * */
 	    }
 	    PORT_Assert(0);
 	    return NULL;
 	}
 	current = CERT_GetNextGeneralName(current);
     } while (current != genNames);
     return NULL;
 }
 int
 CERT_GetNamesLength(CERTGeneralName *names)
 {
     int              length = 0;
     CERTGeneralName  *first;
     first = names;
     if (names != NULL) {
 	do {
 	    length++;
 	    names = CERT_GetNextGeneralName(names);
 	} while (names != first);
     }
     return length;
 }
 /* Creates new GeneralNames for any email addresses found in the
 ** input DN, and links them onto the list for the DN.
 */
 SECStatus
 cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena)
 {
     CERTGeneralName *nameList = NULL;
     const CERTRDN  **nRDNs = (const CERTRDN **)(name->name.directoryName.rdns);
     SECStatus        rv        = SECSuccess;
     PORT_Assert(name->type == certDirectoryName);
     if (name->type != certDirectoryName) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* TODO: mark arena */
     while (nRDNs && *nRDNs) { /* loop over RDNs */
 	const CERTRDN *nRDN = *nRDNs++;
 	CERTAVA **nAVAs = nRDN->avas;
 	while (nAVAs && *nAVAs) { /* loop over AVAs */
 	    int tag;
 	    CERTAVA *nAVA = *nAVAs++;
 	    tag = CERT_GetAVATag(nAVA);
 	    if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
 		 tag == SEC_OID_RFC1274_MAIL) { /* email AVA */
 		CERTGeneralName *newName = NULL;
 		SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value);
 		if (!avaValue)
 		    goto loser;
 		rv = SECFailure;
                 newName = CERT_NewGeneralName(arena, certRFC822Name);
 		if (newName) {
 		   rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue);
 		}
 		SECITEM_FreeItem(avaValue, PR_TRUE);
 		if (rv != SECSuccess)
 		    goto loser;
 		nameList = cert_CombineNamesLists(nameList, newName);
 	    } /* handle one email AVA */
 	} /* loop over AVAs */
     } /* loop over RDNs */
     /* combine new names with old one. */
     name = cert_CombineNamesLists(name, nameList);
     /* TODO: unmark arena */
     return SECSuccess;
 loser:
     /* TODO: release arena back to mark */
     return SECFailure;
 }
 /* Extract all names except Subject Common Name from a cert
 ** in preparation for a name constraints test.
 */
 CERTGeneralName *
 CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena)
 {
     return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE);
 }
 /* This function is called by CERT_VerifyCertChain to extract all
 ** names from a cert in preparation for a name constraints test.
 */
 CERTGeneralName *
 CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
                                     PLArenaPool *arena,
                                     PRBool includeSubjectCommonName)
 {
     CERTGeneralName  *DN;
     CERTGeneralName  *SAN;
     PRUint32         numDNSNames = 0;
     SECStatus        rv;
     if (!arena) {
     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     /* TODO: mark arena */
     DN = CERT_NewGeneralName(arena, certDirectoryName);
     if (DN == NULL) {
 	goto loser;
     }
     rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
     if (rv != SECSuccess) {
 	goto loser;
     }
     rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
     if (rv != SECSuccess) {
 	goto loser;
     }
     /* Extract email addresses from DN, construct CERTGeneralName structs
     ** for them, add them to the name list
     */
     rv = cert_ExtractDNEmailAddrs(DN, arena);
     if (rv != SECSuccess)
         goto loser;
     /* Now extract any GeneralNames from the subject name names extension. */
     SAN = cert_GetSubjectAltNameList(cert, arena);
     if (SAN) {
 	numDNSNames = cert_CountDNSPatterns(SAN);
 	DN = cert_CombineNamesLists(DN, SAN);
     }
     if (!numDNSNames && includeSubjectCommonName) {
 	char *cn = CERT_GetCommonName(&cert->subject);
 	if (cn) {
 	    CERTGeneralName *CN = CERT_NewGeneralName(arena, certDNSName);
 	    if (CN) {
 		SECItem cnItem = {siBuffer, NULL, 0};
 		cnItem.data = (unsigned char *)cn;
 		cnItem.len  = strlen(cn);
 		rv = SECITEM_CopyItem(arena, &CN->name.other, &cnItem);
 		if (rv == SECSuccess) {
 		    DN = cert_CombineNamesLists(DN, CN);
 	        }
 	    }
 	    PORT_Free(cn);
 	}
     }
     if (rv == SECSuccess) {
 	/* TODO: unmark arena */
 	return DN;
     }
 loser:
     /* TODO: release arena to mark */
     return NULL;
 }
 /* Returns SECSuccess if name matches constraint per RFC 3280 rules for
 ** URI name constraints.  SECFailure otherwise.
 ** If the constraint begins with a dot, it is a domain name, otherwise
 ** It is a host name.  Examples:
 **  Constraint            Name             Result
 ** ------------      ---------------      --------
 **  foo.bar.com          foo.bar.com      matches
 **  foo.bar.com          FoO.bAr.CoM      matches
 **  foo.bar.com      www.foo.bar.com      no match
 **  foo.bar.com        nofoo.bar.com      no match
 ** .foo.bar.com      www.foo.bar.com      matches
 ** .foo.bar.com        nofoo.bar.com      no match
 ** .foo.bar.com          foo.bar.com      no match
 ** .foo.bar.com     www..foo.bar.com      no match
 */
 static SECStatus
 compareURIN2C(const SECItem *name, const SECItem *constraint)
 {
     int offset;
     /* The spec is silent on intepreting zero-length constraints.
     ** We interpret them as matching no URI names.
     */
     if (!constraint->len)
         return SECFailure;
     if (constraint->data[0] != '.') {
     	/* constraint is a host name. */
     	if (name->len != constraint->len ||
 	    PL_strncasecmp((char *)name->data,
 			   (char *)constraint->data, constraint->len))
 	    return SECFailure;
     	return SECSuccess;
     }
     /* constraint is a domain name. */
     if (name->len < constraint->len)
         return SECFailure;
     offset = name->len - constraint->len;
     if (PL_strncasecmp((char *)(name->data + offset),
 		       (char *)constraint->data, constraint->len))
         return SECFailure;
     if (!offset ||
         (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
 	return SECSuccess;
     return SECFailure;
 }
 /* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38)
 **
 ** DNS name restrictions are expressed as foo.bar.com.  Any DNS name
 ** that can be constructed by simply adding to the left hand side of the
 ** name satisfies the name constraint.  For example, www.foo.bar.com
 ** would satisfy the constraint but foo1.bar.com would not.
 **
 ** But NIST's PKITS test suite requires that the constraint be treated
 ** as a domain name, and requires that any name added to the left hand
 ** side end in a dot ".".  Sensible, but not strictly following the RFC.
 **
 **  Constraint            Name            RFC 3280  NIST PKITS
 ** ------------      ---------------      --------  ----------
 **  foo.bar.com          foo.bar.com      matches    matches
 **  foo.bar.com          FoO.bAr.CoM      matches    matches
 **  foo.bar.com      www.foo.bar.com      matches    matches
 **  foo.bar.com        nofoo.bar.com      MATCHES    NO MATCH
 ** .foo.bar.com      www.foo.bar.com      matches    matches? disallowed?
 ** .foo.bar.com          foo.bar.com      no match   no match
 ** .foo.bar.com     www..foo.bar.com      matches    probably not
 **
 ** We will try to conform to NIST's PKITS tests, and the unstated
 ** rules they imply.
 */
 static SECStatus
 compareDNSN2C(const SECItem *name, const SECItem *constraint)
 {
     int offset;
     /* The spec is silent on intepreting zero-length constraints.
     ** We interpret them as matching all DNSnames.
     */
     if (!constraint->len)
         return SECSuccess;
     if (name->len < constraint->len)
         return SECFailure;
     offset = name->len - constraint->len;
     if (PL_strncasecmp((char *)(name->data + offset),
 		       (char *)constraint->data, constraint->len))
         return SECFailure;
     if (!offset ||
         (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
 	return SECSuccess;
     return SECFailure;
 }
 /* Returns SECSuccess if name matches constraint per RFC 3280 rules for
 ** internet email addresses.  SECFailure otherwise.
 ** If constraint contains a '@' then the two strings much match exactly.
 ** Else if constraint starts with a '.'. then it must match the right-most
 ** substring of the name,
 ** else constraint string must match entire name after the name's '@'.
 ** Empty constraint string matches all names. All comparisons case insensitive.
 */
 static SECStatus
 compareRFC822N2C(const SECItem *name, const SECItem *constraint)
 {
     int offset;
     if (!constraint->len)
         return SECSuccess;
     if (name->len < constraint->len)
         return SECFailure;
     if (constraint->len == 1 && constraint->data[0] == '.')
         return SECSuccess;
     for (offset = constraint->len - 1; offset >= 0; --offset) {
     	if (constraint->data[offset] == '@') {
 	    return (name->len == constraint->len &&
 	        !PL_strncasecmp((char *)name->data,
 				(char *)constraint->data, constraint->len))
 		? SECSuccess : SECFailure;
 	}
     }
     offset = name->len - constraint->len;
     if (PL_strncasecmp((char *)(name->data + offset),
 		       (char *)constraint->data, constraint->len))
         return SECFailure;
     if (constraint->data[0] == '.')
         return SECSuccess;
     if (offset > 0 && name->data[offset - 1] == '@')
         return SECSuccess;
     return SECFailure;
 }
 /* name contains either a 4 byte IPv4 address or a 16 byte IPv6 address.
 ** constraint contains an address of the same length, and a subnet mask
 ** of the same length.  Compare name's address to the constraint's
 ** address, subject to the mask.
 ** Return SECSuccess if they match, SECFailure if they don't.
 */
 static SECStatus
 compareIPaddrN2C(const SECItem *name, const SECItem *constraint)
 {
     int i;
     if (name->len == 4 && constraint->len == 8) { /* ipv4 addr */
         for (i = 0; i < 4; i++) {
 	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+4])
 	        goto loser;
 	}
 	return SECSuccess;
     }
     if (name->len == 16 && constraint->len == 32) { /* ipv6 addr */
         for (i = 0; i < 16; i++) {
 	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+16])
 	        goto loser;
 	}
 	return SECSuccess;
     }
 loser:
     return SECFailure;
 }
 /* start with a SECItem that points to a URI.  Parse it lookingg for
 ** a hostname.  Modify item->data and item->len to define the hostname,
 ** but do not modify and data at item->data.
 ** If anything goes wrong, the contents of *item are undefined.
 */
 static SECStatus
 parseUriHostname(SECItem * item)
 {
     int i;
     PRBool found = PR_FALSE;
     for (i = 0; (unsigned)(i+2) < item->len; ++i) {
 	if (item->data[i  ] == ':' &&
 	    item->data[i+1] == '/' &&
 	    item->data[i+2] == '/') {
 	    i += 3;
 	    item->data += i;
 	    item->len  -= i;
 	    found = PR_TRUE;
 	    break;
 	}
     }
     if (!found)
         return SECFailure;
     /* now look for a '/', which is an upper bound in the end of the name */
     for (i = 0; (unsigned)i < item->len; ++i) {
 	if (item->data[i] == '/') {
 	    item->len = i;
 	    break;
 	}
     }
     /* now look for a ':', which marks the end of the name */
     for (i = item->len; --i >= 0; ) {
         if (item->data[i] == ':') {
 	    item->len = i;
 	    break;
 	}
     }
     /* now look for an '@', which marks the beginning of the hostname */
     for (i = 0; (unsigned)i < item->len; ++i) {
 	if (item->data[i] == '@') {
 	    ++i;
 	    item->data += i;
 	    item->len  -= i;
 	    break;
 	}
     }
     return item->len ? SECSuccess : SECFailure;
 }
 /* This function takes one name, and a list of constraints.
 ** It searches the constraints looking for a match.
 ** It returns SECSuccess if the name satisfies the constraints, i.e.,
 ** if excluded, then the name does not match any constraint,
 ** if permitted, then the name matches at least one constraint.
 ** It returns SECFailure if the name fails to satisfy the constraints,
 ** or if some code fails (e.g. out of memory, or invalid constraint)
 */
 SECStatus
 cert_CompareNameWithConstraints(const CERTGeneralName     *name,
 				const CERTNameConstraint  *constraints,
 				PRBool              excluded)
 {
     SECStatus           rv     = SECSuccess;
     SECStatus           matched = SECFailure;
     const CERTNameConstraint *current;
     PORT_Assert(constraints);  /* caller should not call with NULL */
     if (!constraints) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     current = constraints;
     do {
 	rv = SECSuccess;
 	matched = SECFailure;
 	PORT_Assert(name->type == current->name.type);
 	switch (name->type) {
 	case certDNSName:
 	    matched = compareDNSN2C(&name->name.other,
 	                            &current->name.name.other);
 	    break;
 	case certRFC822Name:
 	    matched = compareRFC822N2C(&name->name.other,
 	                               &current->name.name.other);
 	    break;
 	case certURI:
 	    {
 		/* make a modifiable copy of the URI SECItem. */
 		SECItem uri = name->name.other;
 		/* find the hostname in the URI */
 		rv = parseUriHostname(&uri);
 		if (rv == SECSuccess) {
 		    /* does our hostname meet the constraint? */
 		    matched = compareURIN2C(&uri, &current->name.name.other);
 		}
 	    }
 	    break;
 	case certDirectoryName:
 	    /* Determine if the constraint directory name is a "prefix"
 	    ** for the directory name being tested.
 	    */
 	  {
 	    /* status defaults to SECEqual, so that a constraint with
 	    ** no AVAs will be a wildcard, matching all directory names.
 	    */
 	    SECComparison   status = SECEqual;
 	    const CERTRDN **cRDNs =
 		    (const CERTRDN **)current->name.name.directoryName.rdns;
 	    const CERTRDN **nRDNs =
 		    (const CERTRDN **)name->name.directoryName.rdns;
 	    while (cRDNs && *cRDNs && nRDNs && *nRDNs) {
 		/* loop over name RDNs and constraint RDNs in lock step */
 		const CERTRDN *cRDN = *cRDNs++;
 		const CERTRDN *nRDN = *nRDNs++;
 		CERTAVA **cAVAs = cRDN->avas;
 		while (cAVAs && *cAVAs) { /* loop over constraint AVAs */
 		    CERTAVA *cAVA = *cAVAs++;
 		    CERTAVA **nAVAs = nRDN->avas;
 		    while (nAVAs && *nAVAs) { /* loop over name AVAs */
 			CERTAVA *nAVA = *nAVAs++;
 			status = CERT_CompareAVA(cAVA, nAVA);
 			if (status == SECEqual)
 			    break;
 		    } /* loop over name AVAs */
 		    if (status != SECEqual)
 			break;
 		} /* loop over constraint AVAs */
 		if (status != SECEqual)
 		    break;
 	    } /* loop over name RDNs and constraint RDNs */
 	    matched = (status == SECEqual) ? SECSuccess : SECFailure;
 	    break;
 	  }
 	case certIPAddress:	/* type 8 */
 	    matched = compareIPaddrN2C(&name->name.other,
 	                               &current->name.name.other);
 	    break;
 	/* NSS does not know how to compare these "Other" type names with
 	** their respective constraints.  But it does know how to tell
 	** if the constraint applies to the type of name (by comparing
 	** the constraint OID to the name OID).  NSS makes no use of "Other"
 	** type names at all, so NSS errs on the side of leniency for these
 	** types, provided that their OIDs match.  So, when an "Other"
 	** name constraint appears in an excluded subtree, it never causes
 	** a name to fail.  When an "Other" name constraint appears in a
 	** permitted subtree, AND the constraint's OID matches the name's
 	** OID, then name is treated as if it matches the constraint.
 	*/
 	case certOtherName:	/* type 1 */
 	    matched = (!excluded &&
 		       name->type == current->name.type &&
 		       SECITEM_ItemsAreEqual(&name->name.OthName.oid,
 					     &current->name.name.OthName.oid))
 		 ? SECSuccess : SECFailure;
 	    break;
 	/* NSS does not know how to compare these types of names with their
 	** respective constraints.  But NSS makes no use of these types of
 	** names at all, so it errs on the side of leniency for these types.
 	** Constraints for these types of names never cause the name to
 	** fail the constraints test.  NSS behaves as if the name matched
 	** for permitted constraints, and did not match for excluded ones.
 	*/
 	case certX400Address:	/* type 4 */
 	case certEDIPartyName:  /* type 6 */
 	case certRegisterID:	/* type 9 */
 	    matched = excluded ? SECFailure : SECSuccess;
 	    break;
 	default: /* non-standard types are not supported */
 	    rv = SECFailure;
 	    break;
 	}
 	if (matched == SECSuccess || rv != SECSuccess)
 	    break;
 	current = CERT_GetNextNameConstraint((CERTNameConstraint*)current);
     } while (current != constraints);
     if (rv == SECSuccess) {
         if (matched == SECSuccess)
 	    rv = excluded ? SECFailure : SECSuccess;
 	else
 	    rv = excluded ? SECSuccess : SECFailure;
 	return rv;
     }
     return SECFailure;
 }
 /* Add and link a CERTGeneralName to a CERTNameConstraint list. Most
 ** likely the CERTNameConstraint passed in is either the permitted
 ** list or the excluded list of a CERTNameConstraints.
 */
 SECStatus
 CERT_AddNameConstraintByGeneralName(PLArenaPool *arena,
                                     CERTNameConstraint **constraints,
                                     CERTGeneralName *name)
 {
     SECStatus rv;
     CERTNameConstraint *current = NULL;
     CERTNameConstraint *first = *constraints;
     void *mark = NULL;
     mark = PORT_ArenaMark(arena);
     current = PORT_ArenaZNew(arena, CERTNameConstraint);
     if (current == NULL) {
         rv = SECFailure;
         goto done;
     }
     rv = cert_CopyOneGeneralName(arena, &current->name, name);
     if (rv != SECSuccess) {
         goto done;
     }
     current->name.l.prev = current->name.l.next = &(current->name.l);
     if (first == NULL) {
         *constraints = current;
         PR_INIT_CLIST(&current->l);
     } else {
         PR_INSERT_BEFORE(&current->l, &first->l);
     }
 done:
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
     } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 /* Add name constraints to certain certs that do not include name constraints
  * This is the core of the implementation for bug 952572.
  */
 static SECStatus
 getNameExtensionsBuiltIn(CERTCertificate  *cert,
                          SECItem *extensions)
 {
   const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/
                                      "\xA0\x5B" /* element len =91 */
                                      "\x30\x05" /* sequence len 5 */
                                      "\x82\x03" /* entry len 3 */
                                      ".fr"
                                      "\x30\x05\x82\x03" /* sequence len5, entry len 3 */
                                      ".gp"
                                      "\x30\x05\x82\x03"
                                      ".gf"
                                      "\x30\x05\x82\x03"
                                      ".mq"
                                      "\x30\x05\x82\x03"
                                      ".re"
                                      "\x30\x05\x82\x03"
                                      ".yt"
                                      "\x30\x05\x82\x03"
                                      ".pm"
                                      "\x30\x05\x82\x03"
                                      ".bl"
                                      "\x30\x05\x82\x03"
                                      ".mf"
                                      "\x30\x05\x82\x03"
                                      ".wf"
                                      "\x30\x05\x82\x03"
                                      ".pf"
                                      "\x30\x05\x82\x03"
                                      ".nc"
                                      "\x30\x05\x82\x03"
                                      ".tf";
   /* The stringified value for the subject is:
      E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
    */
   const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
                                  "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
                                  "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
                                  "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
                                  "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
                                  "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
                                  "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
                                  "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
                                  "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
                                  "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
                                  "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
                                  "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
                                  "\x76\x2E\x66\x72";
   const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject,
                                  sizeof(rawANSSISubject)-1};
   const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov,
                                      sizeof(constraintFranceGov)-1};
   if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
     SECStatus rv;
     rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC);
     return rv;
   }
   PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
   return SECFailure;
 }
 /* Extract the name constraints extension from the CA cert. */
 SECStatus
 CERT_FindNameConstraintsExten(PLArenaPool      *arena,
                               CERTCertificate  *cert,
                               CERTNameConstraints **constraints)
 {
     SECStatus            rv = SECSuccess;
     SECItem              constraintsExtension;
     void                *mark = NULL;
     *constraints = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS,
                                 &constraintsExtension);
     if (rv != SECSuccess) {
         if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
             return rv;
         }
         rv = getNameExtensionsBuiltIn(cert, &constraintsExtension);
         if (rv != SECSuccess) {
           if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
             return SECSuccess;
           }
           return rv;
         }
     }
     mark = PORT_ArenaMark(arena);
     *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
     if (*constraints == NULL) { /* decode failed */
         rv = SECFailure;
     }
     PORT_Free (constraintsExtension.data);
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
     } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 /* Verify name against all the constraints relevant to that type of
 ** the name.
 */
 SECStatus
 CERT_CheckNameSpace(PLArenaPool          *arena,
                     const CERTNameConstraints *constraints,
                     const CERTGeneralName     *currentName)
 {
     CERTNameConstraint  *matchingConstraints;
     SECStatus            rv = SECSuccess;
     if (constraints->excluded != NULL) {
         rv = CERT_GetNameConstraintByType(constraints->excluded,
                                           currentName->type,
                                           &matchingConstraints, arena);
         if (rv == SECSuccess && matchingConstraints != NULL) {
             rv = cert_CompareNameWithConstraints(currentName,
                                                  matchingConstraints,
                                                  PR_TRUE);
         }
         if (rv != SECSuccess) {
             return(rv);
         }
     }
     if (constraints->permited != NULL) {
         rv = CERT_GetNameConstraintByType(constraints->permited,
                                           currentName->type,
                                           &matchingConstraints, arena);
         if (rv == SECSuccess && matchingConstraints != NULL) {
             rv = cert_CompareNameWithConstraints(currentName,
                                                  matchingConstraints,
                                                  PR_FALSE);
         }
         if (rv != SECSuccess) {
             return(rv);
         }
     }
     return(SECSuccess);
 }
 /* Extract the name constraints extension from the CA cert.
 ** Test each and every name in namesList against all the constraints
 ** relevant to that type of name.
 ** Returns NULL in pBadCert for success, if all names are acceptable.
 ** If some name is not acceptable, returns a pointer to the cert that
 ** contained that name.
 */
 SECStatus
 CERT_CompareNameSpace(CERTCertificate  *cert,
 		      CERTGeneralName  *namesList,
  		      CERTCertificate **certsList,
  		      PLArenaPool      *reqArena,
  		      CERTCertificate **pBadCert)
 {
     SECStatus            rv = SECSuccess;
     CERTNameConstraints  *constraints;
     CERTGeneralName      *currentName;
     int                  count = 0;
     CERTCertificate      *badCert = NULL;
     /* If no names to check, then no names can be bad. */
     if (!namesList)
     	goto done;
     rv = CERT_FindNameConstraintsExten(reqArena, cert, &constraints);
     if (rv != SECSuccess) {
 	count = -1;
 	goto done;
     }
     currentName = namesList;
     do {
 	if (constraints){
 	    rv = CERT_CheckNameSpace(reqArena, constraints, currentName);
 	    if (rv != SECSuccess) {
 		break;
 	    }
 	}
  	currentName = CERT_GetNextGeneralName(currentName);
  	count ++;
     } while (currentName != namesList);
 done:
     if (rv != SECSuccess) {
 	badCert = (count >= 0) ? certsList[count] : cert;
     }
     if (pBadCert)
 	*pBadCert = badCert;
     return rv;
 }
 #if 0
 /* not exported from shared libs, not used.  Turn on if we ever need it. */
 SECStatus
 CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
 {
     CERTGeneralName *currentA;
     CERTGeneralName *currentB;
     PRBool found;
     currentA = a;
     currentB = b;
     if (a != NULL) {
 	do {
 	    if (currentB == NULL) {
 		return SECFailure;
 	    }
 	    currentB = CERT_GetNextGeneralName(currentB);
 	    currentA = CERT_GetNextGeneralName(currentA);
 	} while (currentA != a);
     }
     if (currentB != b) {
 	return SECFailure;
     }
     currentA = a;
     do {
 	currentB = b;
 	found = PR_FALSE;
 	do {
 	    if (currentB->type == currentA->type) {
 		switch (currentB->type) {
 		  case certDNSName:
 		  case certEDIPartyName:
 		  case certIPAddress:
 		  case certRegisterID:
 		  case certRFC822Name:
 		  case certX400Address:
 		  case certURI:
 		    if (SECITEM_CompareItem(&currentA->name.other,
 					    &currentB->name.other)
 			== SECEqual) {
 			found = PR_TRUE;
 		    }
 		    break;
 		  case certOtherName:
 		    if (SECITEM_CompareItem(&currentA->name.OthName.oid,
 					    &currentB->name.OthName.oid)
 			== SECEqual &&
 			SECITEM_CompareItem(&currentA->name.OthName.name,
 					    &currentB->name.OthName.name)
 			== SECEqual) {
 			found = PR_TRUE;
 		    }
 		    break;
 		  case certDirectoryName:
 		    if (CERT_CompareName(&currentA->name.directoryName,
 					 &currentB->name.directoryName)
 			== SECEqual) {
 			found = PR_TRUE;
 		    }
 		}
 	    }
 	    currentB = CERT_GetNextGeneralName(currentB);
 	} while (currentB != b && found != PR_TRUE);
 	if (found != PR_TRUE) {
 	    return SECFailure;
 	}
 	currentA = CERT_GetNextGeneralName(currentA);
     } while (currentA != a);
     return SECSuccess;
 }
 SECStatus
 CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b)
 {
     SECStatus rv;
     if (a == b) {
 	return SECSuccess;
     }
     if (a != NULL && b != NULL) {
 	PZ_Lock(a->lock);
 	PZ_Lock(b->lock);
 	rv = CERT_CompareGeneralName(a->name, b->name);
 	PZ_Unlock(a->lock);
 	PZ_Unlock(b->lock);
     } else {
 	rv = SECFailure;
     }
     return rv;
 }
 #endif
 #if 0
 /* This function is not exported from NSS shared libraries, and is not
 ** used inside of NSS.
 ** XXX it doesn't check for failed allocations. :-(
 */
 void *
 CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
 				  CERTGeneralNameType type,
 				  PLArenaPool *arena)
 {
     CERTName *name = NULL;
     SECItem *item = NULL;
     OtherName *other = NULL;
     OtherName *tmpOther = NULL;
     void *data;
     PZ_Lock(list->lock);
     data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE);
     if (data != NULL) {
 	switch (type) {
 	  case certDNSName:
 	  case certEDIPartyName:
 	  case certIPAddress:
 	  case certRegisterID:
 	  case certRFC822Name:
 	  case certX400Address:
 	  case certURI:
 	    if (arena != NULL) {
 		item = PORT_ArenaNew(arena, SECItem);
 		if (item != NULL) {
 XXX		    SECITEM_CopyItem(arena, item, (SECItem *) data);
 		}
 	    } else {
 		item = SECITEM_DupItem((SECItem *) data);
 	    }
 	    PZ_Unlock(list->lock);
 	    return item;
 	  case certOtherName:
 	    other = (OtherName *) data;
 	    if (arena != NULL) {
 		tmpOther = PORT_ArenaNew(arena, OtherName);
 	    } else {
 		tmpOther = PORT_New(OtherName);
 	    }
 	    if (tmpOther != NULL) {
 XXX		SECITEM_CopyItem(arena, &tmpOther->oid, &other->oid);
 XXX		SECITEM_CopyItem(arena, &tmpOther->name, &other->name);
 	    }
 	    PZ_Unlock(list->lock);
 	    return tmpOther;
 	  case certDirectoryName:
 	    if (arena) {
 		name = PORT_ArenaZNew(list->arena, CERTName);
 		if (name) {
 XXX		    CERT_CopyName(arena, name, (CERTName *) data);
 		}
 	    }
 	    PZ_Unlock(list->lock);
 	    return name;
 	}
     }
     PZ_Unlock(list->lock);
     return NULL;
 }
 #endif
 #if 0
 /* This function is not exported from NSS shared libraries, and is not
 ** used inside of NSS.
 ** XXX it should NOT be a void function, since it does allocations
 ** that can fail.
 */
 void
 CERT_AddGeneralNameToList(CERTGeneralNameList *list,
 			  CERTGeneralNameType type,
 			  void *data, SECItem *oid)
 {
     CERTGeneralName *name;
     if (list != NULL && data != NULL) {
 	PZ_Lock(list->lock);
 	name = CERT_NewGeneralName(list->arena, type);
 	if (!name)
 	    goto done;
 	switch (type) {
 	  case certDNSName:
 	  case certEDIPartyName:
 	  case certIPAddress:
 	  case certRegisterID:
 	  case certRFC822Name:
 	  case certX400Address:
 	  case certURI:
 XXX	    SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data);
 	    break;
 	  case certOtherName:
 XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.name,
 			     (SECItem *) data);
 XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.oid,
 			     oid);
 	    break;
 	  case certDirectoryName:
 XXX	    CERT_CopyName(list->arena, &name->name.directoryName,
 			  (CERTName *) data);
 	    break;
 	}
 	list->name = cert_CombineNamesLists(list->name, name);
 	list->len++;
 done:
 	PZ_Unlock(list->lock);
     }
     return;
 }
 #endif

The Tor Browser / annotate

security/nss/lib/certdb/genname.c@b8a032363ba2 (annotated)

security/nss/lib/certdb/genname.c