The Tor Browser: security/nss/lib/certhigh/certreq.c@b8a032363ba2 (annotated)

security/nss/lib/certhigh/certreq.c@b8a032363ba2 (annotated)

security/nss/lib/certhigh/certreq.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "cert.h"
 #include "certt.h"
 #include "secder.h"
 #include "key.h"
 #include "secitem.h"
 #include "secasn1.h"
 #include "secerr.h"
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
 const SEC_ASN1Template CERT_AttributeTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 , NULL, sizeof(CERTAttribute) },
     { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
     { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue),
 	SEC_ASN1_SUB(SEC_AnyTemplate) },
     { 0 }
 };
 const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
     { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
 };
 const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 , NULL, sizeof(CERTCertificateRequest) },
     { SEC_ASN1_INTEGER,
 	  offsetof(CERTCertificateRequest,version) },
     { SEC_ASN1_INLINE,
 	  offsetof(CERTCertificateRequest,subject),
 	  CERT_NameTemplate },
     { SEC_ASN1_INLINE,
 	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
 	  CERT_SubjectPublicKeyInfoTemplate },
     { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	  offsetof(CERTCertificateRequest,attributes),
 	  CERT_SetOfAttributeTemplate },
     { 0 }
 };
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
 CERTCertificate *
 CERT_CreateCertificate(unsigned long serialNumber,
 		      CERTName *issuer,
 		      CERTValidity *validity,
 		      CERTCertificateRequest *req)
 {
     CERTCertificate *c;
     int rv;
     PLArenaPool *arena;
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if ( !arena ) {
 	return(0);
     }
     c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
     if (!c) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return 0;
     }
     c->referenceCount = 1;
     c->arena = arena;
     /*
      * Default is a plain version 1.
      * If extensions are added, it will get changed as appropriate.
      */
     rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
     if (rv) goto loser;
     rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
     if (rv) goto loser;
     rv = CERT_CopyName(arena, &c->issuer, issuer);
     if (rv) goto loser;
     rv = CERT_CopyValidity(arena, &c->validity, validity);
     if (rv) goto loser;
     rv = CERT_CopyName(arena, &c->subject, &req->subject);
     if (rv) goto loser;
     rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
 					 &req->subjectPublicKeyInfo);
     if (rv) goto loser;
     return c;
  loser:
     CERT_DestroyCertificate(c);
     return 0;
 }
 /************************************************************************/
 /* It's clear from the comments that the original author of this
  * function expected the template for certificate requests to treat
  * the attributes as a SET OF ANY.  This function expected to be
  * passed an array of SECItems each of which contained an already encoded
  * Attribute.  But the cert request template does not treat the
  * Attributes as a SET OF ANY, and AFAIK never has.  Instead the template
  * encodes attributes as a SET OF xxxxxxx.  That is, it expects to encode
  * each of the Attributes, not have them pre-encoded.  Consequently an
  * array of SECItems containing encoded Attributes is of no value to this
  * function.  But we cannot change the signature of this public function.
  * It must continue to take SECItems.
  *
  * I have recoded this function so that each SECItem contains an
  * encoded cert extension.  The encoded cert extensions form the list for the
  * single attribute of the cert request. In this implementation there is at most
  * one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.
  */
 CERTCertificateRequest *
 CERT_CreateCertificateRequest(CERTName *subject,
 			     CERTSubjectPublicKeyInfo *spki,
 			     SECItem **attributes)
 {
     CERTCertificateRequest *certreq;
     PLArenaPool *arena;
     CERTAttribute * attribute;
     SECOidData * oidData;
     SECStatus rv;
     int i = 0;
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if ( arena == NULL ) {
 	return NULL;
     }
     certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);
     if (!certreq) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return NULL;
     }
     /* below here it is safe to goto loser */
     certreq->arena = arena;
     rv = DER_SetUInteger(arena, &certreq->version,
 			 SEC_CERTIFICATE_REQUEST_VERSION);
     if (rv != SECSuccess)
 	goto loser;
     rv = CERT_CopyName(arena, &certreq->subject, subject);
     if (rv != SECSuccess)
 	goto loser;
     rv = SECKEY_CopySubjectPublicKeyInfo(arena,
 				      &certreq->subjectPublicKeyInfo,
 				      spki);
     if (rv != SECSuccess)
 	goto loser;
     certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2);
     if(!certreq->attributes)
 	goto loser;
     /* Copy over attribute information */
     if (!attributes || !attributes[0]) {
 	/*
 	 ** Invent empty attribute information. According to the
 	 ** pkcs#10 spec, attributes has this ASN.1 type:
 	 **
 	 ** attributes [0] IMPLICIT Attributes
 	 **
 	 ** Which means, we should create a NULL terminated list
 	 ** with the first entry being NULL;
 	 */
 	certreq->attributes[0] = NULL;
 	return certreq;
     }
     /* allocate space for attributes */
     attribute = PORT_ArenaZNew(arena, CERTAttribute);
     if (!attribute)
 	goto loser;
     oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST );
     PORT_Assert(oidData);
     if (!oidData)
 	goto loser;
     rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);
     if (rv != SECSuccess)
 	goto loser;
     for (i = 0; attributes[i] != NULL ; i++)
 	;
     attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1);
     if (!attribute->attrValue)
 	goto loser;
     /* copy attributes */
     for (i = 0; attributes[i]; i++) {
 	/*
 	** Attributes are a SetOf Attribute which implies
 	** lexigraphical ordering.  It is assumes that the
 	** attributes are passed in sorted.  If we need to
 	** add functionality to sort them, there is an
 	** example in the PKCS 7 code.
 	*/
 	attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
 	if(!attribute->attrValue[i])
 	    goto loser;
     }
     certreq->attributes[0] = attribute;
     return certreq;
 loser:
     CERT_DestroyCertificateRequest(certreq);
     return NULL;
 }
 void
 CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
 {
     if (req && req->arena) {
 	PORT_FreeArena(req->arena, PR_FALSE);
     }
     return;
 }
 static void
 setCRExt(void *o, CERTCertExtension **exts)
 {
     ((CERTCertificateRequest *)o)->attributes = (struct CERTAttributeStr **)exts;
 }
 /*
 ** Set up to start gathering cert extensions for a cert request.
 ** The list is created as CertExtensions and converted to an
 ** attribute list by CERT_FinishCRAttributes().
  */
 extern void *cert_StartExtensions(void *owner, PLArenaPool *ownerArena,
                        void (*setExts)(void *object, CERTCertExtension **exts));
 void *
 CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
 {
     return (cert_StartExtensions ((void *)req, req->arena, setCRExt));
 }
 /*
 ** At entry req->attributes actually contains an list of cert extensions--
 ** req-attributes is overloaded until the list is DER encoded (the first
 ** ...EncodeItem() below).
 ** We turn this into an attribute list by encapsulating it
 ** in a PKCS 10 Attribute structure
  */
 SECStatus
 CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
 {   SECItem *extlist;
     SECOidData *oidrec;
     CERTAttribute *attribute;
     if (!req || !req->arena) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (req->attributes == NULL || req->attributes[0] == NULL)
         return SECSuccess;
     extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,
                             SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
     if (extlist == NULL)
         return(SECFailure);
     oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
     if (oidrec == NULL)
 	return SECFailure;
     /* now change the list of cert extensions into a list of attributes
      */
     req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2);
     attribute = PORT_ArenaZNew(req->arena, CERTAttribute);
     if (req->attributes == NULL || attribute == NULL ||
         SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
     attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2);
     if (attribute->attrValue == NULL)
         return SECFailure;
     attribute->attrValue[0] = extlist;
     attribute->attrValue[1] = NULL;
     req->attributes[0] = attribute;
     req->attributes[1] = NULL;
     return SECSuccess;
 }
 SECStatus
 CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
                                         CERTCertExtension ***exts)
 {
     if (req == NULL || exts == NULL) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (req->attributes == NULL || *req->attributes == NULL)
         return SECSuccess;
     if ((*req->attributes)->attrValue == NULL) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     return(SEC_ASN1DecodeItem(req->arena, exts,
             SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
             (*req->attributes)->attrValue[0]));
 }

The Tor Browser / annotate

security/nss/lib/certhigh/certreq.c@b8a032363ba2 (annotated)

security/nss/lib/certhigh/certreq.c