security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4 /*
michael@0 5 * pkix_basicconstraintschecker.c
michael@0 6 *
michael@0 7 * Functions for basic constraints validation
michael@0 8 *
michael@0 9 */
michael@0 10
michael@0 11 #include "pkix_basicconstraintschecker.h"
michael@0 12
michael@0 13 /* --Private-BasicConstraintsCheckerState-Functions------------------------- */
michael@0 14
/*
 * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 *
 * Destructor installed for PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE by
 * pkix_BasicConstraintsCheckerState_RegisterSelf. It verifies the type of
 * "object" before casting it, then drops the state's reference to its
 * basicConstraintsOID member.
 */
static PKIX_Error *
pkix_BasicConstraintsCheckerState_Destroy(
        PKIX_PL_Object *object,
        void *plContext)
{
        pkix_BasicConstraintsCheckerState *checkerState = NULL;

        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
                    "pkix_BasicConstraintsCheckerState_Destroy");

        PKIX_NULLCHECK_ONE(object);

        /*
         * The cast below is only valid for a basic constraints checker
         * state, so the type tag is checked first; a mismatch jumps to
         * cleanup with PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE.
         */
        PKIX_CHECK(
                pkix_CheckType(
                        object,
                        PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
                        plContext),
                PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);

        checkerState = (pkix_BasicConstraintsCheckerState *)object;

        /* The OID is the only member released here. */
        PKIX_DECREF(checkerState->basicConstraintsOID);

cleanup:

        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}
michael@0 44
/*
 * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
 * DESCRIPTION:
 *  Registers PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE in systemClasses[]:
 *  its description string, object size and destructor. No equals,
 *  hashcode, toString, comparator or duplicate callbacks are installed.
 * THREAD SAFETY:
 *  Not Thread Safe - for performance and complexity reasons
 *
 *  Since this function is only called by PKIX_PL_Initialize, which should
 *  only be called once, it is acceptable that this function is not
 *  thread-safe.
 */
PKIX_Error *
pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
{
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
        pkix_ClassTable_Entry classEntry;

        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
                    "pkix_BasicConstraintsCheckerState_RegisterSelf");

        /*
         * NOTE(review): classEntry is filled member by member rather than
         * zero-initialised; if pkix_ClassTable_Entry has a member that is
         * not listed below, it is copied into the table uninitialised --
         * confirm against the struct definition.
         */

        /* Identity and bookkeeping */
        classEntry.description = "BasicConstraintsCheckerState";
        classEntry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
        classEntry.objCounter = 0;

        /* Only a destructor is provided for this type */
        classEntry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
        classEntry.duplicateFunction = NULL;
        classEntry.comparator = NULL;
        classEntry.toStringFunction = NULL;
        classEntry.hashcodeFunction = NULL;
        classEntry.equalsFunction = NULL;

        systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = classEntry;

        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}
michael@0 79
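/*
 * FUNCTION: pkix_BasicConstraintsCheckerState_Create
 * DESCRIPTION:
 *
 *  Creates a new BasicConstraintsCheckerState using the number of certs in
 *  the chain represented by "certsRemaining" and stores it at "pState".
 *  The new state starts with maxPathLength set to
 *  PKIX_UNLIMITED_PATH_CONSTRAINT and holds an OID object created from
 *  PKIX_BASICCONSTRAINTS_OID.
 *
 * PARAMETERS:
 *  "certsRemaining"
 *      Number of certificates in the chain.
 *  "pState"
 *      Address where object pointer will be stored. Must be non-NULL.
 *      Written only on success.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a BasicConstraintsCheckerState Error if the function fails in a
 *      non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
static PKIX_Error *
pkix_BasicConstraintsCheckerState_Create(
        PKIX_UInt32 certsRemaining,
        pkix_BasicConstraintsCheckerState **pState,
        void *plContext)
{
        pkix_BasicConstraintsCheckerState *state = NULL;

        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
                    "pkix_BasicConstraintsCheckerState_Create");

        PKIX_NULLCHECK_ONE(pState);

        PKIX_CHECK(PKIX_PL_Object_Alloc
                    (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
                    sizeof (pkix_BasicConstraintsCheckerState),
                    (PKIX_PL_Object **)&state,
                    plContext),
                    PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);

        /* initialize fields */
        state->certsRemaining = certsRemaining;
        state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;

        /*
         * Give the OID member a defined value before the fallible call
         * below. If PKIX_PL_OID_Create fails, cleanup releases "state",
         * and this type's destructor runs PKIX_DECREF on
         * basicConstraintsOID; without this assignment that would act on
         * whatever the allocator left in the member.
         * (Whether PKIX_PL_Object_Alloc zero-fills is not visible in this
         * file, so the member is set explicitly.)
         */
        state->basicConstraintsOID = NULL;

        PKIX_CHECK(PKIX_PL_OID_Create
                    (PKIX_BASICCONSTRAINTS_OID,
                    &state->basicConstraintsOID,
                    plContext),
                    PKIX_OIDCREATEFAILED);

        /* Hand the object to the caller; NULL keeps cleanup from releasing it */
        *pState = state;
        state = NULL;

cleanup:

        PKIX_DECREF(state);

        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}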
michael@0 141
michael@0 142 /* --Private-BasicConstraintsChecker-Functions------------------------------ */
michael@0 143
/*
 * FUNCTION: pkix_BasicConstraintsChecker_Check
 * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
 *
 * Per-certificate step of basic constraints validation. The checker state
 * carries two values across calls: certsRemaining, decremented once per
 * call, and maxPathLength, the number of further non-self-issued CA
 * certificates the path may still contain
 * (PKIX_UNLIMITED_PATH_CONSTRAINT when nothing has limited it yet).
 *
 * For every certificate except the one that brings certsRemaining to zero:
 *  - a certificate that is not self-issued fails with
 *    PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN when maxPathLength is already
 *    zero, and with PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA when its cA
 *    flag is not set (or the extension is absent);
 *  - a CA certificate's own path length value can only tighten
 *    maxPathLength, never relax it.
 *
 * The basic constraints OID is removed from
 * "unresolvedCriticalExtensions" (when that list is non-NULL) on every
 * call, including the call for the final certificate, whose extension is
 * not examined here.
 *
 * NOTE(review): the cA test sits inside the "not self-issued" branch, so a
 * self-issued certificate in a non-final position is not rejected by this
 * function when cA is false or the extension is missing. RFC 5280
 * section 6.1.4 step (k) applies the cA requirement to every non-final
 * certificate and exempts self-issued certificates only from the path
 * length accounting in step (l). Confirm that another checker enforces
 * cA for self-issued intermediates, or that this is intended.
 *
 * NOTE(review): certsRemaining is decremented before it is tested. It is
 * initialised from a PKIX_UInt32, so if this callback ever runs with the
 * counter already at zero the value presumably wraps and the final
 * certificate is treated as an intermediate. Correctness relies on the
 * caller passing the true chain length to
 * pkix_BasicConstraintsChecker_Initialize.
 */
PKIX_Error *
pkix_BasicConstraintsChecker_Check(
        PKIX_CertChainChecker *checker,
        PKIX_PL_Cert *cert,
        PKIX_List *unresolvedCriticalExtensions, /* list of PKIX_PL_OID */
        void **pNBIOContext,
        void *plContext)
{
        pkix_BasicConstraintsCheckerState *checkerState = NULL;
        PKIX_PL_CertBasicConstraints *bcExtension = NULL;
        PKIX_Boolean isCA = PKIX_FALSE;
        PKIX_Boolean selfIssued = PKIX_FALSE;
        PKIX_Int32 certPathLen = 0;
        PKIX_Int32 pathBudget;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);

        *pNBIOContext = NULL; /* we never block on pending I/O */

        PKIX_CHECK(
                PKIX_CertChainChecker_GetCertChainCheckerState(
                        checker,
                        (PKIX_PL_Object **)&checkerState,
                        plContext),
                PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);

        checkerState->certsRemaining -= 1;

        /* Zero remaining means this is the last cert: no CA checks apply */
        if (checkerState->certsRemaining != 0) {

                PKIX_CHECK(
                        PKIX_PL_Cert_GetBasicConstraints(
                                cert, &bcExtension, plContext),
                        PKIX_CERTGETBASICCONSTRAINTSFAILED);

                if (bcExtension == NULL) {
                        /* No extension: not a CA, no path length stated */
                        isCA = PKIX_FALSE;
                        certPathLen = PKIX_UNLIMITED_PATH_CONSTRAINT;
                } else {
                        PKIX_CHECK(
                                PKIX_PL_BasicConstraints_GetCAFlag(
                                        bcExtension, &isCA, plContext),
                                PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);

                        /*
                         * The path length is read only for CA certs; for
                         * a non-CA cert certPathLen keeps its initial 0
                         * and is never consulted below.
                         */
                        if (isCA == PKIX_TRUE) {
                                PKIX_CHECK(
                                    PKIX_PL_BasicConstraints_GetPathLenConstraint(
                                            bcExtension,
                                            &certPathLen,
                                            plContext),
                                    PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
                        }
                }

                PKIX_CHECK(
                        pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
                        PKIX_ISCERTSELFISSUEDFAILED);

                pathBudget = checkerState->maxPathLength;

                /* Self-issued certs skip both tests and the decrement */
                if (selfIssued != PKIX_TRUE) {

                        /* Not last CA Cert, but budget is down to zero */
                        if (pathBudget == 0) {
                                PKIX_ERROR(
                                    PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
                        }

                        /* A non-final cert must be a CA */
                        if (isCA == PKIX_FALSE) {
                                PKIX_ERROR(
                                    PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
                        }

                        /* can be unlimited (-1), which is left untouched */
                        if (pathBudget > 0) {
                                pathBudget -= 1;
                        }
                }

                /*
                 * Fold in this CA's own limit: adopt it when nothing has
                 * limited the path yet, otherwise keep the smaller of the
                 * two. An unspecified value never changes the budget
                 * (presumably reported as PKIX_UNLIMITED_PATH_CONSTRAINT
                 * by the getter -- confirm).
                 */
                if (isCA == PKIX_TRUE) {
                        if (pathBudget == PKIX_UNLIMITED_PATH_CONSTRAINT) {
                                pathBudget = certPathLen;
                        } else if (certPathLen !=
                                    PKIX_UNLIMITED_PATH_CONSTRAINT &&
                                    pathBudget > certPathLen) {
                                pathBudget = certPathLen;
                        }
                }

                checkerState->maxPathLength = pathBudget;
        }

        /* Remove Basic Constraints Extension OID from list */
        if (unresolvedCriticalExtensions != NULL) {
                PKIX_CHECK(
                        pkix_List_Remove(
                                unresolvedCriticalExtensions,
                                (PKIX_PL_Object *)
                                    checkerState->basicConstraintsOID,
                                plContext),
                        PKIX_LISTREMOVEFAILED);
        }

        /* Store the updated counters back on the checker */
        PKIX_CHECK(
                PKIX_CertChainChecker_SetCertChainCheckerState(
                        checker,
                        (PKIX_PL_Object *)checkerState,
                        plContext),
                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);

cleanup:
        PKIX_DECREF(checkerState);
        PKIX_DECREF(bcExtension);
        PKIX_RETURN(CERTCHAINCHECKER);

}
michael@0 265
/*
 * FUNCTION: pkix_BasicConstraintsChecker_Initialize
 * DESCRIPTION:
 *  Creates a BasicConstraintsCheckerState for a chain of "certsRemaining"
 *  certificates and a CertChainChecker that uses
 *  pkix_BasicConstraintsChecker_Check as its callback with that state as
 *  its initial state. The checker is stored at "pChecker".
 *
 * PARAMETERS:
 *  "certsRemaining"
 *      Number of certificates in the chain. The check callback counts
 *      this value down once per certificate and treats the certificate
 *      that brings it to zero as the final one, so it must match the
 *      number of certificates the checker will actually be given.
 *  "pChecker"
 *      Address where the new checker will be stored. Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Not established by this file -- TODO confirm.
 * RETURNS:
 *  Returns NULL if the function succeeds, otherwise a PKIX_Error.
 */
PKIX_Error *
pkix_BasicConstraintsChecker_Initialize(
        PKIX_UInt32 certsRemaining,
        PKIX_CertChainChecker **pChecker,
        void *plContext)
{
        pkix_BasicConstraintsCheckerState *initialState = NULL;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
        PKIX_NULLCHECK_ONE(pChecker);

        PKIX_CHECK(
                pkix_BasicConstraintsCheckerState_Create(
                        certsRemaining, &initialState, plContext),
                PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);

        /*
         * NOTE(review): a failure of PKIX_CertChainChecker_Create is
         * reported with the "...CHECKFAILED" code rather than a
         * create-specific one; confirm whether that is intentional, since
         * it makes the two failure modes indistinguishable to callers.
         */
        PKIX_CHECK(
                PKIX_CertChainChecker_Create(
                        pkix_BasicConstraintsChecker_Check,
                        PKIX_FALSE,
                        PKIX_FALSE,
                        NULL,
                        (PKIX_PL_Object *)initialState,
                        pChecker,
                        plContext),
                PKIX_CERTCHAINCHECKERCHECKFAILED);

cleanup:
        /*
         * Local reference is dropped on success and failure alike; the
         * checker presumably keeps its own reference -- confirm in
         * PKIX_CertChainChecker_Create.
         */
        PKIX_DECREF(initialState);

        PKIX_RETURN(CERTCHAINCHECKER);
}
