• file
• revisions
• annotate
• diff
• comparison
• raw

security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c

Thu, 22 Jan 2015 13:21:57 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Thu, 22 Jan 2015 13:21:57 +0100

branch

TOR_BUG_9701

changeset 15

b8a032363ba2

permissions

-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0	1	/* This Source Code Form is subject to the terms of the Mozilla Public
michael@0	2	* License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0	3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0	4	/*
michael@0	5	* pkix_namechainingchecker.c
michael@0	6	*
michael@0	7	* Functions for name chaining validation
michael@0	8	*
michael@0	9	*/
michael@0	10
michael@0	11
michael@0	12	#include "pkix_namechainingchecker.h"
michael@0	13
michael@0	14	/* --Private-Functions-------------------------------------------- */
michael@0	15
michael@0	16	/*
michael@0	17	* FUNCTION: pkix_NameChainingChecker_Check
michael@0	18	* (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
michael@0	19	*/
michael@0	20	PKIX_Error *
michael@0	21	pkix_NameChainingChecker_Check(
michael@0	22	PKIX_CertChainChecker *checker,
michael@0	23	PKIX_PL_Cert *cert,
michael@0	24	PKIX_List *unresolvedCriticalExtensions,
michael@0	25	void **pNBIOContext,
michael@0	26	void *plContext)
michael@0	27	{
michael@0	28	PKIX_PL_X500Name *prevSubject = NULL;
michael@0	29	PKIX_PL_X500Name *currIssuer = NULL;
michael@0	30	PKIX_PL_X500Name *currSubject = NULL;
michael@0	31	PKIX_Boolean result;
michael@0	32
michael@0	33	PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
michael@0	34	PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
michael@0	35
michael@0	36	*pNBIOContext = NULL; /* we never block on pending I/O */
michael@0	37
michael@0	38	PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
michael@0	39	(checker, (PKIX_PL_Object **)&prevSubject, plContext),
michael@0	40	PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
michael@0	41
michael@0	42	PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
michael@0	43	PKIX_CERTGETISSUERFAILED);
michael@0	44
michael@0	45	if (prevSubject){
michael@0	46	PKIX_CHECK(PKIX_PL_X500Name_Match
michael@0	47	(prevSubject, currIssuer, &result, plContext),
michael@0	48	PKIX_X500NAMEMATCHFAILED);
michael@0	49	if (!result){
michael@0	50	PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
michael@0	51	}
michael@0	52	} else {
michael@0	53	PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
michael@0	54	}
michael@0	55
michael@0	56	PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
michael@0	57	PKIX_CERTGETSUBJECTFAILED);
michael@0	58
michael@0	59	PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
michael@0	60	(checker, (PKIX_PL_Object *)currSubject, plContext),
michael@0	61	PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
michael@0	62
michael@0	63	cleanup:
michael@0	64
michael@0	65	PKIX_DECREF(prevSubject);
michael@0	66	PKIX_DECREF(currIssuer);
michael@0	67	PKIX_DECREF(currSubject);
michael@0	68
michael@0	69	PKIX_RETURN(CERTCHAINCHECKER);
michael@0	70
michael@0	71	}
michael@0	72
michael@0	73	/*
michael@0	74	* FUNCTION: pkix_NameChainingChecker_Initialize
michael@0	75	* DESCRIPTION:
michael@0	76	*
michael@0	77	* Creates a new CertChainChecker and stores it at "pChecker", where it will
michael@0	78	* be used by pkix_NameChainingChecker_Check to check that the issuer name
michael@0	79	* of the certificate matches the subject name in the checker's state. The
michael@0	80	* X500Name pointed to by "trustedCAName" is used to initialize the checker's
michael@0	81	* state.
michael@0	82	*
michael@0	83	* PARAMETERS:
michael@0	84	* "trustedCAName"
michael@0	85	* Address of X500Name representing the trusted CA Name used to
michael@0	86	* initialize the state of this checker. Must be non-NULL.
michael@0	87	* "pChecker"
michael@0	88	* Address where object pointer will be stored. Must be non-NULL.
michael@0	89	* "plContext"
michael@0	90	* Platform-specific context pointer.
michael@0	91	* THREAD SAFETY:
michael@0	92	* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
michael@0	93	* RETURNS:
michael@0	94	* Returns NULL if the function succeeds.
michael@0	95	* Returns a CertChainChecker Error if the function fails in a non-fatal way.
michael@0	96	* Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0	97	*/
michael@0	98	PKIX_Error *
michael@0	99	pkix_NameChainingChecker_Initialize(
michael@0	100	PKIX_PL_X500Name *trustedCAName,
michael@0	101	PKIX_CertChainChecker **pChecker,
michael@0	102	void *plContext)
michael@0	103	{
michael@0	104	PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");
michael@0	105	PKIX_NULLCHECK_TWO(pChecker, trustedCAName);
michael@0	106
michael@0	107	PKIX_CHECK(PKIX_CertChainChecker_Create
michael@0	108	(pkix_NameChainingChecker_Check,
michael@0	109	PKIX_FALSE,
michael@0	110	PKIX_FALSE,
michael@0	111	NULL,
michael@0	112	(PKIX_PL_Object *)trustedCAName,
michael@0	113	pChecker,
michael@0	114	plContext),
michael@0	115	PKIX_CERTCHAINCHECKERCREATEFAILED);
michael@0	116
michael@0	117	cleanup:
michael@0	118
michael@0	119	PKIX_RETURN(CERTCHAINCHECKER);
michael@0	120
michael@0	121	}