The Tor Browser: security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * pkix_policychecker.c
  *
  * Functions for Policy Checker
  *
  */
 #include "pkix_policychecker.h"
 /* --Forward declarations----------------------------------------------- */
 static PKIX_Error *
 pkix_PolicyChecker_MakeSingleton(
         PKIX_PL_Object *listItem,
         PKIX_Boolean immutability,
         PKIX_List **pList,
         void *plContext);
 /* --Private-PolicyCheckerState-Functions---------------------------------- */
 /*
  * FUNCTION:pkix_PolicyCheckerState_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_PolicyCheckerState_Destroy(
         PKIX_PL_Object *object,
         void *plContext)
 {
         PKIX_PolicyCheckerState *checkerState = NULL;
         PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
         PKIX_NULLCHECK_ONE(object);
         PKIX_CHECK(pkix_CheckType
                 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
                 PKIX_OBJECTNOTPOLICYCHECKERSTATE);
         checkerState = (PKIX_PolicyCheckerState *)object;
         PKIX_DECREF(checkerState->certPoliciesExtension);
         PKIX_DECREF(checkerState->policyMappingsExtension);
         PKIX_DECREF(checkerState->policyConstraintsExtension);
         PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
         PKIX_DECREF(checkerState->anyPolicyOID);
         PKIX_DECREF(checkerState->validPolicyTree);
         PKIX_DECREF(checkerState->userInitialPolicySet);
         PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
         checkerState->policyQualifiersRejected = PKIX_FALSE;
         checkerState->explicitPolicy = 0;
         checkerState->inhibitAnyPolicy = 0;
         checkerState->policyMapping = 0;
         checkerState->numCerts = 0;
         checkerState->certsProcessed = 0;
         checkerState->certPoliciesCritical = PKIX_FALSE;
         PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
         PKIX_DECREF(checkerState->newAnyPolicyNode);
         PKIX_DECREF(checkerState->mappedPolicyOIDs);
 cleanup:
         PKIX_RETURN(CERTPOLICYCHECKERSTATE);
 }
 /*
  * FUNCTION: pkix_PolicyCheckerState_ToString
  * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_PolicyCheckerState_ToString(
         PKIX_PL_Object *object,
         PKIX_PL_String **pCheckerStateString,
         void *plContext)
 {
         PKIX_PolicyCheckerState *state = NULL;
         PKIX_PL_String *resultString = NULL;
         PKIX_PL_String *policiesExtOIDString = NULL;
         PKIX_PL_String *policyMapOIDString = NULL;
         PKIX_PL_String *policyConstrOIDString = NULL;
         PKIX_PL_String *inhAnyPolOIDString = NULL;
         PKIX_PL_String *anyPolicyOIDString = NULL;
         PKIX_PL_String *validPolicyTreeString = NULL;
         PKIX_PL_String *userInitialPolicySetString = NULL;
         PKIX_PL_String *mappedUserPolicySetString = NULL;
         PKIX_PL_String *mappedPolicyOIDsString = NULL;
         PKIX_PL_String *anyAtBottomString = NULL;
         PKIX_PL_String *newAnyPolicyString = NULL;
         PKIX_PL_String *formatString = NULL;
         PKIX_PL_String *trueString = NULL;
         PKIX_PL_String *falseString = NULL;
         PKIX_PL_String *nullString = NULL;
         PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
         PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
         PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
         PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
         PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
         PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
         char *asciiFormat =
                 "{\n"
                 "\tcertPoliciesExtension:    \t%s\n"
                 "\tpolicyMappingsExtension:  \t%s\n"
                 "\tpolicyConstraintsExtension:\t%s\n"
                 "\tinhibitAnyPolicyExtension:\t%s\n"
                 "\tanyPolicyOID:             \t%s\n"
                 "\tinitialIsAnyPolicy:       \t%s\n"
                 "\tvalidPolicyTree:          \t%s\n"
                 "\tuserInitialPolicySet:     \t%s\n"
                 "\tmappedUserPolicySet:      \t%s\n"
                 "\tpolicyQualifiersRejected: \t%s\n"
                 "\tinitialPolMappingInhibit: \t%s\n"
                 "\tinitialExplicitPolicy:    \t%s\n"
                 "\tinitialAnyPolicyInhibit:  \t%s\n"
                 "\texplicitPolicy:           \t%d\n"
                 "\tinhibitAnyPolicy:         \t%d\n"
                 "\tpolicyMapping:            \t%d\n"
                 "\tnumCerts:                 \t%d\n"
                 "\tcertsProcessed:           \t%d\n"
                 "\tanyPolicyNodeAtBottom:    \t%s\n"
                 "\tnewAnyPolicyNode:         \t%s\n"
                 "\tcertPoliciesCritical:     \t%s\n"
                 "\tmappedPolicyOIDs:         \t%s\n"
                 "}";
         PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
         PKIX_NULLCHECK_TWO(object, pCheckerStateString);
         PKIX_CHECK(pkix_CheckType
                 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
                 PKIX_OBJECTNOTPOLICYCHECKERSTATE);
         state = (PKIX_PolicyCheckerState *)object;
         PKIX_NULLCHECK_THREE
                 (state->certPoliciesExtension,
                 state->policyMappingsExtension,
                 state->policyConstraintsExtension);
         PKIX_NULLCHECK_THREE
                 (state->inhibitAnyPolicyExtension,
                 state->anyPolicyOID,
                 state->userInitialPolicySet);
         PKIX_CHECK(PKIX_PL_String_Create
                 (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
                 PKIX_STRINGCREATEFAILED);
         /*
          * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
          * PKIX_PL_String is complicated enough, it's worth checking, for
          * each, to make sure the string is needed.
          */
         initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
         initialExplicitPolicy = state->initialExplicitPolicy;
         initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
         initialIsAnyPolicy = state->initialIsAnyPolicy;
         policyQualifiersRejected = state->policyQualifiersRejected;
         certPoliciesCritical = state->certPoliciesCritical;
         if (initialPolicyMappingInhibit || initialExplicitPolicy ||
             initialAnyPolicyInhibit || initialIsAnyPolicy ||
             policyQualifiersRejected || certPoliciesCritical) {
                 PKIX_CHECK(PKIX_PL_String_Create
                         (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
                         PKIX_STRINGCREATEFAILED);
         }
         if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
             !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
             !policyQualifiersRejected || !certPoliciesCritical) {
                 PKIX_CHECK(PKIX_PL_String_Create
                         (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
                         PKIX_STRINGCREATEFAILED);
         }
         if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
                 PKIX_CHECK(PKIX_PL_String_Create
                         (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
                         PKIX_STRINGCREATEFAILED);
         }
         PKIX_TOSTRING
                 (state->certPoliciesExtension, &policiesExtOIDString, plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING
                 (state->policyMappingsExtension,
                 &policyMapOIDString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING
                 (state->policyConstraintsExtension,
                 &policyConstrOIDString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING
                 (state->inhibitAnyPolicyExtension,
                 &inhAnyPolOIDString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING
                 (state->userInitialPolicySet,
                 &userInitialPolicySetString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_TOSTRING
                 (state->mappedUserInitialPolicySet,
                 &mappedUserPolicySetString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         if (state->anyPolicyNodeAtBottom) {
                 PKIX_CHECK(pkix_SinglePolicyNode_ToString
                         (state->anyPolicyNodeAtBottom,
                         &anyAtBottomString,
                         plContext),
                         PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
         } else {
                 PKIX_INCREF(nullString);
                 anyAtBottomString = nullString;
         }
         if (state->newAnyPolicyNode) {
                 PKIX_CHECK(pkix_SinglePolicyNode_ToString
                         (state->newAnyPolicyNode,
                         &newAnyPolicyString,
                         plContext),
                         PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
         } else {
                 PKIX_INCREF(nullString);
                 newAnyPolicyString = nullString;
         }
         PKIX_TOSTRING
                 (state->mappedPolicyOIDs,
                 &mappedPolicyOIDsString,
                 plContext,
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_CHECK(PKIX_PL_Sprintf
                 (&resultString,
                 plContext,
                 formatString,
                 policiesExtOIDString,
                 policyMapOIDString,
                 policyConstrOIDString,
                 inhAnyPolOIDString,
                 anyPolicyOIDString,
                 initialIsAnyPolicy?trueString:falseString,
                 validPolicyTreeString,
                 userInitialPolicySetString,
                 mappedUserPolicySetString,
                 policyQualifiersRejected?trueString:falseString,
                 initialPolicyMappingInhibit?trueString:falseString,
                 initialExplicitPolicy?trueString:falseString,
                 initialAnyPolicyInhibit?trueString:falseString,
                 state->explicitPolicy,
                 state->inhibitAnyPolicy,
                 state->policyMapping,
                 state->numCerts,
                 state->certsProcessed,
                 anyAtBottomString,
                 newAnyPolicyString,
                 certPoliciesCritical?trueString:falseString,
                 mappedPolicyOIDsString),
                 PKIX_SPRINTFFAILED);
         *pCheckerStateString = resultString;
 cleanup:
         PKIX_DECREF(policiesExtOIDString);
         PKIX_DECREF(policyMapOIDString);
         PKIX_DECREF(policyConstrOIDString);
         PKIX_DECREF(inhAnyPolOIDString);
         PKIX_DECREF(anyPolicyOIDString);
         PKIX_DECREF(validPolicyTreeString);
         PKIX_DECREF(userInitialPolicySetString);
         PKIX_DECREF(mappedUserPolicySetString);
         PKIX_DECREF(anyAtBottomString);
         PKIX_DECREF(newAnyPolicyString);
         PKIX_DECREF(mappedPolicyOIDsString);
         PKIX_DECREF(formatString);
         PKIX_DECREF(trueString);
         PKIX_DECREF(falseString);
         PKIX_DECREF(nullString);
         PKIX_RETURN(CERTPOLICYCHECKERSTATE);
 }
 /*
  * FUNCTION: pkix_PolicyCheckerState_RegisterSelf
  * DESCRIPTION:
  *
  *  Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
  *      with systemClasses[]
  *
  * PARAMETERS:
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe - for performance and complexity reasons
  *
  *  Since this function is only called by PKIX_PL_Initialize, which should
  *  only be called once, it is acceptable that this function is not
  *  thread-safe.
  */
 PKIX_Error *
 pkix_PolicyCheckerState_RegisterSelf(void *plContext)
 {
         extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
         pkix_ClassTable_Entry entry;
         PKIX_ENTER
                 (CERTPOLICYCHECKERSTATE,
                 "pkix_PolicyCheckerState_RegisterSelf");
         entry.description = "PolicyCheckerState";
         entry.objCounter = 0;
         entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
         entry.destructor = pkix_PolicyCheckerState_Destroy;
         entry.equalsFunction = NULL;
         entry.hashcodeFunction = NULL;
         entry.toStringFunction = pkix_PolicyCheckerState_ToString;
         entry.comparator = NULL;
         entry.duplicateFunction = NULL;
         systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
         PKIX_RETURN(CERTPOLICYCHECKERSTATE);
 }
 /*
  * FUNCTION:pkix_PolicyCheckerState_Create
  * DESCRIPTION:
  *
  *  Creates a PolicyCheckerState Object, using the List pointed to
  *  by "initialPolicies" for the user-initial-policy-set, the Boolean value
  *  of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
  *  the Boolean value of "initialPolicyMappingInhibit" for the
  *  inhibitPolicyMappings parameter, the Boolean value of
  *  "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
  *  Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
  *  parameter, and the UInt32 value of "numCerts" as the number of
  *  certificates in the chain; and stores the Object at "pCheckerState".
  *
  * PARAMETERS:
  *  "initialPolicies"
  *      Address of List of OIDs comprising the user-initial-policy-set; the List
  *      may be empty, but must be non-NULL
  *  "policyQualifiersRejected"
  *      Boolean value of the policyQualifiersRejected parameter
  *  "initialPolicyMappingInhibit"
  *      Boolean value of the inhibitPolicyMappings parameter
  *  "initialExplicitPolicy"
  *      Boolean value of the initialExplicitPolicy parameter
  *  "initialAnyPolicyInhibit"
  *      Boolean value of the inhibitAnyPolicy parameter
  *  "numCerts"
  *      Number of certificates in the chain to be validated
  *  "pCheckerState"
  *      Address where PolicyCheckerState will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertPolicyCheckerState Error if the functions fails in a
  *      non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyCheckerState_Create(
         PKIX_List *initialPolicies,
         PKIX_Boolean policyQualifiersRejected,
         PKIX_Boolean initialPolicyMappingInhibit,
         PKIX_Boolean initialExplicitPolicy,
         PKIX_Boolean initialAnyPolicyInhibit,
         PKIX_UInt32 numCerts,
         PKIX_PolicyCheckerState **pCheckerState,
         void *plContext)
 {
         PKIX_PolicyCheckerState *checkerState = NULL;
         PKIX_PolicyNode *policyNode = NULL;
         PKIX_List *anyPolicyList = NULL;
         PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE;
         PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
         PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
         PKIX_CHECK(PKIX_PL_Object_Alloc
                 (PKIX_CERTPOLICYCHECKERSTATE_TYPE,
                 sizeof (PKIX_PolicyCheckerState),
                 (PKIX_PL_Object **)&checkerState,
                 plContext),
                 PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
         /* Create constant PKIX_PL_OIDs: */
         PKIX_CHECK(PKIX_PL_OID_Create
                 (PKIX_CERTIFICATEPOLICIES_OID,
                 &(checkerState->certPoliciesExtension),
                 plContext),
                 PKIX_OIDCREATEFAILED);
         PKIX_CHECK(PKIX_PL_OID_Create
                 (PKIX_POLICYMAPPINGS_OID,
                 &(checkerState->policyMappingsExtension),
                 plContext),
                 PKIX_OIDCREATEFAILED);
         PKIX_CHECK(PKIX_PL_OID_Create
                 (PKIX_POLICYCONSTRAINTS_OID,
                 &(checkerState->policyConstraintsExtension),
                 plContext),
                 PKIX_OIDCREATEFAILED);
         PKIX_CHECK(PKIX_PL_OID_Create
                 (PKIX_INHIBITANYPOLICY_OID,
                 &(checkerState->inhibitAnyPolicyExtension),
                 plContext),
                 PKIX_OIDCREATEFAILED);
         PKIX_CHECK(PKIX_PL_OID_Create
                 (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
                 &(checkerState->anyPolicyOID),
                 plContext),
                 PKIX_OIDCREATEFAILED);
         /* Create an initial policy set from argument supplied */
         PKIX_INCREF(initialPolicies);
         checkerState->userInitialPolicySet = initialPolicies;
         PKIX_INCREF(initialPolicies);
         checkerState->mappedUserInitialPolicySet = initialPolicies;
         PKIX_CHECK(PKIX_List_IsEmpty
                 (initialPolicies,
                 &initialPoliciesIsEmpty,
                 plContext),
                 PKIX_LISTISEMPTYFAILED);
         if (initialPoliciesIsEmpty) {
                 checkerState->initialIsAnyPolicy = PKIX_TRUE;
         } else {
                 PKIX_CHECK(pkix_List_Contains
                         (initialPolicies,
                         (PKIX_PL_Object *)(checkerState->anyPolicyOID),
                         &(checkerState->initialIsAnyPolicy),
                         plContext),
                         PKIX_LISTCONTAINSFAILED);
         }
         checkerState->policyQualifiersRejected =
                 policyQualifiersRejected;
         checkerState->initialExplicitPolicy = initialExplicitPolicy;
         checkerState->explicitPolicy =
                 (initialExplicitPolicy? 0: numCerts + 1);
         checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
         checkerState->inhibitAnyPolicy =
                 (initialAnyPolicyInhibit? 0: numCerts + 1);
         checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
         checkerState->policyMapping =
                 (initialPolicyMappingInhibit? 0: numCerts + 1);
                 ;
         checkerState->numCerts = numCerts;
         checkerState->certsProcessed = 0;
         checkerState->certPoliciesCritical = PKIX_FALSE;
         /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
         PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
                 ((PKIX_PL_Object *)(checkerState->anyPolicyOID),
                 PKIX_TRUE,
                 &anyPolicyList,
                 plContext),
                 PKIX_POLICYCHECKERMAKESINGLETONFAILED);
         PKIX_CHECK(pkix_PolicyNode_Create
                 (checkerState->anyPolicyOID,    /* validPolicy */
                 NULL,                           /* qualifier set */
                 PKIX_FALSE,                     /* criticality */
                 anyPolicyList,                  /* expectedPolicySet */
                 &policyNode,
                 plContext),
                 PKIX_POLICYNODECREATEFAILED);
         checkerState->validPolicyTree = policyNode;
         /*
          * Since the initial validPolicyTree specifies
          * ANY_POLICY, begin with a pointer to the root node.
          */
         PKIX_INCREF(policyNode);
         checkerState->anyPolicyNodeAtBottom = policyNode;
         checkerState->newAnyPolicyNode = NULL;
         checkerState->mappedPolicyOIDs = NULL;
         *pCheckerState = checkerState;
         checkerState = NULL;
 cleanup:
         PKIX_DECREF(checkerState);
         PKIX_DECREF(anyPolicyList);
         PKIX_RETURN(CERTPOLICYCHECKERSTATE);
 }
 /* --Private-PolicyChecker-Functions--------------------------------------- */
 /*
  * FUNCTION: pkix_PolicyChecker_MapContains
  * DESCRIPTION:
  *
  *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
  *  determine whether the OID pointed to by "policy" is among the
  *  issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
  *  stores the result in "pFound".
  *
  *  This function is intended to allow an efficient check that the proscription
  *  against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
  *  not violated.
  *
  * PARAMETERS:
  *  "certPolicyMaps"
  *      Address of List of CertPolicyMaps to be searched. May be empty, but
  *      must be non-NULL
  *  "policy"
  *      Address of OID to be checked for. Must be non-NULL
  *  "pFound"
  *      Address where the result of the search will be stored. Must be non-NULL.
  *  "plContext"
  *      platform-specific context pointer
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 PKIX_Error *
 pkix_PolicyChecker_MapContains(
         PKIX_List *certPolicyMaps,
         PKIX_PL_OID *policy,
         PKIX_Boolean *pFound,
         void *plContext)
 {
         PKIX_PL_CertPolicyMap *map = NULL;
         PKIX_UInt32 numEntries = 0;
         PKIX_UInt32 index = 0;
         PKIX_Boolean match = PKIX_FALSE;
         PKIX_PL_OID *issuerDomainPolicy = NULL;
         PKIX_PL_OID *subjectDomainPolicy = NULL;
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
         PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
         PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
                 PKIX_LISTGETLENGTHFAILED);
         for (index = 0; (!match) && (index < numEntries); index++) {
                 PKIX_CHECK(PKIX_List_GetItem
                     (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
                     PKIX_LISTGETITEMFAILED);
                 PKIX_NULLCHECK_ONE(map);
                 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
                         (map, &issuerDomainPolicy, plContext),
                         PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
                 PKIX_EQUALS
                         (policy, issuerDomainPolicy, &match, plContext,
                         PKIX_OBJECTEQUALSFAILED);
                 if (!match) {
                         PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
                                 (map, &subjectDomainPolicy, plContext),
                                 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
                         PKIX_EQUALS
                                 (policy, subjectDomainPolicy, &match, plContext,
                                 PKIX_OBJECTEQUALSFAILED);
                 }
                 PKIX_DECREF(map);
                 PKIX_DECREF(issuerDomainPolicy);
                 PKIX_DECREF(subjectDomainPolicy);
         }
         *pFound = match;
 cleanup:
         PKIX_DECREF(map);
         PKIX_DECREF(issuerDomainPolicy);
         PKIX_DECREF(subjectDomainPolicy);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
  * DESCRIPTION:
  *
  *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
  *  a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
  *  policy pointed to by "policy", and stores the result in
  *  "pSubjectDomainPolicies".
  *
  *  If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
  *  resulting List will be NULL. If there are CertPolicyMaps, but none that
  *  include "policy" as an IssuerDomainPolicy, the returned List pointer will
  *  be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
  *  of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
  *  List is returned it will be immutable.
  *
  * PARAMETERS:
  *  "certPolicyMaps"
  *      Address of List of CertPolicyMaps to be searched. May be empty or NULL.
  *  "policy"
  *      Address of OID to be checked for. Must be non-NULL
  *  "pSubjectDomainPolicies"
  *      Address where the result of the search will be stored. Must be non-NULL.
  *  "plContext"
  *      platform-specific context pointer
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 PKIX_Error *
 pkix_PolicyChecker_MapGetSubjectDomainPolicies(
         PKIX_List *certPolicyMaps,
         PKIX_PL_OID *policy,
         PKIX_List **pSubjectDomainPolicies,
         void *plContext)
 {
         PKIX_PL_CertPolicyMap *map = NULL;
         PKIX_List *subjectList = NULL;
         PKIX_UInt32 numEntries = 0;
         PKIX_UInt32 index = 0;
         PKIX_Boolean match = PKIX_FALSE;
         PKIX_PL_OID *issuerDomainPolicy = NULL;
         PKIX_PL_OID *subjectDomainPolicy = NULL;
         PKIX_ENTER
                 (CERTCHAINCHECKER,
                 "pkix_PolicyChecker_MapGetSubjectDomainPolicies");
         PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
         if (certPolicyMaps) {
                 PKIX_CHECK(PKIX_List_GetLength
                     (certPolicyMaps,
                     &numEntries,
                     plContext),
                     PKIX_LISTGETLENGTHFAILED);
         }
         for (index = 0; index < numEntries; index++) {
                 PKIX_CHECK(PKIX_List_GetItem
                     (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
                     PKIX_LISTGETITEMFAILED);
                 PKIX_NULLCHECK_ONE(map);
                 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
                         (map, &issuerDomainPolicy, plContext),
                         PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
                 PKIX_EQUALS
                     (policy, issuerDomainPolicy, &match, plContext,
                     PKIX_OBJECTEQUALSFAILED);
                 if (match) {
                     if (!subjectList) {
                         PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
                                 PKIX_LISTCREATEFAILED);
                     }
                     PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
                         (map, &subjectDomainPolicy, plContext),
                         PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
                     PKIX_CHECK(PKIX_List_AppendItem
                         (subjectList,
                         (PKIX_PL_Object *)subjectDomainPolicy,
                         plContext),
                         PKIX_LISTAPPENDITEMFAILED);
                 }
                 PKIX_DECREF(map);
                 PKIX_DECREF(issuerDomainPolicy);
                 PKIX_DECREF(subjectDomainPolicy);
         }
         if (subjectList) {
                 PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
                         PKIX_LISTSETIMMUTABLEFAILED);
         }
         *pSubjectDomainPolicies = subjectList;
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(subjectList);
         }
         PKIX_DECREF(map);
         PKIX_DECREF(issuerDomainPolicy);
         PKIX_DECREF(subjectDomainPolicy);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
  * DESCRIPTION:
  *
  *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
  *  List of all IssuerDomainPolicies, and stores the result in
  * "pMappedPolicies".
  *
  *  The caller may not rely on the IssuerDomainPolicies to be in any particular
  *  order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
  *  only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
  *  result will be an empty List. The created List is mutable.
  *
  * PARAMETERS:
  *  "certPolicyMaps"
  *      Address of List of CertPolicyMaps to be searched. May be empty, but
  *      must be non-NULL.
  *  "pMappedPolicies"
  *      Address where the result will be stored. Must be non-NULL.
  *  "plContext"
  *      platform-specific context pointer
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 PKIX_Error *
 pkix_PolicyChecker_MapGetMappedPolicies(
         PKIX_List *certPolicyMaps,
         PKIX_List **pMappedPolicies,
         void *plContext)
 {
         PKIX_PL_CertPolicyMap *map = NULL;
         PKIX_List *mappedList = NULL;
         PKIX_UInt32 numEntries = 0;
         PKIX_UInt32 index = 0;
         PKIX_Boolean isContained = PKIX_FALSE;
         PKIX_PL_OID *issuerDomainPolicy = NULL;
         PKIX_ENTER
                 (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
         PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
         PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
                 PKIX_LISTCREATEFAILED);
         PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
                 PKIX_LISTGETLENGTHFAILED);
         for (index = 0; index < numEntries; index++) {
                 PKIX_CHECK(PKIX_List_GetItem
                     (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
                     PKIX_LISTGETITEMFAILED);
                 PKIX_NULLCHECK_ONE(map);
                 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
                         (map, &issuerDomainPolicy, plContext),
                         PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
                 PKIX_CHECK(pkix_List_Contains
                         (mappedList,
                         (PKIX_PL_Object *)issuerDomainPolicy,
                         &isContained,
                         plContext),
                         PKIX_LISTCONTAINSFAILED);
                 if (isContained == PKIX_FALSE) {
                         PKIX_CHECK(PKIX_List_AppendItem
                                 (mappedList,
                                 (PKIX_PL_Object *)issuerDomainPolicy,
                                 plContext),
                                 PKIX_LISTAPPENDITEMFAILED);
                 }
                 PKIX_DECREF(map);
                 PKIX_DECREF(issuerDomainPolicy);
         }
         *pMappedPolicies = mappedList;
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(mappedList);
         }
         PKIX_DECREF(map);
         PKIX_DECREF(issuerDomainPolicy);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_MakeMutableCopy
  * DESCRIPTION:
  *
  *  Creates a mutable copy of the List pointed to by "list", which may or may
  *  not be immutable, and stores the address at "pMutableCopy".
  *
  * PARAMETERS:
  *  "list"
  *      Address of List to be copied. Must be non-NULL.
  *  "pMutableCopy"
  *      Address where mutable copy will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_MakeMutableCopy(
         PKIX_List *list,
         PKIX_List **pMutableCopy,
         void *plContext)
 {
         PKIX_List *newList = NULL;
         PKIX_UInt32 listLen = 0;
         PKIX_UInt32 listIx = 0;
         PKIX_PL_Object *object = NULL;
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
         PKIX_NULLCHECK_TWO(list, pMutableCopy);
         PKIX_CHECK(PKIX_List_Create(&newList, plContext),
                 PKIX_LISTCREATEFAILED);
         PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
                 PKIX_LISTGETLENGTHFAILED);
         for (listIx = 0; listIx < listLen; listIx++) {
                 PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
                         PKIX_LISTGETITEMFAILED);
                 PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
                         PKIX_LISTAPPENDITEMFAILED);
                 PKIX_DECREF(object);
         }
         *pMutableCopy = newList;
         newList = NULL;
 cleanup:
         PKIX_DECREF(newList);
         PKIX_DECREF(object);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_MakeSingleton
  * DESCRIPTION:
  *
  *  Creates a new List containing the Object pointed to by "listItem", using
  *  the Boolean value of "immutability" to determine whether to set the List
  *  immutable, and stores the address at "pList".
  *
  * PARAMETERS:
  *  "listItem"
  *      Address of Object to be inserted into the new List. Must be non-NULL.
  *  "immutability"
  *      Boolean value indicating whether new List is to be immutable
  *  "pList"
  *      Address where List will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_MakeSingleton(
         PKIX_PL_Object *listItem,
         PKIX_Boolean immutability,
         PKIX_List **pList,
         void *plContext)
 {
         PKIX_List *newList = NULL;
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
         PKIX_NULLCHECK_TWO(listItem, pList);
         PKIX_CHECK(PKIX_List_Create(&newList, plContext),
                 PKIX_LISTCREATEFAILED);
         PKIX_CHECK(PKIX_List_AppendItem
                 (newList, (PKIX_PL_Object *)listItem, plContext),
                 PKIX_LISTAPPENDITEMFAILED);
         if (immutability) {
                 PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
                         PKIX_LISTSETIMMUTABLEFAILED);
         }
         *pList = newList;
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(newList);
         }
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_Spawn
  * DESCRIPTION:
  *
  *  Creates a new childNode for the parent pointed to by "parent", using
  *  the OID pointed to by "policyOID", the List of CertPolicyQualifiers
  *  pointed to by "qualifiers", the List of OIDs pointed to by
  *  "subjectDomainPolicies", and the PolicyCheckerState pointed to by
  *  "state". The new node will be added to "parent".
  *
  *  The validPolicy of the new node is set from the OID pointed to by
  *  "policyOID". The policy qualifiers for the new node is set from the
  *  List of qualifiers pointed to by "qualifiers", and may be NULL or
  *  empty if the argument provided was NULL or empty. The criticality is
  *  set according to the criticality obtained from the PolicyCheckerState.
  *  If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
  *  child is set to contain the same policy as the validPolicy. If
  *  "subjectDomainPolicies" is not NULL, it is used as the value for
  *  the expectedPolicySet.
  *
  *  The PolicyCheckerState also contains a constant, anyPolicy, which is
  *  compared to "policyOID". If they match, the address of the childNode
  * is saved in the state's newAnyPolicyNode.
  *
  * PARAMETERS:
  *  "parent"
  *      Address of PolicyNode to which the child will be linked. Must be
  *      non-NULL.
  *  "policyOID"
  *      Address of OID of the new child's validPolicy and also, if
  *      subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
  *      Must be non-NULL.
  *  "qualifiers"
  *      Address of List of CertPolicyQualifiers. May be NULL or empty.
  *  "subjectDomainPolicies"
  *      Address of List of OIDs indicating the policies to which "policy" is
  *      mapped. May be empty or NULL.
  *  "state"
  *      Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_Spawn(
         PKIX_PolicyNode *parent,
         PKIX_PL_OID *policyOID,
         PKIX_List *qualifiers,  /* CertPolicyQualifiers */
         PKIX_List *subjectDomainPolicies,
         PKIX_PolicyCheckerState *state,
         void *plContext)
 {
         PKIX_List *expectedSet = NULL; /* OIDs */
         PKIX_PolicyNode *childNode = NULL;
         PKIX_Boolean match = PKIX_FALSE;
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
         PKIX_NULLCHECK_THREE(policyOID, parent, state);
         if (subjectDomainPolicies) {
                 PKIX_INCREF(subjectDomainPolicies);
                 expectedSet = subjectDomainPolicies;
         } else {
                 /* Create the child's ExpectedPolicy Set */
                 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
                         ((PKIX_PL_Object *)policyOID,
                         PKIX_TRUE,      /* make expectedPolicySet immutable */
                         &expectedSet,
                         plContext),
                         PKIX_POLICYCHECKERMAKESINGLETONFAILED);
         }
         PKIX_CHECK(pkix_PolicyNode_Create
                 (policyOID,
                 qualifiers,
                 state->certPoliciesCritical,
                 expectedSet,
                 &childNode,
                 plContext),
                 PKIX_POLICYNODECREATEFAILED);
         /*
          * If we had a non-empty mapping, we know the new node could not
          * have been created with a validPolicy of anyPolicy. Otherwise,
          * check whether we just created a new node with anyPolicy, because
          * in that case we want to save the child pointer in newAnyPolicyNode.
          */
         if (!subjectDomainPolicies) {
                 PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
                         PKIX_OBJECTEQUALSFAILED);
                 if (match) {
                         PKIX_DECREF(state->newAnyPolicyNode);
                         PKIX_INCREF(childNode);
                         state->newAnyPolicyNode = childNode;
                 }
         }
         PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
                 PKIX_POLICYNODEADDTOPARENTFAILED);
         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                 ((PKIX_PL_Object *)state, plContext),
                 PKIX_OBJECTINVALIDATECACHEFAILED);
 cleanup:
         PKIX_DECREF(childNode);
         PKIX_DECREF(expectedSet);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
  * DESCRIPTION:
  *
  *  Performs policy processing for the policy whose OID is pointed to by
  *  "policyOID" and whose List of CertPolicyQualifiers is pointed to by
  *  "policyQualifiers", using the List of policy OIDs pointed to by
  *  "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
  *  in accordance with the current PolicyCheckerState pointed to by "state",
  *  and setting "pChildNodeCreated" to TRUE if a new childNode is created.
  *  Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
  *  The intent of the design is that the caller can set a variable to FALSE
  *  initially, prior to a recursive set of calls. At the end, the variable
  *  can be tested to see whether *any* of the calls created a child node.
  *
  *  If the currentNode is not at the bottom of the tree, this function
  *  calls itself recursively for each child of currentNode. At the bottom of
  *  the tree, it creates new child nodes as appropriate. This function will
  *  never be called with policy = anyPolicy.
  *
  *  This function implements the processing described in RFC3280
  *  Section 6.1.3(d)(1)(i).
  *
  * PARAMETERS:
  *  "policyOID"
  *      Address of OID of the policy to be checked for. Must be non-NULL.
  *  "policyQualifiers"
  *      Address of List of CertPolicyQualifiers of the policy to be checked for.
  *      May be empty or NULL.
  *  "subjectDomainPolicies"
  *      Address of List of OIDs indicating the policies to which "policy" is
  *      mapped. May be empty or NULL.
  *  "currentNode"
  *      Address of PolicyNode whose descendants will be checked, if not at the
  *      bottom of the tree; or whose expectedPolicySet will be compared to
  *      "policy", if at the bottom. Must be non-NULL.
  *  "state"
  *      Address of PolicyCheckerState of the current PolicyChecker. Must be
  *      non-NULL.
  *  "pChildNodeCreated"
  *      Address of the Boolean that will be set TRUE if this function
  *      creates a child node. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_CheckPolicyRecursive(
         PKIX_PL_OID *policyOID,
         PKIX_List *policyQualifiers,
         PKIX_List *subjectDomainPolicies,
         PKIX_PolicyNode *currentNode,
         PKIX_PolicyCheckerState *state,
         PKIX_Boolean *pChildNodeCreated,
         void *plContext)
 {
         PKIX_UInt32 depth = 0;
         PKIX_UInt32 numChildren = 0;
         PKIX_UInt32 childIx = 0;
         PKIX_Boolean isIncluded = PKIX_FALSE;
         PKIX_List *children = NULL;     /* PolicyNodes */
         PKIX_PolicyNode *childNode = NULL;
         PKIX_List *expectedPolicies = NULL; /* OIDs */
         PKIX_ENTER
                 (CERTCHAINCHECKER,
                 "pkix_PolicyChecker_CheckPolicyRecursive");
         PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
         /* if not at the bottom of the tree */
         PKIX_CHECK(PKIX_PolicyNode_GetDepth
                 (currentNode, &depth, plContext),
                 PKIX_POLICYNODEGETDEPTHFAILED);
         if (depth < (state->certsProcessed)) {
                 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
                         (currentNode, &children, plContext),
                         PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
                 if (children) {
                         PKIX_CHECK(PKIX_List_GetLength
                                 (children, &numChildren, plContext),
                                 PKIX_LISTGETLENGTHFAILED);
                 }
                 for (childIx = 0; childIx < numChildren; childIx++) {
                         PKIX_CHECK(PKIX_List_GetItem
                             (children,
                             childIx,
                             (PKIX_PL_Object **)&childNode,
                             plContext),
                             PKIX_LISTGETITEMFAILED);
                         PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
                             (policyOID,
                             policyQualifiers,
                             subjectDomainPolicies,
                             childNode,
                             state,
                             pChildNodeCreated,
                             plContext),
                             PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
                         PKIX_DECREF(childNode);
                 }
         } else { /* if at the bottom of the tree */
                 /* Check whether policy is in this node's expectedPolicySet */
                 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
                         (currentNode, &expectedPolicies, plContext),
                         PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
                 PKIX_NULLCHECK_ONE(expectedPolicies);
                 PKIX_CHECK(pkix_List_Contains
                         (expectedPolicies,
                         (PKIX_PL_Object *)policyOID,
                         &isIncluded,
                         plContext),
                         PKIX_LISTCONTAINSFAILED);
                 if (isIncluded) {
                         PKIX_CHECK(pkix_PolicyChecker_Spawn
                                 (currentNode,
                                 policyOID,
                                 policyQualifiers,
                                 subjectDomainPolicies,
                                 state,
                                 plContext),
                                 PKIX_POLICYCHECKERSPAWNFAILED);
                         *pChildNodeCreated = PKIX_TRUE;
                 }
         }
 cleanup:
         PKIX_DECREF(children);
         PKIX_DECREF(childNode);
         PKIX_DECREF(expectedPolicies);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_CheckPolicy
  * DESCRIPTION:
  *
  *  Performs the non-recursive portion of the policy processing for the policy
  *  whose OID is pointed to by "policyOID" and whose List of
  *  CertPolicyQualifiers is pointed to by "policyQualifiers", for the
  *  Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
  *  to by "maps", in accordance with the current PolicyCheckerState pointed
  *  to by "state".
  *
  *  This function implements the processing described in RFC3280
  *  Section 6.1.3(d)(1)(i).
  *
  * PARAMETERS:
  *  "policyOID"
  *      Address of OID of the policy to be checked for. Must be non-NULL.
  *  "policyQualifiers"
  *      Address of List of CertPolicyQualifiers of the policy to be checked for.
  *      May be empty or NULL.
  *  "cert"
  *      Address of the current certificate. Must be non-NULL.
  *  "maps"
  *      Address of List of CertPolicyMaps for the current certificate
  *  "state"
  *      Address of PolicyCheckerState of the current PolicyChecker. Must be
  *      non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_CheckPolicy(
         PKIX_PL_OID *policyOID,
         PKIX_List *policyQualifiers,
         PKIX_PL_Cert *cert,
         PKIX_List *maps,
         PKIX_PolicyCheckerState *state,
         void *plContext)
 {
         PKIX_Boolean childNodeCreated = PKIX_FALSE;
         PKIX_Boolean okToSpawn = PKIX_FALSE;
         PKIX_Boolean found = PKIX_FALSE;
         PKIX_List *subjectDomainPolicies = NULL;
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
         PKIX_NULLCHECK_THREE(policyOID, cert, state);
         /*
          * If this is not the last certificate, get the set of
          * subjectDomainPolicies that "policy" maps to, according to the
          * current cert's policy mapping extension. That set will be NULL
          * if the current cert does not have a policy mapping extension,
          * or if the current policy is not mapped.
          */
         if (state->certsProcessed != (state->numCerts - 1)) {
             PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
                 (maps, policyOID, &subjectDomainPolicies, plContext),
                 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
         }
         /*
          * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
          * will have to delete any nodes created with validPolicies equal to
          * policies that appear as issuerDomainPolicies in a policy mapping
          * extension. Let's avoid creating any such nodes.
          */
         if ((state->policyMapping) == 0) {
                 if (subjectDomainPolicies) {
                         goto cleanup;
                 }
         }
         PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
                 (policyOID,
                 policyQualifiers,
                 subjectDomainPolicies,
                 state->validPolicyTree,
                 state,
                 &childNodeCreated,
                 plContext),
                 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
         if (!childNodeCreated) {
                 /*
                  * Section 6.1.3(d)(1)(ii)
                  * There was no match. If there was a node at
                  * depth i-1 with valid policy anyPolicy,
                  * generate a node subordinate to that.
                  *
                  * But that means this created node would be in
                  * the valid-policy-node-set, and will be
                  * pruned in 6.1.5(g)(iii)(2) unless it is in
                  * the user-initial-policy-set or the user-
                  * initial-policy-set is {anyPolicy}. So check,
                  * and don't create it if it will be pruned.
                  */
                 if (state->anyPolicyNodeAtBottom) {
                         if (state->initialIsAnyPolicy) {
                                 okToSpawn = PKIX_TRUE;
                         } else {
                                 PKIX_CHECK(pkix_List_Contains
                                         (state->mappedUserInitialPolicySet,
                                         (PKIX_PL_Object *)policyOID,
                                         &okToSpawn,
                                         plContext),
                                         PKIX_LISTCONTAINSFAILED);
                         }
                         if (okToSpawn) {
                                 PKIX_CHECK(pkix_PolicyChecker_Spawn
                                         (state->anyPolicyNodeAtBottom,
                                         policyOID,
                                         policyQualifiers,
                                         subjectDomainPolicies,
                                         state,
                                         plContext),
                                         PKIX_POLICYCHECKERSPAWNFAILED);
                                 childNodeCreated = PKIX_TRUE;
                         }
                 }
         }
         if (childNodeCreated) {
                 /*
                  * If this policy had qualifiers, and the certificate policies
                  * extension was marked critical, and the user cannot deal with
                  * policy qualifiers, throw an error.
                  */
                 if (policyQualifiers &&
                     state->certPoliciesCritical &&
                     state->policyQualifiersRejected) {
                     PKIX_ERROR
                         (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
                 }
                 /*
                  * If the policy we just propagated was in the list of mapped
                  * policies, remove it from the list. That list is used, at the
                  * end, to determine policies that have not been propagated.
                  */
                 if (state->mappedPolicyOIDs) {
                         PKIX_CHECK(pkix_List_Contains
                                 (state->mappedPolicyOIDs,
                                 (PKIX_PL_Object *)policyOID,
                                 &found,
                                 plContext),
                                 PKIX_LISTCONTAINSFAILED);
                         if (found) {
                                 PKIX_CHECK(pkix_List_Remove
                                         (state->mappedPolicyOIDs,
                                         (PKIX_PL_Object *)policyOID,
                                         plContext),
                                         PKIX_LISTREMOVEFAILED);
                         }
                 }
         }
 cleanup:
         PKIX_DECREF(subjectDomainPolicies);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_CheckAny
  * DESCRIPTION:
  *  Performs the creation of PolicyNodes, for the PolicyNode pointed to by
  *  "currentNode" and PolicyNodes subordinate to it, using the List of
  *  qualifiers pointed to by "qualsOfAny", in accordance with the current
  *  certificate's PolicyMaps pointed to by "policyMaps" and the current
  *  PolicyCheckerState pointed to by "state".
  *
  *  If the currentNode is not just above the bottom of the validPolicyTree, this
  *  function calls itself recursively for each child of currentNode. At the
  *  level just above the bottom, for each policy in the currentNode's
  *  expectedPolicySet not already present in a child node, it creates a new
  *  child node. The validPolicy of the child created, and its expectedPolicySet,
  *  will be the policy from the currentNode's expectedPolicySet. The policy
  *  qualifiers will be the qualifiers from the current certificate's anyPolicy,
  *  the "qualsOfAny" parameter. If the currentNode's expectedSet includes
  *  anyPolicy, a childNode will be created with a policy of anyPolicy. This is
  *  the only way such a node can be created.
  *
  *  This function is called only when anyPolicy is one of the current
  *  certificate's policies. This function implements the processing described
  *  in RFC3280 Section 6.1.3(d)(2).
  *
  * PARAMETERS:
  *  "currentNode"
  *      Address of PolicyNode whose descendants will be checked, if not at the
  *      bottom of the tree; or whose expectedPolicySet will be compared to those
  *      in "alreadyPresent", if at the bottom. Must be non-NULL.
  *  "qualsOfAny"
  *      Address of List of qualifiers of the anyPolicy in the current
  *      certificate. May be empty or NULL.
  *  "policyMaps"
  *      Address of the List of PolicyMaps of the current certificate. May be
  *      empty or NULL.
  *  "state"
  *      Address of the current state of the PKIX_PolicyChecker.
  *      Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_CheckAny(
         PKIX_PolicyNode *currentNode,
         PKIX_List *qualsOfAny,  /* CertPolicyQualifiers */
         PKIX_List *policyMaps,  /* CertPolicyMaps */
         PKIX_PolicyCheckerState *state,
         void *plContext)
 {
         PKIX_UInt32 depth = 0;
         PKIX_UInt32 numChildren = 0;
         PKIX_UInt32 childIx = 0;
         PKIX_UInt32 numPolicies = 0;
         PKIX_UInt32 polx = 0;
         PKIX_Boolean isIncluded = PKIX_FALSE;
         PKIX_List *children = NULL;     /* PolicyNodes */
         PKIX_PolicyNode *childNode = NULL;
         PKIX_List *expectedPolicies = NULL; /* OIDs */
         PKIX_PL_OID *policyOID = NULL;
         PKIX_PL_OID *childPolicy = NULL;
         PKIX_List *subjectDomainPolicies = NULL;  /* OIDs */
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
         PKIX_NULLCHECK_TWO(currentNode, state);
         PKIX_CHECK(PKIX_PolicyNode_GetDepth
                 (currentNode, &depth, plContext),
                 PKIX_POLICYNODEGETDEPTHFAILED);
         PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
                 (currentNode, &children, plContext),
                 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
         if (children) {
                 PKIX_CHECK(PKIX_List_GetLength
                         (children, &numChildren, plContext),
                         PKIX_LISTGETLENGTHFAILED);
         }
         if (depth < (state->certsProcessed)) {
                 for (childIx = 0; childIx < numChildren; childIx++) {
                         PKIX_CHECK(PKIX_List_GetItem
                                 (children,
                                 childIx,
                                 (PKIX_PL_Object **)&childNode,
                                 plContext),
                                 PKIX_LISTGETITEMFAILED);
                         PKIX_NULLCHECK_ONE(childNode);
                         PKIX_CHECK(pkix_PolicyChecker_CheckAny
                                 (childNode,
                                 qualsOfAny,
                                 policyMaps,
                                 state,
                                 plContext),
                                 PKIX_POLICYCHECKERCHECKANYFAILED);
                         PKIX_DECREF(childNode);
                 }
         } else { /* if at the bottom of the tree */
             PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
                 (currentNode, &expectedPolicies, plContext),
                 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
             /* Expected Policy Set is not allowed to be NULL */
             PKIX_NULLCHECK_ONE(expectedPolicies);
             PKIX_CHECK(PKIX_List_GetLength
                 (expectedPolicies, &numPolicies, plContext),
                 PKIX_LISTGETLENGTHFAILED);
             for (polx = 0; polx < numPolicies; polx++) {
                 PKIX_CHECK(PKIX_List_GetItem
                     (expectedPolicies,
                     polx,
                     (PKIX_PL_Object **)&policyOID,
                     plContext),
                     PKIX_LISTGETITEMFAILED);
                 PKIX_NULLCHECK_ONE(policyOID);
                 isIncluded = PKIX_FALSE;
                 for (childIx = 0;
                     (!isIncluded && (childIx < numChildren));
                     childIx++) {
                     PKIX_CHECK(PKIX_List_GetItem
                         (children,
                         childIx,
                         (PKIX_PL_Object **)&childNode,
                         plContext),
                         PKIX_LISTGETITEMFAILED);
                     PKIX_NULLCHECK_ONE(childNode);
                     PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
                         (childNode, &childPolicy, plContext),
                         PKIX_POLICYNODEGETVALIDPOLICYFAILED);
                     PKIX_NULLCHECK_ONE(childPolicy);
                     PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
                         PKIX_OBJECTEQUALSFAILED);
                     PKIX_DECREF(childNode);
                     PKIX_DECREF(childPolicy);
                 }
                 if (!isIncluded) {
                     if (policyMaps) {
                         PKIX_CHECK
                           (pkix_PolicyChecker_MapGetSubjectDomainPolicies
                           (policyMaps,
                           policyOID,
                           &subjectDomainPolicies,
                           plContext),
                           PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
                     }
                     PKIX_CHECK(pkix_PolicyChecker_Spawn
                         (currentNode,
                         policyOID,
                         qualsOfAny,
                         subjectDomainPolicies,
                         state,
                         plContext),
                         PKIX_POLICYCHECKERSPAWNFAILED);
                     PKIX_DECREF(subjectDomainPolicies);
                 }
                 PKIX_DECREF(policyOID);
             }
         }
 cleanup:
         PKIX_DECREF(children);
         PKIX_DECREF(childNode);
         PKIX_DECREF(expectedPolicies);
         PKIX_DECREF(policyOID);
         PKIX_DECREF(childPolicy);
         PKIX_DECREF(subjectDomainPolicies);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_CalculateIntersection
  * DESCRIPTION:
  *
  *  Processes the PolicyNode pointed to by "currentNode", and its descendants,
  *  using the PolicyCheckerState pointed to by "state", using the List at
  *  the address pointed to by "nominees" the OIDs of policies that are in the
  *  user-initial-policy-set but are not represented among the nodes at the
  *  bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
  *  currentNode is childless at the end of this processing, FALSE if it has
  *  children or is at the bottom of the tree.
  *
  *  When this function is called at the top level, "nominees" should be the List
  *  of all policies in the user-initial-policy-set. Policies that are
  *  represented in the valid-policy-node-set are removed from this List. As a
  *  result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
  *  be created for each policy remaining in this List.
  *
  *  This function implements the calculation of the intersection of the
  *  validPolicyTree with the user-initial-policy-set, as described in
  *  RFC 3280 6.1.5(g)(iii).
  *
  * PARAMETERS:
  *  "currentNode"
  *      Address of PolicyNode whose descendants will be processed as described.
  *      Must be non-NULL.
  *  "state"
  *      Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
  *  "nominees"
  *      Address of List of the OIDs for which nodes should be created to replace
  *      anyPolicy nodes. Must be non-NULL but may be empty.
  *  "pShouldBePruned"
  *      Address where Boolean return value, set to TRUE if this PolicyNode
  *      should be deleted, is stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_CalculateIntersection(
         PKIX_PolicyNode *currentNode,
         PKIX_PolicyCheckerState *state,
         PKIX_List *nominees, /* OIDs */
         PKIX_Boolean *pShouldBePruned,
         void *plContext)
 {
         PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
         PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
         PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
         PKIX_Boolean shouldBePruned = PKIX_FALSE;
         PKIX_Boolean priorCriticality = PKIX_FALSE;
         PKIX_UInt32 depth = 0;
         PKIX_UInt32 numChildren = 0;
         PKIX_UInt32 childIndex = 0;
         PKIX_UInt32 numNominees = 0;
         PKIX_UInt32 polIx = 0;
         PKIX_PL_OID *currentPolicy = NULL;
         PKIX_PL_OID *parentPolicy = NULL;
         PKIX_PL_OID *substPolicy = NULL;
         PKIX_PolicyNode *parent = NULL;
         PKIX_PolicyNode *child = NULL;
         PKIX_List *children = NULL; /* PolicyNodes */
         PKIX_List *policyQualifiers = NULL;
         PKIX_ENTER
                 (CERTCHAINCHECKER,
                 "pkix_PolicyChecker_CalculateIntersection");
         /*
          * We call this function if the valid_policy_tree is not NULL and
          * the user-initial-policy-set is not any-policy.
          */
         if (!state->validPolicyTree || state->initialIsAnyPolicy) {
                 PKIX_ERROR(PKIX_PRECONDITIONFAILED);
         }
         PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
         PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
                 (currentNode, &currentPolicy, plContext),
                 PKIX_POLICYNODEGETVALIDPOLICYFAILED);
         PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
         PKIX_EQUALS
                 (state->anyPolicyOID,
                 currentPolicy,
                 &currentPolicyIsAny,
                 plContext,
                 PKIX_OBJECTEQUALSFAILED);
         PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
                 PKIX_POLICYNODEGETPARENTFAILED);
         if (currentPolicyIsAny == PKIX_FALSE) {
                 /*
                  * If we are at the top of the tree, or if our
                  * parent's validPolicy is anyPolicy, we are in
                  * the valid policy node set.
                  */
                 if (parent) {
                         PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
                                 (parent, &parentPolicy, plContext),
                                 PKIX_POLICYNODEGETVALIDPOLICYFAILED);
                         PKIX_NULLCHECK_ONE(parentPolicy);
                         PKIX_EQUALS
                                 (state->anyPolicyOID,
                                 parentPolicy,
                                 &parentPolicyIsAny,
                                 plContext,
                                 PKIX_OBJECTEQUALSFAILED);
                 }
                 /*
                  * Section 6.1.5(g)(iii)(2)
                  * If this node's policy is not in the user-initial-policy-set,
                  * it is not in the intersection. Prune it.
                  */
                 if (!parent || parentPolicyIsAny) {
                         PKIX_CHECK(pkix_List_Contains
                                 (state->userInitialPolicySet,
                                 (PKIX_PL_Object *)currentPolicy,
                                 &currentPolicyIsValid,
                                 plContext),
                                 PKIX_LISTCONTAINSFAILED);
                         if (!currentPolicyIsValid) {
                                 *pShouldBePruned = PKIX_TRUE;
                                 goto cleanup;
                         }
                         /*
                          * If this node's policy is in the user-initial-policy-
                          * set, it will propagate that policy into the next
                          * level of the tree. Remove the policy from the list
                          * of policies that an anyPolicy will spawn.
                          */
                         PKIX_CHECK(pkix_List_Remove
                                 (nominees,
                                 (PKIX_PL_Object *)currentPolicy,
                                 plContext),
                                 PKIX_LISTREMOVEFAILED);
                 }
         }
         /* Are we at the bottom of the tree? */
         PKIX_CHECK(PKIX_PolicyNode_GetDepth
                 (currentNode, &depth, plContext),
                 PKIX_POLICYNODEGETDEPTHFAILED);
         if (depth == (state->numCerts)) {
                 /*
                  * Section 6.1.5(g)(iii)(3)
                  * Replace anyPolicy nodes...
                  */
                 if (currentPolicyIsAny == PKIX_TRUE) {
                         /* replace this node */
                         PKIX_CHECK(PKIX_List_GetLength
                             (nominees, &numNominees, plContext),
                             PKIX_LISTGETLENGTHFAILED);
                         if (numNominees) {
                             PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
                                 (currentNode,
                                 &policyQualifiers,
                                 plContext),
                                 PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
                             PKIX_CHECK(PKIX_PolicyNode_IsCritical
                                 (currentNode, &priorCriticality, plContext),
                                 PKIX_POLICYNODEISCRITICALFAILED);
                         }
                         PKIX_NULLCHECK_ONE(parent);
                         for (polIx = 0; polIx < numNominees; polIx++) {
                             PKIX_CHECK(PKIX_List_GetItem
                                 (nominees,
                                 polIx,
                                 (PKIX_PL_Object **)&substPolicy,
                                 plContext),
                                 PKIX_LISTGETITEMFAILED);
                             PKIX_CHECK(pkix_PolicyChecker_Spawn
                                 (parent,
                                 substPolicy,
                                 policyQualifiers,
                                 NULL,
                                 state,
                                 plContext),
                                 PKIX_POLICYCHECKERSPAWNFAILED);
                             PKIX_DECREF(substPolicy);
                         }
                         /* remove currentNode from parent */
                         *pShouldBePruned = PKIX_TRUE;
                         /*
                          * We can get away with augmenting the parent's List
                          * of children because we started at the end and went
                          * toward the beginning. New nodes are added at the end.
                          */
                 }
         } else {
                 /*
                  * Section 6.1.5(g)(iii)(4)
                  * Prune any childless nodes above the bottom level
                  */
                 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
                         (currentNode, &children, plContext),
                         PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
                 /* CurrentNode should have been pruned if childless. */
                 PKIX_NULLCHECK_ONE(children);
                 PKIX_CHECK(PKIX_List_GetLength
                         (children, &numChildren, plContext),
                         PKIX_LISTGETLENGTHFAILED);
                 for (childIndex = numChildren; childIndex > 0; childIndex--) {
                     PKIX_CHECK(PKIX_List_GetItem
                         (children,
                         childIndex - 1,
                         (PKIX_PL_Object **)&child,
                         plContext),
                         PKIX_LISTGETITEMFAILED);
                     PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
                         (child, state, nominees, &shouldBePruned, plContext),
                         PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
                     if (PKIX_TRUE == shouldBePruned) {
                         PKIX_CHECK(PKIX_List_DeleteItem
                                 (children, childIndex - 1, plContext),
                                 PKIX_LISTDELETEITEMFAILED);
                         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                                 ((PKIX_PL_Object *)state, plContext),
                                 PKIX_OBJECTINVALIDATECACHEFAILED);
                     }
                     PKIX_DECREF(child);
                 }
                 PKIX_CHECK(PKIX_List_GetLength
                         (children, &numChildren, plContext),
                         PKIX_LISTGETLENGTHFAILED);
                 if (numChildren == 0) {
                         *pShouldBePruned = PKIX_TRUE;
                 }
         }
 cleanup:
         PKIX_DECREF(currentPolicy);
         PKIX_DECREF(parentPolicy);
         PKIX_DECREF(substPolicy);
         PKIX_DECREF(parent);
         PKIX_DECREF(child);
         PKIX_DECREF(children);
         PKIX_DECREF(policyQualifiers);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
  * DESCRIPTION:
  *
  *  Performs the processing of Policies in the List of CertPolicyMaps pointed
  *  to by "policyMaps", using and updating the PolicyCheckerState pointed to by
  *  "state".
  *
  *  This function implements the policyMap processing described in RFC3280
  *  Section 6.1.4(b)(1), after certificate i has been processed, in preparation
  *  for certificate i+1. Section references are to that document.
  *
  * PARAMETERS:
  *  "policyMaps"
  *      Address of the List of CertPolicyMaps presented by certificate i.
  *      Must be non-NULL.
  *  "certPoliciesIncludeAny"
  *      Boolean value which is PKIX_TRUE if the current certificate asserts
  *      anyPolicy, PKIX_FALSE otherwise.
  *  "qualsOfAny"
  *      Address of List of qualifiers of the anyPolicy in the current
  *      certificate. May be empty or NULL.
  *  "state"
  *      Address of the current state of the PKIX_PolicyChecker.
  *      Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_PolicyMapProcessing(
         PKIX_List *policyMaps,  /* CertPolicyMaps */
         PKIX_Boolean certPoliciesIncludeAny,
         PKIX_List *qualsOfAny,
         PKIX_PolicyCheckerState *state,
         void *plContext)
 {
         PKIX_UInt32 numPolicies = 0;
         PKIX_UInt32 polX = 0;
         PKIX_PL_OID *policyOID = NULL;
         PKIX_List *newMappedPolicies = NULL;  /* OIDs */
         PKIX_List *subjectDomainPolicies = NULL;  /* OIDs */
         PKIX_ENTER
                 (CERTCHAINCHECKER,
                 "pkix_PolicyChecker_PolicyMapProcessing");
         PKIX_NULLCHECK_THREE
                 (policyMaps,
                 state,
                 state->mappedUserInitialPolicySet);
         /*
          * For each policy in mappedUserInitialPolicySet, if it is not mapped,
          * append it to new policySet; if it is mapped, append its
          * subjectDomainPolicies to new policySet. When done, this new
          * policySet will replace mappedUserInitialPolicySet.
          */
         PKIX_CHECK(PKIX_List_Create
                 (&newMappedPolicies, plContext),
                 PKIX_LISTCREATEFAILED);
         PKIX_CHECK(PKIX_List_GetLength
                 (state->mappedUserInitialPolicySet,
                 &numPolicies,
                 plContext),
                 PKIX_LISTGETLENGTHFAILED);
         for (polX = 0; polX < numPolicies; polX++) {
             PKIX_CHECK(PKIX_List_GetItem
                 (state->mappedUserInitialPolicySet,
                 polX,
                 (PKIX_PL_Object **)&policyOID,
                 plContext),
                 PKIX_LISTGETITEMFAILED);
             PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
                 (policyMaps,
                 policyOID,
                 &subjectDomainPolicies,
                 plContext),
                 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
             if (subjectDomainPolicies) {
                 PKIX_CHECK(pkix_List_AppendUnique
                         (newMappedPolicies,
                         subjectDomainPolicies,
                         plContext),
                         PKIX_LISTAPPENDUNIQUEFAILED);
                 PKIX_DECREF(subjectDomainPolicies);
             } else {
                 PKIX_CHECK(PKIX_List_AppendItem
                         (newMappedPolicies,
                         (PKIX_PL_Object *)policyOID,
                         plContext),
                         PKIX_LISTAPPENDITEMFAILED);
             }
             PKIX_DECREF(policyOID);
         }
         /*
          * For each policy ID-P remaining in mappedPolicyOIDs, it has not been
          * propagated to the bottom of the tree (depth i). If policyMapping
          * is greater than zero and this cert contains anyPolicy and the tree
          * contains an anyPolicy node at depth i-1, then we must create a node
          * with validPolicy ID-P, the policy qualifiers of anyPolicy in
          * this certificate, and expectedPolicySet the subjectDomainPolicies
          * that ID-P maps to. We also then add those subjectDomainPolicies to
          * the list of policies that will be accepted in the next certificate,
          * the mappedUserInitialPolicySet.
          */
         if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
             (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
                 PKIX_CHECK(PKIX_List_GetLength
                     (state->mappedPolicyOIDs,
                     &numPolicies,
                     plContext),
                     PKIX_LISTGETLENGTHFAILED);
                 for (polX = 0; polX < numPolicies; polX++) {
                     PKIX_CHECK(PKIX_List_GetItem
                         (state->mappedPolicyOIDs,
                         polX,
                         (PKIX_PL_Object **)&policyOID,
                         plContext),
                         PKIX_LISTGETITEMFAILED);
                     PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
                         (policyMaps,
                         policyOID,
                         &subjectDomainPolicies,
                         plContext),
                         PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
                     PKIX_CHECK(pkix_PolicyChecker_Spawn
                         (state->anyPolicyNodeAtBottom,
                         policyOID,
                         qualsOfAny,
                         subjectDomainPolicies,
                         state,
                         plContext),
                         PKIX_POLICYCHECKERSPAWNFAILED);
                     PKIX_CHECK(pkix_List_AppendUnique
                         (newMappedPolicies,
                         subjectDomainPolicies,
                         plContext),
                         PKIX_LISTAPPENDUNIQUEFAILED);
                     PKIX_DECREF(subjectDomainPolicies);
                     PKIX_DECREF(policyOID);
                 }
         }
         PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
                 PKIX_LISTSETIMMUTABLEFAILED);
         PKIX_DECREF(state->mappedUserInitialPolicySet);
         PKIX_INCREF(newMappedPolicies);
         state->mappedUserInitialPolicySet = newMappedPolicies;
 cleanup:
         PKIX_DECREF(policyOID);
         PKIX_DECREF(newMappedPolicies);
         PKIX_DECREF(subjectDomainPolicies);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_WrapUpProcessing
  * DESCRIPTION:
  *
  *  Performs the wrap-up processing for the Cert pointed to by "cert",
  *  using and updating the PolicyCheckerState pointed to by "state".
  *
  *  This function implements the wrap-up processing described in RFC3280
  *  Section 6.1.5, after the final certificate has been processed. Section
  *  references in the comments are to that document.
  *
  * PARAMETERS:
  *  "cert"
  *      Address of the current (presumably the end entity) certificate.
  *      Must be non-NULL.
  *  "state"
  *      Address of the current state of the PKIX_PolicyChecker.
  *      Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 static PKIX_Error *
 pkix_PolicyChecker_WrapUpProcessing(
         PKIX_PL_Cert *cert,
         PKIX_PolicyCheckerState *state,
         void *plContext)
 {
         PKIX_Int32 explicitPolicySkipCerts = 0;
         PKIX_Boolean isSelfIssued = PKIX_FALSE;
         PKIX_Boolean shouldBePruned = PKIX_FALSE;
         PKIX_List *nominees = NULL; /* OIDs */
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         PKIX_PL_String *stateString = NULL;
         char *stateAscii = NULL;
         PKIX_UInt32 length;
 #endif
         PKIX_ENTER
                 (CERTCHAINCHECKER,
                 "pkix_PolicyChecker_WrapUpProcessing");
         PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         PKIX_CHECK(PKIX_PL_Object_ToString
                 ((PKIX_PL_Object*)state, &stateString, plContext),
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_CHECK(PKIX_PL_String_GetEncoded
                     (stateString,
                     PKIX_ESCASCII,
                     (void **)&stateAscii,
                     &length,
                     plContext),
                     PKIX_STRINGGETENCODEDFAILED);
         PKIX_DEBUG_ARG("%s\n", stateAscii);
         PKIX_FREE(stateAscii);
         PKIX_DECREF(stateString);
 #endif
         /* Section 6.1.5(a) ... */
         PKIX_CHECK(pkix_IsCertSelfIssued
                 (cert, &isSelfIssued, plContext),
                 PKIX_ISCERTSELFISSUEDFAILED);
         if (!isSelfIssued) {
                 if (state->explicitPolicy > 0) {
                         state->explicitPolicy--;
                         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                                 ((PKIX_PL_Object *)state, plContext),
                                 PKIX_OBJECTINVALIDATECACHEFAILED);
                 }
         }
         /* Section 6.1.5(b) ... */
         PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
                 (cert, &explicitPolicySkipCerts, plContext),
                 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
         if (explicitPolicySkipCerts  == 0) {
                 state->explicitPolicy = 0;
         }
         /* Section 6.1.5(g)(i) ... */
         if (!(state->validPolicyTree)) {
                 goto cleanup;
         }
         /* Section 6.1.5(g)(ii) ... */
         if (state->initialIsAnyPolicy) {
                 goto cleanup;
         }
         /*
          * Section 6.1.5(g)(iii) ...
          * Create a list of policies which could be substituted for anyPolicy.
          * Start with a (mutable) copy of user-initial-policy-set.
          */
         PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
                 (state->userInitialPolicySet, &nominees, plContext),
                 PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
         PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
                 (state->validPolicyTree, /* node at top of tree */
                 state,
                 nominees,
                 &shouldBePruned,
                 plContext),
                 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
         if (PKIX_TRUE == shouldBePruned) {
                 PKIX_DECREF(state->validPolicyTree);
         }
         if (state->validPolicyTree) {
                 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                         ((PKIX_PL_Object *)state->validPolicyTree, plContext),
                         PKIX_OBJECTINVALIDATECACHEFAILED);
         }
         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                 ((PKIX_PL_Object *)state, plContext),
                 PKIX_OBJECTINVALIDATECACHEFAILED);
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         if (state->validPolicyTree) {
                 PKIX_CHECK(PKIX_PL_Object_ToString
                         ((PKIX_PL_Object*)state, &stateString, plContext),
                         PKIX_OBJECTTOSTRINGFAILED);
                 PKIX_CHECK(PKIX_PL_String_GetEncoded
                             (stateString,
                             PKIX_ESCASCII,
                             (void **)&stateAscii,
                             &length,
                             plContext),
                             PKIX_STRINGGETENCODEDFAILED);
                 PKIX_DEBUG_ARG
                         ("After CalculateIntersection:\n%s\n", stateAscii);
                 PKIX_FREE(stateAscii);
                 PKIX_DECREF(stateString);
         } else {
                 PKIX_DEBUG("validPolicyTree is NULL\n");
         }
 #endif
         /* Section 6.1.5(g)(iii)(4) ... */
         if (state->validPolicyTree) {
                 PKIX_CHECK(pkix_PolicyNode_Prune
                         (state->validPolicyTree,
                         state->numCerts,
                         &shouldBePruned,
                         plContext),
                         PKIX_POLICYNODEPRUNEFAILED);
                 if (shouldBePruned) {
                         PKIX_DECREF(state->validPolicyTree);
                 }
         }
         if (state->validPolicyTree) {
                 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                         ((PKIX_PL_Object *)state->validPolicyTree, plContext),
                         PKIX_OBJECTINVALIDATECACHEFAILED);
         }
         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                 ((PKIX_PL_Object *)state, plContext),
                 PKIX_OBJECTINVALIDATECACHEFAILED);
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         PKIX_CHECK(PKIX_PL_Object_ToString
                 ((PKIX_PL_Object*)state, &stateString, plContext),
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_CHECK(PKIX_PL_String_GetEncoded
                     (stateString,
                     PKIX_ESCASCII,
                     (void **)&stateAscii,
                     &length,
                     plContext),
                     PKIX_STRINGGETENCODEDFAILED);
         PKIX_DEBUG_ARG("%s\n", stateAscii);
         PKIX_FREE(stateAscii);
         PKIX_DECREF(stateString);
 #endif
 cleanup:
         PKIX_DECREF(nominees);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_Check
  * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
  *
  * Labels referring to sections, such as "Section 6.1.3(d)", refer to
  * sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
  *
  * If a non-fatal error occurs, it is unlikely that policy processing can
  * continue. But it is still possible that chain validation could succeed if
  * policy processing is non-critical. So if this function receives a non-fatal
  * error from a lower level routine, it aborts policy processing by setting
  * the validPolicyTree to NULL and tries to continue.
  *
  */
 static PKIX_Error *
 pkix_PolicyChecker_Check(
         PKIX_CertChainChecker *checker,
         PKIX_PL_Cert *cert,
         PKIX_List *unresolvedCriticals,  /* OIDs */
         void **pNBIOContext,
         void *plContext)
 {
         PKIX_UInt32 numPolicies = 0;
         PKIX_UInt32 polX = 0;
         PKIX_Boolean result = PKIX_FALSE;
         PKIX_Int32 inhibitMappingSkipCerts = 0;
         PKIX_Int32 explicitPolicySkipCerts = 0;
         PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
         PKIX_Boolean shouldBePruned = PKIX_FALSE;
         PKIX_Boolean isSelfIssued = PKIX_FALSE;
         PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
         PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
         PKIX_PolicyCheckerState *state = NULL;
         PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
         PKIX_PL_CertPolicyInfo *policy = NULL;
         PKIX_PL_OID *policyOID = NULL;
         PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
         PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
         PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
         PKIX_List *mappedPolicies = NULL; /* OIDs */
         PKIX_Error *subroutineErr = NULL;
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         PKIX_PL_String *stateString = NULL;
         char *stateAscii = NULL;
         PKIX_PL_String *certString = NULL;
         char *certAscii = NULL;
         PKIX_UInt32 length;
 #endif
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
         PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
         *pNBIOContext = NULL; /* we never block on pending I/O */
         PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                     (checker, (PKIX_PL_Object **)&state, plContext),
                     PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
         PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         PKIX_CHECK(PKIX_PL_Object_ToString
                 ((PKIX_PL_Object*)state, &stateString, plContext),
                 PKIX_OBJECTTOSTRINGFAILED);
         PKIX_CHECK(PKIX_PL_String_GetEncoded
                     (stateString,
                     PKIX_ESCASCII,
                     (void **)&stateAscii,
                     &length,
                     plContext),
                     PKIX_STRINGGETENCODEDFAILED);
         PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
         PKIX_FREE(stateAscii);
         PKIX_DECREF(stateString);
 #endif
         /*
          * Section 6.1.4(a)
          * If this is not the last certificate, and if
          * policyMapping extension is present, check that no
          * issuerDomainPolicy or subjectDomainPolicy is equal to the
          * special policy anyPolicy.
          */
         if (state->certsProcessed != (state->numCerts - 1)) {
                 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
                         (cert, &policyMaps, plContext),
                         PKIX_CERTGETPOLICYMAPPINGSFAILED);
         }
         if (policyMaps) {
                 PKIX_CHECK(pkix_PolicyChecker_MapContains
                         (policyMaps, state->anyPolicyOID, &result, plContext),
                         PKIX_POLICYCHECKERMAPCONTAINSFAILED);
                 if (result) {
                         PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
                 }
                 PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
                         (policyMaps, &mappedPolicies, plContext),
                         PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
                 PKIX_DECREF(state->mappedPolicyOIDs);
                 PKIX_INCREF(mappedPolicies);
                 state->mappedPolicyOIDs = mappedPolicies;
         }
         /* Section 6.1.3(d) */
         if (state->validPolicyTree) {
             PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
                 (cert, &certPolicyInfos, plContext),
                 PKIX_CERTGETPOLICYINFORMATIONFAILED);
             if (certPolicyInfos) {
                 PKIX_CHECK(PKIX_List_GetLength
                         (certPolicyInfos, &numPolicies, plContext),
                         PKIX_LISTGETLENGTHFAILED);
             }
             if (numPolicies > 0) {
                 PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
                         (cert, &(state->certPoliciesCritical), plContext),
                         PKIX_CERTARECERTPOLICIESCRITICALFAILED);
                 /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
                 for (polX = 0; polX < numPolicies; polX++) {
                     PKIX_CHECK(PKIX_List_GetItem
                         (certPolicyInfos,
                         polX,
                         (PKIX_PL_Object **)&policy,
                         plContext),
                         PKIX_LISTGETITEMFAILED);
                     PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
                         (policy, &policyOID, plContext),
                         PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
                     PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
                         (policy, &policyQualifiers, plContext),
                         PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
                     PKIX_EQUALS
                         (state->anyPolicyOID,
                         policyOID,
                         &result,
                         plContext,
                         PKIX_OIDEQUALFAILED);
                     if (result == PKIX_FALSE) {
                         /* Section 6.1.3(d)(1)(i) */
                         subroutineErr = pkix_PolicyChecker_CheckPolicy
                                 (policyOID,
                                 policyQualifiers,
                                 cert,
                                 policyMaps,
                                 state,
                                 plContext);
                         if (subroutineErr) {
                                 goto subrErrorCleanup;
                         }
                     } else {
                         /*
                          * No descent (yet) for anyPolicy, but we will need
                          * the policyQualifiers for anyPolicy in 6.1.3(d)(2)
                          */
                         PKIX_DECREF(qualsOfAny);
                         PKIX_INCREF(policyQualifiers);
                         qualsOfAny = policyQualifiers;
                         certPoliciesIncludeAny = PKIX_TRUE;
                     }
                     PKIX_DECREF(policy);
                     PKIX_DECREF(policyOID);
                     PKIX_DECREF(policyQualifiers);
                 }
                 /* Section 6.1.3(d)(2) */
                 if (certPoliciesIncludeAny == PKIX_TRUE) {
                         if (state->inhibitAnyPolicy > 0) {
                                 doAnyPolicyProcessing = PKIX_TRUE;
                         } else {
                             /* We haven't yet counted the current cert */
                             if (((state->certsProcessed) + 1) <
                                 (state->numCerts)) {
                                 PKIX_CHECK(pkix_IsCertSelfIssued
                                         (cert,
                                         &doAnyPolicyProcessing,
                                         plContext),
                                         PKIX_ISCERTSELFISSUEDFAILED);
                             }
                         }
                         if (doAnyPolicyProcessing) {
                             subroutineErr = pkix_PolicyChecker_CheckAny
                                 (state->validPolicyTree,
                                 qualsOfAny,
                                 policyMaps,
                                 state,
                                 plContext);
                             if (subroutineErr) {
                                 goto subrErrorCleanup;
                             }
                         }
                 }
                 /* Section 6.1.3(d)(3) */
                 if (state->validPolicyTree) {
                         subroutineErr = pkix_PolicyNode_Prune
                                 (state->validPolicyTree,
                                 state->certsProcessed + 1,
                                 &shouldBePruned,
                                 plContext);
                         if (subroutineErr) {
                                 goto subrErrorCleanup;
                         }
                         if (shouldBePruned) {
                                 PKIX_DECREF(state->validPolicyTree);
                                 PKIX_DECREF(state->anyPolicyNodeAtBottom);
                         }
                 }
                 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                         ((PKIX_PL_Object *)state, plContext),
                         PKIX_OBJECTINVALIDATECACHEFAILED);
             } else {
                 /* Section 6.1.3(e) */
                 PKIX_DECREF(state->validPolicyTree);
                 PKIX_DECREF(state->anyPolicyNodeAtBottom);
                 PKIX_DECREF(state->newAnyPolicyNode);
                 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                         ((PKIX_PL_Object *)state, plContext),
                         PKIX_OBJECTINVALIDATECACHEFAILED);
             }
         }
         /* Section 6.1.3(f) */
         if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
                 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
         }
         /*
          * Remove Policy OIDs from list of unresolved critical
          * extensions, if present.
          */
         PKIX_CHECK(pkix_List_Remove
                 (unresolvedCriticals,
                 (PKIX_PL_Object *)state->certPoliciesExtension,
                 plContext),
                 PKIX_LISTREMOVEFAILED);
         PKIX_CHECK(pkix_List_Remove
                 (unresolvedCriticals,
                 (PKIX_PL_Object *)state->policyMappingsExtension,
                 plContext),
                 PKIX_LISTREMOVEFAILED);
         PKIX_CHECK(pkix_List_Remove
                 (unresolvedCriticals,
                 (PKIX_PL_Object *)state->policyConstraintsExtension,
                 plContext),
                 PKIX_LISTREMOVEFAILED);
         PKIX_CHECK(pkix_List_Remove
                 (unresolvedCriticals,
                 (PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
                 plContext),
                 PKIX_LISTREMOVEFAILED);
         state->certsProcessed++;
         /* If this was not the last certificate, do next-cert preparation */
         if (state->certsProcessed != state->numCerts) {
                 if (policyMaps) {
                         subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
                                 (policyMaps,
                                 certPoliciesIncludeAny,
                                 qualsOfAny,
                                 state,
                                 plContext);
                         if (subroutineErr) {
                                 goto subrErrorCleanup;
                         }
                 }
                 /* update anyPolicyNodeAtBottom pointer */
                 PKIX_DECREF(state->anyPolicyNodeAtBottom);
                 state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
                 state->newAnyPolicyNode = NULL;
                 /* Section 6.1.4(h) */
                 PKIX_CHECK(pkix_IsCertSelfIssued
                         (cert, &isSelfIssued, plContext),
                         PKIX_ISCERTSELFISSUEDFAILED);
                 if (!isSelfIssued) {
                         if (state->explicitPolicy > 0) {
                             state->explicitPolicy--;
                         }
                         if (state->policyMapping > 0) {
                             state->policyMapping--;
                         }
                         if (state->inhibitAnyPolicy > 0) {
                             state->inhibitAnyPolicy--;
                         }
                 }
                 /* Section 6.1.4(i) */
                 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
                         (cert, &explicitPolicySkipCerts, plContext),
                         PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
                 if (explicitPolicySkipCerts != -1) {
                         if (((PKIX_UInt32)explicitPolicySkipCerts) <
                             (state->explicitPolicy)) {
                                 state->explicitPolicy =
                                    ((PKIX_UInt32) explicitPolicySkipCerts);
                         }
                 }
                 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
                         (cert, &inhibitMappingSkipCerts, plContext),
                         PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
                 if (inhibitMappingSkipCerts != -1) {
                         if (((PKIX_UInt32)inhibitMappingSkipCerts) <
                             (state->policyMapping)) {
                                 state->policyMapping =
                                     ((PKIX_UInt32)inhibitMappingSkipCerts);
                         }
                 }
                 PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
                         (cert, &inhibitAnyPolicySkipCerts, plContext),
                         PKIX_CERTGETINHIBITANYPOLICYFAILED);
                 if (inhibitAnyPolicySkipCerts != -1) {
                         if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
                             (state->inhibitAnyPolicy)) {
                                 state->inhibitAnyPolicy =
                                     ((PKIX_UInt32)inhibitAnyPolicySkipCerts);
                         }
                 }
                 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                         ((PKIX_PL_Object *)state, plContext),
                         PKIX_OBJECTINVALIDATECACHEFAILED);
         } else { /* If this was the last certificate, do wrap-up processing */
                 /* Section 6.1.5 */
                 subroutineErr = pkix_PolicyChecker_WrapUpProcessing
                         (cert, state, plContext);
                 if (subroutineErr) {
                         goto subrErrorCleanup;
                 }
                 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
                     PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
                 }
                 PKIX_DECREF(state->anyPolicyNodeAtBottom);
                 PKIX_DECREF(state->newAnyPolicyNode);
         }
         if (subroutineErr) {
 subrErrorCleanup:
                 /* We had an error. Was it a fatal error? */
                 pkixErrorClass = subroutineErr->errClass;
                 if (pkixErrorClass == PKIX_FATAL_ERROR) {
                     pkixErrorResult = subroutineErr;
                     subroutineErr = NULL;
                     goto cleanup;
                 }
                 /*
                  * Abort policy processing, and then determine whether
                  * we can continue without policy processing.
                  */
                 PKIX_DECREF(state->validPolicyTree);
                 PKIX_DECREF(state->anyPolicyNodeAtBottom);
                 PKIX_DECREF(state->newAnyPolicyNode);
                 if (state->explicitPolicy == 0) {
                     PKIX_ERROR
                         (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
                 }
         }
         /* Checking is complete. Save state for the next certificate. */
         PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
                 (checker, (PKIX_PL_Object *)state, plContext),
                 PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
 cleanup:
 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
         if (cert) {
                 PKIX_CHECK(PKIX_PL_Object_ToString
                         ((PKIX_PL_Object*)cert, &certString, plContext),
                         PKIX_OBJECTTOSTRINGFAILED);
                 PKIX_CHECK(PKIX_PL_String_GetEncoded
                             (certString,
                             PKIX_ESCASCII,
                             (void **)&certAscii,
                             &length,
                             plContext),
                             PKIX_STRINGGETENCODEDFAILED);
                 PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
                 PKIX_FREE(certAscii);
                 PKIX_DECREF(certString);
         }
         if (state) {
                 PKIX_CHECK(PKIX_PL_Object_ToString
                         ((PKIX_PL_Object*)state, &stateString, plContext),
                         PKIX_OBJECTTOSTRINGFAILED);
                 PKIX_CHECK(PKIX_PL_String_GetEncoded
                             (stateString,
                             PKIX_ESCASCII,
                             (void **)&stateAscii,
                             &length,
                             plContext),
                             PKIX_STRINGGETENCODEDFAILED);
                 PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
                 PKIX_FREE(stateAscii);
                 PKIX_DECREF(stateString);
         }
 #endif
         PKIX_DECREF(state);
         PKIX_DECREF(certPolicyInfos);
         PKIX_DECREF(policy);
         PKIX_DECREF(qualsOfAny);
         PKIX_DECREF(policyQualifiers);
         PKIX_DECREF(policyOID);
         PKIX_DECREF(subroutineErr);
         PKIX_DECREF(policyMaps);
         PKIX_DECREF(mappedPolicies);
         PKIX_RETURN(CERTCHAINCHECKER);
 }
 /*
  * FUNCTION: pkix_PolicyChecker_Initialize
  * DESCRIPTION:
  *
  *  Creates and initializes a PolicyChecker, using the List pointed to
  *  by "initialPolicies" for the user-initial-policy-set, the Boolean value
  *  of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
  *  the Boolean value of "initialPolicyMappingInhibit" for the
  *  inhibitPolicyMappings parameter, the Boolean value of
  *  "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
  *  Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
  *  parameter, and the UInt32 value of "numCerts" as the number of
  *  certificates in the chain; and stores the Checker at "pChecker".
  *
  * PARAMETERS:
  *  "initialPolicies"
  *      Address of List of OIDs comprising the user-initial-policy-set; the List
  *      may be empty or NULL
  *  "policyQualifiersRejected"
  *      Boolean value of the policyQualifiersRejected parameter
  *  "initialPolicyMappingInhibit"
  *      Boolean value of the inhibitPolicyMappings parameter
  *  "initialExplicitPolicy"
  *      Boolean value of the initialExplicitPolicy parameter
  *  "initialAnyPolicyInhibit"
  *      Boolean value of the inhibitAnyPolicy parameter
  *  "numCerts"
  *      Number of certificates in the chain to be validated
  *  "pChecker"
  *      Address to store the created PolicyChecker. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds
  *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way
  */
 PKIX_Error *
 pkix_PolicyChecker_Initialize(
         PKIX_List *initialPolicies,
         PKIX_Boolean policyQualifiersRejected,
         PKIX_Boolean initialPolicyMappingInhibit,
         PKIX_Boolean initialExplicitPolicy,
         PKIX_Boolean initialAnyPolicyInhibit,
         PKIX_UInt32 numCerts,
         PKIX_CertChainChecker **pChecker,
         void *plContext)
 {
         PKIX_PolicyCheckerState *polCheckerState = NULL;
         PKIX_List *policyExtensions = NULL;     /* OIDs */
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
         PKIX_NULLCHECK_ONE(pChecker);
         PKIX_CHECK(pkix_PolicyCheckerState_Create
                 (initialPolicies,
                 policyQualifiersRejected,
                 initialPolicyMappingInhibit,
                 initialExplicitPolicy,
                 initialAnyPolicyInhibit,
                 numCerts,
                 &polCheckerState,
                 plContext),
                 PKIX_POLICYCHECKERSTATECREATEFAILED);
         /* Create the list of extensions that we handle */
         PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
                 ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
                 PKIX_TRUE,
                 &policyExtensions,
                 plContext),
                 PKIX_POLICYCHECKERMAKESINGLETONFAILED);
         PKIX_CHECK(PKIX_CertChainChecker_Create
                 (pkix_PolicyChecker_Check,
                 PKIX_FALSE,     /* forwardCheckingSupported */
                 PKIX_FALSE,
                 policyExtensions,
                 (PKIX_PL_Object *)polCheckerState,
                 pChecker,
                 plContext),
                 PKIX_CERTCHAINCHECKERCREATEFAILED);
 cleanup:
         PKIX_DECREF(polCheckerState);
         PKIX_DECREF(policyExtensions);
         PKIX_RETURN(CERTCHAINCHECKER);
 }

The Tor Browser / annotate

security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c