The Tor Browser / annotate

security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4 /*
michael@0 5 * pkix_crlselector.c
michael@0 6 *
michael@0 7 * CRLSelector Function Definitions
michael@0 8 *
michael@0 9 */
michael@0 10
michael@0 11 #include "pkix_crlselector.h"
michael@0 12
michael@0 13 /* --CRLSelector Private-Functions-------------------------------------- */
michael@0 14
michael@0 15 /*
michael@0 16 * FUNCTION: pkix_CRLSelector_Destroy
michael@0 17 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
michael@0 18 */
michael@0 19 static PKIX_Error *
michael@0 20 pkix_CRLSelector_Destroy(
michael@0 21 PKIX_PL_Object *object,
michael@0 22 void *plContext)
michael@0 23 {
michael@0 24 PKIX_CRLSelector *selector = NULL;
michael@0 25
michael@0 26 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy");
michael@0 27 PKIX_NULLCHECK_ONE(object);
michael@0 28
michael@0 29 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
michael@0 30 PKIX_OBJECTNOTCRLSELECTOR);
michael@0 31
michael@0 32 selector = (PKIX_CRLSelector *)object;
michael@0 33
michael@0 34 selector->matchCallback = NULL;
michael@0 35
michael@0 36 PKIX_DECREF(selector->params);
michael@0 37 PKIX_DECREF(selector->context);
michael@0 38
michael@0 39 cleanup:
michael@0 40
michael@0 41 PKIX_RETURN(CRLSELECTOR);
michael@0 42 }
michael@0 43
michael@0 44 /*
michael@0 45 * FUNCTION: pkix_CRLSelector_ToString_Helper
michael@0 46 *
michael@0 47 * DESCRIPTION:
michael@0 48 * Helper function that creates a string representation of CRLSelector
michael@0 49 * pointed to by "crlParams" and stores its address in the object pointed to
michael@0 50 * by "pString".
michael@0 51 *
michael@0 52 * PARAMETERS
michael@0 53 * "list"
michael@0 54 * Address of CRLSelector whose string representation is desired.
michael@0 55 * Must be non-NULL.
michael@0 56 * "pString"
michael@0 57 * Address of object pointer's destination. Must be non-NULL.
michael@0 58 * "plContext" - Platform-specific context pointer.
michael@0 59 *
michael@0 60 * THREAD SAFETY:
michael@0 61 * Conditionally Thread Safe
michael@0 62 * (see Thread Safety Definitions in Programmer's Guide)
michael@0 63 *
michael@0 64 * RETURNS:
michael@0 65 * Returns NULL if the function succeeds.
michael@0 66 * Returns a CRLSelector Error if the function fails in a non-fatal way.
michael@0 67 * Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0 68 */
michael@0 69 static PKIX_Error *
michael@0 70 pkix_CRLSelector_ToString_Helper(
michael@0 71 PKIX_CRLSelector *crlSelector,
michael@0 72 PKIX_PL_String **pString,
michael@0 73 void *plContext)
michael@0 74 {
michael@0 75 PKIX_PL_String *crlSelectorString = NULL;
michael@0 76 PKIX_PL_String *formatString = NULL;
michael@0 77 PKIX_PL_String *crlParamsString = NULL;
michael@0 78 PKIX_PL_String *crlContextString = NULL;
michael@0 79 char *asciiFormat = NULL;
michael@0 80
michael@0 81 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper");
michael@0 82 PKIX_NULLCHECK_TWO(crlSelector, pString);
michael@0 83 PKIX_NULLCHECK_ONE(crlSelector->params);
michael@0 84
michael@0 85 asciiFormat =
michael@0 86 "\n\t[\n"
michael@0 87 "\tMatchCallback: 0x%x\n"
michael@0 88 "\tParams: %s\n"
michael@0 89 "\tContext: %s\n"
michael@0 90 "\t]\n";
michael@0 91
michael@0 92 PKIX_CHECK(PKIX_PL_String_Create
michael@0 93 (PKIX_ESCASCII,
michael@0 94 asciiFormat,
michael@0 95 0,
michael@0 96 &formatString,
michael@0 97 plContext),
michael@0 98 PKIX_STRINGCREATEFAILED);
michael@0 99
michael@0 100 /* Params */
michael@0 101 PKIX_TOSTRING
michael@0 102 ((PKIX_PL_Object *)crlSelector->params,
michael@0 103 &crlParamsString,
michael@0 104 plContext,
michael@0 105 PKIX_COMCRLSELPARAMSTOSTRINGFAILED);
michael@0 106
michael@0 107 /* Context */
michael@0 108 PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext,
michael@0 109 PKIX_LISTTOSTRINGFAILED);
michael@0 110
michael@0 111 PKIX_CHECK(PKIX_PL_Sprintf
michael@0 112 (&crlSelectorString,
michael@0 113 plContext,
michael@0 114 formatString,
michael@0 115 crlSelector->matchCallback,
michael@0 116 crlParamsString,
michael@0 117 crlContextString),
michael@0 118 PKIX_SPRINTFFAILED);
michael@0 119
michael@0 120 *pString = crlSelectorString;
michael@0 121
michael@0 122 cleanup:
michael@0 123
michael@0 124 PKIX_DECREF(crlParamsString);
michael@0 125 PKIX_DECREF(crlContextString);
michael@0 126 PKIX_DECREF(formatString);
michael@0 127
michael@0 128 PKIX_RETURN(CRLSELECTOR);
michael@0 129 }
michael@0 130
michael@0 131 /*
michael@0 132 * FUNCTION: pkix_CRLSelector_ToString
michael@0 133 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
michael@0 134 */
michael@0 135 static PKIX_Error *
michael@0 136 pkix_CRLSelector_ToString(
michael@0 137 PKIX_PL_Object *object,
michael@0 138 PKIX_PL_String **pString,
michael@0 139 void *plContext)
michael@0 140 {
michael@0 141 PKIX_PL_String *crlSelectorString = NULL;
michael@0 142 PKIX_CRLSelector *crlSelector = NULL;
michael@0 143
michael@0 144 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString");
michael@0 145 PKIX_NULLCHECK_TWO(object, pString);
michael@0 146
michael@0 147 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
michael@0 148 PKIX_OBJECTNOTCRLSELECTOR);
michael@0 149
michael@0 150 crlSelector = (PKIX_CRLSelector *) object;
michael@0 151
michael@0 152 PKIX_CHECK(pkix_CRLSelector_ToString_Helper
michael@0 153 (crlSelector, &crlSelectorString, plContext),
michael@0 154 PKIX_CRLSELECTORTOSTRINGHELPERFAILED);
michael@0 155
michael@0 156 *pString = crlSelectorString;
michael@0 157
michael@0 158 cleanup:
michael@0 159
michael@0 160 PKIX_RETURN(CRLSELECTOR);
michael@0 161 }
michael@0 162
michael@0 163 /*
michael@0 164 * FUNCTION: pkix_CRLSelector_Hashcode
michael@0 165 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
michael@0 166 */
michael@0 167 static PKIX_Error *
michael@0 168 pkix_CRLSelector_Hashcode(
michael@0 169 PKIX_PL_Object *object,
michael@0 170 PKIX_UInt32 *pHashcode,
michael@0 171 void *plContext)
michael@0 172 {
michael@0 173 PKIX_UInt32 paramsHash = 0;
michael@0 174 PKIX_UInt32 contextHash = 0;
michael@0 175 PKIX_UInt32 hash = 0;
michael@0 176
michael@0 177 PKIX_CRLSelector *crlSelector = NULL;
michael@0 178
michael@0 179 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode");
michael@0 180 PKIX_NULLCHECK_TWO(object, pHashcode);
michael@0 181
michael@0 182 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
michael@0 183 PKIX_OBJECTNOTCRLSELECTOR);
michael@0 184
michael@0 185 crlSelector = (PKIX_CRLSelector *)object;
michael@0 186
michael@0 187 PKIX_HASHCODE(crlSelector->params, &paramsHash, plContext,
michael@0 188 PKIX_OBJECTHASHCODEFAILED);
michael@0 189
michael@0 190 PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
michael@0 191 PKIX_OBJECTHASHCODEFAILED);
michael@0 192
michael@0 193 hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
michael@0 194 (contextHash << 3)) + paramsHash;
michael@0 195
michael@0 196 *pHashcode = hash;
michael@0 197
michael@0 198 cleanup:
michael@0 199
michael@0 200 PKIX_RETURN(CRLSELECTOR);
michael@0 201 }
michael@0 202
michael@0 203 /*
michael@0 204 * FUNCTION: pkix_CRLSelector_Equals
michael@0 205 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
michael@0 206 */
michael@0 207 static PKIX_Error *
michael@0 208 pkix_CRLSelector_Equals(
michael@0 209 PKIX_PL_Object *firstObject,
michael@0 210 PKIX_PL_Object *secondObject,
michael@0 211 PKIX_Boolean *pResult,
michael@0 212 void *plContext)
michael@0 213 {
michael@0 214 PKIX_CRLSelector *firstCrlSelector = NULL;
michael@0 215 PKIX_CRLSelector *secondCrlSelector = NULL;
michael@0 216 PKIX_UInt32 secondType;
michael@0 217 PKIX_Boolean cmpResult = PKIX_FALSE;
michael@0 218
michael@0 219 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals");
michael@0 220 PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
michael@0 221
michael@0 222 /* test that firstObject is a CRLSelector */
michael@0 223 PKIX_CHECK(pkix_CheckType
michael@0 224 (firstObject, PKIX_CRLSELECTOR_TYPE, plContext),
michael@0 225 PKIX_FIRSTOBJECTNOTCRLSELECTOR);
michael@0 226
michael@0 227 firstCrlSelector = (PKIX_CRLSelector *)firstObject;
michael@0 228 secondCrlSelector = (PKIX_CRLSelector *)secondObject;
michael@0 229
michael@0 230 /*
michael@0 231 * Since we know firstObject is a CRLSelector, if both references are
michael@0 232 * identical, they must be equal
michael@0 233 */
michael@0 234 if (firstCrlSelector == secondCrlSelector){
michael@0 235 *pResult = PKIX_TRUE;
michael@0 236 goto cleanup;
michael@0 237 }
michael@0 238
michael@0 239 /*
michael@0 240 * If secondCRLSelector isn't a CRLSelector, we don't throw an error.
michael@0 241 * We simply return a Boolean result of FALSE
michael@0 242 */
michael@0 243 *pResult = PKIX_FALSE;
michael@0 244 PKIX_CHECK(PKIX_PL_Object_GetType
michael@0 245 ((PKIX_PL_Object *)secondCrlSelector,
michael@0 246 &secondType,
michael@0 247 plContext),
michael@0 248 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
michael@0 249
michael@0 250 if (secondType != PKIX_CRLSELECTOR_TYPE) {
michael@0 251 goto cleanup;
michael@0 252 }
michael@0 253
michael@0 254 /* Compare MatchCallback address */
michael@0 255 cmpResult = (firstCrlSelector->matchCallback ==
michael@0 256 secondCrlSelector->matchCallback);
michael@0 257
michael@0 258 if (cmpResult == PKIX_FALSE) {
michael@0 259 goto cleanup;
michael@0 260 }
michael@0 261
michael@0 262 /* Compare Common CRL Selector Params */
michael@0 263 PKIX_EQUALS
michael@0 264 (firstCrlSelector->params,
michael@0 265 secondCrlSelector->params,
michael@0 266 &cmpResult,
michael@0 267 plContext,
michael@0 268 PKIX_COMCRLSELPARAMSEQUALSFAILED);
michael@0 269
michael@0 270
michael@0 271 if (cmpResult == PKIX_FALSE) {
michael@0 272 goto cleanup;
michael@0 273 }
michael@0 274
michael@0 275 /* Compare Context */
michael@0 276 PKIX_EQUALS
michael@0 277 (firstCrlSelector->context,
michael@0 278 secondCrlSelector->context,
michael@0 279 &cmpResult,
michael@0 280 plContext,
michael@0 281 PKIX_COMCRLSELPARAMSEQUALSFAILED);
michael@0 282
michael@0 283 *pResult = cmpResult;
michael@0 284
michael@0 285 cleanup:
michael@0 286
michael@0 287 PKIX_RETURN(CRLSELECTOR);
michael@0 288 }
michael@0 289
michael@0 290 /*
michael@0 291 * FUNCTION: pkix_CRLSelector_Duplicate
michael@0 292 * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
michael@0 293 */
michael@0 294 static PKIX_Error *
michael@0 295 pkix_CRLSelector_Duplicate(
michael@0 296 PKIX_PL_Object *object,
michael@0 297 PKIX_PL_Object **pNewObject,
michael@0 298 void *plContext)
michael@0 299 {
michael@0 300 PKIX_CRLSelector *old;
michael@0 301 PKIX_CRLSelector *new = NULL;
michael@0 302
michael@0 303 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate");
michael@0 304 PKIX_NULLCHECK_TWO(object, pNewObject);
michael@0 305
michael@0 306 PKIX_CHECK(pkix_CheckType
michael@0 307 (object, PKIX_CRLSELECTOR_TYPE, plContext),
michael@0 308 PKIX_OBJECTNOTCRLSELECTOR);
michael@0 309
michael@0 310 old = (PKIX_CRLSelector *)object;
michael@0 311
michael@0 312 PKIX_CHECK(PKIX_PL_Object_Alloc
michael@0 313 (PKIX_CRLSELECTOR_TYPE,
michael@0 314 (PKIX_UInt32)(sizeof (PKIX_CRLSelector)),
michael@0 315 (PKIX_PL_Object **)&new,
michael@0 316 plContext),
michael@0 317 PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED);
michael@0 318
michael@0 319 new->matchCallback = old->matchCallback;
michael@0 320
michael@0 321 PKIX_DUPLICATE(old->params, &new->params, plContext,
michael@0 322 PKIX_OBJECTDUPLICATEPARAMSFAILED);
michael@0 323
michael@0 324 PKIX_DUPLICATE(old->context, &new->context, plContext,
michael@0 325 PKIX_OBJECTDUPLICATECONTEXTFAILED);
michael@0 326
michael@0 327 *pNewObject = (PKIX_PL_Object *)new;
michael@0 328
michael@0 329 cleanup:
michael@0 330
michael@0 331 if (PKIX_ERROR_RECEIVED){
michael@0 332 PKIX_DECREF(new);
michael@0 333 }
michael@0 334
michael@0 335 PKIX_RETURN(CRLSELECTOR);
michael@0 336 }
michael@0 337
michael@0 338 /*
michael@0 339 * FUNCTION: pkix_CRLSelector_DefaultMatch
michael@0 340 *
michael@0 341 * DESCRIPTION:
michael@0 342 * This function compares the parameter values (Issuer, date, and CRL number)
michael@0 343 * set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with
michael@0 344 * the corresponding values in the CRL pointed to by "crl". When all the
michael@0 345 * criteria set in the parameter values match the values in "crl", PKIX_TRUE is
michael@0 346 * stored at "pMatch". If the CRL does not match the CRLSelector's criteria,
michael@0 347 * PKIX_FALSE is stored at "pMatch".
michael@0 348 *
michael@0 349 * PARAMETERS
michael@0 350 * "selector"
michael@0 351 * Address of CRLSelector which is verified for a match
michael@0 352 * Must be non-NULL.
michael@0 353 * "crl"
michael@0 354 * Address of the CRL object to be verified. Must be non-NULL.
michael@0 355 * "pMatch"
michael@0 356 * Address at which Boolean result is stored. Must be non-NULL.
michael@0 357 * "plContext"
michael@0 358 * Platform-specific context pointer.
michael@0 359 *
michael@0 360 * THREAD SAFETY:
michael@0 361 * Conditionally Thread Safe
michael@0 362 * (see Thread Safety Definitions in Programmer's Guide)
michael@0 363 *
michael@0 364 * RETURNS:
michael@0 365 * Returns NULL if the function succeeds.
michael@0 366 * Returns a CRLSelector Error if the function fails in a non-fatal way.
michael@0 367 * Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0 368 */
michael@0 369 static PKIX_Error *
michael@0 370 pkix_CRLSelector_DefaultMatch(
michael@0 371 PKIX_CRLSelector *selector,
michael@0 372 PKIX_PL_CRL *crl,
michael@0 373 PKIX_Boolean *pMatch,
michael@0 374 void *plContext)
michael@0 375 {
michael@0 376 PKIX_ComCRLSelParams *params = NULL;
michael@0 377 PKIX_PL_X500Name *crlIssuerName = NULL;
michael@0 378 PKIX_PL_X500Name *issuerName = NULL;
michael@0 379 PKIX_List *selIssuerNames = NULL;
michael@0 380 PKIX_PL_Date *selDate = NULL;
michael@0 381 PKIX_Boolean result = PKIX_TRUE;
michael@0 382 PKIX_UInt32 numIssuers = 0;
michael@0 383 PKIX_UInt32 i;
michael@0 384 PKIX_PL_BigInt *minCRLNumber = NULL;
michael@0 385 PKIX_PL_BigInt *maxCRLNumber = NULL;
michael@0 386 PKIX_PL_BigInt *crlNumber = NULL;
michael@0 387 PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;
michael@0 388
michael@0 389 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
michael@0 390 PKIX_NULLCHECK_TWO(selector, crl);
michael@0 391
michael@0 392 *pMatch = PKIX_TRUE;
michael@0 393 params = selector->params;
michael@0 394
michael@0 395 /* No matching parameter provided, just a match */
michael@0 396 if (params == NULL) {
michael@0 397 goto cleanup;
michael@0 398 }
michael@0 399
michael@0 400 PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
michael@0 401 (params, &selIssuerNames, plContext),
michael@0 402 PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
michael@0 403
michael@0 404 /* Check for Issuers */
michael@0 405 if (selIssuerNames != NULL){
michael@0 406
michael@0 407 result = PKIX_FALSE;
michael@0 408
michael@0 409 PKIX_CHECK(PKIX_PL_CRL_GetIssuer
michael@0 410 (crl, &crlIssuerName, plContext),
michael@0 411 PKIX_CRLGETISSUERFAILED);
michael@0 412
michael@0 413 PKIX_CHECK(PKIX_List_GetLength
michael@0 414 (selIssuerNames, &numIssuers, plContext),
michael@0 415 PKIX_LISTGETLENGTHFAILED);
michael@0 416
michael@0 417 for (i = 0; i < numIssuers; i++){
michael@0 418
michael@0 419 PKIX_CHECK(PKIX_List_GetItem
michael@0 420 (selIssuerNames,
michael@0 421 i,
michael@0 422 (PKIX_PL_Object **)&issuerName,
michael@0 423 plContext),
michael@0 424 PKIX_LISTGETITEMFAILED);
michael@0 425
michael@0 426 PKIX_CHECK(PKIX_PL_X500Name_Match
michael@0 427 (crlIssuerName,
michael@0 428 issuerName,
michael@0 429 &result,
michael@0 430 plContext),
michael@0 431 PKIX_X500NAMEMATCHFAILED);
michael@0 432
michael@0 433 PKIX_DECREF(issuerName);
michael@0 434
michael@0 435 if (result == PKIX_TRUE) {
michael@0 436 break;
michael@0 437 }
michael@0 438 }
michael@0 439
michael@0 440 if (result == PKIX_FALSE) {
michael@0 441 PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N");
michael@0 442 *pMatch = PKIX_FALSE;
michael@0 443 goto cleanup;
michael@0 444 }
michael@0 445
michael@0 446 }
michael@0 447
michael@0 448 PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime
michael@0 449 (params, &selDate, plContext),
michael@0 450 PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED);
michael@0 451
michael@0 452 /* Check for Date */
michael@0 453 if (selDate != NULL){
michael@0 454
michael@0 455 PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
michael@0 456 (params, &nistPolicyEnabled, plContext),
michael@0 457 PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);
michael@0 458
michael@0 459 /* check crl dates only for if NIST policies enforced */
michael@0 460 if (nistPolicyEnabled) {
michael@0 461 result = PKIX_FALSE;
michael@0 462
michael@0 463 PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
michael@0 464 (crl, selDate, &result, plContext),
michael@0 465 PKIX_CRLVERIFYUPDATETIMEFAILED);
michael@0 466
michael@0 467 if (result == PKIX_FALSE) {
michael@0 468 *pMatch = PKIX_FALSE;
michael@0 469 goto cleanup;
michael@0 470 }
michael@0 471 }
michael@0 472
michael@0 473 }
michael@0 474
michael@0 475 /* Check for CRL number in range */
michael@0 476 PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext),
michael@0 477 PKIX_CRLGETCRLNUMBERFAILED);
michael@0 478
michael@0 479 if (crlNumber != NULL) {
michael@0 480 result = PKIX_FALSE;
michael@0 481
michael@0 482 PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber
michael@0 483 (params, &minCRLNumber, plContext),
michael@0 484 PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED);
michael@0 485
michael@0 486 if (minCRLNumber != NULL) {
michael@0 487
michael@0 488 PKIX_CHECK(PKIX_PL_Object_Compare
michael@0 489 ((PKIX_PL_Object *)minCRLNumber,
michael@0 490 (PKIX_PL_Object *)crlNumber,
michael@0 491 &result,
michael@0 492 plContext),
michael@0 493 PKIX_OBJECTCOMPARATORFAILED);
michael@0 494
michael@0 495 if (result == 1) {
michael@0 496 PKIX_CRLSELECTOR_DEBUG
michael@0 497 ("CRL MinNumber Range Match Failed\n");
michael@0 498 *pMatch = PKIX_FALSE;
michael@0 499 goto cleanup;
michael@0 500 }
michael@0 501 }
michael@0 502
michael@0 503 PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber
michael@0 504 (params, &maxCRLNumber, plContext),
michael@0 505 PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED);
michael@0 506
michael@0 507 if (maxCRLNumber != NULL) {
michael@0 508
michael@0 509 PKIX_CHECK(PKIX_PL_Object_Compare
michael@0 510 ((PKIX_PL_Object *)crlNumber,
michael@0 511 (PKIX_PL_Object *)maxCRLNumber,
michael@0 512 &result,
michael@0 513 plContext),
michael@0 514 PKIX_OBJECTCOMPARATORFAILED);
michael@0 515
michael@0 516 if (result == 1) {
michael@0 517 PKIX_CRLSELECTOR_DEBUG
michael@0 518 (PKIX_CRLMAXNUMBERRANGEMATCHFAILED);
michael@0 519 *pMatch = PKIX_FALSE;
michael@0 520 goto cleanup;
michael@0 521 }
michael@0 522 }
michael@0 523 }
michael@0 524
michael@0 525 cleanup:
michael@0 526
michael@0 527 PKIX_DECREF(selIssuerNames);
michael@0 528 PKIX_DECREF(selDate);
michael@0 529 PKIX_DECREF(crlIssuerName);
michael@0 530 PKIX_DECREF(issuerName);
michael@0 531 PKIX_DECREF(crlNumber);
michael@0 532 PKIX_DECREF(minCRLNumber);
michael@0 533 PKIX_DECREF(maxCRLNumber);
michael@0 534
michael@0 535 PKIX_RETURN(CRLSELECTOR);
michael@0 536 }
michael@0 537
michael@0 538 /*
michael@0 539 * FUNCTION: pkix_CRLSelector_RegisterSelf
michael@0 540 * DESCRIPTION:
michael@0 541 * Registers PKIX_CRLSELECTOR_TYPE and its related functions with
michael@0 542 * systemClasses[]
michael@0 543 * THREAD SAFETY:
michael@0 544 * Not Thread Safe - for performance and complexity reasons
michael@0 545 *
michael@0 546 * Since this function is only called by PKIX_PL_Initialize, which should
michael@0 547 * only be called once, it is acceptable that this function is not
michael@0 548 * thread-safe.
michael@0 549 */
michael@0 550 PKIX_Error *
michael@0 551 pkix_CRLSelector_RegisterSelf(void *plContext)
michael@0 552 {
michael@0 553 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
michael@0 554 pkix_ClassTable_Entry entry;
michael@0 555
michael@0 556 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf");
michael@0 557
michael@0 558 entry.description = "CRLSelector";
michael@0 559 entry.objCounter = 0;
michael@0 560 entry.typeObjectSize = sizeof(PKIX_CRLSelector);
michael@0 561 entry.destructor = pkix_CRLSelector_Destroy;
michael@0 562 entry.equalsFunction = pkix_CRLSelector_Equals;
michael@0 563 entry.hashcodeFunction = pkix_CRLSelector_Hashcode;
michael@0 564 entry.toStringFunction = pkix_CRLSelector_ToString;
michael@0 565 entry.comparator = NULL;
michael@0 566 entry.duplicateFunction = pkix_CRLSelector_Duplicate;
michael@0 567
michael@0 568 systemClasses[PKIX_CRLSELECTOR_TYPE] = entry;
michael@0 569
michael@0 570 PKIX_RETURN(CRLSELECTOR);
michael@0 571 }
michael@0 572
michael@0 573 /* --CRLSelector-Public-Functions---------------------------------------- */
michael@0 574 PKIX_Error *
michael@0 575 pkix_CRLSelector_Create(
michael@0 576 PKIX_CRLSelector_MatchCallback callback,
michael@0 577 PKIX_PL_Object *crlSelectorContext,
michael@0 578 PKIX_CRLSelector **pSelector,
michael@0 579 void *plContext)
michael@0 580 {
michael@0 581 PKIX_CRLSelector *selector = NULL;
michael@0 582
michael@0 583 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create");
michael@0 584 PKIX_NULLCHECK_ONE(pSelector);
michael@0 585
michael@0 586 PKIX_CHECK(PKIX_PL_Object_Alloc
michael@0 587 (PKIX_CRLSELECTOR_TYPE,
michael@0 588 sizeof (PKIX_CRLSelector),
michael@0 589 (PKIX_PL_Object **)&selector,
michael@0 590 plContext),
michael@0 591 PKIX_COULDNOTCREATECRLSELECTOROBJECT);
michael@0 592
michael@0 593 /*
michael@0 594 * if user specified a particular match callback, we use that one.
michael@0 595 * otherwise, we use the default match provided.
michael@0 596 */
michael@0 597
michael@0 598 if (callback != NULL){
michael@0 599 selector->matchCallback = callback;
michael@0 600 } else {
michael@0 601 selector->matchCallback = pkix_CRLSelector_DefaultMatch;
michael@0 602 }
michael@0 603
michael@0 604 /* initialize other fields */
michael@0 605 selector->params = NULL;
michael@0 606
michael@0 607 PKIX_INCREF(crlSelectorContext);
michael@0 608 selector->context = crlSelectorContext;
michael@0 609
michael@0 610 *pSelector = selector;
michael@0 611 selector = NULL;
michael@0 612
michael@0 613 cleanup:
michael@0 614
michael@0 615 PKIX_DECREF(selector);
michael@0 616
michael@0 617 PKIX_RETURN(CRLSELECTOR);
michael@0 618 }
michael@0 619
michael@0 620 /*
michael@0 621 * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h)
michael@0 622 */
michael@0 623 PKIX_Error *
michael@0 624 PKIX_CRLSelector_Create(
michael@0 625 PKIX_PL_Cert *issuer,
michael@0 626 PKIX_List *crldpList,
michael@0 627 PKIX_PL_Date *date,
michael@0 628 PKIX_CRLSelector **pCrlSelector,
michael@0 629 void *plContext)
michael@0 630 {
michael@0 631 PKIX_PL_X500Name *issuerName = NULL;
michael@0 632 PKIX_PL_Date *nowDate = NULL;
michael@0 633 PKIX_ComCRLSelParams *comCrlSelParams = NULL;
michael@0 634 PKIX_CRLSelector *crlSelector = NULL;
michael@0 635
michael@0 636 PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create");
michael@0 637 PKIX_NULLCHECK_ONE(issuer);
michael@0 638
michael@0 639 PKIX_CHECK(
michael@0 640 PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext),
michael@0 641 PKIX_CERTGETISSUERFAILED);
michael@0 642
michael@0 643 if (date != NULL) {
michael@0 644 PKIX_INCREF(date);
michael@0 645 nowDate = date;
michael@0 646 } else {
michael@0 647 PKIX_CHECK(
michael@0 648 PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext),
michael@0 649 PKIX_DATECREATEUTCTIMEFAILED);
michael@0 650 }
michael@0 651
michael@0 652 PKIX_CHECK(
michael@0 653 PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext),
michael@0 654 PKIX_COMCRLSELPARAMSCREATEFAILED);
michael@0 655
michael@0 656 PKIX_CHECK(
michael@0 657 PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName,
michael@0 658 plContext),
michael@0 659 PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
michael@0 660
michael@0 661 PKIX_CHECK(
michael@0 662 PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList,
michael@0 663 plContext),
michael@0 664 PKIX_COMCRLSELPARAMSSETCERTFAILED);
michael@0 665
michael@0 666 PKIX_CHECK(
michael@0 667 PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate,
michael@0 668 plContext),
michael@0 669 PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
michael@0 670
michael@0 671 PKIX_CHECK(
michael@0 672 pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext),
michael@0 673 PKIX_CRLSELECTORCREATEFAILED);
michael@0 674
michael@0 675 PKIX_CHECK(
michael@0 676 PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector,
michael@0 677 comCrlSelParams,
michael@0 678 plContext),
michael@0 679 PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
michael@0 680
michael@0 681 *pCrlSelector = crlSelector;
michael@0 682 crlSelector = NULL;
michael@0 683
michael@0 684 cleanup:
michael@0 685
michael@0 686 PKIX_DECREF(issuerName);
michael@0 687 PKIX_DECREF(nowDate);
michael@0 688 PKIX_DECREF(comCrlSelParams);
michael@0 689 PKIX_DECREF(crlSelector);
michael@0 690
michael@0 691 PKIX_RETURN(CERTCHAINCHECKER);
michael@0 692 }
michael@0 693
michael@0 694 /*
michael@0 695 * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h)
michael@0 696 */
michael@0 697 PKIX_Error *
michael@0 698 PKIX_CRLSelector_GetMatchCallback(
michael@0 699 PKIX_CRLSelector *selector,
michael@0 700 PKIX_CRLSelector_MatchCallback *pCallback,
michael@0 701 void *plContext)
michael@0 702 {
michael@0 703 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback");
michael@0 704 PKIX_NULLCHECK_TWO(selector, pCallback);
michael@0 705
michael@0 706 *pCallback = selector->matchCallback;
michael@0 707
michael@0 708 PKIX_RETURN(CRLSELECTOR);
michael@0 709 }
michael@0 710
michael@0 711
michael@0 712 /*
michael@0 713 * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
michael@0 714 * (see comments in pkix_crlsel.h)
michael@0 715 */
michael@0 716 PKIX_Error *
michael@0 717 PKIX_CRLSelector_GetCRLSelectorContext(
michael@0 718 PKIX_CRLSelector *selector,
michael@0 719 void **pCrlSelectorContext,
michael@0 720 void *plContext)
michael@0 721 {
michael@0 722 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext");
michael@0 723 PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext);
michael@0 724
michael@0 725 PKIX_INCREF(selector->context);
michael@0 726
michael@0 727 *pCrlSelectorContext = selector->context;
michael@0 728
michael@0 729 cleanup:
michael@0 730 PKIX_RETURN(CRLSELECTOR);
michael@0 731 }
michael@0 732
michael@0 733 /*
michael@0 734 * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
michael@0 735 * (see comments in pkix_crlsel.h)
michael@0 736 */
michael@0 737 PKIX_Error *
michael@0 738 PKIX_CRLSelector_GetCommonCRLSelectorParams(
michael@0 739 PKIX_CRLSelector *selector,
michael@0 740 PKIX_ComCRLSelParams **pParams,
michael@0 741 void *plContext)
michael@0 742 {
michael@0 743 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams");
michael@0 744 PKIX_NULLCHECK_TWO(selector, pParams);
michael@0 745
michael@0 746 PKIX_INCREF(selector->params);
michael@0 747
michael@0 748 *pParams = selector->params;
michael@0 749
michael@0 750 cleanup:
michael@0 751 PKIX_RETURN(CRLSELECTOR);
michael@0 752 }
michael@0 753
michael@0 754 /*
michael@0 755 * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
michael@0 756 * (see comments in pkix_crlsel.h)
michael@0 757 */
michael@0 758 PKIX_Error *
michael@0 759 PKIX_CRLSelector_SetCommonCRLSelectorParams(
michael@0 760 PKIX_CRLSelector *selector,
michael@0 761 PKIX_ComCRLSelParams *params,
michael@0 762 void *plContext)
michael@0 763 {
michael@0 764 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams");
michael@0 765 PKIX_NULLCHECK_TWO(selector, params);
michael@0 766
michael@0 767 PKIX_DECREF(selector->params);
michael@0 768
michael@0 769 PKIX_INCREF(params);
michael@0 770 selector->params = params;
michael@0 771
michael@0 772 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
michael@0 773 ((PKIX_PL_Object *)selector, plContext),
michael@0 774 PKIX_OBJECTINVALIDATECACHEFAILED);
michael@0 775
michael@0 776 cleanup:
michael@0 777
michael@0 778 PKIX_RETURN(CRLSELECTOR);
michael@0 779 }
michael@0 780
michael@0 781 /*
michael@0 782 * FUNCTION: pkix_CRLSelector_Select
michael@0 783 * DESCRIPTION:
michael@0 784 *
michael@0 785 * This function applies the selector pointed to by "selector" to each CRL,
michael@0 786 * in turn, in the List pointed to by "before", and creates a List containing
michael@0 787 * all the CRLs that matched, or passed the selection process, storing that
michael@0 788 * List at "pAfter". If no CRLs match, an empty List is stored at "pAfter".
michael@0 789 *
michael@0 790 * The List returned in "pAfter" is immutable.
michael@0 791 *
michael@0 792 * PARAMETERS:
michael@0 793 * "selector"
michael@0 794 * Address of CRLSelelector to be applied to the List. Must be non-NULL.
michael@0 795 * "before"
michael@0 796 * Address of List that is to be filtered. Must be non-NULL.
michael@0 797 * "pAfter"
michael@0 798 * Address at which resulting List, possibly empty, is stored. Must be
michael@0 799 * non-NULL.
michael@0 800 * "plContext"
michael@0 801 * Platform-specific context pointer.
michael@0 802 * THREAD SAFETY:
michael@0 803 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
michael@0 804 * RETURNS:
michael@0 805 * Returns NULL if the function succeeds.
michael@0 806 * Returns a CRLSelector Error if the function fails in a non-fatal way.
michael@0 807 * Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0 808 */
michael@0 809 PKIX_Error *
michael@0 810 pkix_CRLSelector_Select(
michael@0 811 PKIX_CRLSelector *selector,
michael@0 812 PKIX_List *before,
michael@0 813 PKIX_List **pAfter,
michael@0 814 void *plContext)
michael@0 815 {
michael@0 816 PKIX_Boolean match = PKIX_FALSE;
michael@0 817 PKIX_UInt32 numBefore = 0;
michael@0 818 PKIX_UInt32 i = 0;
michael@0 819 PKIX_List *filtered = NULL;
michael@0 820 PKIX_PL_CRL *candidate = NULL;
michael@0 821
michael@0 822 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select");
michael@0 823 PKIX_NULLCHECK_THREE(selector, before, pAfter);
michael@0 824
michael@0 825 PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
michael@0 826 PKIX_LISTCREATEFAILED);
michael@0 827
michael@0 828 PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
michael@0 829 PKIX_LISTGETLENGTHFAILED);
michael@0 830
michael@0 831 for (i = 0; i < numBefore; i++) {
michael@0 832
michael@0 833 PKIX_CHECK(PKIX_List_GetItem
michael@0 834 (before, i, (PKIX_PL_Object **)&candidate, plContext),
michael@0 835 PKIX_LISTGETITEMFAILED);
michael@0 836
michael@0 837 PKIX_CHECK_ONLY_FATAL(selector->matchCallback
michael@0 838 (selector, candidate, &match, plContext),
michael@0 839 PKIX_CRLSELECTORMATCHCALLBACKFAILED);
michael@0 840
michael@0 841 if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) {
michael@0 842
michael@0 843 PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
michael@0 844 (filtered,
michael@0 845 (PKIX_PL_Object *)candidate,
michael@0 846 plContext),
michael@0 847 PKIX_LISTAPPENDITEMFAILED);
michael@0 848 }
michael@0 849
michael@0 850 pkixTempErrorReceived = PKIX_FALSE;
michael@0 851 PKIX_DECREF(candidate);
michael@0 852 }
michael@0 853
michael@0 854 PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
michael@0 855 PKIX_LISTSETIMMUTABLEFAILED);
michael@0 856
michael@0 857 /* Don't throw away the list if one CRL was bad! */
michael@0 858 pkixTempErrorReceived = PKIX_FALSE;
michael@0 859
michael@0 860 *pAfter = filtered;
michael@0 861 filtered = NULL;
michael@0 862
michael@0 863 cleanup:
michael@0 864
michael@0 865 PKIX_DECREF(filtered);
michael@0 866 PKIX_DECREF(candidate);
michael@0 867
michael@0 868 PKIX_RETURN(CRLSELECTOR);
michael@0 869
michael@0 870 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial