security/nss/lib/ssl/cmpcert.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /*
michael@0 2 * NSS utility functions
michael@0 3 *
michael@0 4 * This Source Code Form is subject to the terms of the Mozilla Public
michael@0 5 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 7
michael@0 8 #include <stdio.h>
michael@0 9 #include <string.h>
michael@0 10 #include "prerror.h"
michael@0 11 #include "secitem.h"
michael@0 12 #include "prnetdb.h"
michael@0 13 #include "cert.h"
michael@0 14 #include "nspr.h"
michael@0 15 #include "secder.h"
michael@0 16 #include "key.h"
michael@0 17 #include "nss.h"
michael@0 18
/*
 * Walk the issuer chain of "cert" (starting with cert itself) and report
 * whether any issuer's DER-encoded name appears in caNames.  Each issuer
 * name is also tried with its outer DER header stripped, because the 2.0
 * enterprise server sends CA names in that form.
 *
 * This is a name comparison only: nothing here checks signatures or
 * validity, and the next link is found purely by issuer-name lookup in
 * the certificate database.  The walk is cut off after 20 hops so a long
 * or cyclic issuer chain in the database cannot loop without bound.
 *
 * Returns SECSuccess on the first match, SECFailure when the chain is
 * exhausted, cut off, or the arguments are unusable.
 */
SECStatus
NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
{
    CERTCertificate *current;
    SECItem name;
    SECItem strippedName;
    int headerLen;
    PRUint32 bodyLen;
    int hops = 0;
    int i;

    if (cert == NULL || caNames == NULL || caNames->nnames == 0 ||
        caNames->names == NULL || caNames->names->data == NULL) {
        return SECFailure;
    }

    for (current = CERT_DupCertificate(cert); current != NULL; ) {
        name = current->derIssuer;

        /* Alternate form: the issuer name minus its outer DER header.
         * When the header cannot be decoded the alternate is an empty
         * item, and it is still compared against every CA name below. */
        if (DER_Lengths(&name, &headerLen, &bodyLen) == SECSuccess) {
            strippedName.data = name.data + headerLen;
            strippedName.len = name.len - headerLen;
        } else {
            strippedName.data = NULL;
            strippedName.len = 0;
        }

        for (i = 0; i < caNames->nnames; i++) {
            SECItem *candidate = &caNames->names[i];
            if (SECITEM_CompareItem(&name, candidate) == SECEqual ||
                SECITEM_CompareItem(&strippedName, candidate) == SECEqual) {
                CERT_DestroyCertificate(current);
                return SECSuccess;
            }
        }

        /* Stop at a self-issued certificate or once the hop limit is hit;
         * otherwise replace the current certificate with its issuer. */
        if (hops > 20 ||
            SECITEM_CompareItem(&current->derIssuer, &current->derSubject) ==
                SECEqual) {
            CERT_DestroyCertificate(current);
            current = NULL;
        } else {
            CERTCertificate *issuer =
                CERT_FindCertByName(current->dbhandle, &current->derIssuer);
            CERT_DestroyCertificate(current);
            current = issuer;
            hops++;
        }
    }

    return SECFailure;
}
michael@0 90
