1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/certdb.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,3275 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +/*
1.9 + * Certificate handling code
1.10 + */
1.11 +
1.12 +#include "nssilock.h"
1.13 +#include "prmon.h"
1.14 +#include "prtime.h"
1.15 +#include "cert.h"
1.16 +#include "certi.h"
1.17 +#include "secder.h"
1.18 +#include "secoid.h"
1.19 +#include "secasn1.h"
1.20 +#include "genname.h"
1.21 +#include "keyhi.h"
1.22 +#include "secitem.h"
1.23 +#include "certdb.h"
1.24 +#include "prprf.h"
1.25 +#include "sechash.h"
1.26 +#include "prlong.h"
1.27 +#include "certxutl.h"
1.28 +#include "portreg.h"
1.29 +#include "secerr.h"
1.30 +#include "sslerr.h"
1.31 +#include "pk11func.h"
1.32 +#include "xconst.h" /* for CERT_DecodeAltNameExtension */
1.33 +
1.34 +#include "pki.h"
1.35 +#include "pki3hack.h"
1.36 +
1.37 +SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
1.38 +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
1.39 +SEC_ASN1_MKSUB(SEC_BitStringTemplate)
1.40 +SEC_ASN1_MKSUB(SEC_IntegerTemplate)
1.41 +SEC_ASN1_MKSUB(SEC_SkipTemplate)
1.42 +
1.43 +/*
1.44 + * Certificate database handling code
1.45 + */
1.46 +
1.47 +
1.48 +const SEC_ASN1Template CERT_CertExtensionTemplate[] = {
1.49 + { SEC_ASN1_SEQUENCE,
1.50 + 0, NULL, sizeof(CERTCertExtension) },
1.51 + { SEC_ASN1_OBJECT_ID,
1.52 + offsetof(CERTCertExtension,id) },
1.53 + { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
1.54 + offsetof(CERTCertExtension,critical) },
1.55 + { SEC_ASN1_OCTET_STRING,
1.56 + offsetof(CERTCertExtension,value) },
1.57 + { 0, }
1.58 +};
1.59 +
1.60 +const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = {
1.61 + { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate }
1.62 +};
1.63 +
1.64 +const SEC_ASN1Template CERT_TimeChoiceTemplate[] = {
1.65 + { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
1.66 + { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime },
1.67 + { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime },
1.68 + { 0 }
1.69 +};
1.70 +
1.71 +const SEC_ASN1Template CERT_ValidityTemplate[] = {
1.72 + { SEC_ASN1_SEQUENCE,
1.73 + 0, NULL, sizeof(CERTValidity) },
1.74 + { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
1.75 + offsetof(CERTValidity,notBefore),
1.76 + SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 },
1.77 + { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
1.78 + offsetof(CERTValidity,notAfter),
1.79 + SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 },
1.80 + { 0 }
1.81 +};
1.82 +
1.83 +const SEC_ASN1Template CERT_CertificateTemplate[] = {
1.84 + { SEC_ASN1_SEQUENCE,
1.85 + 0, NULL, sizeof(CERTCertificate) },
1.86 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.87 + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, /* XXX DER_DEFAULT */
1.88 + offsetof(CERTCertificate,version),
1.89 + SEC_ASN1_SUB(SEC_IntegerTemplate) },
1.90 + { SEC_ASN1_INTEGER,
1.91 + offsetof(CERTCertificate,serialNumber) },
1.92 + { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
1.93 + offsetof(CERTCertificate,signature),
1.94 + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
1.95 + { SEC_ASN1_SAVE,
1.96 + offsetof(CERTCertificate,derIssuer) },
1.97 + { SEC_ASN1_INLINE,
1.98 + offsetof(CERTCertificate,issuer),
1.99 + CERT_NameTemplate },
1.100 + { SEC_ASN1_INLINE,
1.101 + offsetof(CERTCertificate,validity),
1.102 + CERT_ValidityTemplate },
1.103 + { SEC_ASN1_SAVE,
1.104 + offsetof(CERTCertificate,derSubject) },
1.105 + { SEC_ASN1_INLINE,
1.106 + offsetof(CERTCertificate,subject),
1.107 + CERT_NameTemplate },
1.108 + { SEC_ASN1_SAVE,
1.109 + offsetof(CERTCertificate,derPublicKey) },
1.110 + { SEC_ASN1_INLINE,
1.111 + offsetof(CERTCertificate,subjectPublicKeyInfo),
1.112 + CERT_SubjectPublicKeyInfoTemplate },
1.113 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
1.114 + offsetof(CERTCertificate,issuerID),
1.115 + SEC_ASN1_SUB(SEC_BitStringTemplate) },
1.116 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
1.117 + offsetof(CERTCertificate,subjectID),
1.118 + SEC_ASN1_SUB(SEC_BitStringTemplate) },
1.119 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.120 + SEC_ASN1_CONTEXT_SPECIFIC | 3,
1.121 + offsetof(CERTCertificate,extensions),
1.122 + CERT_SequenceOfCertExtensionTemplate },
1.123 + { 0 }
1.124 +};
1.125 +
1.126 +const SEC_ASN1Template SEC_SignedCertificateTemplate[] =
1.127 +{
1.128 + { SEC_ASN1_SEQUENCE,
1.129 + 0, NULL, sizeof(CERTCertificate) },
1.130 + { SEC_ASN1_SAVE,
1.131 + offsetof(CERTCertificate,signatureWrap.data) },
1.132 + { SEC_ASN1_INLINE,
1.133 + 0, CERT_CertificateTemplate },
1.134 + { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
1.135 + offsetof(CERTCertificate,signatureWrap.signatureAlgorithm),
1.136 + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
1.137 + { SEC_ASN1_BIT_STRING,
1.138 + offsetof(CERTCertificate,signatureWrap.signature) },
1.139 + { 0 }
1.140 +};
1.141 +
1.142 +/*
1.143 + * Find the subjectName in a DER encoded certificate
1.144 + */
1.145 +const SEC_ASN1Template SEC_CertSubjectTemplate[] = {
1.146 + { SEC_ASN1_SEQUENCE,
1.147 + 0, NULL, sizeof(SECItem) },
1.148 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.149 + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
1.150 + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */
1.151 + { SEC_ASN1_SKIP }, /* serial number */
1.152 + { SEC_ASN1_SKIP }, /* signature algorithm */
1.153 + { SEC_ASN1_SKIP }, /* issuer */
1.154 + { SEC_ASN1_SKIP }, /* validity */
1.155 + { SEC_ASN1_ANY, 0, NULL }, /* subject */
1.156 + { SEC_ASN1_SKIP_REST },
1.157 + { 0 }
1.158 +};
1.159 +
1.160 +/*
1.161 + * Find the issuerName in a DER encoded certificate
1.162 + */
1.163 +const SEC_ASN1Template SEC_CertIssuerTemplate[] = {
1.164 + { SEC_ASN1_SEQUENCE,
1.165 + 0, NULL, sizeof(SECItem) },
1.166 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.167 + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
1.168 + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */
1.169 + { SEC_ASN1_SKIP }, /* serial number */
1.170 + { SEC_ASN1_SKIP }, /* signature algorithm */
1.171 + { SEC_ASN1_ANY, 0, NULL }, /* issuer */
1.172 + { SEC_ASN1_SKIP_REST },
1.173 + { 0 }
1.174 +};
1.175 +/*
1.176 + * Find the subjectName in a DER encoded certificate
1.177 + */
1.178 +const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = {
1.179 + { SEC_ASN1_SEQUENCE,
1.180 + 0, NULL, sizeof(SECItem) },
1.181 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.182 + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
1.183 + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */
1.184 + { SEC_ASN1_ANY, 0, NULL }, /* serial number */
1.185 + { SEC_ASN1_SKIP_REST },
1.186 + { 0 }
1.187 +};
1.188 +
1.189 +/*
1.190 + * Find the issuer and serialNumber in a DER encoded certificate.
1.191 + * This data is used as the database lookup key since its the unique
1.192 + * identifier of a certificate.
1.193 + */
1.194 +const SEC_ASN1Template CERT_CertKeyTemplate[] = {
1.195 + { SEC_ASN1_SEQUENCE,
1.196 + 0, NULL, sizeof(CERTCertKey) },
1.197 + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
1.198 + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
1.199 + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */
1.200 + { SEC_ASN1_INTEGER,
1.201 + offsetof(CERTCertKey,serialNumber) },
1.202 + { SEC_ASN1_SKIP }, /* signature algorithm */
1.203 + { SEC_ASN1_ANY,
1.204 + offsetof(CERTCertKey,derIssuer) },
1.205 + { SEC_ASN1_SKIP_REST },
1.206 + { 0 }
1.207 +};
1.208 +
1.209 +SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate)
1.210 +SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)
1.211 +SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate)
1.212 +SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate)
1.213 +
1.214 +SECStatus
1.215 +CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, SECItem *sn,
1.216 + SECItem *key)
1.217 +{
1.218 + key->len = sn->len + issuer->len;
1.219 +
1.220 + if ((sn->data == NULL) || (issuer->data == NULL)) {
1.221 + goto loser;
1.222 + }
1.223 +
1.224 + key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
1.225 + if ( !key->data ) {
1.226 + goto loser;
1.227 + }
1.228 +
1.229 + /* copy the serialNumber */
1.230 + PORT_Memcpy(key->data, sn->data, sn->len);
1.231 +
1.232 + /* copy the issuer */
1.233 + PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
1.234 +
1.235 + return(SECSuccess);
1.236 +
1.237 +loser:
1.238 + return(SECFailure);
1.239 +}
1.240 +
1.241 +
1.242 +/*
1.243 + * Extract the subject name from a DER certificate
1.244 + */
1.245 +SECStatus
1.246 +CERT_NameFromDERCert(SECItem *derCert, SECItem *derName)
1.247 +{
1.248 + int rv;
1.249 + PLArenaPool *arena;
1.250 + CERTSignedData sd;
1.251 + void *tmpptr;
1.252 +
1.253 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.254 +
1.255 + if ( ! arena ) {
1.256 + return(SECFailure);
1.257 + }
1.258 +
1.259 + PORT_Memset(&sd, 0, sizeof(CERTSignedData));
1.260 + rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
1.261 +
1.262 + if ( rv ) {
1.263 + goto loser;
1.264 + }
1.265 +
1.266 + PORT_Memset(derName, 0, sizeof(SECItem));
1.267 + rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data);
1.268 +
1.269 + if ( rv ) {
1.270 + goto loser;
1.271 + }
1.272 +
1.273 + tmpptr = derName->data;
1.274 + derName->data = (unsigned char*)PORT_Alloc(derName->len);
1.275 + if ( derName->data == NULL ) {
1.276 + goto loser;
1.277 + }
1.278 +
1.279 + PORT_Memcpy(derName->data, tmpptr, derName->len);
1.280 +
1.281 + PORT_FreeArena(arena, PR_FALSE);
1.282 + return(SECSuccess);
1.283 +
1.284 +loser:
1.285 + PORT_FreeArena(arena, PR_FALSE);
1.286 + return(SECFailure);
1.287 +}
1.288 +
1.289 +SECStatus
1.290 +CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName)
1.291 +{
1.292 + int rv;
1.293 + PLArenaPool *arena;
1.294 + CERTSignedData sd;
1.295 + void *tmpptr;
1.296 +
1.297 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.298 +
1.299 + if ( ! arena ) {
1.300 + return(SECFailure);
1.301 + }
1.302 +
1.303 + PORT_Memset(&sd, 0, sizeof(CERTSignedData));
1.304 + rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
1.305 +
1.306 + if ( rv ) {
1.307 + goto loser;
1.308 + }
1.309 +
1.310 + PORT_Memset(derName, 0, sizeof(SECItem));
1.311 + rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data);
1.312 +
1.313 + if ( rv ) {
1.314 + goto loser;
1.315 + }
1.316 +
1.317 + tmpptr = derName->data;
1.318 + derName->data = (unsigned char*)PORT_Alloc(derName->len);
1.319 + if ( derName->data == NULL ) {
1.320 + goto loser;
1.321 + }
1.322 +
1.323 + PORT_Memcpy(derName->data, tmpptr, derName->len);
1.324 +
1.325 + PORT_FreeArena(arena, PR_FALSE);
1.326 + return(SECSuccess);
1.327 +
1.328 +loser:
1.329 + PORT_FreeArena(arena, PR_FALSE);
1.330 + return(SECFailure);
1.331 +}
1.332 +
1.333 +SECStatus
1.334 +CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName)
1.335 +{
1.336 + int rv;
1.337 + PLArenaPool *arena;
1.338 + CERTSignedData sd;
1.339 + void *tmpptr;
1.340 +
1.341 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.342 +
1.343 + if ( ! arena ) {
1.344 + return(SECFailure);
1.345 + }
1.346 +
1.347 + PORT_Memset(&sd, 0, sizeof(CERTSignedData));
1.348 + rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
1.349 +
1.350 + if ( rv ) {
1.351 + goto loser;
1.352 + }
1.353 +
1.354 + PORT_Memset(derName, 0, sizeof(SECItem));
1.355 + rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data);
1.356 +
1.357 + if ( rv ) {
1.358 + goto loser;
1.359 + }
1.360 +
1.361 + tmpptr = derName->data;
1.362 + derName->data = (unsigned char*)PORT_Alloc(derName->len);
1.363 + if ( derName->data == NULL ) {
1.364 + goto loser;
1.365 + }
1.366 +
1.367 + PORT_Memcpy(derName->data, tmpptr, derName->len);
1.368 +
1.369 + PORT_FreeArena(arena, PR_FALSE);
1.370 + return(SECSuccess);
1.371 +
1.372 +loser:
1.373 + PORT_FreeArena(arena, PR_FALSE);
1.374 + return(SECFailure);
1.375 +}
1.376 +
1.377 +/*
1.378 + * Generate a database key, based on serial number and issuer, from a
1.379 + * DER certificate.
1.380 + */
1.381 +SECStatus
1.382 +CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, SECItem *key)
1.383 +{
1.384 + int rv;
1.385 + CERTSignedData sd;
1.386 + CERTCertKey certkey;
1.387 +
1.388 + if (!reqArena) {
1.389 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.390 + return SECFailure;
1.391 + }
1.392 +
1.393 + PORT_Memset(&sd, 0, sizeof(CERTSignedData));
1.394 + rv = SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate,
1.395 + derCert);
1.396 +
1.397 + if ( rv ) {
1.398 + goto loser;
1.399 + }
1.400 +
1.401 + PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
1.402 + rv = SEC_QuickDERDecodeItem(reqArena, &certkey, CERT_CertKeyTemplate,
1.403 + &sd.data);
1.404 +
1.405 + if ( rv ) {
1.406 + goto loser;
1.407 + }
1.408 +
1.409 + return(CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer,
1.410 + &certkey.serialNumber, key));
1.411 +loser:
1.412 + return(SECFailure);
1.413 +}
1.414 +
1.415 +/*
1.416 + * fill in keyUsage field of the cert based on the cert extension
1.417 + * if the extension is not critical, then we allow all uses
1.418 + */
1.419 +static SECStatus
1.420 +GetKeyUsage(CERTCertificate *cert)
1.421 +{
1.422 + SECStatus rv;
1.423 + SECItem tmpitem;
1.424 +
1.425 + rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
1.426 + if ( rv == SECSuccess ) {
1.427 + /* remember the actual value of the extension */
1.428 + cert->rawKeyUsage = tmpitem.data[0];
1.429 + cert->keyUsagePresent = PR_TRUE;
1.430 + cert->keyUsage = tmpitem.data[0];
1.431 +
1.432 + PORT_Free(tmpitem.data);
1.433 + tmpitem.data = NULL;
1.434 +
1.435 + } else {
1.436 + /* if the extension is not present, then we allow all uses */
1.437 + cert->keyUsage = KU_ALL;
1.438 + cert->rawKeyUsage = KU_ALL;
1.439 + cert->keyUsagePresent = PR_FALSE;
1.440 + }
1.441 +
1.442 + if ( CERT_GovtApprovedBitSet(cert) ) {
1.443 + cert->keyUsage |= KU_NS_GOVT_APPROVED;
1.444 + cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
1.445 + }
1.446 +
1.447 + return(SECSuccess);
1.448 +}
1.449 +
1.450 +
1.451 +static SECStatus
1.452 +findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
1.453 +{
1.454 + SECItem **oids;
1.455 + SECItem *oid;
1.456 + SECStatus rv = SECFailure;
1.457 +
1.458 + if (seq != NULL) {
1.459 + oids = seq->oids;
1.460 + while (oids != NULL && *oids != NULL) {
1.461 + oid = *oids;
1.462 + if (SECOID_FindOIDTag(oid) == tagnum) {
1.463 + rv = SECSuccess;
1.464 + break;
1.465 + }
1.466 + oids++;
1.467 + }
1.468 + }
1.469 + return rv;
1.470 +}
1.471 +
1.472 +/*
1.473 + * fill in nsCertType field of the cert based on the cert extension
1.474 + */
1.475 +SECStatus
1.476 +cert_GetCertType(CERTCertificate *cert)
1.477 +{
1.478 + PRUint32 nsCertType;
1.479 +
1.480 + if (cert->nsCertType) {
1.481 + /* once set, no need to recalculate */
1.482 + return SECSuccess;
1.483 + }
1.484 + nsCertType = cert_ComputeCertType(cert);
1.485 +
1.486 + /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */
1.487 + PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32));
1.488 + PR_ATOMIC_SET((PRInt32 *)&cert->nsCertType, nsCertType);
1.489 + return SECSuccess;
1.490 +}
1.491 +
1.492 +PRUint32
1.493 +cert_ComputeCertType(CERTCertificate *cert)
1.494 +{
1.495 + SECStatus rv;
1.496 + SECItem tmpitem;
1.497 + SECItem encodedExtKeyUsage;
1.498 + CERTOidSequence *extKeyUsage = NULL;
1.499 + PRBool basicConstraintPresent = PR_FALSE;
1.500 + CERTBasicConstraints basicConstraint;
1.501 + PRUint32 nsCertType = 0;
1.502 +
1.503 + tmpitem.data = NULL;
1.504 + CERT_FindNSCertTypeExtension(cert, &tmpitem);
1.505 + encodedExtKeyUsage.data = NULL;
1.506 + rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
1.507 + &encodedExtKeyUsage);
1.508 + if (rv == SECSuccess) {
1.509 + extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
1.510 + }
1.511 + rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
1.512 + if (rv == SECSuccess) {
1.513 + basicConstraintPresent = PR_TRUE;
1.514 + }
1.515 + if (tmpitem.data != NULL || extKeyUsage != NULL) {
1.516 + if (tmpitem.data == NULL) {
1.517 + nsCertType = 0;
1.518 + } else {
1.519 + nsCertType = tmpitem.data[0];
1.520 + }
1.521 +
1.522 + /* free tmpitem data pointer to avoid memory leak */
1.523 + PORT_Free(tmpitem.data);
1.524 + tmpitem.data = NULL;
1.525 +
1.526 + /*
1.527 + * for this release, we will allow SSL certs with an email address
1.528 + * to be used for email
1.529 + */
1.530 + if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
1.531 + cert->emailAddr && cert->emailAddr[0]) {
1.532 + nsCertType |= NS_CERT_TYPE_EMAIL;
1.533 + }
1.534 + /*
1.535 + * for this release, we will allow SSL intermediate CAs to be
1.536 + * email intermediate CAs too.
1.537 + */
1.538 + if ( nsCertType & NS_CERT_TYPE_SSL_CA ) {
1.539 + nsCertType |= NS_CERT_TYPE_EMAIL_CA;
1.540 + }
1.541 + /*
1.542 + * allow a cert with the extended key usage of EMail Protect
1.543 + * to be used for email or as an email CA, if basic constraints
1.544 + * indicates that it is a CA.
1.545 + */
1.546 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.547 + SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
1.548 + SECSuccess) {
1.549 + if (basicConstraintPresent == PR_TRUE &&
1.550 + (basicConstraint.isCA)) {
1.551 + nsCertType |= NS_CERT_TYPE_EMAIL_CA;
1.552 + } else {
1.553 + nsCertType |= NS_CERT_TYPE_EMAIL;
1.554 + }
1.555 + }
1.556 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.557 + SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
1.558 + SECSuccess){
1.559 + if (basicConstraintPresent == PR_TRUE &&
1.560 + (basicConstraint.isCA)) {
1.561 + nsCertType |= NS_CERT_TYPE_SSL_CA;
1.562 + } else {
1.563 + nsCertType |= NS_CERT_TYPE_SSL_SERVER;
1.564 + }
1.565 + }
1.566 + /*
1.567 + * Treat certs with step-up OID as also having SSL server type.
1.568 + * COMODO needs this behaviour until June 2020. See Bug 737802.
1.569 + */
1.570 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.571 + SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
1.572 + SECSuccess){
1.573 + if (basicConstraintPresent == PR_TRUE &&
1.574 + (basicConstraint.isCA)) {
1.575 + nsCertType |= NS_CERT_TYPE_SSL_CA;
1.576 + } else {
1.577 + nsCertType |= NS_CERT_TYPE_SSL_SERVER;
1.578 + }
1.579 + }
1.580 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.581 + SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
1.582 + SECSuccess){
1.583 + if (basicConstraintPresent == PR_TRUE &&
1.584 + (basicConstraint.isCA)) {
1.585 + nsCertType |= NS_CERT_TYPE_SSL_CA;
1.586 + } else {
1.587 + nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
1.588 + }
1.589 + }
1.590 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.591 + SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
1.592 + SECSuccess) {
1.593 + if (basicConstraintPresent == PR_TRUE &&
1.594 + (basicConstraint.isCA)) {
1.595 + nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
1.596 + } else {
1.597 + nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
1.598 + }
1.599 + }
1.600 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.601 + SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
1.602 + SECSuccess) {
1.603 + nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
1.604 + }
1.605 + if (findOIDinOIDSeqByTagNum(extKeyUsage,
1.606 + SEC_OID_OCSP_RESPONDER) ==
1.607 + SECSuccess) {
1.608 + nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
1.609 + }
1.610 + } else {
1.611 + /* If no NS Cert Type extension and no EKU extension, then */
1.612 + nsCertType = 0;
1.613 + if (CERT_IsCACert(cert, &nsCertType))
1.614 + nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
1.615 + /* if the basic constraint extension says the cert is a CA, then
1.616 + allow SSL CA and EMAIL CA and Status Responder */
1.617 + if (basicConstraintPresent && basicConstraint.isCA ) {
1.618 + nsCertType |= (NS_CERT_TYPE_SSL_CA |
1.619 + NS_CERT_TYPE_EMAIL_CA |
1.620 + EXT_KEY_USAGE_STATUS_RESPONDER);
1.621 + }
1.622 + /* allow any ssl or email (no ca or object signing. */
1.623 + nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
1.624 + NS_CERT_TYPE_EMAIL;
1.625 + }
1.626 +
1.627 + if (encodedExtKeyUsage.data != NULL) {
1.628 + PORT_Free(encodedExtKeyUsage.data);
1.629 + }
1.630 + if (extKeyUsage != NULL) {
1.631 + CERT_DestroyOidSequence(extKeyUsage);
1.632 + }
1.633 + return nsCertType;
1.634 +}
1.635 +
1.636 +/*
1.637 + * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
1.638 + */
1.639 +SECStatus
1.640 +cert_GetKeyID(CERTCertificate *cert)
1.641 +{
1.642 + SECItem tmpitem;
1.643 + SECStatus rv;
1.644 +
1.645 + cert->subjectKeyID.len = 0;
1.646 +
1.647 + /* see of the cert has a key identifier extension */
1.648 + rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
1.649 + if ( rv == SECSuccess ) {
1.650 + cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
1.651 + if ( cert->subjectKeyID.data != NULL ) {
1.652 + PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
1.653 + cert->subjectKeyID.len = tmpitem.len;
1.654 + cert->keyIDGenerated = PR_FALSE;
1.655 + }
1.656 +
1.657 + PORT_Free(tmpitem.data);
1.658 + }
1.659 +
1.660 + /* if the cert doesn't have a key identifier extension, then generate one*/
1.661 + if ( cert->subjectKeyID.len == 0 ) {
1.662 + /*
1.663 + * pkix says that if the subjectKeyID is not present, then we should
1.664 + * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
1.665 + */
1.666 + cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
1.667 + if ( cert->subjectKeyID.data != NULL ) {
1.668 + rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data,
1.669 + cert->derPublicKey.data,
1.670 + cert->derPublicKey.len);
1.671 + if ( rv == SECSuccess ) {
1.672 + cert->subjectKeyID.len = SHA1_LENGTH;
1.673 + }
1.674 + }
1.675 + }
1.676 +
1.677 + if ( cert->subjectKeyID.len == 0 ) {
1.678 + return(SECFailure);
1.679 + }
1.680 + return(SECSuccess);
1.681 +
1.682 +}
1.683 +
1.684 +static PRBool
1.685 +cert_IsRootCert(CERTCertificate *cert)
1.686 +{
1.687 + SECStatus rv;
1.688 + SECItem tmpitem;
1.689 +
1.690 + /* cache the authKeyID extension, if present */
1.691 + cert->authKeyID = CERT_FindAuthKeyIDExten(cert->arena, cert);
1.692 +
1.693 + /* it MUST be self-issued to be a root */
1.694 + if (cert->derIssuer.len == 0 ||
1.695 + !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject))
1.696 + {
1.697 + return PR_FALSE;
1.698 + }
1.699 +
1.700 + /* check the authKeyID extension */
1.701 + if (cert->authKeyID) {
1.702 + /* authority key identifier is present */
1.703 + if (cert->authKeyID->keyID.len > 0) {
1.704 + /* the keyIdentifier field is set, look for subjectKeyID */
1.705 + rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
1.706 + if (rv == SECSuccess) {
1.707 + PRBool match;
1.708 + /* also present, they MUST match for it to be a root */
1.709 + match = SECITEM_ItemsAreEqual(&cert->authKeyID->keyID,
1.710 + &tmpitem);
1.711 + PORT_Free(tmpitem.data);
1.712 + if (!match) return PR_FALSE; /* else fall through */
1.713 + } else {
1.714 + /* the subject key ID is required when AKI is present */
1.715 + return PR_FALSE;
1.716 + }
1.717 + }
1.718 + if (cert->authKeyID->authCertIssuer) {
1.719 + SECItem *caName;
1.720 + caName = (SECItem *)CERT_GetGeneralNameByType(
1.721 + cert->authKeyID->authCertIssuer,
1.722 + certDirectoryName, PR_TRUE);
1.723 + if (caName) {
1.724 + if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) {
1.725 + return PR_FALSE;
1.726 + } /* else fall through */
1.727 + } /* else ??? could not get general name as directory name? */
1.728 + }
1.729 + if (cert->authKeyID->authCertSerialNumber.len > 0) {
1.730 + if (!SECITEM_ItemsAreEqual(&cert->serialNumber,
1.731 + &cert->authKeyID->authCertSerialNumber)) {
1.732 + return PR_FALSE;
1.733 + } /* else fall through */
1.734 + }
1.735 + /* all of the AKI fields that were present passed the test */
1.736 + return PR_TRUE;
1.737 + }
1.738 + /* else the AKI was not present, so this is a root */
1.739 + return PR_TRUE;
1.740 +}
1.741 +
1.742 +/*
1.743 + * take a DER certificate and decode it into a certificate structure
1.744 + */
1.745 +CERTCertificate *
1.746 +CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
1.747 + char *nickname)
1.748 +{
1.749 + CERTCertificate *cert;
1.750 + PLArenaPool *arena;
1.751 + void *data;
1.752 + int rv;
1.753 + int len;
1.754 + char *tmpname;
1.755 +
1.756 + /* make a new arena */
1.757 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.758 +
1.759 + if ( !arena ) {
1.760 + return 0;
1.761 + }
1.762 +
1.763 + /* allocate the certificate structure */
1.764 + cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
1.765 +
1.766 + if ( !cert ) {
1.767 + goto loser;
1.768 + }
1.769 +
1.770 + cert->arena = arena;
1.771 +
1.772 + if ( copyDER ) {
1.773 + /* copy the DER data for the cert into this arena */
1.774 + data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
1.775 + if ( !data ) {
1.776 + goto loser;
1.777 + }
1.778 + cert->derCert.data = (unsigned char *)data;
1.779 + cert->derCert.len = derSignedCert->len;
1.780 + PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
1.781 + } else {
1.782 + /* point to passed in DER data */
1.783 + cert->derCert = *derSignedCert;
1.784 + }
1.785 +
1.786 + /* decode the certificate info */
1.787 + rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
1.788 + &cert->derCert);
1.789 +
1.790 + if ( rv ) {
1.791 + goto loser;
1.792 + }
1.793 +
1.794 + if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) {
1.795 + cert->options.bits.hasUnsupportedCriticalExt = PR_TRUE;
1.796 + }
1.797 +
1.798 + /* generate and save the database key for the cert */
1.799 + rv = CERT_KeyFromIssuerAndSN(arena, &cert->derIssuer, &cert->serialNumber,
1.800 + &cert->certKey);
1.801 + if ( rv ) {
1.802 + goto loser;
1.803 + }
1.804 +
1.805 + /* set the nickname */
1.806 + if ( nickname == NULL ) {
1.807 + cert->nickname = NULL;
1.808 + } else {
1.809 + /* copy and install the nickname */
1.810 + len = PORT_Strlen(nickname) + 1;
1.811 + cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
1.812 + if ( cert->nickname == NULL ) {
1.813 + goto loser;
1.814 + }
1.815 +
1.816 + PORT_Memcpy(cert->nickname, nickname, len);
1.817 + }
1.818 +
1.819 + /* set the email address */
1.820 + cert->emailAddr = cert_GetCertificateEmailAddresses(cert);
1.821 +
1.822 + /* initialize the subjectKeyID */
1.823 + rv = cert_GetKeyID(cert);
1.824 + if ( rv != SECSuccess ) {
1.825 + goto loser;
1.826 + }
1.827 +
1.828 + /* initialize keyUsage */
1.829 + rv = GetKeyUsage(cert);
1.830 + if ( rv != SECSuccess ) {
1.831 + goto loser;
1.832 + }
1.833 +
1.834 + /* determine if this is a root cert */
1.835 + cert->isRoot = cert_IsRootCert(cert);
1.836 +
1.837 + /* initialize the certType */
1.838 + rv = cert_GetCertType(cert);
1.839 + if ( rv != SECSuccess ) {
1.840 + goto loser;
1.841 + }
1.842 +
1.843 + tmpname = CERT_NameToAscii(&cert->subject);
1.844 + if ( tmpname != NULL ) {
1.845 + cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
1.846 + PORT_Free(tmpname);
1.847 + }
1.848 +
1.849 + tmpname = CERT_NameToAscii(&cert->issuer);
1.850 + if ( tmpname != NULL ) {
1.851 + cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
1.852 + PORT_Free(tmpname);
1.853 + }
1.854 +
1.855 + cert->referenceCount = 1;
1.856 + cert->slot = NULL;
1.857 + cert->pkcs11ID = CK_INVALID_HANDLE;
1.858 + cert->dbnickname = NULL;
1.859 +
1.860 + return(cert);
1.861 +
1.862 +loser:
1.863 +
1.864 + if ( arena ) {
1.865 + PORT_FreeArena(arena, PR_FALSE);
1.866 + }
1.867 +
1.868 + return(0);
1.869 +}
1.870 +
1.871 +CERTCertificate *
1.872 +__CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
1.873 + char *nickname)
1.874 +{
1.875 + return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname);
1.876 +}
1.877 +
1.878 +
1.879 +CERTValidity *
1.880 +CERT_CreateValidity(PRTime notBefore, PRTime notAfter)
1.881 +{
1.882 + CERTValidity *v;
1.883 + int rv;
1.884 + PLArenaPool *arena;
1.885 +
1.886 + if (notBefore > notAfter) {
1.887 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.888 + return NULL;
1.889 + }
1.890 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.891 +
1.892 + if ( !arena ) {
1.893 + return(0);
1.894 + }
1.895 +
1.896 + v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
1.897 + if (v) {
1.898 + v->arena = arena;
1.899 + rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore);
1.900 + if (rv) goto loser;
1.901 + rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter);
1.902 + if (rv) goto loser;
1.903 + }
1.904 + return v;
1.905 +
1.906 + loser:
1.907 + CERT_DestroyValidity(v);
1.908 + return 0;
1.909 +}
1.910 +
1.911 +SECStatus
1.912 +CERT_CopyValidity(PLArenaPool *arena, CERTValidity *to, CERTValidity *from)
1.913 +{
1.914 + SECStatus rv;
1.915 +
1.916 + CERT_DestroyValidity(to);
1.917 + to->arena = arena;
1.918 +
1.919 + rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore);
1.920 + if (rv) return rv;
1.921 + rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter);
1.922 + return rv;
1.923 +}
1.924 +
1.925 +void
1.926 +CERT_DestroyValidity(CERTValidity *v)
1.927 +{
1.928 + if (v && v->arena) {
1.929 + PORT_FreeArena(v->arena, PR_FALSE);
1.930 + }
1.931 + return;
1.932 +}
1.933 +
1.934 +/*
1.935 +** Amount of time that a certifiate is allowed good before it is actually
1.936 +** good. This is used for pending certificates, ones that are about to be
1.937 +** valid. The slop is designed to allow for some variance in the clocks
1.938 +** of the machine checking the certificate.
1.939 +*/
1.940 +#define PENDING_SLOP (24L*60L*60L) /* seconds per day */
1.941 +static PRInt32 pendingSlop = PENDING_SLOP; /* seconds */
1.942 +
1.943 +PRInt32
1.944 +CERT_GetSlopTime(void)
1.945 +{
1.946 + return pendingSlop; /* seconds */
1.947 +}
1.948 +
1.949 +SECStatus
1.950 +CERT_SetSlopTime(PRInt32 slop) /* seconds */
1.951 +{
1.952 + if (slop < 0)
1.953 + return SECFailure;
1.954 + pendingSlop = slop;
1.955 + return SECSuccess;
1.956 +}
1.957 +
1.958 +SECStatus
1.959 +CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
1.960 +{
1.961 + SECStatus rv;
1.962 +
1.963 + if (!c || !notBefore || !notAfter) {
1.964 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.965 + return SECFailure;
1.966 + }
1.967 +
1.968 + /* convert DER not-before time */
1.969 + rv = DER_DecodeTimeChoice(notBefore, &c->validity.notBefore);
1.970 + if (rv) {
1.971 + return(SECFailure);
1.972 + }
1.973 +
1.974 + /* convert DER not-after time */
1.975 + rv = DER_DecodeTimeChoice(notAfter, &c->validity.notAfter);
1.976 + if (rv) {
1.977 + return(SECFailure);
1.978 + }
1.979 +
1.980 + return(SECSuccess);
1.981 +}
1.982 +
1.983 +/*
1.984 + * Check the validity times of a certificate
1.985 + */
1.986 +SECCertTimeValidity
1.987 +CERT_CheckCertValidTimes(const CERTCertificate *c, PRTime t,
1.988 + PRBool allowOverride)
1.989 +{
1.990 + PRTime notBefore, notAfter, llPendingSlop, tmp1;
1.991 + SECStatus rv;
1.992 +
1.993 + if (!c) {
1.994 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.995 + return(secCertTimeUndetermined);
1.996 + }
1.997 + /* if cert is already marked OK, then don't bother to check */
1.998 + if ( allowOverride && c->timeOK ) {
1.999 + return(secCertTimeValid);
1.1000 + }
1.1001 +
1.1002 + rv = CERT_GetCertTimes(c, ¬Before, ¬After);
1.1003 +
1.1004 + if (rv) {
1.1005 + return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
1.1006 + }
1.1007 +
1.1008 + LL_I2L(llPendingSlop, pendingSlop);
1.1009 + /* convert to micro seconds */
1.1010 + LL_UI2L(tmp1, PR_USEC_PER_SEC);
1.1011 + LL_MUL(llPendingSlop, llPendingSlop, tmp1);
1.1012 + LL_SUB(notBefore, notBefore, llPendingSlop);
1.1013 + if ( LL_CMP( t, <, notBefore ) ) {
1.1014 + PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
1.1015 + return(secCertTimeNotValidYet);
1.1016 + }
1.1017 + if ( LL_CMP( t, >, notAfter) ) {
1.1018 + PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
1.1019 + return(secCertTimeExpired);
1.1020 + }
1.1021 +
1.1022 + return(secCertTimeValid);
1.1023 +}
1.1024 +
1.1025 +SECStatus
1.1026 +SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter)
1.1027 +{
1.1028 + int rv;
1.1029 +
1.1030 + /* convert DER not-before time */
1.1031 + rv = DER_DecodeTimeChoice(notBefore, &date->lastUpdate);
1.1032 + if (rv) {
1.1033 + return(SECFailure);
1.1034 + }
1.1035 +
1.1036 + /* convert DER not-after time */
1.1037 + if (date->nextUpdate.data) {
1.1038 + rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate);
1.1039 + if (rv) {
1.1040 + return(SECFailure);
1.1041 + }
1.1042 + }
1.1043 + else {
1.1044 + LL_I2L(*notAfter, 0L);
1.1045 + }
1.1046 + return(SECSuccess);
1.1047 +}
1.1048 +
1.1049 +/* These routines should probably be combined with the cert
1.1050 + * routines using an common extraction routine.
1.1051 + */
1.1052 +SECCertTimeValidity
1.1053 +SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
1.1054 + PRTime notBefore, notAfter, llPendingSlop, tmp1;
1.1055 + SECStatus rv;
1.1056 +
1.1057 + rv = SEC_GetCrlTimes(crl, ¬Before, ¬After);
1.1058 +
1.1059 + if (rv) {
1.1060 + return(secCertTimeExpired);
1.1061 + }
1.1062 +
1.1063 + LL_I2L(llPendingSlop, pendingSlop);
1.1064 + /* convert to micro seconds */
1.1065 + LL_I2L(tmp1, PR_USEC_PER_SEC);
1.1066 + LL_MUL(llPendingSlop, llPendingSlop, tmp1);
1.1067 + LL_SUB(notBefore, notBefore, llPendingSlop);
1.1068 + if ( LL_CMP( t, <, notBefore ) ) {
1.1069 + return(secCertTimeNotValidYet);
1.1070 + }
1.1071 +
1.1072 + /* If next update is omitted and the test for notBefore passes, then
1.1073 + we assume that the crl is up to date.
1.1074 + */
1.1075 + if ( LL_IS_ZERO(notAfter) ) {
1.1076 + return(secCertTimeValid);
1.1077 + }
1.1078 +
1.1079 + if ( LL_CMP( t, >, notAfter) ) {
1.1080 + return(secCertTimeExpired);
1.1081 + }
1.1082 +
1.1083 + return(secCertTimeValid);
1.1084 +}
1.1085 +
1.1086 +PRBool
1.1087 +SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
1.1088 + PRTime newNotBefore, newNotAfter;
1.1089 + PRTime oldNotBefore, oldNotAfter;
1.1090 + SECStatus rv;
1.1091 +
1.1092 + /* problems with the new CRL? reject it */
1.1093 + rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter);
1.1094 + if (rv) return PR_FALSE;
1.1095 +
1.1096 + /* problems with the old CRL? replace it */
1.1097 + rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter);
1.1098 + if (rv) return PR_TRUE;
1.1099 +
1.1100 + /* Question: what about the notAfter's? */
1.1101 + return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore));
1.1102 +}
1.1103 +
1.1104 +/*
1.1105 + * return required key usage and cert type based on cert usage
1.1106 + */
1.1107 +SECStatus
1.1108 +CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
1.1109 + PRBool ca,
1.1110 + unsigned int *retKeyUsage,
1.1111 + unsigned int *retCertType)
1.1112 +{
1.1113 + unsigned int requiredKeyUsage = 0;
1.1114 + unsigned int requiredCertType = 0;
1.1115 +
1.1116 + if ( ca ) {
1.1117 + switch ( usage ) {
1.1118 + case certUsageSSLServerWithStepUp:
1.1119 + requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN;
1.1120 + requiredCertType = NS_CERT_TYPE_SSL_CA;
1.1121 + break;
1.1122 + case certUsageSSLClient:
1.1123 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1124 + requiredCertType = NS_CERT_TYPE_SSL_CA;
1.1125 + break;
1.1126 + case certUsageSSLServer:
1.1127 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1128 + requiredCertType = NS_CERT_TYPE_SSL_CA;
1.1129 + break;
1.1130 + case certUsageSSLCA:
1.1131 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1132 + requiredCertType = NS_CERT_TYPE_SSL_CA;
1.1133 + break;
1.1134 + case certUsageEmailSigner:
1.1135 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1136 + requiredCertType = NS_CERT_TYPE_EMAIL_CA;
1.1137 + break;
1.1138 + case certUsageEmailRecipient:
1.1139 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1140 + requiredCertType = NS_CERT_TYPE_EMAIL_CA;
1.1141 + break;
1.1142 + case certUsageObjectSigner:
1.1143 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1144 + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA;
1.1145 + break;
1.1146 + case certUsageAnyCA:
1.1147 + case certUsageVerifyCA:
1.1148 + case certUsageStatusResponder:
1.1149 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1150 + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
1.1151 + NS_CERT_TYPE_EMAIL_CA |
1.1152 + NS_CERT_TYPE_SSL_CA;
1.1153 + break;
1.1154 + default:
1.1155 + PORT_Assert(0);
1.1156 + goto loser;
1.1157 + }
1.1158 + } else {
1.1159 + switch ( usage ) {
1.1160 + case certUsageSSLClient:
1.1161 + /*
1.1162 + * RFC 5280 lists digitalSignature and keyAgreement for
1.1163 + * id-kp-clientAuth. NSS does not support the *_fixed_dh and
1.1164 + * *_fixed_ecdh client certificate types.
1.1165 + */
1.1166 + requiredKeyUsage = KU_DIGITAL_SIGNATURE;
1.1167 + requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
1.1168 + break;
1.1169 + case certUsageSSLServer:
1.1170 + requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
1.1171 + requiredCertType = NS_CERT_TYPE_SSL_SERVER;
1.1172 + break;
1.1173 + case certUsageSSLServerWithStepUp:
1.1174 + requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT |
1.1175 + KU_NS_GOVT_APPROVED;
1.1176 + requiredCertType = NS_CERT_TYPE_SSL_SERVER;
1.1177 + break;
1.1178 + case certUsageSSLCA:
1.1179 + requiredKeyUsage = KU_KEY_CERT_SIGN;
1.1180 + requiredCertType = NS_CERT_TYPE_SSL_CA;
1.1181 + break;
1.1182 + case certUsageEmailSigner:
1.1183 + requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
1.1184 + requiredCertType = NS_CERT_TYPE_EMAIL;
1.1185 + break;
1.1186 + case certUsageEmailRecipient:
1.1187 + requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
1.1188 + requiredCertType = NS_CERT_TYPE_EMAIL;
1.1189 + break;
1.1190 + case certUsageObjectSigner:
1.1191 + /* RFC 5280 lists only digitalSignature for id-kp-codeSigning. */
1.1192 + requiredKeyUsage = KU_DIGITAL_SIGNATURE;
1.1193 + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING;
1.1194 + break;
1.1195 + case certUsageStatusResponder:
1.1196 + requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
1.1197 + requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER;
1.1198 + break;
1.1199 + default:
1.1200 + PORT_Assert(0);
1.1201 + goto loser;
1.1202 + }
1.1203 + }
1.1204 +
1.1205 + if ( retKeyUsage != NULL ) {
1.1206 + *retKeyUsage = requiredKeyUsage;
1.1207 + }
1.1208 + if ( retCertType != NULL ) {
1.1209 + *retCertType = requiredCertType;
1.1210 + }
1.1211 +
1.1212 + return(SECSuccess);
1.1213 +loser:
1.1214 + return(SECFailure);
1.1215 +}
1.1216 +
1.1217 +/*
1.1218 + * check the key usage of a cert against a set of required values
1.1219 + */
1.1220 +SECStatus
1.1221 +CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
1.1222 +{
1.1223 + if (!cert) {
1.1224 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1225 + return SECFailure;
1.1226 + }
1.1227 + /* choose between key agreement or key encipherment based on key
1.1228 + * type in cert
1.1229 + */
1.1230 + if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
1.1231 + KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
1.1232 + /* turn off the special bit */
1.1233 + requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
1.1234 +
1.1235 + switch (keyType) {
1.1236 + case rsaKey:
1.1237 + requiredUsage |= KU_KEY_ENCIPHERMENT;
1.1238 + break;
1.1239 + case dsaKey:
1.1240 + requiredUsage |= KU_DIGITAL_SIGNATURE;
1.1241 + break;
1.1242 + case dhKey:
1.1243 + requiredUsage |= KU_KEY_AGREEMENT;
1.1244 + break;
1.1245 + case ecKey:
1.1246 + /* Accept either signature or agreement. */
1.1247 + if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)))
1.1248 + goto loser;
1.1249 + break;
1.1250 + default:
1.1251 + goto loser;
1.1252 + }
1.1253 + }
1.1254 +
1.1255 + /* Allow either digital signature or non-repudiation */
1.1256 + if ( requiredUsage & KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION ) {
1.1257 + /* turn off the special bit */
1.1258 + requiredUsage &= (~KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION);
1.1259 +
1.1260 + if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)))
1.1261 + goto loser;
1.1262 + }
1.1263 +
1.1264 + if ( (cert->keyUsage & requiredUsage) == requiredUsage )
1.1265 + return SECSuccess;
1.1266 +
1.1267 +loser:
1.1268 + PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
1.1269 + return SECFailure;
1.1270 +}
1.1271 +
1.1272 +
1.1273 +CERTCertificate *
1.1274 +CERT_DupCertificate(CERTCertificate *c)
1.1275 +{
1.1276 + if (c) {
1.1277 + NSSCertificate *tmp = STAN_GetNSSCertificate(c);
1.1278 + nssCertificate_AddRef(tmp);
1.1279 + }
1.1280 + return c;
1.1281 +}
1.1282 +
1.1283 +/*
1.1284 + * Allow use of default cert database, so that apps(such as mozilla) don't
1.1285 + * have to pass the handle all over the place.
1.1286 + */
1.1287 +static CERTCertDBHandle *default_cert_db_handle = 0;
1.1288 +
1.1289 +void
1.1290 +CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
1.1291 +{
1.1292 + default_cert_db_handle = handle;
1.1293 +
1.1294 + return;
1.1295 +}
1.1296 +
1.1297 +CERTCertDBHandle *
1.1298 +CERT_GetDefaultCertDB(void)
1.1299 +{
1.1300 + return(default_cert_db_handle);
1.1301 +}
1.1302 +
1.1303 +/* XXX this would probably be okay/better as an xp routine? */
1.1304 +static void
1.1305 +sec_lower_string(char *s)
1.1306 +{
1.1307 + if ( s == NULL ) {
1.1308 + return;
1.1309 + }
1.1310 +
1.1311 + while ( *s ) {
1.1312 + *s = PORT_Tolower(*s);
1.1313 + s++;
1.1314 + }
1.1315 +
1.1316 + return;
1.1317 +}
1.1318 +
1.1319 +static PRBool
1.1320 +cert_IsIPAddr(const char *hn)
1.1321 +{
1.1322 + PRBool isIPaddr = PR_FALSE;
1.1323 + PRNetAddr netAddr;
1.1324 + isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
1.1325 + return isIPaddr;
1.1326 +}
1.1327 +
1.1328 +/*
1.1329 +** Add a domain name to the list of names that the user has explicitly
1.1330 +** allowed (despite cert name mismatches) for use with a server cert.
1.1331 +*/
1.1332 +SECStatus
1.1333 +CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
1.1334 +{
1.1335 + CERTOKDomainName *domainOK;
1.1336 + int newNameLen;
1.1337 +
1.1338 + if (!hn || !(newNameLen = strlen(hn))) {
1.1339 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1340 + return SECFailure;
1.1341 + }
1.1342 + domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena,
1.1343 + (sizeof *domainOK) + newNameLen);
1.1344 + if (!domainOK)
1.1345 + return SECFailure; /* error code is already set. */
1.1346 +
1.1347 + PORT_Strcpy(domainOK->name, hn);
1.1348 + sec_lower_string(domainOK->name);
1.1349 +
1.1350 + /* put at head of list. */
1.1351 + domainOK->next = cert->domainOK;
1.1352 + cert->domainOK = domainOK;
1.1353 + return SECSuccess;
1.1354 +}
1.1355 +
1.1356 +/* returns SECSuccess if hn matches pattern cn,
1.1357 +** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
1.1358 +** returns SECFailure with some other error code if another error occurs.
1.1359 +**
1.1360 +** This function may modify string cn, so caller must pass a modifiable copy.
1.1361 +*/
1.1362 +static SECStatus
1.1363 +cert_TestHostName(char * cn, const char * hn)
1.1364 +{
1.1365 + static int useShellExp = -1;
1.1366 +
1.1367 + if (useShellExp < 0) {
1.1368 + useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME"));
1.1369 + }
1.1370 + if (useShellExp) {
1.1371 + /* Backward compatible code, uses Shell Expressions (SHEXP). */
1.1372 + int regvalid = PORT_RegExpValid(cn);
1.1373 + if (regvalid != NON_SXP) {
1.1374 + SECStatus rv;
1.1375 + /* cn is a regular expression, try to match the shexp */
1.1376 + int match = PORT_RegExpCaseSearch(hn, cn);
1.1377 +
1.1378 + if ( match == 0 ) {
1.1379 + rv = SECSuccess;
1.1380 + } else {
1.1381 + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1.1382 + rv = SECFailure;
1.1383 + }
1.1384 + return rv;
1.1385 + }
1.1386 + } else {
1.1387 + /* New approach conforms to RFC 6125. */
1.1388 + char *wildcard = PORT_Strchr(cn, '*');
1.1389 + char *firstcndot = PORT_Strchr(cn, '.');
1.1390 + char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
1.1391 + char *firsthndot = PORT_Strchr(hn, '.');
1.1392 +
1.1393 + /* For a cn pattern to be considered valid, the wildcard character...
1.1394 + * - may occur only in a DNS name with at least 3 components, and
1.1395 + * - may occur only as last character in the first component, and
1.1396 + * - may be preceded by additional characters, and
1.1397 + * - must not be preceded by an IDNA ACE prefix (xn--)
1.1398 + */
1.1399 + if (wildcard && secondcndot && secondcndot[1] && firsthndot
1.1400 + && firstcndot - wildcard == 1 /* wildcard is last char in first component */
1.1401 + && secondcndot - firstcndot > 1 /* second component is non-empty */
1.1402 + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
1.1403 + && !PORT_Strncasecmp(cn, hn, wildcard - cn)
1.1404 + && !PORT_Strcasecmp(firstcndot, firsthndot)
1.1405 + /* If hn starts with xn--, then cn must start with wildcard */
1.1406 + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
1.1407 + /* valid wildcard pattern match */
1.1408 + return SECSuccess;
1.1409 + }
1.1410 + }
1.1411 + /* String cn has no wildcard or shell expression.
1.1412 + * Compare entire string hn with cert name.
1.1413 + */
1.1414 + if (PORT_Strcasecmp(hn, cn) == 0) {
1.1415 + return SECSuccess;
1.1416 + }
1.1417 +
1.1418 + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1.1419 + return SECFailure;
1.1420 +}
1.1421 +
1.1422 +
1.1423 +SECStatus
1.1424 +cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
1.1425 +{
1.1426 + PLArenaPool * arena = NULL;
1.1427 + CERTGeneralName * nameList = NULL;
1.1428 + CERTGeneralName * current;
1.1429 + char * cn;
1.1430 + int cnBufLen;
1.1431 + unsigned int hnLen;
1.1432 + int DNSextCount = 0;
1.1433 + int IPextCount = 0;
1.1434 + PRBool isIPaddr = PR_FALSE;
1.1435 + SECStatus rv = SECFailure;
1.1436 + SECItem subAltName;
1.1437 + PRNetAddr netAddr;
1.1438 + char cnbuf[128];
1.1439 +
1.1440 + subAltName.data = NULL;
1.1441 + hnLen = strlen(hn);
1.1442 + cn = cnbuf;
1.1443 + cnBufLen = sizeof cnbuf;
1.1444 +
1.1445 + rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
1.1446 + &subAltName);
1.1447 + if (rv != SECSuccess) {
1.1448 + goto fail;
1.1449 + }
1.1450 + isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
1.1451 + rv = SECFailure;
1.1452 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.1453 + if (!arena)
1.1454 + goto fail;
1.1455 +
1.1456 + nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
1.1457 + if (!current)
1.1458 + goto fail;
1.1459 +
1.1460 + do {
1.1461 + switch (current->type) {
1.1462 + case certDNSName:
1.1463 + if (!isIPaddr) {
1.1464 + /* DNS name current->name.other.data is not null terminated.
1.1465 + ** so must copy it.
1.1466 + */
1.1467 + int cnLen = current->name.other.len;
1.1468 + rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
1.1469 + (char *)current->name.other.data,
1.1470 + cnLen);
1.1471 + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) {
1.1472 + cnBufLen = cnLen * 3 + 3; /* big enough for worst case */
1.1473 + cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
1.1474 + if (!cn)
1.1475 + goto fail;
1.1476 + rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
1.1477 + (char *)current->name.other.data,
1.1478 + cnLen);
1.1479 + }
1.1480 + if (rv == SECSuccess)
1.1481 + rv = cert_TestHostName(cn ,hn);
1.1482 + if (rv == SECSuccess)
1.1483 + goto finish;
1.1484 + }
1.1485 + DNSextCount++;
1.1486 + break;
1.1487 + case certIPAddress:
1.1488 + if (isIPaddr) {
1.1489 + int match = 0;
1.1490 + PRIPv6Addr v6Addr;
1.1491 + if (current->name.other.len == 4 && /* IP v4 address */
1.1492 + netAddr.inet.family == PR_AF_INET) {
1.1493 + match = !memcmp(&netAddr.inet.ip,
1.1494 + current->name.other.data, 4);
1.1495 + } else if (current->name.other.len == 16 && /* IP v6 address */
1.1496 + netAddr.ipv6.family == PR_AF_INET6) {
1.1497 + match = !memcmp(&netAddr.ipv6.ip,
1.1498 + current->name.other.data, 16);
1.1499 + } else if (current->name.other.len == 16 && /* IP v6 address */
1.1500 + netAddr.inet.family == PR_AF_INET) {
1.1501 + /* convert netAddr to ipv6, then compare. */
1.1502 + /* ipv4 must be in Network Byte Order on input. */
1.1503 + PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr);
1.1504 + match = !memcmp(&v6Addr, current->name.other.data, 16);
1.1505 + } else if (current->name.other.len == 4 && /* IP v4 address */
1.1506 + netAddr.inet.family == PR_AF_INET6) {
1.1507 + /* convert netAddr to ipv6, then compare. */
1.1508 + PRUint32 ipv4 = (current->name.other.data[0] << 24) |
1.1509 + (current->name.other.data[1] << 16) |
1.1510 + (current->name.other.data[2] << 8) |
1.1511 + current->name.other.data[3];
1.1512 + /* ipv4 must be in Network Byte Order on input. */
1.1513 + PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr);
1.1514 + match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16);
1.1515 + }
1.1516 + if (match) {
1.1517 + rv = SECSuccess;
1.1518 + goto finish;
1.1519 + }
1.1520 + }
1.1521 + IPextCount++;
1.1522 + break;
1.1523 + default:
1.1524 + break;
1.1525 + }
1.1526 + current = CERT_GetNextGeneralName(current);
1.1527 + } while (current != nameList);
1.1528 +
1.1529 +fail:
1.1530 +
1.1531 + if (!(isIPaddr ? IPextCount : DNSextCount)) {
1.1532 + /* no relevant value in the extension was found. */
1.1533 + PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
1.1534 + } else {
1.1535 + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1.1536 + }
1.1537 + rv = SECFailure;
1.1538 +
1.1539 +finish:
1.1540 +
1.1541 + /* Don't free nameList, it's part of the arena. */
1.1542 + if (arena) {
1.1543 + PORT_FreeArena(arena, PR_FALSE);
1.1544 + }
1.1545 +
1.1546 + if (subAltName.data) {
1.1547 + SECITEM_FreeItem(&subAltName, PR_FALSE);
1.1548 + }
1.1549 +
1.1550 + return rv;
1.1551 +}
1.1552 +
1.1553 +/*
1.1554 + * If found:
1.1555 + * - subAltName contains the extension (caller must free)
1.1556 + * - return value is the decoded namelist (allocated off arena)
1.1557 + * if not found, or if failure to decode:
1.1558 + * - return value is NULL
1.1559 + */
1.1560 +CERTGeneralName *
1.1561 +cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena)
1.1562 +{
1.1563 + CERTGeneralName * nameList = NULL;
1.1564 + SECStatus rv = SECFailure;
1.1565 + SECItem subAltName;
1.1566 +
1.1567 + if (!cert || !arena)
1.1568 + return NULL;
1.1569 +
1.1570 + subAltName.data = NULL;
1.1571 +
1.1572 + rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
1.1573 + &subAltName);
1.1574 + if (rv != SECSuccess)
1.1575 + return NULL;
1.1576 +
1.1577 + nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
1.1578 + SECITEM_FreeItem(&subAltName, PR_FALSE);
1.1579 + return nameList;
1.1580 +}
1.1581 +
1.1582 +PRUint32
1.1583 +cert_CountDNSPatterns(CERTGeneralName *firstName)
1.1584 +{
1.1585 + CERTGeneralName * current;
1.1586 + PRUint32 count = 0;
1.1587 +
1.1588 + if (!firstName)
1.1589 + return 0;
1.1590 +
1.1591 + current = firstName;
1.1592 + do {
1.1593 + switch (current->type) {
1.1594 + case certDNSName:
1.1595 + case certIPAddress:
1.1596 + ++count;
1.1597 + break;
1.1598 + default:
1.1599 + break;
1.1600 + }
1.1601 + current = CERT_GetNextGeneralName(current);
1.1602 + } while (current != firstName);
1.1603 +
1.1604 + return count;
1.1605 +}
1.1606 +
1.1607 +#ifndef INET6_ADDRSTRLEN
1.1608 +#define INET6_ADDRSTRLEN 46
1.1609 +#endif
1.1610 +
1.1611 +/* will fill nickNames,
1.1612 + * will allocate all data from nickNames->arena,
1.1613 + * numberOfGeneralNames should have been obtained from cert_CountDNSPatterns,
1.1614 + * will ensure the numberOfGeneralNames matches the number of output entries.
1.1615 + */
1.1616 +SECStatus
1.1617 +cert_GetDNSPatternsFromGeneralNames(CERTGeneralName *firstName,
1.1618 + PRUint32 numberOfGeneralNames,
1.1619 + CERTCertNicknames *nickNames)
1.1620 +{
1.1621 + CERTGeneralName *currentInput;
1.1622 + char **currentOutput;
1.1623 +
1.1624 + if (!firstName || !nickNames || !numberOfGeneralNames)
1.1625 + return SECFailure;
1.1626 +
1.1627 + nickNames->numnicknames = numberOfGeneralNames;
1.1628 + nickNames->nicknames = PORT_ArenaAlloc(nickNames->arena,
1.1629 + sizeof(char *) * numberOfGeneralNames);
1.1630 + if (!nickNames->nicknames)
1.1631 + return SECFailure;
1.1632 +
1.1633 + currentInput = firstName;
1.1634 + currentOutput = nickNames->nicknames;
1.1635 + do {
1.1636 + char *cn = NULL;
1.1637 + char ipbuf[INET6_ADDRSTRLEN];
1.1638 + PRNetAddr addr;
1.1639 +
1.1640 + if (numberOfGeneralNames < 1) {
1.1641 + /* internal consistency error */
1.1642 + return SECFailure;
1.1643 + }
1.1644 +
1.1645 + switch (currentInput->type) {
1.1646 + case certDNSName:
1.1647 + /* DNS name currentInput->name.other.data is not null terminated.
1.1648 + ** so must copy it.
1.1649 + */
1.1650 + cn = (char *)PORT_ArenaAlloc(nickNames->arena,
1.1651 + currentInput->name.other.len + 1);
1.1652 + if (!cn)
1.1653 + return SECFailure;
1.1654 + PORT_Memcpy(cn, currentInput->name.other.data,
1.1655 + currentInput->name.other.len);
1.1656 + cn[currentInput->name.other.len] = 0;
1.1657 + break;
1.1658 + case certIPAddress:
1.1659 + if (currentInput->name.other.len == 4) {
1.1660 + addr.inet.family = PR_AF_INET;
1.1661 + memcpy(&addr.inet.ip, currentInput->name.other.data,
1.1662 + currentInput->name.other.len);
1.1663 + } else if (currentInput->name.other.len == 16) {
1.1664 + addr.ipv6.family = PR_AF_INET6;
1.1665 + memcpy(&addr.ipv6.ip, currentInput->name.other.data,
1.1666 + currentInput->name.other.len);
1.1667 + }
1.1668 + if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == PR_FAILURE)
1.1669 + return SECFailure;
1.1670 + cn = PORT_ArenaStrdup(nickNames->arena, ipbuf);
1.1671 + if (!cn)
1.1672 + return SECFailure;
1.1673 + break;
1.1674 + default:
1.1675 + break;
1.1676 + }
1.1677 + if (cn) {
1.1678 + *currentOutput = cn;
1.1679 + nickNames->totallen += PORT_Strlen(cn);
1.1680 + ++currentOutput;
1.1681 + --numberOfGeneralNames;
1.1682 + }
1.1683 + currentInput = CERT_GetNextGeneralName(currentInput);
1.1684 + } while (currentInput != firstName);
1.1685 +
1.1686 + return (numberOfGeneralNames == 0) ? SECSuccess : SECFailure;
1.1687 +}
1.1688 +
1.1689 +/*
1.1690 + * Collect all valid DNS names from the given cert.
1.1691 + * The output arena will reference some temporaray data,
1.1692 + * but this saves us from dealing with two arenas.
1.1693 + * The caller may free all data by freeing CERTCertNicknames->arena.
1.1694 + */
1.1695 +CERTCertNicknames *
1.1696 +CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert)
1.1697 +{
1.1698 + CERTGeneralName *generalNames;
1.1699 + CERTCertNicknames *nickNames;
1.1700 + PLArenaPool *arena;
1.1701 + char *singleName;
1.1702 +
1.1703 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.1704 + if (!arena) {
1.1705 + return NULL;
1.1706 + }
1.1707 +
1.1708 + nickNames = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
1.1709 + if (!nickNames) {
1.1710 + PORT_FreeArena(arena, PR_FALSE);
1.1711 + return NULL;
1.1712 + }
1.1713 +
1.1714 + /* init the structure */
1.1715 + nickNames->arena = arena;
1.1716 + nickNames->head = NULL;
1.1717 + nickNames->numnicknames = 0;
1.1718 + nickNames->nicknames = NULL;
1.1719 + nickNames->totallen = 0;
1.1720 +
1.1721 + generalNames = cert_GetSubjectAltNameList(cert, arena);
1.1722 + if (generalNames) {
1.1723 + SECStatus rv_getnames = SECFailure;
1.1724 + PRUint32 numNames = cert_CountDNSPatterns(generalNames);
1.1725 +
1.1726 + if (numNames) {
1.1727 + rv_getnames = cert_GetDNSPatternsFromGeneralNames(generalNames,
1.1728 + numNames, nickNames);
1.1729 + }
1.1730 +
1.1731 + /* if there were names, we'll exit now, either with success or failure */
1.1732 + if (numNames) {
1.1733 + if (rv_getnames == SECSuccess) {
1.1734 + return nickNames;
1.1735 + }
1.1736 +
1.1737 + /* failure to produce output */
1.1738 + PORT_FreeArena(arena, PR_FALSE);
1.1739 + return NULL;
1.1740 + }
1.1741 + }
1.1742 +
1.1743 + /* no SAN extension or no names found in extension */
1.1744 + singleName = CERT_GetCommonName(&cert->subject);
1.1745 + if (singleName) {
1.1746 + nickNames->numnicknames = 1;
1.1747 + nickNames->nicknames = PORT_ArenaAlloc(arena, sizeof(char *));
1.1748 + if (nickNames->nicknames) {
1.1749 + *nickNames->nicknames = PORT_ArenaStrdup(arena, singleName);
1.1750 + }
1.1751 + PORT_Free(singleName);
1.1752 +
1.1753 + /* Did we allocate both the buffer of pointers and the string? */
1.1754 + if (nickNames->nicknames && *nickNames->nicknames) {
1.1755 + return nickNames;
1.1756 + }
1.1757 + }
1.1758 +
1.1759 + PORT_FreeArena(arena, PR_FALSE);
1.1760 + return NULL;
1.1761 +}
1.1762 +
1.1763 +/* Make sure that the name of the host we are connecting to matches the
1.1764 + * name that is incoded in the common-name component of the certificate
1.1765 + * that they are using.
1.1766 + */
1.1767 +SECStatus
1.1768 +CERT_VerifyCertName(const CERTCertificate *cert, const char *hn)
1.1769 +{
1.1770 + char * cn;
1.1771 + SECStatus rv;
1.1772 + CERTOKDomainName *domainOK;
1.1773 +
1.1774 + if (!hn || !strlen(hn)) {
1.1775 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1776 + return SECFailure;
1.1777 + }
1.1778 +
1.1779 + /* if the name is one that the user has already approved, it's OK. */
1.1780 + for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) {
1.1781 + if (0 == PORT_Strcasecmp(hn, domainOK->name)) {
1.1782 + return SECSuccess;
1.1783 + }
1.1784 + }
1.1785 +
1.1786 + /* Per RFC 2818, if the SubjectAltName extension is present, it must
1.1787 + ** be used as the cert's identity.
1.1788 + */
1.1789 + rv = cert_VerifySubjectAltName(cert, hn);
1.1790 + if (rv == SECSuccess || PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
1.1791 + return rv;
1.1792 +
1.1793 + cn = CERT_GetCommonName(&cert->subject);
1.1794 + if ( cn ) {
1.1795 + PRBool isIPaddr = cert_IsIPAddr(hn);
1.1796 + if (isIPaddr) {
1.1797 + if (PORT_Strcasecmp(hn, cn) == 0) {
1.1798 + rv = SECSuccess;
1.1799 + } else {
1.1800 + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1.1801 + rv = SECFailure;
1.1802 + }
1.1803 + } else {
1.1804 + rv = cert_TestHostName(cn, hn);
1.1805 + }
1.1806 + PORT_Free(cn);
1.1807 + } else
1.1808 + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1.1809 + return rv;
1.1810 +}
1.1811 +
1.1812 +PRBool
1.1813 +CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2)
1.1814 +{
1.1815 + SECComparison comp;
1.1816 +
1.1817 + comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
1.1818 + if ( comp == SECEqual ) { /* certs are the same */
1.1819 + return(PR_TRUE);
1.1820 + } else {
1.1821 + return(PR_FALSE);
1.1822 + }
1.1823 +}
1.1824 +
1.1825 +static SECStatus
1.1826 +StringsEqual(char *s1, char *s2) {
1.1827 + if ( ( s1 == NULL ) || ( s2 == NULL ) ) {
1.1828 + if ( s1 != s2 ) { /* only one is null */
1.1829 + return(SECFailure);
1.1830 + }
1.1831 + return(SECSuccess); /* both are null */
1.1832 + }
1.1833 +
1.1834 + if ( PORT_Strcmp( s1, s2 ) != 0 ) {
1.1835 + return(SECFailure); /* not equal */
1.1836 + }
1.1837 +
1.1838 + return(SECSuccess); /* strings are equal */
1.1839 +}
1.1840 +
1.1841 +
1.1842 +PRBool
1.1843 +CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2)
1.1844 +{
1.1845 + SECComparison comp;
1.1846 + char *c1str, *c2str;
1.1847 + SECStatus eq;
1.1848 +
1.1849 + comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
1.1850 + if ( comp == SECEqual ) { /* certs are the same */
1.1851 + return(PR_TRUE);
1.1852 + }
1.1853 +
1.1854 + /* check if they are issued by the same CA */
1.1855 + comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer);
1.1856 + if ( comp != SECEqual ) { /* different issuer */
1.1857 + return(PR_FALSE);
1.1858 + }
1.1859 +
1.1860 + /* check country name */
1.1861 + c1str = CERT_GetCountryName(&c1->subject);
1.1862 + c2str = CERT_GetCountryName(&c2->subject);
1.1863 + eq = StringsEqual(c1str, c2str);
1.1864 + PORT_Free(c1str);
1.1865 + PORT_Free(c2str);
1.1866 + if ( eq != SECSuccess ) {
1.1867 + return(PR_FALSE);
1.1868 + }
1.1869 +
1.1870 + /* check locality name */
1.1871 + c1str = CERT_GetLocalityName(&c1->subject);
1.1872 + c2str = CERT_GetLocalityName(&c2->subject);
1.1873 + eq = StringsEqual(c1str, c2str);
1.1874 + PORT_Free(c1str);
1.1875 + PORT_Free(c2str);
1.1876 + if ( eq != SECSuccess ) {
1.1877 + return(PR_FALSE);
1.1878 + }
1.1879 +
1.1880 + /* check state name */
1.1881 + c1str = CERT_GetStateName(&c1->subject);
1.1882 + c2str = CERT_GetStateName(&c2->subject);
1.1883 + eq = StringsEqual(c1str, c2str);
1.1884 + PORT_Free(c1str);
1.1885 + PORT_Free(c2str);
1.1886 + if ( eq != SECSuccess ) {
1.1887 + return(PR_FALSE);
1.1888 + }
1.1889 +
1.1890 + /* check org name */
1.1891 + c1str = CERT_GetOrgName(&c1->subject);
1.1892 + c2str = CERT_GetOrgName(&c2->subject);
1.1893 + eq = StringsEqual(c1str, c2str);
1.1894 + PORT_Free(c1str);
1.1895 + PORT_Free(c2str);
1.1896 + if ( eq != SECSuccess ) {
1.1897 + return(PR_FALSE);
1.1898 + }
1.1899 +
1.1900 +#ifdef NOTDEF
1.1901 + /* check orgUnit name */
1.1902 + /*
1.1903 + * We need to revisit this and decide which fields should be allowed to be
1.1904 + * different
1.1905 + */
1.1906 + c1str = CERT_GetOrgUnitName(&c1->subject);
1.1907 + c2str = CERT_GetOrgUnitName(&c2->subject);
1.1908 + eq = StringsEqual(c1str, c2str);
1.1909 + PORT_Free(c1str);
1.1910 + PORT_Free(c2str);
1.1911 + if ( eq != SECSuccess ) {
1.1912 + return(PR_FALSE);
1.1913 + }
1.1914 +#endif
1.1915 +
1.1916 + return(PR_TRUE); /* all fields but common name are the same */
1.1917 +}
1.1918 +
1.1919 +
1.1920 +/* CERT_CertChainFromCert and CERT_DestroyCertificateList moved
1.1921 + to certhigh.c */
1.1922 +
1.1923 +
1.1924 +CERTIssuerAndSN *
1.1925 +CERT_GetCertIssuerAndSN(PLArenaPool *arena, CERTCertificate *cert)
1.1926 +{
1.1927 + CERTIssuerAndSN *result;
1.1928 + SECStatus rv;
1.1929 +
1.1930 + if ( arena == NULL ) {
1.1931 + arena = cert->arena;
1.1932 + }
1.1933 +
1.1934 + result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result));
1.1935 + if (result == NULL) {
1.1936 + PORT_SetError (SEC_ERROR_NO_MEMORY);
1.1937 + return NULL;
1.1938 + }
1.1939 +
1.1940 + rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer);
1.1941 + if (rv != SECSuccess)
1.1942 + return NULL;
1.1943 +
1.1944 + rv = CERT_CopyName(arena, &result->issuer, &cert->issuer);
1.1945 + if (rv != SECSuccess)
1.1946 + return NULL;
1.1947 +
1.1948 + rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber);
1.1949 + if (rv != SECSuccess)
1.1950 + return NULL;
1.1951 +
1.1952 + return result;
1.1953 +}
1.1954 +
1.1955 +char *
1.1956 +CERT_MakeCANickname(CERTCertificate *cert)
1.1957 +{
1.1958 + char *firstname = NULL;
1.1959 + char *org = NULL;
1.1960 + char *nickname = NULL;
1.1961 + int count;
1.1962 + CERTCertificate *dummycert;
1.1963 +
1.1964 + firstname = CERT_GetCommonName(&cert->subject);
1.1965 + if ( firstname == NULL ) {
1.1966 + firstname = CERT_GetOrgUnitName(&cert->subject);
1.1967 + }
1.1968 +
1.1969 + org = CERT_GetOrgName(&cert->issuer);
1.1970 + if (org == NULL) {
1.1971 + org = CERT_GetDomainComponentName(&cert->issuer);
1.1972 + if (org == NULL) {
1.1973 + if (firstname) {
1.1974 + org = firstname;
1.1975 + firstname = NULL;
1.1976 + } else {
1.1977 + org = PORT_Strdup("Unknown CA");
1.1978 + }
1.1979 + }
1.1980 + }
1.1981 +
1.1982 + /* can only fail if PORT_Strdup fails, in which case
1.1983 + * we're having memory problems. */
1.1984 + if (org == NULL) {
1.1985 + goto done;
1.1986 + }
1.1987 +
1.1988 +
1.1989 + count = 1;
1.1990 + while ( 1 ) {
1.1991 +
1.1992 + if ( firstname ) {
1.1993 + if ( count == 1 ) {
1.1994 + nickname = PR_smprintf("%s - %s", firstname, org);
1.1995 + } else {
1.1996 + nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
1.1997 + }
1.1998 + } else {
1.1999 + if ( count == 1 ) {
1.2000 + nickname = PR_smprintf("%s", org);
1.2001 + } else {
1.2002 + nickname = PR_smprintf("%s #%d", org, count);
1.2003 + }
1.2004 + }
1.2005 + if ( nickname == NULL ) {
1.2006 + goto done;
1.2007 + }
1.2008 +
1.2009 + /* look up the nickname to make sure it isn't in use already */
1.2010 + dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname);
1.2011 +
1.2012 + if ( dummycert == NULL ) {
1.2013 + goto done;
1.2014 + }
1.2015 +
1.2016 + /* found a cert, destroy it and loop */
1.2017 + CERT_DestroyCertificate(dummycert);
1.2018 +
1.2019 + /* free the nickname */
1.2020 + PORT_Free(nickname);
1.2021 +
1.2022 + count++;
1.2023 + }
1.2024 +
1.2025 +done:
1.2026 + if ( firstname ) {
1.2027 + PORT_Free(firstname);
1.2028 + }
1.2029 + if ( org ) {
1.2030 + PORT_Free(org);
1.2031 + }
1.2032 +
1.2033 + return(nickname);
1.2034 +}
1.2035 +
1.2036 +/* CERT_Import_CAChain moved to certhigh.c */
1.2037 +
1.2038 +void
1.2039 +CERT_DestroyCrl (CERTSignedCrl *crl)
1.2040 +{
1.2041 + SEC_DestroyCrl (crl);
1.2042 +}
1.2043 +
1.2044 +static int
1.2045 +cert_Version(CERTCertificate *cert)
1.2046 +{
1.2047 + int version = 0;
1.2048 + if (cert && cert->version.data && cert->version.len) {
1.2049 + version = DER_GetInteger(&cert->version);
1.2050 + if (version < 0)
1.2051 + version = 0;
1.2052 + }
1.2053 + return version;
1.2054 +}
1.2055 +
1.2056 +static unsigned int
1.2057 +cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
1.2058 +{
1.2059 + CERTCertTrust trust;
1.2060 + SECStatus rv = SECFailure;
1.2061 +
1.2062 + rv = CERT_GetCertTrust(cert, &trust);
1.2063 +
1.2064 + if (rv == SECSuccess && (trust.sslFlags |
1.2065 + trust.emailFlags |
1.2066 + trust.objectSigningFlags)) {
1.2067 +
1.2068 + if (trust.sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
1.2069 + cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
1.2070 + if (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
1.2071 + cType |= NS_CERT_TYPE_SSL_CA;
1.2072 +#if defined(CERTDB_NOT_TRUSTED)
1.2073 + if (trust.sslFlags & CERTDB_NOT_TRUSTED)
1.2074 + cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
1.2075 + NS_CERT_TYPE_SSL_CA);
1.2076 +#endif
1.2077 + if (trust.emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
1.2078 + cType |= NS_CERT_TYPE_EMAIL;
1.2079 + if (trust.emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
1.2080 + cType |= NS_CERT_TYPE_EMAIL_CA;
1.2081 +#if defined(CERTDB_NOT_TRUSTED)
1.2082 + if (trust.emailFlags & CERTDB_NOT_TRUSTED)
1.2083 + cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
1.2084 +#endif
1.2085 + if (trust.objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
1.2086 + cType |= NS_CERT_TYPE_OBJECT_SIGNING;
1.2087 + if (trust.objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
1.2088 + cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
1.2089 +#if defined(CERTDB_NOT_TRUSTED)
1.2090 + if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED)
1.2091 + cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
1.2092 + NS_CERT_TYPE_OBJECT_SIGNING_CA);
1.2093 +#endif
1.2094 + }
1.2095 + return cType;
1.2096 +}
1.2097 +
1.2098 +/*
1.2099 + * Does a cert belong to a CA? We decide based on perm database trust
1.2100 + * flags, Netscape Cert Type Extension, and KeyUsage Extension.
1.2101 + */
1.2102 +PRBool
1.2103 +CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
1.2104 +{
1.2105 + unsigned int cType = cert->nsCertType;
1.2106 + PRBool ret = PR_FALSE;
1.2107 +
1.2108 + if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
1.2109 + NS_CERT_TYPE_OBJECT_SIGNING_CA)) {
1.2110 + ret = PR_TRUE;
1.2111 + } else {
1.2112 + SECStatus rv;
1.2113 + CERTBasicConstraints constraints;
1.2114 +
1.2115 + rv = CERT_FindBasicConstraintExten(cert, &constraints);
1.2116 + if (rv == SECSuccess && constraints.isCA) {
1.2117 + ret = PR_TRUE;
1.2118 + cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
1.2119 + }
1.2120 + }
1.2121 +
1.2122 + /* finally check if it's an X.509 v1 root CA */
1.2123 + if (!ret &&
1.2124 + (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) {
1.2125 + ret = PR_TRUE;
1.2126 + cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
1.2127 + }
1.2128 + /* Now apply trust overrides, if any */
1.2129 + cType = cert_ComputeTrustOverrides(cert, cType);
1.2130 + ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
1.2131 + NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE;
1.2132 +
1.2133 + if (rettype != NULL) {
1.2134 + *rettype = cType;
1.2135 + }
1.2136 + return ret;
1.2137 +}
1.2138 +
1.2139 +PRBool
1.2140 +CERT_IsCADERCert(SECItem *derCert, unsigned int *type) {
1.2141 + CERTCertificate *cert;
1.2142 + PRBool isCA;
1.2143 +
1.2144 + /* This is okay -- only looks at extensions */
1.2145 + cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
1.2146 + if (cert == NULL) return PR_FALSE;
1.2147 +
1.2148 + isCA = CERT_IsCACert(cert,type);
1.2149 + CERT_DestroyCertificate (cert);
1.2150 + return isCA;
1.2151 +}
1.2152 +
1.2153 +PRBool
1.2154 +CERT_IsRootDERCert(SECItem *derCert)
1.2155 +{
1.2156 + CERTCertificate *cert;
1.2157 + PRBool isRoot;
1.2158 +
1.2159 + /* This is okay -- only looks at extensions */
1.2160 + cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
1.2161 + if (cert == NULL) return PR_FALSE;
1.2162 +
1.2163 + isRoot = cert->isRoot;
1.2164 + CERT_DestroyCertificate (cert);
1.2165 + return isRoot;
1.2166 +}
1.2167 +
1.2168 +CERTCompareValidityStatus
1.2169 +CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b)
1.2170 +{
1.2171 + PRTime notBeforeA, notBeforeB, notAfterA, notAfterB;
1.2172 +
1.2173 + if (!val_a || !val_b)
1.2174 + {
1.2175 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.2176 + return certValidityUndetermined;
1.2177 + }
1.2178 +
1.2179 + if ( SECSuccess != DER_DecodeTimeChoice(¬BeforeA, &val_a->notBefore) ||
1.2180 + SECSuccess != DER_DecodeTimeChoice(¬BeforeB, &val_b->notBefore) ||
1.2181 + SECSuccess != DER_DecodeTimeChoice(¬AfterA, &val_a->notAfter) ||
1.2182 + SECSuccess != DER_DecodeTimeChoice(¬AfterB, &val_b->notAfter) ) {
1.2183 + return certValidityUndetermined;
1.2184 + }
1.2185 +
1.2186 + /* sanity check */
1.2187 + if (LL_CMP(notBeforeA,>,notAfterA) || LL_CMP(notBeforeB,>,notAfterB)) {
1.2188 + PORT_SetError(SEC_ERROR_INVALID_TIME);
1.2189 + return certValidityUndetermined;
1.2190 + }
1.2191 +
1.2192 + if (LL_CMP(notAfterA,!=,notAfterB)) {
1.2193 + /* one cert validity goes farther into the future, select it */
1.2194 + return LL_CMP(notAfterA,<,notAfterB) ?
1.2195 + certValidityChooseB : certValidityChooseA;
1.2196 + }
1.2197 + /* the two certs have the same expiration date */
1.2198 + PORT_Assert(LL_CMP(notAfterA, == , notAfterB));
1.2199 + /* do they also have the same start date ? */
1.2200 + if (LL_CMP(notBeforeA,==,notBeforeB)) {
1.2201 + return certValidityEqual;
1.2202 + }
1.2203 + /* choose cert with the later start date */
1.2204 + return LL_CMP(notBeforeA,<,notBeforeB) ?
1.2205 + certValidityChooseB : certValidityChooseA;
1.2206 +}
1.2207 +
1.2208 +/*
1.2209 + * is certa newer than certb? If one is expired, pick the other one.
1.2210 + */
1.2211 +PRBool
1.2212 +CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
1.2213 +{
1.2214 + PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
1.2215 + SECStatus rv;
1.2216 + PRBool newerbefore, newerafter;
1.2217 +
1.2218 + rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA);
1.2219 + if ( rv != SECSuccess ) {
1.2220 + return(PR_FALSE);
1.2221 + }
1.2222 +
1.2223 + rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB);
1.2224 + if ( rv != SECSuccess ) {
1.2225 + return(PR_TRUE);
1.2226 + }
1.2227 +
1.2228 + newerbefore = PR_FALSE;
1.2229 + if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
1.2230 + newerbefore = PR_TRUE;
1.2231 + }
1.2232 +
1.2233 + newerafter = PR_FALSE;
1.2234 + if ( LL_CMP(notAfterA, >, notAfterB) ) {
1.2235 + newerafter = PR_TRUE;
1.2236 + }
1.2237 +
1.2238 + if ( newerbefore && newerafter ) {
1.2239 + return(PR_TRUE);
1.2240 + }
1.2241 +
1.2242 + if ( ( !newerbefore ) && ( !newerafter ) ) {
1.2243 + return(PR_FALSE);
1.2244 + }
1.2245 +
1.2246 + /* get current time */
1.2247 + now = PR_Now();
1.2248 +
1.2249 + if ( newerbefore ) {
1.2250 + /* cert A was issued after cert B, but expires sooner */
1.2251 + /* if A is expired, then pick B */
1.2252 + if ( LL_CMP(notAfterA, <, now ) ) {
1.2253 + return(PR_FALSE);
1.2254 + }
1.2255 + return(PR_TRUE);
1.2256 + } else {
1.2257 + /* cert B was issued after cert A, but expires sooner */
1.2258 + /* if B is expired, then pick A */
1.2259 + if ( LL_CMP(notAfterB, <, now ) ) {
1.2260 + return(PR_TRUE);
1.2261 + }
1.2262 + return(PR_FALSE);
1.2263 + }
1.2264 +}
1.2265 +
1.2266 +void
1.2267 +CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts)
1.2268 +{
1.2269 + unsigned int i;
1.2270 +
1.2271 + if ( certs ) {
1.2272 + for ( i = 0; i < ncerts; i++ ) {
1.2273 + if ( certs[i] ) {
1.2274 + CERT_DestroyCertificate(certs[i]);
1.2275 + }
1.2276 + }
1.2277 +
1.2278 + PORT_Free(certs);
1.2279 + }
1.2280 +
1.2281 + return;
1.2282 +}
1.2283 +
1.2284 +char *
1.2285 +CERT_FixupEmailAddr(const char *emailAddr)
1.2286 +{
1.2287 + char *retaddr;
1.2288 + char *str;
1.2289 +
1.2290 + if ( emailAddr == NULL ) {
1.2291 + return(NULL);
1.2292 + }
1.2293 +
1.2294 + /* copy the string */
1.2295 + str = retaddr = PORT_Strdup(emailAddr);
1.2296 + if ( str == NULL ) {
1.2297 + return(NULL);
1.2298 + }
1.2299 +
1.2300 + /* make it lower case */
1.2301 + while ( *str ) {
1.2302 + *str = tolower( *str );
1.2303 + str++;
1.2304 + }
1.2305 +
1.2306 + return(retaddr);
1.2307 +}
1.2308 +
1.2309 +/*
1.2310 + * NOTE - don't allow encode of govt-approved or invisible bits
1.2311 + */
1.2312 +SECStatus
1.2313 +CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
1.2314 +{
1.2315 + unsigned int i;
1.2316 + unsigned int *pflags;
1.2317 +
1.2318 + if (!trust) {
1.2319 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.2320 + return SECFailure;
1.2321 + }
1.2322 + trust->sslFlags = 0;
1.2323 + trust->emailFlags = 0;
1.2324 + trust->objectSigningFlags = 0;
1.2325 + if (!trusts) {
1.2326 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.2327 + return SECFailure;
1.2328 + }
1.2329 +
1.2330 + pflags = &trust->sslFlags;
1.2331 +
1.2332 + for (i=0; i < PORT_Strlen(trusts); i++) {
1.2333 + switch (trusts[i]) {
1.2334 + case 'p':
1.2335 + *pflags = *pflags | CERTDB_TERMINAL_RECORD;
1.2336 + break;
1.2337 +
1.2338 + case 'P':
1.2339 + *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
1.2340 + break;
1.2341 +
1.2342 + case 'w':
1.2343 + *pflags = *pflags | CERTDB_SEND_WARN;
1.2344 + break;
1.2345 +
1.2346 + case 'c':
1.2347 + *pflags = *pflags | CERTDB_VALID_CA;
1.2348 + break;
1.2349 +
1.2350 + case 'T':
1.2351 + *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA;
1.2352 + break;
1.2353 +
1.2354 + case 'C' :
1.2355 + *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
1.2356 + break;
1.2357 +
1.2358 + case 'u':
1.2359 + *pflags = *pflags | CERTDB_USER;
1.2360 + break;
1.2361 +
1.2362 + case 'i':
1.2363 + *pflags = *pflags | CERTDB_INVISIBLE_CA;
1.2364 + break;
1.2365 + case 'g':
1.2366 + *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
1.2367 + break;
1.2368 +
1.2369 + case ',':
1.2370 + if ( pflags == &trust->sslFlags ) {
1.2371 + pflags = &trust->emailFlags;
1.2372 + } else {
1.2373 + pflags = &trust->objectSigningFlags;
1.2374 + }
1.2375 + break;
1.2376 + default:
1.2377 + return SECFailure;
1.2378 + }
1.2379 + }
1.2380 +
1.2381 + return SECSuccess;
1.2382 +}
1.2383 +
1.2384 +static void
1.2385 +EncodeFlags(char *trusts, unsigned int flags)
1.2386 +{
1.2387 + if (flags & CERTDB_VALID_CA)
1.2388 + if (!(flags & CERTDB_TRUSTED_CA) &&
1.2389 + !(flags & CERTDB_TRUSTED_CLIENT_CA))
1.2390 + PORT_Strcat(trusts, "c");
1.2391 + if (flags & CERTDB_TERMINAL_RECORD)
1.2392 + if (!(flags & CERTDB_TRUSTED))
1.2393 + PORT_Strcat(trusts, "p");
1.2394 + if (flags & CERTDB_TRUSTED_CA)
1.2395 + PORT_Strcat(trusts, "C");
1.2396 + if (flags & CERTDB_TRUSTED_CLIENT_CA)
1.2397 + PORT_Strcat(trusts, "T");
1.2398 + if (flags & CERTDB_TRUSTED)
1.2399 + PORT_Strcat(trusts, "P");
1.2400 + if (flags & CERTDB_USER)
1.2401 + PORT_Strcat(trusts, "u");
1.2402 + if (flags & CERTDB_SEND_WARN)
1.2403 + PORT_Strcat(trusts, "w");
1.2404 + if (flags & CERTDB_INVISIBLE_CA)
1.2405 + PORT_Strcat(trusts, "I");
1.2406 + if (flags & CERTDB_GOVT_APPROVED_CA)
1.2407 + PORT_Strcat(trusts, "G");
1.2408 + return;
1.2409 +}
1.2410 +
1.2411 +char *
1.2412 +CERT_EncodeTrustString(CERTCertTrust *trust)
1.2413 +{
1.2414 + char tmpTrustSSL[32];
1.2415 + char tmpTrustEmail[32];
1.2416 + char tmpTrustSigning[32];
1.2417 + char *retstr = NULL;
1.2418 +
1.2419 + if ( trust ) {
1.2420 + tmpTrustSSL[0] = '\0';
1.2421 + tmpTrustEmail[0] = '\0';
1.2422 + tmpTrustSigning[0] = '\0';
1.2423 +
1.2424 + EncodeFlags(tmpTrustSSL, trust->sslFlags);
1.2425 + EncodeFlags(tmpTrustEmail, trust->emailFlags);
1.2426 + EncodeFlags(tmpTrustSigning, trust->objectSigningFlags);
1.2427 +
1.2428 + retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail,
1.2429 + tmpTrustSigning);
1.2430 + }
1.2431 +
1.2432 + return(retstr);
1.2433 +}
1.2434 +
1.2435 +SECStatus
1.2436 +CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
1.2437 + unsigned int ncerts, SECItem **derCerts,
1.2438 + CERTCertificate ***retCerts, PRBool keepCerts,
1.2439 + PRBool caOnly, char *nickname)
1.2440 +{
1.2441 + unsigned int i;
1.2442 + CERTCertificate **certs = NULL;
1.2443 + SECStatus rv;
1.2444 + unsigned int fcerts = 0;
1.2445 +
1.2446 + if ( ncerts ) {
1.2447 + certs = PORT_ZNewArray(CERTCertificate*, ncerts);
1.2448 + if ( certs == NULL ) {
1.2449 + return(SECFailure);
1.2450 + }
1.2451 +
1.2452 + /* decode all of the certs into the temporary DB */
1.2453 + for ( i = 0, fcerts= 0; i < ncerts; i++) {
1.2454 + certs[fcerts] = CERT_NewTempCertificate(certdb,
1.2455 + derCerts[i],
1.2456 + NULL,
1.2457 + PR_FALSE,
1.2458 + PR_TRUE);
1.2459 + if (certs[fcerts]) {
1.2460 + SECItem subjKeyID = {siBuffer, NULL, 0};
1.2461 + if (CERT_FindSubjectKeyIDExtension(certs[fcerts],
1.2462 + &subjKeyID) == SECSuccess) {
1.2463 + if (subjKeyID.data) {
1.2464 + cert_AddSubjectKeyIDMapping(&subjKeyID, certs[fcerts]);
1.2465 + }
1.2466 + SECITEM_FreeItem(&subjKeyID, PR_FALSE);
1.2467 + }
1.2468 + fcerts++;
1.2469 + }
1.2470 + }
1.2471 +
1.2472 + if ( keepCerts ) {
1.2473 + for ( i = 0; i < fcerts; i++ ) {
1.2474 + char* canickname = NULL;
1.2475 + PRBool isCA;
1.2476 +
1.2477 + SECKEY_UpdateCertPQG(certs[i]);
1.2478 +
1.2479 + isCA = CERT_IsCACert(certs[i], NULL);
1.2480 + if ( isCA ) {
1.2481 + canickname = CERT_MakeCANickname(certs[i]);
1.2482 + }
1.2483 +
1.2484 + if(isCA && (fcerts > 1)) {
1.2485 + /* if we are importing only a single cert and specifying
1.2486 + * a nickname, we want to use that nickname if it a CA,
1.2487 + * otherwise if there are more than one cert, we don't
1.2488 + * know which cert it belongs to. But we still may try
1.2489 + * the individual canickname from the cert itself.
1.2490 + */
1.2491 + rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
1.2492 + } else {
1.2493 + rv = CERT_AddTempCertToPerm(certs[i],
1.2494 + nickname?nickname:canickname, NULL);
1.2495 + }
1.2496 +
1.2497 + PORT_Free(canickname);
1.2498 + /* don't care if it fails - keep going */
1.2499 + }
1.2500 + }
1.2501 + }
1.2502 +
1.2503 + if ( retCerts ) {
1.2504 + *retCerts = certs;
1.2505 + } else {
1.2506 + if (certs) {
1.2507 + CERT_DestroyCertArray(certs, fcerts);
1.2508 + }
1.2509 + }
1.2510 +
1.2511 + return ((fcerts || !ncerts) ? SECSuccess : SECFailure);
1.2512 +}
1.2513 +
1.2514 +/*
1.2515 + * a real list of certificates - need to convert CERTCertificateList
1.2516 + * stuff and ASN 1 encoder/decoder over to using this...
1.2517 + */
1.2518 +CERTCertList *
1.2519 +CERT_NewCertList(void)
1.2520 +{
1.2521 + PLArenaPool *arena = NULL;
1.2522 + CERTCertList *ret = NULL;
1.2523 +
1.2524 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.2525 + if ( arena == NULL ) {
1.2526 + goto loser;
1.2527 + }
1.2528 +
1.2529 + ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
1.2530 + if ( ret == NULL ) {
1.2531 + goto loser;
1.2532 + }
1.2533 +
1.2534 + ret->arena = arena;
1.2535 +
1.2536 + PR_INIT_CLIST(&ret->list);
1.2537 +
1.2538 + return(ret);
1.2539 +
1.2540 +loser:
1.2541 + if ( arena != NULL ) {
1.2542 + PORT_FreeArena(arena, PR_FALSE);
1.2543 + }
1.2544 +
1.2545 + return(NULL);
1.2546 +}
1.2547 +
1.2548 +void
1.2549 +CERT_DestroyCertList(CERTCertList *certs)
1.2550 +{
1.2551 + PRCList *node;
1.2552 +
1.2553 + while( !PR_CLIST_IS_EMPTY(&certs->list) ) {
1.2554 + node = PR_LIST_HEAD(&certs->list);
1.2555 + CERT_DestroyCertificate(((CERTCertListNode *)node)->cert);
1.2556 + PR_REMOVE_LINK(node);
1.2557 + }
1.2558 +
1.2559 + PORT_FreeArena(certs->arena, PR_FALSE);
1.2560 +
1.2561 + return;
1.2562 +}
1.2563 +
1.2564 +void
1.2565 +CERT_RemoveCertListNode(CERTCertListNode *node)
1.2566 +{
1.2567 + CERT_DestroyCertificate(node->cert);
1.2568 + PR_REMOVE_LINK(&node->links);
1.2569 + return;
1.2570 +}
1.2571 +
1.2572 +
1.2573 +SECStatus
1.2574 +CERT_AddCertToListTailWithData(CERTCertList *certs,
1.2575 + CERTCertificate *cert, void *appData)
1.2576 +{
1.2577 + CERTCertListNode *node;
1.2578 +
1.2579 + node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
1.2580 + sizeof(CERTCertListNode));
1.2581 + if ( node == NULL ) {
1.2582 + goto loser;
1.2583 + }
1.2584 +
1.2585 + PR_INSERT_BEFORE(&node->links, &certs->list);
1.2586 + /* certs->count++; */
1.2587 + node->cert = cert;
1.2588 + node->appData = appData;
1.2589 + return(SECSuccess);
1.2590 +
1.2591 +loser:
1.2592 + return(SECFailure);
1.2593 +}
1.2594 +
1.2595 +SECStatus
1.2596 +CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert)
1.2597 +{
1.2598 + return CERT_AddCertToListTailWithData(certs, cert, NULL);
1.2599 +}
1.2600 +
1.2601 +SECStatus
1.2602 +CERT_AddCertToListHeadWithData(CERTCertList *certs,
1.2603 + CERTCertificate *cert, void *appData)
1.2604 +{
1.2605 + CERTCertListNode *node;
1.2606 + CERTCertListNode *head;
1.2607 +
1.2608 + head = CERT_LIST_HEAD(certs);
1.2609 +
1.2610 + if (head == NULL) return CERT_AddCertToListTail(certs,cert);
1.2611 +
1.2612 + node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
1.2613 + sizeof(CERTCertListNode));
1.2614 + if ( node == NULL ) {
1.2615 + goto loser;
1.2616 + }
1.2617 +
1.2618 + PR_INSERT_BEFORE(&node->links, &head->links);
1.2619 + /* certs->count++; */
1.2620 + node->cert = cert;
1.2621 + node->appData = appData;
1.2622 + return(SECSuccess);
1.2623 +
1.2624 +loser:
1.2625 + return(SECFailure);
1.2626 +}
1.2627 +
1.2628 +SECStatus
1.2629 +CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert)
1.2630 +{
1.2631 + return CERT_AddCertToListHeadWithData(certs, cert, NULL);
1.2632 +}
1.2633 +
1.2634 +/*
1.2635 + * Sort callback function to determine if cert a is newer than cert b.
1.2636 + * Not valid certs are considered older than valid certs.
1.2637 + */
1.2638 +PRBool
1.2639 +CERT_SortCBValidity(CERTCertificate *certa,
1.2640 + CERTCertificate *certb,
1.2641 + void *arg)
1.2642 +{
1.2643 + PRTime sorttime;
1.2644 + PRTime notBeforeA, notAfterA, notBeforeB, notAfterB;
1.2645 + SECStatus rv;
1.2646 + PRBool newerbefore, newerafter;
1.2647 + PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE;
1.2648 +
1.2649 + sorttime = *(PRTime *)arg;
1.2650 +
1.2651 + rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA);
1.2652 + if ( rv != SECSuccess ) {
1.2653 + return(PR_FALSE);
1.2654 + }
1.2655 +
1.2656 + rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB);
1.2657 + if ( rv != SECSuccess ) {
1.2658 + return(PR_TRUE);
1.2659 + }
1.2660 + newerbefore = PR_FALSE;
1.2661 + if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
1.2662 + newerbefore = PR_TRUE;
1.2663 + }
1.2664 + newerafter = PR_FALSE;
1.2665 + if ( LL_CMP(notAfterA, >, notAfterB) ) {
1.2666 + newerafter = PR_TRUE;
1.2667 + }
1.2668 +
1.2669 + /* check if A is valid at sorttime */
1.2670 + if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE)
1.2671 + != secCertTimeValid ) {
1.2672 + aNotValid = PR_TRUE;
1.2673 + }
1.2674 +
1.2675 + /* check if B is valid at sorttime */
1.2676 + if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE)
1.2677 + != secCertTimeValid ) {
1.2678 + bNotValid = PR_TRUE;
1.2679 + }
1.2680 +
1.2681 + /* a is valid, b is not */
1.2682 + if ( bNotValid && ( ! aNotValid ) ) {
1.2683 + return(PR_TRUE);
1.2684 + }
1.2685 +
1.2686 + /* b is valid, a is not */
1.2687 + if ( aNotValid && ( ! bNotValid ) ) {
1.2688 + return(PR_FALSE);
1.2689 + }
1.2690 +
1.2691 + /* a and b are either valid or not valid */
1.2692 + if ( newerbefore && newerafter ) {
1.2693 + return(PR_TRUE);
1.2694 + }
1.2695 +
1.2696 + if ( ( !newerbefore ) && ( !newerafter ) ) {
1.2697 + return(PR_FALSE);
1.2698 + }
1.2699 +
1.2700 + if ( newerbefore ) {
1.2701 + /* cert A was issued after cert B, but expires sooner */
1.2702 + return(PR_TRUE);
1.2703 + } else {
1.2704 + /* cert B was issued after cert A, but expires sooner */
1.2705 + return(PR_FALSE);
1.2706 + }
1.2707 +}
1.2708 +
1.2709 +
1.2710 +SECStatus
1.2711 +CERT_AddCertToListSorted(CERTCertList *certs,
1.2712 + CERTCertificate *cert,
1.2713 + CERTSortCallback f,
1.2714 + void *arg)
1.2715 +{
1.2716 + CERTCertListNode *node;
1.2717 + CERTCertListNode *head;
1.2718 + PRBool ret;
1.2719 +
1.2720 + node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
1.2721 + sizeof(CERTCertListNode));
1.2722 + if ( node == NULL ) {
1.2723 + goto loser;
1.2724 + }
1.2725 +
1.2726 + head = CERT_LIST_HEAD(certs);
1.2727 +
1.2728 + while ( !CERT_LIST_END(head, certs) ) {
1.2729 +
1.2730 + /* if cert is already in the list, then don't add it again */
1.2731 + if ( cert == head->cert ) {
1.2732 + /*XXX*/
1.2733 + /* don't keep a reference */
1.2734 + CERT_DestroyCertificate(cert);
1.2735 + goto done;
1.2736 + }
1.2737 +
1.2738 + ret = (* f)(cert, head->cert, arg);
1.2739 + /* if sort function succeeds, then insert before current node */
1.2740 + if ( ret ) {
1.2741 + PR_INSERT_BEFORE(&node->links, &head->links);
1.2742 + goto done;
1.2743 + }
1.2744 +
1.2745 + head = CERT_LIST_NEXT(head);
1.2746 + }
1.2747 + /* if we get to the end, then just insert it at the tail */
1.2748 + PR_INSERT_BEFORE(&node->links, &certs->list);
1.2749 +
1.2750 +done:
1.2751 + /* certs->count++; */
1.2752 + node->cert = cert;
1.2753 + return(SECSuccess);
1.2754 +
1.2755 +loser:
1.2756 + return(SECFailure);
1.2757 +}
1.2758 +
1.2759 +/* This routine is here because pcertdb.c still has a call to it.
1.2760 + * The SMIME profile code in pcertdb.c should be split into high (find
1.2761 + * the email cert) and low (store the profile) code. At that point, we
1.2762 + * can move this to certhigh.c where it belongs.
1.2763 + *
1.2764 + * remove certs from a list that don't have keyUsage and certType
1.2765 + * that match the given usage.
1.2766 + */
1.2767 +SECStatus
1.2768 +CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
1.2769 + PRBool ca)
1.2770 +{
1.2771 + unsigned int requiredKeyUsage;
1.2772 + unsigned int requiredCertType;
1.2773 + CERTCertListNode *node, *savenode;
1.2774 + SECStatus rv;
1.2775 +
1.2776 + if (certList == NULL) goto loser;
1.2777 +
1.2778 + rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage,
1.2779 + &requiredCertType);
1.2780 + if ( rv != SECSuccess ) {
1.2781 + goto loser;
1.2782 + }
1.2783 +
1.2784 + node = CERT_LIST_HEAD(certList);
1.2785 +
1.2786 + while ( !CERT_LIST_END(node, certList) ) {
1.2787 +
1.2788 + PRBool bad = (PRBool)(!node->cert);
1.2789 +
1.2790 + /* bad key usage ? */
1.2791 + if ( !bad &&
1.2792 + CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess ) {
1.2793 + bad = PR_TRUE;
1.2794 + }
1.2795 + /* bad cert type ? */
1.2796 + if ( !bad ) {
1.2797 + unsigned int certType = 0;
1.2798 + if ( ca ) {
1.2799 + /* This function returns a more comprehensive cert type that
1.2800 + * takes trust flags into consideration. Should probably
1.2801 + * fix the cert decoding code to do this.
1.2802 + */
1.2803 + (void)CERT_IsCACert(node->cert, &certType);
1.2804 + } else {
1.2805 + certType = node->cert->nsCertType;
1.2806 + }
1.2807 + if ( !( certType & requiredCertType ) ) {
1.2808 + bad = PR_TRUE;
1.2809 + }
1.2810 + }
1.2811 +
1.2812 + if ( bad ) {
1.2813 + /* remove the node if it is bad */
1.2814 + savenode = CERT_LIST_NEXT(node);
1.2815 + CERT_RemoveCertListNode(node);
1.2816 + node = savenode;
1.2817 + } else {
1.2818 + node = CERT_LIST_NEXT(node);
1.2819 + }
1.2820 + }
1.2821 + return(SECSuccess);
1.2822 +
1.2823 +loser:
1.2824 + return(SECFailure);
1.2825 +}
1.2826 +
1.2827 +PRBool CERT_IsUserCert(CERTCertificate* cert)
1.2828 +{
1.2829 + CERTCertTrust trust;
1.2830 + SECStatus rv = SECFailure;
1.2831 +
1.2832 + rv = CERT_GetCertTrust(cert, &trust);
1.2833 + if (rv == SECSuccess &&
1.2834 + ((trust.sslFlags & CERTDB_USER ) ||
1.2835 + (trust.emailFlags & CERTDB_USER ) ||
1.2836 + (trust.objectSigningFlags & CERTDB_USER )) ) {
1.2837 + return PR_TRUE;
1.2838 + } else {
1.2839 + return PR_FALSE;
1.2840 + }
1.2841 +}
1.2842 +
1.2843 +SECStatus
1.2844 +CERT_FilterCertListForUserCerts(CERTCertList *certList)
1.2845 +{
1.2846 + CERTCertListNode *node, *freenode;
1.2847 + CERTCertificate *cert;
1.2848 +
1.2849 + if (!certList) {
1.2850 + return SECFailure;
1.2851 + }
1.2852 +
1.2853 + node = CERT_LIST_HEAD(certList);
1.2854 +
1.2855 + while ( ! CERT_LIST_END(node, certList) ) {
1.2856 + cert = node->cert;
1.2857 + if ( PR_TRUE != CERT_IsUserCert(cert) ) {
1.2858 + /* Not a User Cert, so remove this cert from the list */
1.2859 + freenode = node;
1.2860 + node = CERT_LIST_NEXT(node);
1.2861 + CERT_RemoveCertListNode(freenode);
1.2862 + } else {
1.2863 + /* Is a User cert, so leave it in the list */
1.2864 + node = CERT_LIST_NEXT(node);
1.2865 + }
1.2866 + }
1.2867 +
1.2868 + return(SECSuccess);
1.2869 +}
1.2870 +
1.2871 +static PZLock *certRefCountLock = NULL;
1.2872 +
1.2873 +/*
1.2874 + * Acquire the cert reference count lock
1.2875 + * There is currently one global lock for all certs, but I'm putting a cert
1.2876 + * arg here so that it will be easy to make it per-cert in the future if
1.2877 + * that turns out to be necessary.
1.2878 + */
1.2879 +void
1.2880 +CERT_LockCertRefCount(CERTCertificate *cert)
1.2881 +{
1.2882 + PORT_Assert(certRefCountLock != NULL);
1.2883 + PZ_Lock(certRefCountLock);
1.2884 + return;
1.2885 +}
1.2886 +
1.2887 +/*
1.2888 + * Free the cert reference count lock
1.2889 + */
1.2890 +void
1.2891 +CERT_UnlockCertRefCount(CERTCertificate *cert)
1.2892 +{
1.2893 + PRStatus prstat;
1.2894 +
1.2895 + PORT_Assert(certRefCountLock != NULL);
1.2896 +
1.2897 + prstat = PZ_Unlock(certRefCountLock);
1.2898 +
1.2899 + PORT_Assert(prstat == PR_SUCCESS);
1.2900 +
1.2901 + return;
1.2902 +}
1.2903 +
1.2904 +static PZLock *certTrustLock = NULL;
1.2905 +
1.2906 +/*
1.2907 + * Acquire the cert trust lock
1.2908 + * There is currently one global lock for all certs, but I'm putting a cert
1.2909 + * arg here so that it will be easy to make it per-cert in the future if
1.2910 + * that turns out to be necessary.
1.2911 + */
1.2912 +void
1.2913 +CERT_LockCertTrust(const CERTCertificate *cert)
1.2914 +{
1.2915 + PORT_Assert(certTrustLock != NULL);
1.2916 + PZ_Lock(certTrustLock);
1.2917 + return;
1.2918 +}
1.2919 +
1.2920 +SECStatus
1.2921 +cert_InitLocks(void)
1.2922 +{
1.2923 + if ( certRefCountLock == NULL ) {
1.2924 + certRefCountLock = PZ_NewLock(nssILockRefLock);
1.2925 + PORT_Assert(certRefCountLock != NULL);
1.2926 + if (!certRefCountLock) {
1.2927 + return SECFailure;
1.2928 + }
1.2929 + }
1.2930 +
1.2931 + if ( certTrustLock == NULL ) {
1.2932 + certTrustLock = PZ_NewLock(nssILockCertDB);
1.2933 + PORT_Assert(certTrustLock != NULL);
1.2934 + if (!certTrustLock) {
1.2935 + PZ_DestroyLock(certRefCountLock);
1.2936 + certRefCountLock = NULL;
1.2937 + return SECFailure;
1.2938 + }
1.2939 + }
1.2940 +
1.2941 + return SECSuccess;
1.2942 +}
1.2943 +
1.2944 +SECStatus
1.2945 +cert_DestroyLocks(void)
1.2946 +{
1.2947 + SECStatus rv = SECSuccess;
1.2948 +
1.2949 + PORT_Assert(certRefCountLock != NULL);
1.2950 + if (certRefCountLock) {
1.2951 + PZ_DestroyLock(certRefCountLock);
1.2952 + certRefCountLock = NULL;
1.2953 + } else {
1.2954 + rv = SECFailure;
1.2955 + }
1.2956 +
1.2957 + PORT_Assert(certTrustLock != NULL);
1.2958 + if (certTrustLock) {
1.2959 + PZ_DestroyLock(certTrustLock);
1.2960 + certTrustLock = NULL;
1.2961 + } else {
1.2962 + rv = SECFailure;
1.2963 + }
1.2964 + return rv;
1.2965 +}
1.2966 +
1.2967 +/*
1.2968 + * Free the cert trust lock
1.2969 + */
1.2970 +void
1.2971 +CERT_UnlockCertTrust(const CERTCertificate *cert)
1.2972 +{
1.2973 + PRStatus prstat;
1.2974 +
1.2975 + PORT_Assert(certTrustLock != NULL);
1.2976 +
1.2977 + prstat = PZ_Unlock(certTrustLock);
1.2978 +
1.2979 + PORT_Assert(prstat == PR_SUCCESS);
1.2980 +
1.2981 + return;
1.2982 +}
1.2983 +
1.2984 +
1.2985 +/*
1.2986 + * Get the StatusConfig data for this handle
1.2987 + */
1.2988 +CERTStatusConfig *
1.2989 +CERT_GetStatusConfig(CERTCertDBHandle *handle)
1.2990 +{
1.2991 + return handle->statusConfig;
1.2992 +}
1.2993 +
1.2994 +/*
1.2995 + * Set the StatusConfig data for this handle. There
1.2996 + * should not be another configuration set.
1.2997 + */
1.2998 +void
1.2999 +CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
1.3000 +{
1.3001 + PORT_Assert(handle->statusConfig == NULL);
1.3002 + handle->statusConfig = statusConfig;
1.3003 +}
1.3004 +
1.3005 +/*
1.3006 + * Code for dealing with subjKeyID to cert mappings.
1.3007 + */
1.3008 +
1.3009 +static PLHashTable *gSubjKeyIDHash = NULL;
1.3010 +static PRLock *gSubjKeyIDLock = NULL;
1.3011 +static PLHashTable *gSubjKeyIDSlotCheckHash = NULL;
1.3012 +static PRLock *gSubjKeyIDSlotCheckLock = NULL;
1.3013 +
1.3014 +static void *cert_AllocTable(void *pool, PRSize size)
1.3015 +{
1.3016 + return PORT_Alloc(size);
1.3017 +}
1.3018 +
1.3019 +static void cert_FreeTable(void *pool, void *item)
1.3020 +{
1.3021 + PORT_Free(item);
1.3022 +}
1.3023 +
1.3024 +static PLHashEntry* cert_AllocEntry(void *pool, const void *key)
1.3025 +{
1.3026 + return PORT_New(PLHashEntry);
1.3027 +}
1.3028 +
1.3029 +static void cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
1.3030 +{
1.3031 + SECITEM_FreeItem((SECItem*)(he->value), PR_TRUE);
1.3032 + if (flag == HT_FREE_ENTRY) {
1.3033 + SECITEM_FreeItem((SECItem*)(he->key), PR_TRUE);
1.3034 + PORT_Free(he);
1.3035 + }
1.3036 +}
1.3037 +
1.3038 +static PLHashAllocOps cert_AllocOps = {
1.3039 + cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
1.3040 +};
1.3041 +
1.3042 +SECStatus
1.3043 +cert_CreateSubjectKeyIDSlotCheckHash(void)
1.3044 +{
1.3045 + /*
1.3046 + * This hash is used to remember the series of a slot
1.3047 + * when we last checked for user certs
1.3048 + */
1.3049 + gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash,
1.3050 + SECITEM_HashCompare,
1.3051 + SECITEM_HashCompare,
1.3052 + &cert_AllocOps, NULL);
1.3053 + if (!gSubjKeyIDSlotCheckHash) {
1.3054 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3055 + return SECFailure;
1.3056 + }
1.3057 + gSubjKeyIDSlotCheckLock = PR_NewLock();
1.3058 + if (!gSubjKeyIDSlotCheckLock) {
1.3059 + PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
1.3060 + gSubjKeyIDSlotCheckHash = NULL;
1.3061 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3062 + return SECFailure;
1.3063 + }
1.3064 + return SECSuccess;
1.3065 +}
1.3066 +
1.3067 +SECStatus
1.3068 +cert_CreateSubjectKeyIDHashTable(void)
1.3069 +{
1.3070 + gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
1.3071 + SECITEM_HashCompare,
1.3072 + &cert_AllocOps, NULL);
1.3073 + if (!gSubjKeyIDHash) {
1.3074 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3075 + return SECFailure;
1.3076 + }
1.3077 + gSubjKeyIDLock = PR_NewLock();
1.3078 + if (!gSubjKeyIDLock) {
1.3079 + PL_HashTableDestroy(gSubjKeyIDHash);
1.3080 + gSubjKeyIDHash = NULL;
1.3081 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3082 + return SECFailure;
1.3083 + }
1.3084 + /* initialize the companion hash (for remembering slot series) */
1.3085 + if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) {
1.3086 + cert_DestroySubjectKeyIDHashTable();
1.3087 + return SECFailure;
1.3088 + }
1.3089 + return SECSuccess;
1.3090 +}
1.3091 +
1.3092 +SECStatus
1.3093 +cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert)
1.3094 +{
1.3095 + SECItem *newKeyID, *oldVal, *newVal;
1.3096 + SECStatus rv = SECFailure;
1.3097 +
1.3098 + if (!gSubjKeyIDLock) {
1.3099 + /* If one is created, then both are there. So only check for one. */
1.3100 + return SECFailure;
1.3101 + }
1.3102 +
1.3103 + newVal = SECITEM_DupItem(&cert->derCert);
1.3104 + if (!newVal) {
1.3105 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3106 + goto done;
1.3107 + }
1.3108 + newKeyID = SECITEM_DupItem(subjKeyID);
1.3109 + if (!newKeyID) {
1.3110 + SECITEM_FreeItem(newVal, PR_TRUE);
1.3111 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3112 + goto done;
1.3113 + }
1.3114 +
1.3115 + PR_Lock(gSubjKeyIDLock);
1.3116 + /* The hash table implementation does not free up the memory
1.3117 + * associated with the key of an already existing entry if we add a
1.3118 + * duplicate, so we would wind up leaking the previously allocated
1.3119 + * key if we don't remove before adding.
1.3120 + */
1.3121 + oldVal = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
1.3122 + if (oldVal) {
1.3123 + PL_HashTableRemove(gSubjKeyIDHash, subjKeyID);
1.3124 + }
1.3125 +
1.3126 + rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess :
1.3127 + SECFailure;
1.3128 + PR_Unlock(gSubjKeyIDLock);
1.3129 +done:
1.3130 + return rv;
1.3131 +}
1.3132 +
1.3133 +SECStatus
1.3134 +cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID)
1.3135 +{
1.3136 + SECStatus rv;
1.3137 + if (!gSubjKeyIDLock)
1.3138 + return SECFailure;
1.3139 +
1.3140 + PR_Lock(gSubjKeyIDLock);
1.3141 + rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess :
1.3142 + SECFailure;
1.3143 + PR_Unlock(gSubjKeyIDLock);
1.3144 + return rv;
1.3145 +}
1.3146 +
1.3147 +SECStatus
1.3148 +cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series)
1.3149 +{
1.3150 + SECItem *oldSeries, *newSlotid, *newSeries;
1.3151 + SECStatus rv = SECFailure;
1.3152 +
1.3153 + if (!gSubjKeyIDSlotCheckLock) {
1.3154 + return rv;
1.3155 + }
1.3156 +
1.3157 + newSlotid = SECITEM_DupItem(slotid);
1.3158 + newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int));
1.3159 + if (!newSlotid || !newSeries ) {
1.3160 + PORT_SetError(SEC_ERROR_NO_MEMORY);
1.3161 + goto loser;
1.3162 + }
1.3163 + PORT_Memcpy(newSeries->data, &series, sizeof(int));
1.3164 +
1.3165 + PR_Lock(gSubjKeyIDSlotCheckLock);
1.3166 + oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
1.3167 + if (oldSeries) {
1.3168 + /*
1.3169 + * make sure we don't leak the key of an existing entry
1.3170 + * (similar to cert_AddSubjectKeyIDMapping, see comment there)
1.3171 + */
1.3172 + PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid);
1.3173 + }
1.3174 + rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ?
1.3175 + SECSuccess : SECFailure;
1.3176 + PR_Unlock(gSubjKeyIDSlotCheckLock);
1.3177 + if (rv == SECSuccess) {
1.3178 + return rv;
1.3179 + }
1.3180 +
1.3181 +loser:
1.3182 + if (newSlotid) {
1.3183 + SECITEM_FreeItem(newSlotid, PR_TRUE);
1.3184 + }
1.3185 + if (newSeries) {
1.3186 + SECITEM_FreeItem(newSeries, PR_TRUE);
1.3187 + }
1.3188 + return rv;
1.3189 +}
1.3190 +
1.3191 +int
1.3192 +cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid)
1.3193 +{
1.3194 + SECItem *seriesItem = NULL;
1.3195 + int series;
1.3196 +
1.3197 + if (!gSubjKeyIDSlotCheckLock) {
1.3198 + PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1.3199 + return -1;
1.3200 + }
1.3201 +
1.3202 + PR_Lock(gSubjKeyIDSlotCheckLock);
1.3203 + seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
1.3204 + PR_Unlock(gSubjKeyIDSlotCheckLock);
1.3205 + /* getting a null series just means we haven't registered one yet,
1.3206 + * just return 0 */
1.3207 + if (seriesItem == NULL) {
1.3208 + return 0;
1.3209 + }
1.3210 + /* if we got a series back, assert if it's not the proper length. */
1.3211 + PORT_Assert(seriesItem->len == sizeof(int));
1.3212 + if (seriesItem->len != sizeof(int)) {
1.3213 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1.3214 + return -1;
1.3215 + }
1.3216 + PORT_Memcpy(&series, seriesItem->data, sizeof(int));
1.3217 + return series;
1.3218 +}
1.3219 +
1.3220 +SECStatus
1.3221 +cert_DestroySubjectKeyIDSlotCheckHash(void)
1.3222 +{
1.3223 + if (gSubjKeyIDSlotCheckHash) {
1.3224 + PR_Lock(gSubjKeyIDSlotCheckLock);
1.3225 + PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
1.3226 + gSubjKeyIDSlotCheckHash = NULL;
1.3227 + PR_Unlock(gSubjKeyIDSlotCheckLock);
1.3228 + PR_DestroyLock(gSubjKeyIDSlotCheckLock);
1.3229 + gSubjKeyIDSlotCheckLock = NULL;
1.3230 + }
1.3231 + return SECSuccess;
1.3232 +}
1.3233 +
1.3234 +SECStatus
1.3235 +cert_DestroySubjectKeyIDHashTable(void)
1.3236 +{
1.3237 + if (gSubjKeyIDHash) {
1.3238 + PR_Lock(gSubjKeyIDLock);
1.3239 + PL_HashTableDestroy(gSubjKeyIDHash);
1.3240 + gSubjKeyIDHash = NULL;
1.3241 + PR_Unlock(gSubjKeyIDLock);
1.3242 + PR_DestroyLock(gSubjKeyIDLock);
1.3243 + gSubjKeyIDLock = NULL;
1.3244 + }
1.3245 + cert_DestroySubjectKeyIDSlotCheckHash();
1.3246 + return SECSuccess;
1.3247 +}
1.3248 +
1.3249 +SECItem*
1.3250 +cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID)
1.3251 +{
1.3252 + SECItem *val;
1.3253 +
1.3254 + if (!gSubjKeyIDLock)
1.3255 + return NULL;
1.3256 +
1.3257 + PR_Lock(gSubjKeyIDLock);
1.3258 + val = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
1.3259 + if (val) {
1.3260 + val = SECITEM_DupItem(val);
1.3261 + }
1.3262 + PR_Unlock(gSubjKeyIDLock);
1.3263 + return val;
1.3264 +}
1.3265 +
1.3266 +CERTCertificate*
1.3267 +CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, SECItem *subjKeyID)
1.3268 +{
1.3269 + CERTCertificate *cert = NULL;
1.3270 + SECItem *derCert;
1.3271 +
1.3272 + derCert = cert_FindDERCertBySubjectKeyID(subjKeyID);
1.3273 + if (derCert) {
1.3274 + cert = CERT_FindCertByDERCert(handle, derCert);
1.3275 + SECITEM_FreeItem(derCert, PR_TRUE);
1.3276 + }
1.3277 + return cert;
1.3278 +}
