1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/genname.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1970 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "plarena.h"
1.9 +#include "seccomon.h"
1.10 +#include "secitem.h"
1.11 +#include "secoidt.h"
1.12 +#include "secasn1.h"
1.13 +#include "secder.h"
1.14 +#include "certt.h"
1.15 +#include "cert.h"
1.16 +#include "certi.h"
1.17 +#include "xconst.h"
1.18 +#include "secerr.h"
1.19 +#include "secoid.h"
1.20 +#include "prprf.h"
1.21 +#include "genname.h"
1.22 +
1.23 +SEC_ASN1_MKSUB(SEC_AnyTemplate)
1.24 +SEC_ASN1_MKSUB(SEC_IntegerTemplate)
1.25 +SEC_ASN1_MKSUB(SEC_IA5StringTemplate)
1.26 +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
1.27 +SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
1.28 +
1.29 +static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
1.30 + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
1.31 + { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
1.32 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
1.33 + offsetof(CERTNameConstraint, min),
1.34 + SEC_ASN1_SUB(SEC_IntegerTemplate) },
1.35 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
1.36 + offsetof(CERTNameConstraint, max),
1.37 + SEC_ASN1_SUB(SEC_IntegerTemplate) },
1.38 + { 0, }
1.39 +};
1.40 +
1.41 +const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
1.42 + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
1.43 +};
1.44 +
1.45 +static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
1.46 + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
1.47 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
1.48 + offsetof(CERTNameConstraints, DERPermited),
1.49 + CERT_NameConstraintSubtreeSubTemplate},
1.50 + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
1.51 + offsetof(CERTNameConstraints, DERExcluded),
1.52 + CERT_NameConstraintSubtreeSubTemplate},
1.53 + { 0, }
1.54 +};
1.55 +
1.56 +
1.57 +static const SEC_ASN1Template CERTOthNameTemplate[] = {
1.58 + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
1.59 + { SEC_ASN1_OBJECT_ID,
1.60 + offsetof(OtherName, oid) },
1.61 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
1.62 + SEC_ASN1_XTRN | 0, offsetof(OtherName, name),
1.63 + SEC_ASN1_SUB(SEC_AnyTemplate) },
1.64 + { 0, }
1.65 +};
1.66 +
1.67 +static const SEC_ASN1Template CERTOtherNameTemplate[] = {
1.68 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 ,
1.69 + offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate,
1.70 + sizeof(CERTGeneralName) }
1.71 +};
1.72 +
1.73 +static const SEC_ASN1Template CERTOtherName2Template[] = {
1.74 + { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
1.75 + 0, NULL, sizeof(CERTGeneralName) },
1.76 + { SEC_ASN1_OBJECT_ID,
1.77 + offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
1.78 + { SEC_ASN1_ANY,
1.79 + offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
1.80 + { 0, }
1.81 +};
1.82 +
1.83 +static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
1.84 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
1.85 + offsetof(CERTGeneralName, name.other),
1.86 + SEC_ASN1_SUB(SEC_IA5StringTemplate),
1.87 + sizeof (CERTGeneralName)}
1.88 +};
1.89 +
1.90 +static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
1.91 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 ,
1.92 + offsetof(CERTGeneralName, name.other),
1.93 + SEC_ASN1_SUB(SEC_IA5StringTemplate),
1.94 + sizeof (CERTGeneralName)}
1.95 +};
1.96 +
1.97 +static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
1.98 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 3,
1.99 + offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
1.100 + sizeof (CERTGeneralName)}
1.101 +};
1.102 +
1.103 +static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
1.104 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
1.105 + SEC_ASN1_XTRN | 4, offsetof(CERTGeneralName, derDirectoryName),
1.106 + SEC_ASN1_SUB(SEC_AnyTemplate), sizeof (CERTGeneralName)}
1.107 +};
1.108 +
1.109 +
1.110 +static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
1.111 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 5,
1.112 + offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
1.113 + sizeof (CERTGeneralName)}
1.114 +};
1.115 +
1.116 +static const SEC_ASN1Template CERT_URITemplate[] = {
1.117 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 6 ,
1.118 + offsetof(CERTGeneralName, name.other),
1.119 + SEC_ASN1_SUB(SEC_IA5StringTemplate),
1.120 + sizeof (CERTGeneralName)}
1.121 +};
1.122 +
1.123 +static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
1.124 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 7 ,
1.125 + offsetof(CERTGeneralName, name.other),
1.126 + SEC_ASN1_SUB(SEC_OctetStringTemplate),
1.127 + sizeof (CERTGeneralName)}
1.128 +};
1.129 +
1.130 +static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
1.131 + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 8 ,
1.132 + offsetof(CERTGeneralName, name.other),
1.133 + SEC_ASN1_SUB(SEC_ObjectIDTemplate),
1.134 + sizeof (CERTGeneralName)}
1.135 +};
1.136 +
1.137 +
1.138 +const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
1.139 + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN , 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
1.140 +};
1.141 +
1.142 +
1.143 +static struct {
1.144 + CERTGeneralNameType type;
1.145 + char *name;
1.146 +} typesArray[] = {
1.147 + { certOtherName, "other" },
1.148 + { certRFC822Name, "email" },
1.149 + { certRFC822Name, "rfc822" },
1.150 + { certDNSName, "dns" },
1.151 + { certX400Address, "x400" },
1.152 + { certX400Address, "x400addr" },
1.153 + { certDirectoryName, "directory" },
1.154 + { certDirectoryName, "dn" },
1.155 + { certEDIPartyName, "edi" },
1.156 + { certEDIPartyName, "ediparty" },
1.157 + { certURI, "uri" },
1.158 + { certIPAddress, "ip" },
1.159 + { certIPAddress, "ipaddr" },
1.160 + { certRegisterID, "registerid" }
1.161 +};
1.162 +
1.163 +CERTGeneralNameType
1.164 +CERT_GetGeneralNameTypeFromString(const char *string)
1.165 +{
1.166 + int types_count = sizeof(typesArray)/sizeof(typesArray[0]);
1.167 + int i;
1.168 +
1.169 + for (i=0; i < types_count; i++) {
1.170 + if (PORT_Strcasecmp(string, typesArray[i].name) == 0) {
1.171 + return typesArray[i].type;
1.172 + }
1.173 + }
1.174 + return 0;
1.175 +}
1.176 +
1.177 +CERTGeneralName *
1.178 +CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
1.179 +{
1.180 + CERTGeneralName *name = arena
1.181 + ? PORT_ArenaZNew(arena, CERTGeneralName)
1.182 + : PORT_ZNew(CERTGeneralName);
1.183 + if (name) {
1.184 + name->type = type;
1.185 + name->l.prev = name->l.next = &name->l;
1.186 + }
1.187 + return name;
1.188 +}
1.189 +
1.190 +/* Copy content of one General Name to another.
1.191 +** Caller has allocated destination general name.
1.192 +** This function does not change the destinate's GeneralName's list linkage.
1.193 +*/
1.194 +SECStatus
1.195 +cert_CopyOneGeneralName(PLArenaPool *arena,
1.196 + CERTGeneralName *dest,
1.197 + CERTGeneralName *src)
1.198 +{
1.199 + SECStatus rv;
1.200 + void *mark = NULL;
1.201 +
1.202 + PORT_Assert(dest != NULL);
1.203 + dest->type = src->type;
1.204 +
1.205 + mark = PORT_ArenaMark(arena);
1.206 +
1.207 + switch (src->type) {
1.208 + case certDirectoryName:
1.209 + rv = SECITEM_CopyItem(arena, &dest->derDirectoryName,
1.210 + &src->derDirectoryName);
1.211 + if (rv == SECSuccess)
1.212 + rv = CERT_CopyName(arena, &dest->name.directoryName,
1.213 + &src->name.directoryName);
1.214 + break;
1.215 +
1.216 + case certOtherName:
1.217 + rv = SECITEM_CopyItem(arena, &dest->name.OthName.name,
1.218 + &src->name.OthName.name);
1.219 + if (rv == SECSuccess)
1.220 + rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid,
1.221 + &src->name.OthName.oid);
1.222 + break;
1.223 +
1.224 + default:
1.225 + rv = SECITEM_CopyItem(arena, &dest->name.other,
1.226 + &src->name.other);
1.227 + break;
1.228 +
1.229 + }
1.230 + if (rv != SECSuccess) {
1.231 + PORT_ArenaRelease(arena, mark);
1.232 + } else {
1.233 + PORT_ArenaUnmark(arena, mark);
1.234 + }
1.235 + return rv;
1.236 +}
1.237 +
1.238 +
1.239 +void
1.240 +CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
1.241 +{
1.242 + PZLock *lock;
1.243 +
1.244 + if (list != NULL) {
1.245 + lock = list->lock;
1.246 + PZ_Lock(lock);
1.247 + if (--list->refCount <= 0 && list->arena != NULL) {
1.248 + PORT_FreeArena(list->arena, PR_FALSE);
1.249 + PZ_Unlock(lock);
1.250 + PZ_DestroyLock(lock);
1.251 + } else {
1.252 + PZ_Unlock(lock);
1.253 + }
1.254 + }
1.255 + return;
1.256 +}
1.257 +
1.258 +CERTGeneralNameList *
1.259 +CERT_CreateGeneralNameList(CERTGeneralName *name) {
1.260 + PLArenaPool *arena;
1.261 + CERTGeneralNameList *list = NULL;
1.262 +
1.263 + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.264 + if (arena == NULL) {
1.265 + goto done;
1.266 + }
1.267 + list = PORT_ArenaZNew(arena, CERTGeneralNameList);
1.268 + if (!list)
1.269 + goto loser;
1.270 + if (name != NULL) {
1.271 + SECStatus rv;
1.272 + list->name = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
1.273 + if (!list->name)
1.274 + goto loser;
1.275 + rv = CERT_CopyGeneralName(arena, list->name, name);
1.276 + if (rv != SECSuccess)
1.277 + goto loser;
1.278 + }
1.279 + list->lock = PZ_NewLock(nssILockList);
1.280 + if (!list->lock)
1.281 + goto loser;
1.282 + list->arena = arena;
1.283 + list->refCount = 1;
1.284 +done:
1.285 + return list;
1.286 +
1.287 +loser:
1.288 + PORT_FreeArena(arena, PR_FALSE);
1.289 + return NULL;
1.290 +}
1.291 +
1.292 +CERTGeneralName *
1.293 +CERT_GetNextGeneralName(CERTGeneralName *current)
1.294 +{
1.295 + PRCList *next;
1.296 +
1.297 + next = current->l.next;
1.298 + return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
1.299 +}
1.300 +
1.301 +CERTGeneralName *
1.302 +CERT_GetPrevGeneralName(CERTGeneralName *current)
1.303 +{
1.304 + PRCList *prev;
1.305 + prev = current->l.prev;
1.306 + return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
1.307 +}
1.308 +
1.309 +CERTNameConstraint *
1.310 +CERT_GetNextNameConstraint(CERTNameConstraint *current)
1.311 +{
1.312 + PRCList *next;
1.313 +
1.314 + next = current->l.next;
1.315 + return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
1.316 +}
1.317 +
1.318 +CERTNameConstraint *
1.319 +CERT_GetPrevNameConstraint(CERTNameConstraint *current)
1.320 +{
1.321 + PRCList *prev;
1.322 + prev = current->l.prev;
1.323 + return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
1.324 +}
1.325 +
1.326 +SECItem *
1.327 +CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PLArenaPool *arena)
1.328 +{
1.329 +
1.330 + const SEC_ASN1Template * template;
1.331 +
1.332 + PORT_Assert(arena);
1.333 + if (arena == NULL) {
1.334 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.335 + return NULL;
1.336 + }
1.337 + /* TODO: mark arena */
1.338 + if (dest == NULL) {
1.339 + dest = PORT_ArenaZNew(arena, SECItem);
1.340 + if (!dest)
1.341 + goto loser;
1.342 + }
1.343 + if (genName->type == certDirectoryName) {
1.344 + if (genName->derDirectoryName.data == NULL) {
1.345 + /* The field hasn't been encoded yet. */
1.346 + SECItem * pre_dest =
1.347 + SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
1.348 + &(genName->name.directoryName),
1.349 + CERT_NameTemplate);
1.350 + if (!pre_dest)
1.351 + goto loser;
1.352 + }
1.353 + if (genName->derDirectoryName.data == NULL) {
1.354 + goto loser;
1.355 + }
1.356 + }
1.357 + switch (genName->type) {
1.358 + case certURI: template = CERT_URITemplate; break;
1.359 + case certRFC822Name: template = CERT_RFC822NameTemplate; break;
1.360 + case certDNSName: template = CERT_DNSNameTemplate; break;
1.361 + case certIPAddress: template = CERT_IPAddressTemplate; break;
1.362 + case certOtherName: template = CERTOtherNameTemplate; break;
1.363 + case certRegisterID: template = CERT_RegisteredIDTemplate; break;
1.364 + /* for this type, we expect the value is already encoded */
1.365 + case certEDIPartyName: template = CERT_EDIPartyNameTemplate; break;
1.366 + /* for this type, we expect the value is already encoded */
1.367 + case certX400Address: template = CERT_X400AddressTemplate; break;
1.368 + case certDirectoryName: template = CERT_DirectoryNameTemplate; break;
1.369 + default:
1.370 + PORT_Assert(0); goto loser;
1.371 + }
1.372 + dest = SEC_ASN1EncodeItem(arena, dest, genName, template);
1.373 + if (!dest) {
1.374 + goto loser;
1.375 + }
1.376 + /* TODO: unmark arena */
1.377 + return dest;
1.378 +loser:
1.379 + /* TODO: release arena back to mark */
1.380 + return NULL;
1.381 +}
1.382 +
1.383 +SECItem **
1.384 +cert_EncodeGeneralNames(PLArenaPool *arena, CERTGeneralName *names)
1.385 +{
1.386 + CERTGeneralName *current_name;
1.387 + SECItem **items = NULL;
1.388 + int count = 0;
1.389 + int i;
1.390 + PRCList *head;
1.391 +
1.392 + PORT_Assert(arena);
1.393 + /* TODO: mark arena */
1.394 + current_name = names;
1.395 + if (names != NULL) {
1.396 + count = 1;
1.397 + }
1.398 + head = &(names->l);
1.399 + while (current_name->l.next != head) {
1.400 + current_name = CERT_GetNextGeneralName(current_name);
1.401 + ++count;
1.402 + }
1.403 + current_name = CERT_GetNextGeneralName(current_name);
1.404 + items = PORT_ArenaNewArray(arena, SECItem *, count + 1);
1.405 + if (items == NULL) {
1.406 + goto loser;
1.407 + }
1.408 + for (i = 0; i < count; i++) {
1.409 + items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena);
1.410 + if (items[i] == NULL) {
1.411 + goto loser;
1.412 + }
1.413 + current_name = CERT_GetNextGeneralName(current_name);
1.414 + }
1.415 + items[i] = NULL;
1.416 + /* TODO: unmark arena */
1.417 + return items;
1.418 +loser:
1.419 + /* TODO: release arena to mark */
1.420 + return NULL;
1.421 +}
1.422 +
1.423 +CERTGeneralName *
1.424 +CERT_DecodeGeneralName(PLArenaPool *reqArena,
1.425 + SECItem *encodedName,
1.426 + CERTGeneralName *genName)
1.427 +{
1.428 + const SEC_ASN1Template * template;
1.429 + CERTGeneralNameType genNameType;
1.430 + SECStatus rv = SECSuccess;
1.431 + SECItem* newEncodedName;
1.432 +
1.433 + if (!reqArena) {
1.434 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.435 + return NULL;
1.436 + }
1.437 + /* make a copy for decoding so the data decoded with QuickDER doesn't
1.438 + point to temporary memory */
1.439 + newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName);
1.440 + if (!newEncodedName) {
1.441 + return NULL;
1.442 + }
1.443 + /* TODO: mark arena */
1.444 + genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
1.445 + if (genName == NULL) {
1.446 + genName = CERT_NewGeneralName(reqArena, genNameType);
1.447 + if (!genName)
1.448 + goto loser;
1.449 + } else {
1.450 + genName->type = genNameType;
1.451 + genName->l.prev = genName->l.next = &genName->l;
1.452 + }
1.453 +
1.454 + switch (genNameType) {
1.455 + case certURI: template = CERT_URITemplate; break;
1.456 + case certRFC822Name: template = CERT_RFC822NameTemplate; break;
1.457 + case certDNSName: template = CERT_DNSNameTemplate; break;
1.458 + case certIPAddress: template = CERT_IPAddressTemplate; break;
1.459 + case certOtherName: template = CERTOtherNameTemplate; break;
1.460 + case certRegisterID: template = CERT_RegisteredIDTemplate; break;
1.461 + case certEDIPartyName: template = CERT_EDIPartyNameTemplate; break;
1.462 + case certX400Address: template = CERT_X400AddressTemplate; break;
1.463 + case certDirectoryName: template = CERT_DirectoryNameTemplate; break;
1.464 + default:
1.465 + goto loser;
1.466 + }
1.467 + rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName);
1.468 + if (rv != SECSuccess)
1.469 + goto loser;
1.470 + if (genNameType == certDirectoryName) {
1.471 + rv = SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName),
1.472 + CERT_NameTemplate,
1.473 + &(genName->derDirectoryName));
1.474 + if (rv != SECSuccess)
1.475 + goto loser;
1.476 + }
1.477 +
1.478 + /* TODO: unmark arena */
1.479 + return genName;
1.480 +loser:
1.481 + /* TODO: release arena to mark */
1.482 + return NULL;
1.483 +}
1.484 +
1.485 +CERTGeneralName *
1.486 +cert_DecodeGeneralNames (PLArenaPool *arena,
1.487 + SECItem **encodedGenName)
1.488 +{
1.489 + PRCList *head = NULL;
1.490 + PRCList *tail = NULL;
1.491 + CERTGeneralName *currentName = NULL;
1.492 +
1.493 + PORT_Assert(arena);
1.494 + if (!encodedGenName || !arena) {
1.495 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.496 + return NULL;
1.497 + }
1.498 + /* TODO: mark arena */
1.499 + while (*encodedGenName != NULL) {
1.500 + currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL);
1.501 + if (currentName == NULL)
1.502 + break;
1.503 + if (head == NULL) {
1.504 + head = &(currentName->l);
1.505 + tail = head;
1.506 + }
1.507 + currentName->l.next = head;
1.508 + currentName->l.prev = tail;
1.509 + tail = head->prev = tail->next = &(currentName->l);
1.510 + encodedGenName++;
1.511 + }
1.512 + if (currentName) {
1.513 + /* TODO: unmark arena */
1.514 + return CERT_GetNextGeneralName(currentName);
1.515 + }
1.516 + /* TODO: release arena to mark */
1.517 + return NULL;
1.518 +}
1.519 +
1.520 +void
1.521 +CERT_DestroyGeneralName(CERTGeneralName *name)
1.522 +{
1.523 + cert_DestroyGeneralNames(name);
1.524 +}
1.525 +
1.526 +SECStatus
1.527 +cert_DestroyGeneralNames(CERTGeneralName *name)
1.528 +{
1.529 + CERTGeneralName *first;
1.530 + CERTGeneralName *next = NULL;
1.531 +
1.532 +
1.533 + first = name;
1.534 + do {
1.535 + next = CERT_GetNextGeneralName(name);
1.536 + PORT_Free(name);
1.537 + name = next;
1.538 + } while (name != first);
1.539 + return SECSuccess;
1.540 +}
1.541 +
1.542 +static SECItem *
1.543 +cert_EncodeNameConstraint(CERTNameConstraint *constraint,
1.544 + SECItem *dest,
1.545 + PLArenaPool *arena)
1.546 +{
1.547 + PORT_Assert(arena);
1.548 + if (dest == NULL) {
1.549 + dest = PORT_ArenaZNew(arena, SECItem);
1.550 + if (dest == NULL) {
1.551 + return NULL;
1.552 + }
1.553 + }
1.554 + CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena);
1.555 +
1.556 + dest = SEC_ASN1EncodeItem (arena, dest, constraint,
1.557 + CERTNameConstraintTemplate);
1.558 + return dest;
1.559 +}
1.560 +
1.561 +SECStatus
1.562 +cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints,
1.563 + PLArenaPool *arena,
1.564 + SECItem ***dest,
1.565 + PRBool permited)
1.566 +{
1.567 + CERTNameConstraint *current_constraint = constraints;
1.568 + SECItem **items = NULL;
1.569 + int count = 0;
1.570 + int i;
1.571 + PRCList *head;
1.572 +
1.573 + PORT_Assert(arena);
1.574 + /* TODO: mark arena */
1.575 + if (constraints != NULL) {
1.576 + count = 1;
1.577 + }
1.578 + head = &constraints->l;
1.579 + while (current_constraint->l.next != head) {
1.580 + current_constraint = CERT_GetNextNameConstraint(current_constraint);
1.581 + ++count;
1.582 + }
1.583 + current_constraint = CERT_GetNextNameConstraint(current_constraint);
1.584 + items = PORT_ArenaZNewArray(arena, SECItem *, count + 1);
1.585 + if (items == NULL) {
1.586 + goto loser;
1.587 + }
1.588 + for (i = 0; i < count; i++) {
1.589 + items[i] = cert_EncodeNameConstraint(current_constraint,
1.590 + (SECItem *) NULL, arena);
1.591 + if (items[i] == NULL) {
1.592 + goto loser;
1.593 + }
1.594 + current_constraint = CERT_GetNextNameConstraint(current_constraint);
1.595 + }
1.596 + *dest = items;
1.597 + if (*dest == NULL) {
1.598 + goto loser;
1.599 + }
1.600 + /* TODO: unmark arena */
1.601 + return SECSuccess;
1.602 +loser:
1.603 + /* TODO: release arena to mark */
1.604 + return SECFailure;
1.605 +}
1.606 +
1.607 +SECStatus
1.608 +cert_EncodeNameConstraints(CERTNameConstraints *constraints,
1.609 + PLArenaPool *arena,
1.610 + SECItem *dest)
1.611 +{
1.612 + SECStatus rv = SECSuccess;
1.613 +
1.614 + PORT_Assert(arena);
1.615 + /* TODO: mark arena */
1.616 + if (constraints->permited != NULL) {
1.617 + rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
1.618 + &constraints->DERPermited,
1.619 + PR_TRUE);
1.620 + if (rv == SECFailure) {
1.621 + goto loser;
1.622 + }
1.623 + }
1.624 + if (constraints->excluded != NULL) {
1.625 + rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
1.626 + &constraints->DERExcluded,
1.627 + PR_FALSE);
1.628 + if (rv == SECFailure) {
1.629 + goto loser;
1.630 + }
1.631 + }
1.632 + dest = SEC_ASN1EncodeItem(arena, dest, constraints,
1.633 + CERTNameConstraintsTemplate);
1.634 + if (dest == NULL) {
1.635 + goto loser;
1.636 + }
1.637 + /* TODO: unmark arena */
1.638 + return SECSuccess;
1.639 +loser:
1.640 + /* TODO: release arena to mark */
1.641 + return SECFailure;
1.642 +}
1.643 +
1.644 +
1.645 +CERTNameConstraint *
1.646 +cert_DecodeNameConstraint(PLArenaPool *reqArena,
1.647 + SECItem *encodedConstraint)
1.648 +{
1.649 + CERTNameConstraint *constraint;
1.650 + SECStatus rv = SECSuccess;
1.651 + CERTGeneralName *temp;
1.652 + SECItem* newEncodedConstraint;
1.653 +
1.654 + if (!reqArena) {
1.655 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.656 + return NULL;
1.657 + }
1.658 + newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint);
1.659 + if (!newEncodedConstraint) {
1.660 + return NULL;
1.661 + }
1.662 + /* TODO: mark arena */
1.663 + constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint);
1.664 + if (!constraint)
1.665 + goto loser;
1.666 + rv = SEC_QuickDERDecodeItem(reqArena, constraint,
1.667 + CERTNameConstraintTemplate,
1.668 + newEncodedConstraint);
1.669 + if (rv != SECSuccess) {
1.670 + goto loser;
1.671 + }
1.672 + temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName),
1.673 + &(constraint->name));
1.674 + if (temp != &(constraint->name)) {
1.675 + goto loser;
1.676 + }
1.677 +
1.678 + /* ### sjlee: since the name constraint contains only one
1.679 + * CERTGeneralName, the list within CERTGeneralName shouldn't
1.680 + * point anywhere else. Otherwise, bad things will happen.
1.681 + */
1.682 + constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
1.683 + /* TODO: unmark arena */
1.684 + return constraint;
1.685 +loser:
1.686 + /* TODO: release arena back to mark */
1.687 + return NULL;
1.688 +}
1.689 +
1.690 +CERTNameConstraint *
1.691 +cert_DecodeNameConstraintSubTree(PLArenaPool *arena,
1.692 + SECItem **subTree,
1.693 + PRBool permited)
1.694 +{
1.695 + CERTNameConstraint *current = NULL;
1.696 + CERTNameConstraint *first = NULL;
1.697 + CERTNameConstraint *last = NULL;
1.698 + int i = 0;
1.699 +
1.700 + PORT_Assert(arena);
1.701 + /* TODO: mark arena */
1.702 + while (subTree[i] != NULL) {
1.703 + current = cert_DecodeNameConstraint(arena, subTree[i]);
1.704 + if (current == NULL) {
1.705 + goto loser;
1.706 + }
1.707 + if (last == NULL) {
1.708 + first = last = current;
1.709 + }
1.710 + current->l.prev = &(last->l);
1.711 + current->l.next = last->l.next;
1.712 + last->l.next = &(current->l);
1.713 + i++;
1.714 + }
1.715 + first->l.prev = &(current->l);
1.716 + /* TODO: unmark arena */
1.717 + return first;
1.718 +loser:
1.719 + /* TODO: release arena back to mark */
1.720 + return NULL;
1.721 +}
1.722 +
1.723 +CERTNameConstraints *
1.724 +cert_DecodeNameConstraints(PLArenaPool *reqArena,
1.725 + const SECItem *encodedConstraints)
1.726 +{
1.727 + CERTNameConstraints *constraints;
1.728 + SECStatus rv;
1.729 + SECItem* newEncodedConstraints;
1.730 +
1.731 + if (!reqArena) {
1.732 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.733 + return NULL;
1.734 + }
1.735 + PORT_Assert(encodedConstraints);
1.736 + newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints);
1.737 +
1.738 + /* TODO: mark arena */
1.739 + constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints);
1.740 + if (constraints == NULL) {
1.741 + goto loser;
1.742 + }
1.743 + rv = SEC_QuickDERDecodeItem(reqArena, constraints,
1.744 + CERTNameConstraintsTemplate,
1.745 + newEncodedConstraints);
1.746 + if (rv != SECSuccess) {
1.747 + goto loser;
1.748 + }
1.749 + if (constraints->DERPermited != NULL &&
1.750 + constraints->DERPermited[0] != NULL) {
1.751 + constraints->permited =
1.752 + cert_DecodeNameConstraintSubTree(reqArena,
1.753 + constraints->DERPermited,
1.754 + PR_TRUE);
1.755 + if (constraints->permited == NULL) {
1.756 + goto loser;
1.757 + }
1.758 + }
1.759 + if (constraints->DERExcluded != NULL &&
1.760 + constraints->DERExcluded[0] != NULL) {
1.761 + constraints->excluded =
1.762 + cert_DecodeNameConstraintSubTree(reqArena,
1.763 + constraints->DERExcluded,
1.764 + PR_FALSE);
1.765 + if (constraints->excluded == NULL) {
1.766 + goto loser;
1.767 + }
1.768 + }
1.769 + /* TODO: unmark arena */
1.770 + return constraints;
1.771 +loser:
1.772 + /* TODO: release arena back to mark */
1.773 + return NULL;
1.774 +}
1.775 +
1.776 +/* Copy a chain of one or more general names to a destination chain.
1.777 +** Caller has allocated at least the first destination GeneralName struct.
1.778 +** Both source and destination chains are circular doubly-linked lists.
1.779 +** The first source struct is copied to the first destination struct.
1.780 +** If the source chain has more than one member, and the destination chain
1.781 +** has only one member, then this function allocates new structs for all but
1.782 +** the first copy from the arena and links them into the destination list.
1.783 +** If the destination struct is part of a list with more than one member,
1.784 +** then this function traverses both the source and destination lists,
1.785 +** copying each source struct to the corresponding dest struct.
1.786 +** In that case, the destination list MUST contain at least as many
1.787 +** structs as the source list or some dest entries will be overwritten.
1.788 +*/
1.789 +SECStatus
1.790 +CERT_CopyGeneralName(PLArenaPool *arena,
1.791 + CERTGeneralName *dest,
1.792 + CERTGeneralName *src)
1.793 +{
1.794 + SECStatus rv;
1.795 + CERTGeneralName *destHead = dest;
1.796 + CERTGeneralName *srcHead = src;
1.797 +
1.798 + PORT_Assert(dest != NULL);
1.799 + if (!dest) {
1.800 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.801 + return SECFailure;
1.802 + }
1.803 + /* TODO: mark arena */
1.804 + do {
1.805 + rv = cert_CopyOneGeneralName(arena, dest, src);
1.806 + if (rv != SECSuccess)
1.807 + goto loser;
1.808 + src = CERT_GetNextGeneralName(src);
1.809 + /* if there is only one general name, we shouldn't do this */
1.810 + if (src != srcHead) {
1.811 + if (dest->l.next == &destHead->l) {
1.812 + CERTGeneralName *temp;
1.813 + temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
1.814 + if (!temp)
1.815 + goto loser;
1.816 + temp->l.next = &destHead->l;
1.817 + temp->l.prev = &dest->l;
1.818 + destHead->l.prev = &temp->l;
1.819 + dest->l.next = &temp->l;
1.820 + dest = temp;
1.821 + } else {
1.822 + dest = CERT_GetNextGeneralName(dest);
1.823 + }
1.824 + }
1.825 + } while (src != srcHead && rv == SECSuccess);
1.826 + /* TODO: unmark arena */
1.827 + return rv;
1.828 +loser:
1.829 + /* TODO: release back to mark */
1.830 + return SECFailure;
1.831 +}
1.832 +
1.833 +
1.834 +CERTGeneralNameList *
1.835 +CERT_DupGeneralNameList(CERTGeneralNameList *list)
1.836 +{
1.837 + if (list != NULL) {
1.838 + PZ_Lock(list->lock);
1.839 + list->refCount++;
1.840 + PZ_Unlock(list->lock);
1.841 + }
1.842 + return list;
1.843 +}
1.844 +
1.845 +/* Allocate space and copy CERTNameConstraint from src to dest */
1.846 +CERTNameConstraint *
1.847 +CERT_CopyNameConstraint(PLArenaPool *arena,
1.848 + CERTNameConstraint *dest,
1.849 + CERTNameConstraint *src)
1.850 +{
1.851 + SECStatus rv;
1.852 +
1.853 + /* TODO: mark arena */
1.854 + if (dest == NULL) {
1.855 + dest = PORT_ArenaZNew(arena, CERTNameConstraint);
1.856 + if (!dest)
1.857 + goto loser;
1.858 + /* mark that it is not linked */
1.859 + dest->name.l.prev = dest->name.l.next = &(dest->name.l);
1.860 + }
1.861 + rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
1.862 + if (rv != SECSuccess) {
1.863 + goto loser;
1.864 + }
1.865 + rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
1.866 + if (rv != SECSuccess) {
1.867 + goto loser;
1.868 + }
1.869 + rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
1.870 + if (rv != SECSuccess) {
1.871 + goto loser;
1.872 + }
1.873 + rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
1.874 + if (rv != SECSuccess) {
1.875 + goto loser;
1.876 + }
1.877 + dest->l.prev = dest->l.next = &dest->l;
1.878 + /* TODO: unmark arena */
1.879 + return dest;
1.880 +loser:
1.881 + /* TODO: release arena to mark */
1.882 + return NULL;
1.883 +}
1.884 +
1.885 +
1.886 +CERTGeneralName *
1.887 +cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
1.888 +{
1.889 + PRCList *begin1;
1.890 + PRCList *begin2;
1.891 + PRCList *end1;
1.892 + PRCList *end2;
1.893 +
1.894 + if (list1 == NULL){
1.895 + return list2;
1.896 + } else if (list2 == NULL) {
1.897 + return list1;
1.898 + } else {
1.899 + begin1 = &list1->l;
1.900 + begin2 = &list2->l;
1.901 + end1 = list1->l.prev;
1.902 + end2 = list2->l.prev;
1.903 + end1->next = begin2;
1.904 + end2->next = begin1;
1.905 + begin1->prev = end2;
1.906 + begin2->prev = end1;
1.907 + return list1;
1.908 + }
1.909 +}
1.910 +
1.911 +
1.912 +CERTNameConstraint *
1.913 +cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
1.914 +{
1.915 + PRCList *begin1;
1.916 + PRCList *begin2;
1.917 + PRCList *end1;
1.918 + PRCList *end2;
1.919 +
1.920 + if (list1 == NULL){
1.921 + return list2;
1.922 + } else if (list2 == NULL) {
1.923 + return list1;
1.924 + } else {
1.925 + begin1 = &list1->l;
1.926 + begin2 = &list2->l;
1.927 + end1 = list1->l.prev;
1.928 + end2 = list2->l.prev;
1.929 + end1->next = begin2;
1.930 + end2->next = begin1;
1.931 + begin1->prev = end2;
1.932 + begin2->prev = end1;
1.933 + return list1;
1.934 + }
1.935 +}
1.936 +
1.937 +
1.938 +/* Add a CERTNameConstraint to the CERTNameConstraint list */
1.939 +CERTNameConstraint *
1.940 +CERT_AddNameConstraint(CERTNameConstraint *list,
1.941 + CERTNameConstraint *constraint)
1.942 +{
1.943 + PORT_Assert(constraint != NULL);
1.944 + constraint->l.next = constraint->l.prev = &constraint->l;
1.945 + list = cert_CombineConstraintsLists(list, constraint);
1.946 + return list;
1.947 +}
1.948 +
1.949 +
1.950 +SECStatus
1.951 +CERT_GetNameConstraintByType (CERTNameConstraint *constraints,
1.952 + CERTGeneralNameType type,
1.953 + CERTNameConstraint **returnList,
1.954 + PLArenaPool *arena)
1.955 +{
1.956 + CERTNameConstraint *current = NULL;
1.957 + void *mark = NULL;
1.958 +
1.959 + *returnList = NULL;
1.960 + if (!constraints)
1.961 + return SECSuccess;
1.962 +
1.963 + mark = PORT_ArenaMark(arena);
1.964 +
1.965 + current = constraints;
1.966 + do {
1.967 + PORT_Assert(current->name.type);
1.968 + if (current->name.type == type) {
1.969 + CERTNameConstraint *temp;
1.970 + temp = CERT_CopyNameConstraint(arena, NULL, current);
1.971 + if (temp == NULL)
1.972 + goto loser;
1.973 + *returnList = CERT_AddNameConstraint(*returnList, temp);
1.974 + }
1.975 + current = CERT_GetNextNameConstraint(current);
1.976 + } while (current != constraints);
1.977 + PORT_ArenaUnmark(arena, mark);
1.978 + return SECSuccess;
1.979 +
1.980 +loser:
1.981 + PORT_ArenaRelease(arena, mark);
1.982 + return SECFailure;
1.983 +}
1.984 +
1.985 +void *
1.986 +CERT_GetGeneralNameByType (CERTGeneralName *genNames,
1.987 + CERTGeneralNameType type, PRBool derFormat)
1.988 +{
1.989 + CERTGeneralName *current;
1.990 +
1.991 + if (!genNames)
1.992 + return NULL;
1.993 + current = genNames;
1.994 +
1.995 + do {
1.996 + if (current->type == type) {
1.997 + switch (type) {
1.998 + case certDNSName:
1.999 + case certEDIPartyName:
1.1000 + case certIPAddress:
1.1001 + case certRegisterID:
1.1002 + case certRFC822Name:
1.1003 + case certX400Address:
1.1004 + case certURI:
1.1005 + return (void *)¤t->name.other; /* SECItem * */
1.1006 +
1.1007 + case certOtherName:
1.1008 + return (void *)¤t->name.OthName; /* OthName * */
1.1009 +
1.1010 + case certDirectoryName:
1.1011 + return derFormat
1.1012 + ? (void *)¤t->derDirectoryName /* SECItem * */
1.1013 + : (void *)¤t->name.directoryName; /* CERTName * */
1.1014 + }
1.1015 + PORT_Assert(0);
1.1016 + return NULL;
1.1017 + }
1.1018 + current = CERT_GetNextGeneralName(current);
1.1019 + } while (current != genNames);
1.1020 + return NULL;
1.1021 +}
1.1022 +
1.1023 +int
1.1024 +CERT_GetNamesLength(CERTGeneralName *names)
1.1025 +{
1.1026 + int length = 0;
1.1027 + CERTGeneralName *first;
1.1028 +
1.1029 + first = names;
1.1030 + if (names != NULL) {
1.1031 + do {
1.1032 + length++;
1.1033 + names = CERT_GetNextGeneralName(names);
1.1034 + } while (names != first);
1.1035 + }
1.1036 + return length;
1.1037 +}
1.1038 +
1.1039 +/* Creates new GeneralNames for any email addresses found in the
1.1040 +** input DN, and links them onto the list for the DN.
1.1041 +*/
1.1042 +SECStatus
1.1043 +cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena)
1.1044 +{
1.1045 + CERTGeneralName *nameList = NULL;
1.1046 + const CERTRDN **nRDNs = (const CERTRDN **)(name->name.directoryName.rdns);
1.1047 + SECStatus rv = SECSuccess;
1.1048 +
1.1049 + PORT_Assert(name->type == certDirectoryName);
1.1050 + if (name->type != certDirectoryName) {
1.1051 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1052 + return SECFailure;
1.1053 + }
1.1054 + /* TODO: mark arena */
1.1055 + while (nRDNs && *nRDNs) { /* loop over RDNs */
1.1056 + const CERTRDN *nRDN = *nRDNs++;
1.1057 + CERTAVA **nAVAs = nRDN->avas;
1.1058 + while (nAVAs && *nAVAs) { /* loop over AVAs */
1.1059 + int tag;
1.1060 + CERTAVA *nAVA = *nAVAs++;
1.1061 + tag = CERT_GetAVATag(nAVA);
1.1062 + if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
1.1063 + tag == SEC_OID_RFC1274_MAIL) { /* email AVA */
1.1064 + CERTGeneralName *newName = NULL;
1.1065 + SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value);
1.1066 + if (!avaValue)
1.1067 + goto loser;
1.1068 + rv = SECFailure;
1.1069 + newName = CERT_NewGeneralName(arena, certRFC822Name);
1.1070 + if (newName) {
1.1071 + rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue);
1.1072 + }
1.1073 + SECITEM_FreeItem(avaValue, PR_TRUE);
1.1074 + if (rv != SECSuccess)
1.1075 + goto loser;
1.1076 + nameList = cert_CombineNamesLists(nameList, newName);
1.1077 + } /* handle one email AVA */
1.1078 + } /* loop over AVAs */
1.1079 + } /* loop over RDNs */
1.1080 + /* combine new names with old one. */
1.1081 + name = cert_CombineNamesLists(name, nameList);
1.1082 + /* TODO: unmark arena */
1.1083 + return SECSuccess;
1.1084 +
1.1085 +loser:
1.1086 + /* TODO: release arena back to mark */
1.1087 + return SECFailure;
1.1088 +}
1.1089 +
1.1090 +/* Extract all names except Subject Common Name from a cert
1.1091 +** in preparation for a name constraints test.
1.1092 +*/
1.1093 +CERTGeneralName *
1.1094 +CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena)
1.1095 +{
1.1096 + return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE);
1.1097 +}
1.1098 +
1.1099 +/* This function is called by CERT_VerifyCertChain to extract all
1.1100 +** names from a cert in preparation for a name constraints test.
1.1101 +*/
1.1102 +CERTGeneralName *
1.1103 +CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
1.1104 + PLArenaPool *arena,
1.1105 + PRBool includeSubjectCommonName)
1.1106 +{
1.1107 + CERTGeneralName *DN;
1.1108 + CERTGeneralName *SAN;
1.1109 + PRUint32 numDNSNames = 0;
1.1110 + SECStatus rv;
1.1111 +
1.1112 + if (!arena) {
1.1113 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.1114 + return NULL;
1.1115 + }
1.1116 + /* TODO: mark arena */
1.1117 + DN = CERT_NewGeneralName(arena, certDirectoryName);
1.1118 + if (DN == NULL) {
1.1119 + goto loser;
1.1120 + }
1.1121 + rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
1.1122 + if (rv != SECSuccess) {
1.1123 + goto loser;
1.1124 + }
1.1125 + rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
1.1126 + if (rv != SECSuccess) {
1.1127 + goto loser;
1.1128 + }
1.1129 + /* Extract email addresses from DN, construct CERTGeneralName structs
1.1130 + ** for them, add them to the name list
1.1131 + */
1.1132 + rv = cert_ExtractDNEmailAddrs(DN, arena);
1.1133 + if (rv != SECSuccess)
1.1134 + goto loser;
1.1135 +
1.1136 + /* Now extract any GeneralNames from the subject name names extension.
*/ 1.1137 + SAN = cert_GetSubjectAltNameList(cert, arena); 1.1138 + if (SAN) { 1.1139 + numDNSNames = cert_CountDNSPatterns(SAN); 1.1140 + DN = cert_CombineNamesLists(DN, SAN); 1.1141 + } 1.1142 + if (!numDNSNames && includeSubjectCommonName) { 1.1143 + char *cn = CERT_GetCommonName(&cert->subject); 1.1144 + if (cn) { 1.1145 + CERTGeneralName *CN = CERT_NewGeneralName(arena, certDNSName); 1.1146 + if (CN) { 1.1147 + SECItem cnItem = {siBuffer, NULL, 0}; 1.1148 + cnItem.data = (unsigned char *)cn; 1.1149 + cnItem.len = strlen(cn); 1.1150 + rv = SECITEM_CopyItem(arena, &CN->name.other, &cnItem); 1.1151 + if (rv == SECSuccess) { 1.1152 + DN = cert_CombineNamesLists(DN, CN); 1.1153 + } 1.1154 + } 1.1155 + PORT_Free(cn); 1.1156 + } 1.1157 + } 1.1158 + if (rv == SECSuccess) { 1.1159 + /* TODO: unmark arena */ 1.1160 + return DN; 1.1161 + } 1.1162 +loser: 1.1163 + /* TODO: release arena to mark */ 1.1164 + return NULL; 1.1165 +} 1.1166 + 1.1167 +/* Returns SECSuccess if name matches constraint per RFC 3280 rules for 1.1168 +** URI name constraints. SECFailure otherwise. 1.1169 +** If the constraint begins with a dot, it is a domain name, otherwise 1.1170 +** It is a host name. Examples: 1.1171 +** Constraint Name Result 1.1172 +** ------------ --------------- -------- 1.1173 +** foo.bar.com foo.bar.com matches 1.1174 +** foo.bar.com FoO.bAr.CoM matches 1.1175 +** foo.bar.com www.foo.bar.com no match 1.1176 +** foo.bar.com nofoo.bar.com no match 1.1177 +** .foo.bar.com www.foo.bar.com matches 1.1178 +** .foo.bar.com nofoo.bar.com no match 1.1179 +** .foo.bar.com foo.bar.com no match 1.1180 +** .foo.bar.com www..foo.bar.com no match 1.1181 +*/ 1.1182 +static SECStatus 1.1183 +compareURIN2C(const SECItem *name, const SECItem *constraint) 1.1184 +{ 1.1185 + int offset; 1.1186 + /* The spec is silent on intepreting zero-length constraints. 1.1187 + ** We interpret them as matching no URI names. 
1.1188 + */ 1.1189 + if (!constraint->len) 1.1190 + return SECFailure; 1.1191 + if (constraint->data[0] != '.') { 1.1192 + /* constraint is a host name. */ 1.1193 + if (name->len != constraint->len || 1.1194 + PL_strncasecmp((char *)name->data, 1.1195 + (char *)constraint->data, constraint->len)) 1.1196 + return SECFailure; 1.1197 + return SECSuccess; 1.1198 + } 1.1199 + /* constraint is a domain name. */ 1.1200 + if (name->len < constraint->len) 1.1201 + return SECFailure; 1.1202 + offset = name->len - constraint->len; 1.1203 + if (PL_strncasecmp((char *)(name->data + offset), 1.1204 + (char *)constraint->data, constraint->len)) 1.1205 + return SECFailure; 1.1206 + if (!offset || 1.1207 + (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) 1.1208 + return SECSuccess; 1.1209 + return SECFailure; 1.1210 +} 1.1211 + 1.1212 +/* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38) 1.1213 +** 1.1214 +** DNS name restrictions are expressed as foo.bar.com. Any DNS name 1.1215 +** that can be constructed by simply adding to the left hand side of the 1.1216 +** name satisfies the name constraint. For example, www.foo.bar.com 1.1217 +** would satisfy the constraint but foo1.bar.com would not. 1.1218 +** 1.1219 +** But NIST's PKITS test suite requires that the constraint be treated 1.1220 +** as a domain name, and requires that any name added to the left hand 1.1221 +** side end in a dot ".". Sensible, but not strictly following the RFC. 1.1222 +** 1.1223 +** Constraint Name RFC 3280 NIST PKITS 1.1224 +** ------------ --------------- -------- ---------- 1.1225 +** foo.bar.com foo.bar.com matches matches 1.1226 +** foo.bar.com FoO.bAr.CoM matches matches 1.1227 +** foo.bar.com www.foo.bar.com matches matches 1.1228 +** foo.bar.com nofoo.bar.com MATCHES NO MATCH 1.1229 +** .foo.bar.com www.foo.bar.com matches matches? disallowed? 
1.1230 +** .foo.bar.com foo.bar.com no match no match 1.1231 +** .foo.bar.com www..foo.bar.com matches probably not 1.1232 +** 1.1233 +** We will try to conform to NIST's PKITS tests, and the unstated 1.1234 +** rules they imply. 1.1235 +*/ 1.1236 +static SECStatus 1.1237 +compareDNSN2C(const SECItem *name, const SECItem *constraint) 1.1238 +{ 1.1239 + int offset; 1.1240 + /* The spec is silent on intepreting zero-length constraints. 1.1241 + ** We interpret them as matching all DNSnames. 1.1242 + */ 1.1243 + if (!constraint->len) 1.1244 + return SECSuccess; 1.1245 + if (name->len < constraint->len) 1.1246 + return SECFailure; 1.1247 + offset = name->len - constraint->len; 1.1248 + if (PL_strncasecmp((char *)(name->data + offset), 1.1249 + (char *)constraint->data, constraint->len)) 1.1250 + return SECFailure; 1.1251 + if (!offset || 1.1252 + (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) 1.1253 + return SECSuccess; 1.1254 + return SECFailure; 1.1255 +} 1.1256 + 1.1257 +/* Returns SECSuccess if name matches constraint per RFC 3280 rules for 1.1258 +** internet email addresses. SECFailure otherwise. 1.1259 +** If constraint contains a '@' then the two strings much match exactly. 1.1260 +** Else if constraint starts with a '.'. then it must match the right-most 1.1261 +** substring of the name, 1.1262 +** else constraint string must match entire name after the name's '@'. 1.1263 +** Empty constraint string matches all names. All comparisons case insensitive. 
1.1264 +*/ 1.1265 +static SECStatus 1.1266 +compareRFC822N2C(const SECItem *name, const SECItem *constraint) 1.1267 +{ 1.1268 + int offset; 1.1269 + if (!constraint->len) 1.1270 + return SECSuccess; 1.1271 + if (name->len < constraint->len) 1.1272 + return SECFailure; 1.1273 + if (constraint->len == 1 && constraint->data[0] == '.') 1.1274 + return SECSuccess; 1.1275 + for (offset = constraint->len - 1; offset >= 0; --offset) { 1.1276 + if (constraint->data[offset] == '@') { 1.1277 + return (name->len == constraint->len && 1.1278 + !PL_strncasecmp((char *)name->data, 1.1279 + (char *)constraint->data, constraint->len)) 1.1280 + ? SECSuccess : SECFailure; 1.1281 + } 1.1282 + } 1.1283 + offset = name->len - constraint->len; 1.1284 + if (PL_strncasecmp((char *)(name->data + offset), 1.1285 + (char *)constraint->data, constraint->len)) 1.1286 + return SECFailure; 1.1287 + if (constraint->data[0] == '.') 1.1288 + return SECSuccess; 1.1289 + if (offset > 0 && name->data[offset - 1] == '@') 1.1290 + return SECSuccess; 1.1291 + return SECFailure; 1.1292 +} 1.1293 + 1.1294 +/* name contains either a 4 byte IPv4 address or a 16 byte IPv6 address. 1.1295 +** constraint contains an address of the same length, and a subnet mask 1.1296 +** of the same length. Compare name's address to the constraint's 1.1297 +** address, subject to the mask. 1.1298 +** Return SECSuccess if they match, SECFailure if they don't. 
1.1299 +*/ 1.1300 +static SECStatus 1.1301 +compareIPaddrN2C(const SECItem *name, const SECItem *constraint) 1.1302 +{ 1.1303 + int i; 1.1304 + if (name->len == 4 && constraint->len == 8) { /* ipv4 addr */ 1.1305 + for (i = 0; i < 4; i++) { 1.1306 + if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+4]) 1.1307 + goto loser; 1.1308 + } 1.1309 + return SECSuccess; 1.1310 + } 1.1311 + if (name->len == 16 && constraint->len == 32) { /* ipv6 addr */ 1.1312 + for (i = 0; i < 16; i++) { 1.1313 + if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+16]) 1.1314 + goto loser; 1.1315 + } 1.1316 + return SECSuccess; 1.1317 + } 1.1318 +loser: 1.1319 + return SECFailure; 1.1320 +} 1.1321 + 1.1322 +/* start with a SECItem that points to a URI. Parse it lookingg for 1.1323 +** a hostname. Modify item->data and item->len to define the hostname, 1.1324 +** but do not modify and data at item->data. 1.1325 +** If anything goes wrong, the contents of *item are undefined. 1.1326 +*/ 1.1327 +static SECStatus 1.1328 +parseUriHostname(SECItem * item) 1.1329 +{ 1.1330 + int i; 1.1331 + PRBool found = PR_FALSE; 1.1332 + for (i = 0; (unsigned)(i+2) < item->len; ++i) { 1.1333 + if (item->data[i ] == ':' && 1.1334 + item->data[i+1] == '/' && 1.1335 + item->data[i+2] == '/') { 1.1336 + i += 3; 1.1337 + item->data += i; 1.1338 + item->len -= i; 1.1339 + found = PR_TRUE; 1.1340 + break; 1.1341 + } 1.1342 + } 1.1343 + if (!found) 1.1344 + return SECFailure; 1.1345 + /* now look for a '/', which is an upper bound in the end of the name */ 1.1346 + for (i = 0; (unsigned)i < item->len; ++i) { 1.1347 + if (item->data[i] == '/') { 1.1348 + item->len = i; 1.1349 + break; 1.1350 + } 1.1351 + } 1.1352 + /* now look for a ':', which marks the end of the name */ 1.1353 + for (i = item->len; --i >= 0; ) { 1.1354 + if (item->data[i] == ':') { 1.1355 + item->len = i; 1.1356 + break; 1.1357 + } 1.1358 + } 1.1359 + /* now look for an '@', which marks the beginning of the hostname */ 1.1360 + 
for (i = 0; (unsigned)i < item->len; ++i) { 1.1361 + if (item->data[i] == '@') { 1.1362 + ++i; 1.1363 + item->data += i; 1.1364 + item->len -= i; 1.1365 + break; 1.1366 + } 1.1367 + } 1.1368 + return item->len ? SECSuccess : SECFailure; 1.1369 +} 1.1370 + 1.1371 +/* This function takes one name, and a list of constraints. 1.1372 +** It searches the constraints looking for a match. 1.1373 +** It returns SECSuccess if the name satisfies the constraints, i.e., 1.1374 +** if excluded, then the name does not match any constraint, 1.1375 +** if permitted, then the name matches at least one constraint. 1.1376 +** It returns SECFailure if the name fails to satisfy the constraints, 1.1377 +** or if some code fails (e.g. out of memory, or invalid constraint) 1.1378 +*/ 1.1379 +SECStatus 1.1380 +cert_CompareNameWithConstraints(const CERTGeneralName *name, 1.1381 + const CERTNameConstraint *constraints, 1.1382 + PRBool excluded) 1.1383 +{ 1.1384 + SECStatus rv = SECSuccess; 1.1385 + SECStatus matched = SECFailure; 1.1386 + const CERTNameConstraint *current; 1.1387 + 1.1388 + PORT_Assert(constraints); /* caller should not call with NULL */ 1.1389 + if (!constraints) { 1.1390 + PORT_SetError(SEC_ERROR_INVALID_ARGS); 1.1391 + return SECFailure; 1.1392 + } 1.1393 + 1.1394 + current = constraints; 1.1395 + do { 1.1396 + rv = SECSuccess; 1.1397 + matched = SECFailure; 1.1398 + PORT_Assert(name->type == current->name.type); 1.1399 + switch (name->type) { 1.1400 + 1.1401 + case certDNSName: 1.1402 + matched = compareDNSN2C(&name->name.other, 1.1403 + ¤t->name.name.other); 1.1404 + break; 1.1405 + 1.1406 + case certRFC822Name: 1.1407 + matched = compareRFC822N2C(&name->name.other, 1.1408 + ¤t->name.name.other); 1.1409 + break; 1.1410 + 1.1411 + case certURI: 1.1412 + { 1.1413 + /* make a modifiable copy of the URI SECItem. 
*/ 1.1414 + SECItem uri = name->name.other; 1.1415 + /* find the hostname in the URI */ 1.1416 + rv = parseUriHostname(&uri); 1.1417 + if (rv == SECSuccess) { 1.1418 + /* does our hostname meet the constraint? */ 1.1419 + matched = compareURIN2C(&uri, ¤t->name.name.other); 1.1420 + } 1.1421 + } 1.1422 + break; 1.1423 + 1.1424 + case certDirectoryName: 1.1425 + /* Determine if the constraint directory name is a "prefix" 1.1426 + ** for the directory name being tested. 1.1427 + */ 1.1428 + { 1.1429 + /* status defaults to SECEqual, so that a constraint with 1.1430 + ** no AVAs will be a wildcard, matching all directory names. 1.1431 + */ 1.1432 + SECComparison status = SECEqual; 1.1433 + const CERTRDN **cRDNs = 1.1434 + (const CERTRDN **)current->name.name.directoryName.rdns; 1.1435 + const CERTRDN **nRDNs = 1.1436 + (const CERTRDN **)name->name.directoryName.rdns; 1.1437 + while (cRDNs && *cRDNs && nRDNs && *nRDNs) { 1.1438 + /* loop over name RDNs and constraint RDNs in lock step */ 1.1439 + const CERTRDN *cRDN = *cRDNs++; 1.1440 + const CERTRDN *nRDN = *nRDNs++; 1.1441 + CERTAVA **cAVAs = cRDN->avas; 1.1442 + while (cAVAs && *cAVAs) { /* loop over constraint AVAs */ 1.1443 + CERTAVA *cAVA = *cAVAs++; 1.1444 + CERTAVA **nAVAs = nRDN->avas; 1.1445 + while (nAVAs && *nAVAs) { /* loop over name AVAs */ 1.1446 + CERTAVA *nAVA = *nAVAs++; 1.1447 + status = CERT_CompareAVA(cAVA, nAVA); 1.1448 + if (status == SECEqual) 1.1449 + break; 1.1450 + } /* loop over name AVAs */ 1.1451 + if (status != SECEqual) 1.1452 + break; 1.1453 + } /* loop over constraint AVAs */ 1.1454 + if (status != SECEqual) 1.1455 + break; 1.1456 + } /* loop over name RDNs and constraint RDNs */ 1.1457 + matched = (status == SECEqual) ? 
SECSuccess : SECFailure; 1.1458 + break; 1.1459 + } 1.1460 + 1.1461 + case certIPAddress: /* type 8 */ 1.1462 + matched = compareIPaddrN2C(&name->name.other, 1.1463 + ¤t->name.name.other); 1.1464 + break; 1.1465 + 1.1466 + /* NSS does not know how to compare these "Other" type names with 1.1467 + ** their respective constraints. But it does know how to tell 1.1468 + ** if the constraint applies to the type of name (by comparing 1.1469 + ** the constraint OID to the name OID). NSS makes no use of "Other" 1.1470 + ** type names at all, so NSS errs on the side of leniency for these 1.1471 + ** types, provided that their OIDs match. So, when an "Other" 1.1472 + ** name constraint appears in an excluded subtree, it never causes 1.1473 + ** a name to fail. When an "Other" name constraint appears in a 1.1474 + ** permitted subtree, AND the constraint's OID matches the name's 1.1475 + ** OID, then name is treated as if it matches the constraint. 1.1476 + */ 1.1477 + case certOtherName: /* type 1 */ 1.1478 + matched = (!excluded && 1.1479 + name->type == current->name.type && 1.1480 + SECITEM_ItemsAreEqual(&name->name.OthName.oid, 1.1481 + ¤t->name.name.OthName.oid)) 1.1482 + ? SECSuccess : SECFailure; 1.1483 + break; 1.1484 + 1.1485 + /* NSS does not know how to compare these types of names with their 1.1486 + ** respective constraints. But NSS makes no use of these types of 1.1487 + ** names at all, so it errs on the side of leniency for these types. 1.1488 + ** Constraints for these types of names never cause the name to 1.1489 + ** fail the constraints test. NSS behaves as if the name matched 1.1490 + ** for permitted constraints, and did not match for excluded ones. 1.1491 + */ 1.1492 + case certX400Address: /* type 4 */ 1.1493 + case certEDIPartyName: /* type 6 */ 1.1494 + case certRegisterID: /* type 9 */ 1.1495 + matched = excluded ? 
SECFailure : SECSuccess; 1.1496 + break; 1.1497 + 1.1498 + default: /* non-standard types are not supported */ 1.1499 + rv = SECFailure; 1.1500 + break; 1.1501 + } 1.1502 + if (matched == SECSuccess || rv != SECSuccess) 1.1503 + break; 1.1504 + current = CERT_GetNextNameConstraint((CERTNameConstraint*)current); 1.1505 + } while (current != constraints); 1.1506 + if (rv == SECSuccess) { 1.1507 + if (matched == SECSuccess) 1.1508 + rv = excluded ? SECFailure : SECSuccess; 1.1509 + else 1.1510 + rv = excluded ? SECSuccess : SECFailure; 1.1511 + return rv; 1.1512 + } 1.1513 + 1.1514 + return SECFailure; 1.1515 +} 1.1516 + 1.1517 +/* Add and link a CERTGeneralName to a CERTNameConstraint list. Most 1.1518 +** likely the CERTNameConstraint passed in is either the permitted 1.1519 +** list or the excluded list of a CERTNameConstraints. 1.1520 +*/ 1.1521 +SECStatus 1.1522 +CERT_AddNameConstraintByGeneralName(PLArenaPool *arena, 1.1523 + CERTNameConstraint **constraints, 1.1524 + CERTGeneralName *name) 1.1525 +{ 1.1526 + SECStatus rv; 1.1527 + CERTNameConstraint *current = NULL; 1.1528 + CERTNameConstraint *first = *constraints; 1.1529 + void *mark = NULL; 1.1530 + 1.1531 + mark = PORT_ArenaMark(arena); 1.1532 + 1.1533 + current = PORT_ArenaZNew(arena, CERTNameConstraint); 1.1534 + if (current == NULL) { 1.1535 + rv = SECFailure; 1.1536 + goto done; 1.1537 + } 1.1538 + 1.1539 + rv = cert_CopyOneGeneralName(arena, ¤t->name, name); 1.1540 + if (rv != SECSuccess) { 1.1541 + goto done; 1.1542 + } 1.1543 + 1.1544 + current->name.l.prev = current->name.l.next = &(current->name.l); 1.1545 + 1.1546 + if (first == NULL) { 1.1547 + *constraints = current; 1.1548 + PR_INIT_CLIST(¤t->l); 1.1549 + } else { 1.1550 + PR_INSERT_BEFORE(¤t->l, &first->l); 1.1551 + } 1.1552 + 1.1553 +done: 1.1554 + if (rv == SECFailure) { 1.1555 + PORT_ArenaRelease(arena, mark); 1.1556 + } else { 1.1557 + PORT_ArenaUnmark(arena, mark); 1.1558 + } 1.1559 + return rv; 1.1560 +} 1.1561 + 1.1562 +/* Add name 
constraints to certain certs that do not include name constraints 1.1563 + * This is the core of the implementation for bug 952572. 1.1564 + */ 1.1565 + 1.1566 +static SECStatus 1.1567 +getNameExtensionsBuiltIn(CERTCertificate *cert, 1.1568 + SECItem *extensions) 1.1569 +{ 1.1570 + const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/ 1.1571 + "\xA0\x5B" /* element len =91 */ 1.1572 + "\x30\x05" /* sequence len 5 */ 1.1573 + "\x82\x03" /* entry len 3 */ 1.1574 + ".fr" 1.1575 + "\x30\x05\x82\x03" /* sequence len5, entry len 3 */ 1.1576 + ".gp" 1.1577 + "\x30\x05\x82\x03" 1.1578 + ".gf" 1.1579 + "\x30\x05\x82\x03" 1.1580 + ".mq" 1.1581 + "\x30\x05\x82\x03" 1.1582 + ".re" 1.1583 + "\x30\x05\x82\x03" 1.1584 + ".yt" 1.1585 + "\x30\x05\x82\x03" 1.1586 + ".pm" 1.1587 + "\x30\x05\x82\x03" 1.1588 + ".bl" 1.1589 + "\x30\x05\x82\x03" 1.1590 + ".mf" 1.1591 + "\x30\x05\x82\x03" 1.1592 + ".wf" 1.1593 + "\x30\x05\x82\x03" 1.1594 + ".pf" 1.1595 + "\x30\x05\x82\x03" 1.1596 + ".nc" 1.1597 + "\x30\x05\x82\x03" 1.1598 + ".tf"; 1.1599 + 1.1600 + /* The stringified value for the subject is: 1.1601 + E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR 1.1602 + */ 1.1603 + const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04" 1.1604 + "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03" 1.1605 + "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65" 1.1606 + "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" 1.1607 + "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03" 1.1608 + "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44" 1.1609 + "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13" 1.1610 + "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06" 1.1611 + "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41" 1.1612 + "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7" 1.1613 + "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40" 1.1614 + "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" 1.1615 + "\x76\x2E\x66\x72"; 1.1616 + 1.1617 + const SECItem anssi_subject = {0, (unsigned char *) 
rawANSSISubject, 1.1618 + sizeof(rawANSSISubject)-1}; 1.1619 + const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov, 1.1620 + sizeof(constraintFranceGov)-1}; 1.1621 + 1.1622 + if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) { 1.1623 + SECStatus rv; 1.1624 + rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC); 1.1625 + return rv; 1.1626 + } 1.1627 + PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); 1.1628 + return SECFailure; 1.1629 +} 1.1630 + 1.1631 +/* Extract the name constraints extension from the CA cert. */ 1.1632 +SECStatus 1.1633 +CERT_FindNameConstraintsExten(PLArenaPool *arena, 1.1634 + CERTCertificate *cert, 1.1635 + CERTNameConstraints **constraints) 1.1636 +{ 1.1637 + SECStatus rv = SECSuccess; 1.1638 + SECItem constraintsExtension; 1.1639 + void *mark = NULL; 1.1640 + 1.1641 + *constraints = NULL; 1.1642 + 1.1643 + rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 1.1644 + &constraintsExtension); 1.1645 + if (rv != SECSuccess) { 1.1646 + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { 1.1647 + return rv; 1.1648 + } 1.1649 + rv = getNameExtensionsBuiltIn(cert, &constraintsExtension); 1.1650 + if (rv != SECSuccess) { 1.1651 + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { 1.1652 + return SECSuccess; 1.1653 + } 1.1654 + return rv; 1.1655 + } 1.1656 + } 1.1657 + 1.1658 + mark = PORT_ArenaMark(arena); 1.1659 + 1.1660 + *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension); 1.1661 + if (*constraints == NULL) { /* decode failed */ 1.1662 + rv = SECFailure; 1.1663 + } 1.1664 + PORT_Free (constraintsExtension.data); 1.1665 + 1.1666 + if (rv == SECFailure) { 1.1667 + PORT_ArenaRelease(arena, mark); 1.1668 + } else { 1.1669 + PORT_ArenaUnmark(arena, mark); 1.1670 + } 1.1671 + 1.1672 + return rv; 1.1673 +} 1.1674 + 1.1675 +/* Verify name against all the constraints relevant to that type of 1.1676 +** the name. 
1.1677 +*/ 1.1678 +SECStatus 1.1679 +CERT_CheckNameSpace(PLArenaPool *arena, 1.1680 + const CERTNameConstraints *constraints, 1.1681 + const CERTGeneralName *currentName) 1.1682 +{ 1.1683 + CERTNameConstraint *matchingConstraints; 1.1684 + SECStatus rv = SECSuccess; 1.1685 + 1.1686 + if (constraints->excluded != NULL) { 1.1687 + rv = CERT_GetNameConstraintByType(constraints->excluded, 1.1688 + currentName->type, 1.1689 + &matchingConstraints, arena); 1.1690 + if (rv == SECSuccess && matchingConstraints != NULL) { 1.1691 + rv = cert_CompareNameWithConstraints(currentName, 1.1692 + matchingConstraints, 1.1693 + PR_TRUE); 1.1694 + } 1.1695 + if (rv != SECSuccess) { 1.1696 + return(rv); 1.1697 + } 1.1698 + } 1.1699 + 1.1700 + if (constraints->permited != NULL) { 1.1701 + rv = CERT_GetNameConstraintByType(constraints->permited, 1.1702 + currentName->type, 1.1703 + &matchingConstraints, arena); 1.1704 + if (rv == SECSuccess && matchingConstraints != NULL) { 1.1705 + rv = cert_CompareNameWithConstraints(currentName, 1.1706 + matchingConstraints, 1.1707 + PR_FALSE); 1.1708 + } 1.1709 + if (rv != SECSuccess) { 1.1710 + return(rv); 1.1711 + } 1.1712 + } 1.1713 + 1.1714 + return(SECSuccess); 1.1715 +} 1.1716 + 1.1717 +/* Extract the name constraints extension from the CA cert. 1.1718 +** Test each and every name in namesList against all the constraints 1.1719 +** relevant to that type of name. 1.1720 +** Returns NULL in pBadCert for success, if all names are acceptable. 1.1721 +** If some name is not acceptable, returns a pointer to the cert that 1.1722 +** contained that name. 
1.1723 +*/ 1.1724 +SECStatus 1.1725 +CERT_CompareNameSpace(CERTCertificate *cert, 1.1726 + CERTGeneralName *namesList, 1.1727 + CERTCertificate **certsList, 1.1728 + PLArenaPool *reqArena, 1.1729 + CERTCertificate **pBadCert) 1.1730 +{ 1.1731 + SECStatus rv = SECSuccess; 1.1732 + CERTNameConstraints *constraints; 1.1733 + CERTGeneralName *currentName; 1.1734 + int count = 0; 1.1735 + CERTCertificate *badCert = NULL; 1.1736 + 1.1737 + /* If no names to check, then no names can be bad. */ 1.1738 + if (!namesList) 1.1739 + goto done; 1.1740 + rv = CERT_FindNameConstraintsExten(reqArena, cert, &constraints); 1.1741 + if (rv != SECSuccess) { 1.1742 + count = -1; 1.1743 + goto done; 1.1744 + } 1.1745 + 1.1746 + currentName = namesList; 1.1747 + do { 1.1748 + if (constraints){ 1.1749 + rv = CERT_CheckNameSpace(reqArena, constraints, currentName); 1.1750 + if (rv != SECSuccess) { 1.1751 + break; 1.1752 + } 1.1753 + } 1.1754 + currentName = CERT_GetNextGeneralName(currentName); 1.1755 + count ++; 1.1756 + } while (currentName != namesList); 1.1757 + 1.1758 +done: 1.1759 + if (rv != SECSuccess) { 1.1760 + badCert = (count >= 0) ? certsList[count] : cert; 1.1761 + } 1.1762 + if (pBadCert) 1.1763 + *pBadCert = badCert; 1.1764 + 1.1765 + return rv; 1.1766 +} 1.1767 + 1.1768 +#if 0 1.1769 +/* not exported from shared libs, not used. Turn on if we ever need it. 
*/ 1.1770 +SECStatus 1.1771 +CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b) 1.1772 +{ 1.1773 + CERTGeneralName *currentA; 1.1774 + CERTGeneralName *currentB; 1.1775 + PRBool found; 1.1776 + 1.1777 + currentA = a; 1.1778 + currentB = b; 1.1779 + if (a != NULL) { 1.1780 + do { 1.1781 + if (currentB == NULL) { 1.1782 + return SECFailure; 1.1783 + } 1.1784 + currentB = CERT_GetNextGeneralName(currentB); 1.1785 + currentA = CERT_GetNextGeneralName(currentA); 1.1786 + } while (currentA != a); 1.1787 + } 1.1788 + if (currentB != b) { 1.1789 + return SECFailure; 1.1790 + } 1.1791 + currentA = a; 1.1792 + do { 1.1793 + currentB = b; 1.1794 + found = PR_FALSE; 1.1795 + do { 1.1796 + if (currentB->type == currentA->type) { 1.1797 + switch (currentB->type) { 1.1798 + case certDNSName: 1.1799 + case certEDIPartyName: 1.1800 + case certIPAddress: 1.1801 + case certRegisterID: 1.1802 + case certRFC822Name: 1.1803 + case certX400Address: 1.1804 + case certURI: 1.1805 + if (SECITEM_CompareItem(¤tA->name.other, 1.1806 + ¤tB->name.other) 1.1807 + == SECEqual) { 1.1808 + found = PR_TRUE; 1.1809 + } 1.1810 + break; 1.1811 + case certOtherName: 1.1812 + if (SECITEM_CompareItem(¤tA->name.OthName.oid, 1.1813 + ¤tB->name.OthName.oid) 1.1814 + == SECEqual && 1.1815 + SECITEM_CompareItem(¤tA->name.OthName.name, 1.1816 + ¤tB->name.OthName.name) 1.1817 + == SECEqual) { 1.1818 + found = PR_TRUE; 1.1819 + } 1.1820 + break; 1.1821 + case certDirectoryName: 1.1822 + if (CERT_CompareName(¤tA->name.directoryName, 1.1823 + ¤tB->name.directoryName) 1.1824 + == SECEqual) { 1.1825 + found = PR_TRUE; 1.1826 + } 1.1827 + } 1.1828 + 1.1829 + } 1.1830 + currentB = CERT_GetNextGeneralName(currentB); 1.1831 + } while (currentB != b && found != PR_TRUE); 1.1832 + if (found != PR_TRUE) { 1.1833 + return SECFailure; 1.1834 + } 1.1835 + currentA = CERT_GetNextGeneralName(currentA); 1.1836 + } while (currentA != a); 1.1837 + return SECSuccess; 1.1838 +} 1.1839 + 1.1840 +SECStatus 1.1841 
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b) 1.1842 +{ 1.1843 + SECStatus rv; 1.1844 + 1.1845 + if (a == b) { 1.1846 + return SECSuccess; 1.1847 + } 1.1848 + if (a != NULL && b != NULL) { 1.1849 + PZ_Lock(a->lock); 1.1850 + PZ_Lock(b->lock); 1.1851 + rv = CERT_CompareGeneralName(a->name, b->name); 1.1852 + PZ_Unlock(a->lock); 1.1853 + PZ_Unlock(b->lock); 1.1854 + } else { 1.1855 + rv = SECFailure; 1.1856 + } 1.1857 + return rv; 1.1858 +} 1.1859 +#endif 1.1860 + 1.1861 +#if 0 1.1862 +/* This function is not exported from NSS shared libraries, and is not 1.1863 +** used inside of NSS. 1.1864 +** XXX it doesn't check for failed allocations. :-( 1.1865 +*/ 1.1866 +void * 1.1867 +CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list, 1.1868 + CERTGeneralNameType type, 1.1869 + PLArenaPool *arena) 1.1870 +{ 1.1871 + CERTName *name = NULL; 1.1872 + SECItem *item = NULL; 1.1873 + OtherName *other = NULL; 1.1874 + OtherName *tmpOther = NULL; 1.1875 + void *data; 1.1876 + 1.1877 + PZ_Lock(list->lock); 1.1878 + data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE); 1.1879 + if (data != NULL) { 1.1880 + switch (type) { 1.1881 + case certDNSName: 1.1882 + case certEDIPartyName: 1.1883 + case certIPAddress: 1.1884 + case certRegisterID: 1.1885 + case certRFC822Name: 1.1886 + case certX400Address: 1.1887 + case certURI: 1.1888 + if (arena != NULL) { 1.1889 + item = PORT_ArenaNew(arena, SECItem); 1.1890 + if (item != NULL) { 1.1891 +XXX SECITEM_CopyItem(arena, item, (SECItem *) data); 1.1892 + } 1.1893 + } else { 1.1894 + item = SECITEM_DupItem((SECItem *) data); 1.1895 + } 1.1896 + PZ_Unlock(list->lock); 1.1897 + return item; 1.1898 + case certOtherName: 1.1899 + other = (OtherName *) data; 1.1900 + if (arena != NULL) { 1.1901 + tmpOther = PORT_ArenaNew(arena, OtherName); 1.1902 + } else { 1.1903 + tmpOther = PORT_New(OtherName); 1.1904 + } 1.1905 + if (tmpOther != NULL) { 1.1906 +XXX SECITEM_CopyItem(arena, &tmpOther->oid, 
&other->oid); 1.1907 +XXX SECITEM_CopyItem(arena, &tmpOther->name, &other->name); 1.1908 + } 1.1909 + PZ_Unlock(list->lock); 1.1910 + return tmpOther; 1.1911 + case certDirectoryName: 1.1912 + if (arena) { 1.1913 + name = PORT_ArenaZNew(list->arena, CERTName); 1.1914 + if (name) { 1.1915 +XXX CERT_CopyName(arena, name, (CERTName *) data); 1.1916 + } 1.1917 + } 1.1918 + PZ_Unlock(list->lock); 1.1919 + return name; 1.1920 + } 1.1921 + } 1.1922 + PZ_Unlock(list->lock); 1.1923 + return NULL; 1.1924 +} 1.1925 +#endif 1.1926 + 1.1927 +#if 0 1.1928 +/* This function is not exported from NSS shared libraries, and is not 1.1929 +** used inside of NSS. 1.1930 +** XXX it should NOT be a void function, since it does allocations 1.1931 +** that can fail. 1.1932 +*/ 1.1933 +void 1.1934 +CERT_AddGeneralNameToList(CERTGeneralNameList *list, 1.1935 + CERTGeneralNameType type, 1.1936 + void *data, SECItem *oid) 1.1937 +{ 1.1938 + CERTGeneralName *name; 1.1939 + 1.1940 + if (list != NULL && data != NULL) { 1.1941 + PZ_Lock(list->lock); 1.1942 + name = CERT_NewGeneralName(list->arena, type); 1.1943 + if (!name) 1.1944 + goto done; 1.1945 + switch (type) { 1.1946 + case certDNSName: 1.1947 + case certEDIPartyName: 1.1948 + case certIPAddress: 1.1949 + case certRegisterID: 1.1950 + case certRFC822Name: 1.1951 + case certX400Address: 1.1952 + case certURI: 1.1953 +XXX SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data); 1.1954 + break; 1.1955 + case certOtherName: 1.1956 +XXX SECITEM_CopyItem(list->arena, &name->name.OthName.name, 1.1957 + (SECItem *) data); 1.1958 +XXX SECITEM_CopyItem(list->arena, &name->name.OthName.oid, 1.1959 + oid); 1.1960 + break; 1.1961 + case certDirectoryName: 1.1962 +XXX CERT_CopyName(list->arena, &name->name.directoryName, 1.1963 + (CERTName *) data); 1.1964 + break; 1.1965 + } 1.1966 + list->name = cert_CombineNamesLists(list->name, name); 1.1967 + list->len++; 1.1968 +done: 1.1969 + PZ_Unlock(list->lock); 1.1970 + } 1.1971 + return; 1.1972 +} 
1.1973 +#endif