The Tor Browser / file diff

diff: security/nss/lib/certdb/xbsconst.c

security/nss/lib/certdb/xbsconst.c

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/lib/certdb/xbsconst.c	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,145 @@
     1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
     1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
     1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     1.7 +
     1.8 +/*
     1.9 + * X.509 v3 Basic Constraints Extension 
    1.10 + */
    1.11 +
    1.12 +#include "prtypes.h"
    1.13 +#include <limits.h>     /* for LONG_MAX */
    1.14 +#include "seccomon.h"
    1.15 +#include "secdert.h"
    1.16 +#include "secoidt.h"
    1.17 +#include "secasn1t.h"
    1.18 +#include "secasn1.h"
    1.19 +#include "certt.h"
    1.20 +#include "secder.h"
    1.21 +#include "prprf.h"
    1.22 +#include "secerr.h"
    1.23 +
    1.24 +typedef struct EncodedContext{
    1.25 +    SECItem isCA;
    1.26 +    SECItem pathLenConstraint;
    1.27 +    SECItem encodedValue;
    1.28 +    PLArenaPool *arena;
    1.29 +}EncodedContext;
    1.30 +
    1.31 +static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
    1.32 +    { SEC_ASN1_SEQUENCE,
    1.33 +	  0, NULL, sizeof(EncodedContext) },
    1.34 +    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
    1.35 +	  offsetof(EncodedContext,isCA)},
    1.36 +    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
    1.37 +	  offsetof(EncodedContext,pathLenConstraint) },
    1.38 +    { 0, }
    1.39 +};
    1.40 +
    1.41 +static unsigned char hexTrue = 0xff;
    1.42 +static unsigned char hexFalse = 0x00;
    1.43 +
    1.44 +#define GEN_BREAK(status) rv = status; break;
    1.45 +
    1.46 +SECStatus CERT_EncodeBasicConstraintValue
    1.47 +   (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
    1.48 +{
    1.49 +    EncodedContext encodeContext;
    1.50 +    PLArenaPool *our_pool = NULL;
    1.51 +    SECStatus rv = SECSuccess;
    1.52 +
    1.53 +    do {
    1.54 +	PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
    1.55 +	if (!value->isCA && value->pathLenConstraint >= 0) {
    1.56 +	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
    1.57 +	    GEN_BREAK (SECFailure);
    1.58 +	}
    1.59 +
    1.60 +        encodeContext.arena = arena;
    1.61 +	if (value->isCA == PR_TRUE) {
    1.62 +	    encodeContext.isCA.data =  &hexTrue ;
    1.63 +	    encodeContext.isCA.len = 1;
    1.64 +	}
    1.65 +
    1.66 +	/* If the pathLenConstraint is less than 0, then it should be
    1.67 +	 * omitted from the encoding.
    1.68 +	 */
    1.69 +	if (value->isCA && value->pathLenConstraint >= 0) {
    1.70 +	    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
    1.71 +	    if (our_pool == NULL) {
    1.72 +		PORT_SetError (SEC_ERROR_NO_MEMORY);
    1.73 +		GEN_BREAK (SECFailure);
    1.74 +	    }
    1.75 +	    if (SEC_ASN1EncodeUnsignedInteger
    1.76 +		(our_pool, &encodeContext.pathLenConstraint,
    1.77 +		 (unsigned long)value->pathLenConstraint) == NULL) {
    1.78 +		PORT_SetError (SEC_ERROR_NO_MEMORY);
    1.79 +		GEN_BREAK (SECFailure);
    1.80 +	    }
    1.81 +	}
    1.82 +	if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
    1.83 +				CERTBasicConstraintsTemplate) == NULL) {
    1.84 +	    GEN_BREAK (SECFailure);
    1.85 +	}
    1.86 +    } while (0);
    1.87 +    if (our_pool)
    1.88 +	PORT_FreeArena (our_pool, PR_FALSE);
    1.89 +    return(rv);
    1.90 +
    1.91 +}
    1.92 +
    1.93 +SECStatus CERT_DecodeBasicConstraintValue
    1.94 +   (CERTBasicConstraints *value, const SECItem *encodedValue)
    1.95 +{
    1.96 +    EncodedContext decodeContext;
    1.97 +    PLArenaPool *our_pool;
    1.98 +    SECStatus rv = SECSuccess;
    1.99 +
   1.100 +    do {
   1.101 +	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
   1.102 +	/* initialize the value just in case we got "0x30 00", or when the
   1.103 +	   pathLenConstraint is omitted.
   1.104 +         */
   1.105 +	decodeContext.isCA.data =&hexFalse;
   1.106 +	decodeContext.isCA.len = 1;
   1.107 +	
   1.108 +	our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
   1.109 +	if (our_pool == NULL) {
   1.110 +	    PORT_SetError (SEC_ERROR_NO_MEMORY);
   1.111 +	    GEN_BREAK (SECFailure);
   1.112 +	}
   1.113 +
   1.114 +        rv = SEC_QuickDERDecodeItem
   1.115 +	     (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
   1.116 +	if (rv == SECFailure)
   1.117 +	    break;
   1.118 +	
   1.119 +	value->isCA = decodeContext.isCA.data 
   1.120 +	              ? (PRBool)(decodeContext.isCA.data[0] != 0)
   1.121 +		      : PR_FALSE;
   1.122 +	if (decodeContext.pathLenConstraint.data == NULL) {
   1.123 +	    /* if the pathLenConstraint is not encoded, and the current setting
   1.124 +	      is CA, then the pathLenConstraint should be set to a negative number
   1.125 +	      for unlimited certificate path.
   1.126 +	     */
   1.127 +	    if (value->isCA)
   1.128 +		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
   1.129 +	} else if (value->isCA) {
   1.130 +	    long len = DER_GetInteger (&decodeContext.pathLenConstraint);
   1.131 +	    if (len < 0 || len == LONG_MAX) {
   1.132 +		PORT_SetError (SEC_ERROR_BAD_DER);
   1.133 +		GEN_BREAK (SECFailure);
   1.134 +	    }
   1.135 +	    value->pathLenConstraint = len;
   1.136 +	} else {
   1.137 +	    /* here we get an error where the subject is not a CA, but
   1.138 +	       the pathLenConstraint is set */
   1.139 +	    PORT_SetError (SEC_ERROR_BAD_DER);
   1.140 +	    GEN_BREAK (SECFailure);
   1.141 +	    break;
   1.142 +	}
   1.143 +	 
   1.144 +    } while (0);
   1.145 +    PORT_FreeArena (our_pool, PR_FALSE);
   1.146 +    return (rv);
   1.147 +
   1.148 +}

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial