1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1637 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * pkix_certselector.c
1.9 + *
1.10 + * CertSelector Object Functions
1.11 + *
1.12 + */
1.13 +
1.14 +#include "pkix_certselector.h"
1.15 +
1.16 +/* --Private-Functions-------------------------------------------- */
1.17 +
1.18 +/*
1.19 + * FUNCTION: pkix_CertSelector_Destroy
1.20 + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
1.21 + */
1.22 +static PKIX_Error *
1.23 +pkix_CertSelector_Destroy(
1.24 + PKIX_PL_Object *object,
1.25 + void *plContext)
1.26 +{
1.27 + PKIX_CertSelector *selector = NULL;
1.28 +
1.29 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy");
1.30 + PKIX_NULLCHECK_ONE(object);
1.31 +
1.32 + /* Check that this object is a cert selector */
1.33 + PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
1.34 + PKIX_OBJECTNOTCERTSELECTOR);
1.35 +
1.36 + selector = (PKIX_CertSelector *)object;
1.37 + PKIX_DECREF(selector->params);
1.38 + PKIX_DECREF(selector->context);
1.39 +
1.40 +cleanup:
1.41 +
1.42 + PKIX_RETURN(CERTSELECTOR);
1.43 +}
1.44 +
1.45 +/*
1.46 + * FUNCTION: pkix_CertSelector_Duplicate
1.47 + * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
1.48 + */
1.49 +static PKIX_Error *
1.50 +pkix_CertSelector_Duplicate(
1.51 + PKIX_PL_Object *object,
1.52 + PKIX_PL_Object **pNewObject,
1.53 + void *plContext)
1.54 +{
1.55 + PKIX_CertSelector *certSelector = NULL;
1.56 + PKIX_CertSelector *certSelectorDuplicate = NULL;
1.57 +
1.58 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate");
1.59 + PKIX_NULLCHECK_TWO(object, pNewObject);
1.60 +
1.61 + PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
1.62 + PKIX_OBJECTNOTCERTSELECTOR);
1.63 +
1.64 + certSelector = (PKIX_CertSelector *)object;
1.65 +
1.66 + PKIX_CHECK(PKIX_CertSelector_Create
1.67 + (certSelector->matchCallback,
1.68 + certSelector->context,
1.69 + &certSelectorDuplicate,
1.70 + plContext),
1.71 + PKIX_CERTSELECTORCREATEFAILED);
1.72 +
1.73 + PKIX_CHECK(PKIX_PL_Object_Duplicate
1.74 + ((PKIX_PL_Object *)certSelector->params,
1.75 + (PKIX_PL_Object **)&certSelectorDuplicate->params,
1.76 + plContext),
1.77 + PKIX_OBJECTDUPLICATEFAILED);
1.78 +
1.79 + *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate;
1.80 +
1.81 +cleanup:
1.82 +
1.83 + if (PKIX_ERROR_RECEIVED){
1.84 + PKIX_DECREF(certSelectorDuplicate);
1.85 + }
1.86 +
1.87 + PKIX_RETURN(CERTSELECTOR);
1.88 +}
1.89 +
1.90 +/*
1.91 + * FUNCTION: pkix_CertSelector_Match_BasicConstraint
1.92 + * DESCRIPTION:
1.93 + *
1.94 + * Determines whether the Cert pointed to by "cert" matches the basic
1.95 + * constraints criterion using the basic constraints field of the
1.96 + * ComCertSelParams pointed to by "params". If the basic constraints field is
1.97 + * -1, no basic constraints check is done and the Cert is considered to match
1.98 + * the basic constraints criterion. If the Cert does not match the basic
1.99 + * constraints criterion, an Error pointer is returned.
1.100 + *
1.101 + * In order to match against this criterion, there are several possibilities.
1.102 + *
1.103 + * 1) If the criterion's minimum path length is greater than or equal to zero,
1.104 + * a certificate must include a BasicConstraints extension with a pathLen of
1.105 + * at least this value.
1.106 + *
1.107 + * 2) If the criterion's minimum path length is -2, a certificate must be an
1.108 + * end-entity certificate.
1.109 + *
1.110 + * 3) If the criterion's minimum path length is -1, no basic constraints check
1.111 + * is done and all certificates are considered to match this criterion.
1.112 + *
1.113 + * PARAMETERS:
1.114 + * "params"
1.115 + * Address of ComCertSelParams whose basic constraints field is used.
1.116 + * Must be non-NULL.
1.117 + * "cert"
1.118 + * Address of Cert that is to be matched. Must be non-NULL.
1.119 + * "pResult"
1.120 + * Address of PKIX_Boolean that returns the match result.
1.121 + * "plContext"
1.122 + * Platform-specific context pointer.
1.123 + * OUTPUT PARAMETERS ON FAILURE:
1.124 + * If the function returns a failure,
1.125 + * the output parameters of this function are undefined.
1.126 + * THREAD SAFETY:
1.127 + * Conditionally Thread Safe
1.128 + * (see Thread Safety Definitions in Programmer's Guide)
1.129 + * RETURNS:
1.130 + * Returns NULL if the function succeeds.
1.131 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.132 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.133 + */
1.134 +static PKIX_Error *
1.135 +pkix_CertSelector_Match_BasicConstraint(
1.136 + PKIX_ComCertSelParams *params,
1.137 + PKIX_PL_Cert *cert,
1.138 + PKIX_Boolean *pResult,
1.139 + void *plContext)
1.140 +{
1.141 + PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
1.142 + PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */
1.143 + PKIX_Int32 pathLength = 0;
1.144 + PKIX_Int32 minPathLength = 0;
1.145 +
1.146 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint");
1.147 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.148 + *pResult = PKIX_TRUE;
1.149 +
1.150 + PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
1.151 + (params, &minPathLength, plContext),
1.152 + PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
1.153 +
1.154 + /* If the minPathLength is unlimited (-1), no checking */
1.155 + if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) {
1.156 + goto cleanup;
1.157 + }
1.158 +
1.159 + PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
1.160 + (cert, &basicConstraints, plContext),
1.161 + PKIX_CERTGETBASICCONSTRAINTSFAILED);
1.162 +
1.163 + if (basicConstraints != NULL) {
1.164 + PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
1.165 + (basicConstraints, &caFlag, plContext),
1.166 + PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
1.167 +
1.168 + PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint
1.169 + (basicConstraints, &pathLength, plContext),
1.170 + PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
1.171 + }
1.172 +
1.173 + /*
1.174 + * if minPathLength >= 0, the cert must have a BasicConstraints ext and
1.175 + * the pathLength in this cert
1.176 + * BasicConstraints needs to be >= minPathLength.
1.177 + */
1.178 + if (minPathLength >= 0){
1.179 + if ((!basicConstraints) || (caFlag == PKIX_FALSE)){
1.180 + PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES);
1.181 + } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) &&
1.182 + (pathLength < minPathLength)){
1.183 + PKIX_CERTSELECTOR_DEBUG
1.184 + ("Basic Constraints path length match failed\n");
1.185 + *pResult = PKIX_FALSE;
1.186 + PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
1.187 + }
1.188 + }
1.189 +
1.190 + /* if the minPathLength is -2, this cert must be an end-entity cert. */
1.191 + if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) {
1.192 + if (caFlag == PKIX_TRUE) {
1.193 + PKIX_CERTSELECTOR_DEBUG
1.194 + ("Basic Constraints end-entity match failed\n");
1.195 + *pResult = PKIX_FALSE;
1.196 + PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
1.197 + }
1.198 + }
1.199 +
1.200 +cleanup:
1.201 +
1.202 + PKIX_DECREF(basicConstraints);
1.203 + PKIX_RETURN(CERTSELECTOR);
1.204 +}
1.205 +
1.206 +/*
1.207 + * FUNCTION: pkix_CertSelector_Match_Policies
1.208 + * DESCRIPTION:
1.209 + *
1.210 + * Determines whether the Cert pointed to by "cert" matches the policy
1.211 + * constraints specified in the ComCertsSelParams given by "params".
1.212 + * If "params" specifies a policy constraint of NULL, all certificates
1.213 + * match. If "params" specifies an empty list, "cert" must have at least
1.214 + * some policy. Otherwise "cert" must include at least one of the
1.215 + * policies in the list. See the description of PKIX_CertSelector in
1.216 + * pkix_certsel.h for more.
1.217 + *
1.218 + * PARAMETERS:
1.219 + * "params"
1.220 + * Address of ComCertSelParams whose policy criterion (if any) is used.
1.221 + * Must be non-NULL.
1.222 + * "cert"
1.223 + * Address of Cert that is to be matched. Must be non-NULL.
1.224 + * "pResult"
1.225 + * Address of PKIX_Boolean that returns the match result.
1.226 + * "plContext"
1.227 + * Platform-specific context pointer.
1.228 + * THREAD SAFETY:
1.229 + * Conditionally Thread Safe
1.230 + * (see Thread Safety Definitions in Programmer's Guide)
1.231 + * RETURNS:
1.232 + * Returns NULL if the function succeeds.
1.233 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.234 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.235 + */
1.236 +static PKIX_Error *
1.237 +pkix_CertSelector_Match_Policies(
1.238 + PKIX_ComCertSelParams *params,
1.239 + PKIX_PL_Cert *cert,
1.240 + PKIX_Boolean *pResult,
1.241 + void *plContext)
1.242 +{
1.243 + PKIX_UInt32 numConstraintPolicies = 0;
1.244 + PKIX_UInt32 numCertPolicies = 0;
1.245 + PKIX_UInt32 certPolicyIndex = 0;
1.246 + PKIX_Boolean result = PKIX_FALSE;
1.247 + PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */
1.248 + PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */
1.249 + PKIX_PL_CertPolicyInfo *policyInfo = NULL;
1.250 + PKIX_PL_OID *polOID = NULL;
1.251 +
1.252 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies");
1.253 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.254 +
1.255 + PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy
1.256 + (params, &constraintPolicies, plContext),
1.257 + PKIX_COMCERTSELPARAMSGETPOLICYFAILED);
1.258 +
1.259 + /* If constraintPolicies is NULL, all certificates "match" */
1.260 + if (constraintPolicies) {
1.261 + PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
1.262 + (cert, &certPolicyInfos, plContext),
1.263 + PKIX_CERTGETPOLICYINFORMATIONFAILED);
1.264 +
1.265 + /* No hope of a match if cert has no policies */
1.266 + if (!certPolicyInfos) {
1.267 + PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
1.268 + *pResult = PKIX_FALSE;
1.269 + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1.270 + }
1.271 +
1.272 + PKIX_CHECK(PKIX_List_GetLength
1.273 + (constraintPolicies, &numConstraintPolicies, plContext),
1.274 + PKIX_LISTGETLENGTHFAILED);
1.275 +
1.276 + if (numConstraintPolicies > 0) {
1.277 +
1.278 + PKIX_CHECK(PKIX_List_GetLength
1.279 + (certPolicyInfos, &numCertPolicies, plContext),
1.280 + PKIX_LISTGETLENGTHFAILED);
1.281 +
1.282 + for (certPolicyIndex = 0;
1.283 + ((!result) && (certPolicyIndex < numCertPolicies));
1.284 + certPolicyIndex++) {
1.285 +
1.286 + PKIX_CHECK(PKIX_List_GetItem
1.287 + (certPolicyInfos,
1.288 + certPolicyIndex,
1.289 + (PKIX_PL_Object **)&policyInfo,
1.290 + plContext),
1.291 + PKIX_LISTGETELEMENTFAILED);
1.292 + PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
1.293 + (policyInfo, &polOID, plContext),
1.294 + PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
1.295 +
1.296 + PKIX_CHECK(pkix_List_Contains
1.297 + (constraintPolicies,
1.298 + (PKIX_PL_Object *)polOID,
1.299 + &result,
1.300 + plContext),
1.301 + PKIX_LISTCONTAINSFAILED);
1.302 + PKIX_DECREF(policyInfo);
1.303 + PKIX_DECREF(polOID);
1.304 + }
1.305 + if (!result) {
1.306 + *pResult = PKIX_FALSE;
1.307 + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1.308 + }
1.309 + }
1.310 + }
1.311 +
1.312 +cleanup:
1.313 +
1.314 + PKIX_DECREF(constraintPolicies);
1.315 + PKIX_DECREF(certPolicyInfos);
1.316 + PKIX_DECREF(policyInfo);
1.317 + PKIX_DECREF(polOID);
1.318 +
1.319 + PKIX_RETURN(CERTSELECTOR);
1.320 +
1.321 +}
1.322 +
1.323 +/*
1.324 + * FUNCTION: pkix_CertSelector_Match_CertificateValid
1.325 + * DESCRIPTION:
1.326 + *
1.327 + * Determines whether the Cert pointed to by "cert" matches the certificate
1.328 + * validity criterion using the CertificateValid field of the
1.329 + * ComCertSelParams pointed to by "params". If the CertificateValid field is
1.330 + * NULL, no validity check is done and the Cert is considered to match
1.331 + * the CertificateValid criterion. If the CertificateValid field specifies a
1.332 + * Date prior to the notBefore field in the Cert, or greater than the notAfter
1.333 + * field in the Cert, an Error is returned.
1.334 + *
1.335 + * PARAMETERS:
1.336 + * "params"
1.337 + * Address of ComCertSelParams whose certValid field is used.
1.338 + * Must be non-NULL.
1.339 + * "cert"
1.340 + * Address of Cert that is to be matched. Must be non-NULL.
1.341 + * "pResult"
1.342 + * Address of PKIX_Boolean that returns the match result.
1.343 + * "plContext"
1.344 + * Platform-specific context pointer.
1.345 + * THREAD SAFETY:
1.346 + * Conditionally Thread Safe
1.347 + * (see Thread Safety Definitions in Programmer's Guide)
1.348 + * RETURNS:
1.349 + * Returns NULL if the function succeeds.
1.350 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.351 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.352 + */
1.353 +static PKIX_Error *
1.354 +pkix_CertSelector_Match_CertificateValid(
1.355 + PKIX_ComCertSelParams *params,
1.356 + PKIX_PL_Cert *cert,
1.357 + PKIX_Boolean *pResult,
1.358 + void *plContext)
1.359 +{
1.360 + PKIX_PL_Date *validityTime = NULL;
1.361 +
1.362 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid");
1.363 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.364 +
1.365 + PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
1.366 + (params, &validityTime, plContext),
1.367 + PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
1.368 +
1.369 + /* If the validityTime is not set, all certificates are acceptable */
1.370 + if (validityTime) {
1.371 + PKIX_CHECK(PKIX_PL_Cert_CheckValidity
1.372 + (cert, validityTime, plContext),
1.373 + PKIX_CERTCHECKVALIDITYFAILED);
1.374 + }
1.375 +
1.376 +cleanup:
1.377 + if (PKIX_ERROR_RECEIVED) {
1.378 + *pResult = PKIX_FALSE;
1.379 + }
1.380 + PKIX_DECREF(validityTime);
1.381 +
1.382 + PKIX_RETURN(CERTSELECTOR);
1.383 +}
1.384 +
1.385 +/*
1.386 + * FUNCTION: pkix_CertSelector_Match_NameConstraints
1.387 + * DESCRIPTION:
1.388 + *
1.389 + * Determines whether the Cert pointed to by "cert" matches the name
1.390 + * constraints criterion specified in the ComCertSelParams pointed to by
1.391 + * "params". If the name constraints field is NULL, no name constraints check
1.392 + * is done and the Cert is considered to match the name constraints criterion.
1.393 + * If the Cert does not match the name constraints criterion, an Error pointer
1.394 + * is returned.
1.395 + *
1.396 + * PARAMETERS:
1.397 + * "params"
1.398 + * Address of ComCertSelParams whose name constraints field is used.
1.399 + * Must be non-NULL.
1.400 + * "cert"
1.401 + * Address of Cert that is to be matched. Must be non-NULL.
1.402 + * "pResult"
1.403 + * Address of PKIX_Boolean that returns the match result.
1.404 + * "plContext"
1.405 + * Platform-specific context pointer.
1.406 + * THREAD SAFETY:
1.407 + * Conditionally Thread Safe
1.408 + * (see Thread Safety Definitions in Programmer's Guide)
1.409 + * RETURNS:
1.410 + * Returns NULL if the function succeeds.
1.411 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.412 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.413 + */
1.414 +static PKIX_Error *
1.415 +pkix_CertSelector_Match_NameConstraints(
1.416 + PKIX_ComCertSelParams *params,
1.417 + PKIX_PL_Cert *cert,
1.418 + PKIX_Boolean *pResult,
1.419 + void *plContext)
1.420 +{
1.421 + PKIX_PL_CertNameConstraints *nameConstraints = NULL;
1.422 +
1.423 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
1.424 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.425 +
1.426 + PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
1.427 + (params, &nameConstraints, plContext),
1.428 + PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
1.429 +
1.430 + if (nameConstraints != NULL) {
1.431 + /* As only the end-entity certificate should have
1.432 + * the common name constrained as if it was a dNSName,
1.433 + * do not constrain the common name when building a
1.434 + * forward path.
1.435 + */
1.436 + PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
1.437 + (cert, nameConstraints, PKIX_FALSE, plContext),
1.438 + PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
1.439 + }
1.440 +
1.441 +cleanup:
1.442 + if (PKIX_ERROR_RECEIVED) {
1.443 + *pResult = PKIX_FALSE;
1.444 + }
1.445 +
1.446 + PKIX_DECREF(nameConstraints);
1.447 + PKIX_RETURN(CERTSELECTOR);
1.448 +}
1.449 +
1.450 +/*
1.451 + * FUNCTION: pkix_CertSelector_Match_PathToNames
1.452 + * DESCRIPTION:
1.453 + *
1.454 + * Determines whether the names at pathToNames in "params" complies with the
1.455 + * NameConstraints pointed to by "cert". If the pathToNames field is NULL
1.456 + * or there is no name constraints for this "cert", no checking is done
1.457 + * and the Cert is considered to match the name constraints criterion.
1.458 + * If the Cert does not match the name constraints criterion, an Error
1.459 + * pointer is returned.
1.460 + *
1.461 + * PARAMETERS:
1.462 + * "params"
1.463 + * Address of ComCertSelParams whose PathToNames field is used.
1.464 + * Must be non-NULL.
1.465 + * "cert"
1.466 + * Address of Cert that is to be matched. Must be non-NULL.
1.467 + * "pResult"
1.468 + * Address of PKIX_Boolean that returns the match result.
1.469 + * "plContext"
1.470 + * Platform-specific context pointer.
1.471 + * THREAD SAFETY:
1.472 + * Conditionally Thread Safe
1.473 + * (see Thread Safety Definitions in Programmer's Guide)
1.474 + * RETURNS:
1.475 + * Returns NULL if the function succeeds.
1.476 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.477 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.478 + */
1.479 +static PKIX_Error *
1.480 +pkix_CertSelector_Match_PathToNames(
1.481 + PKIX_ComCertSelParams *params,
1.482 + PKIX_PL_Cert *cert,
1.483 + PKIX_Boolean *pResult,
1.484 + void *plContext)
1.485 +{
1.486 + PKIX_List *pathToNamesList = NULL;
1.487 + PKIX_Boolean passed = PKIX_FALSE;
1.488 + PKIX_PL_CertNameConstraints *nameConstraints = NULL;
1.489 +
1.490 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames");
1.491 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.492 +
1.493 + PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
1.494 + (params, &pathToNamesList, plContext),
1.495 + PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
1.496 +
1.497 + if (pathToNamesList != NULL) {
1.498 +
1.499 + PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
1.500 + (cert, &nameConstraints, plContext),
1.501 + PKIX_CERTGETNAMECONSTRAINTSFAILED);
1.502 +
1.503 + if (nameConstraints != NULL) {
1.504 +
1.505 + PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
1.506 + (pathToNamesList, nameConstraints, &passed, plContext),
1.507 + PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
1.508 +
1.509 + if (passed != PKIX_TRUE) {
1.510 + *pResult = PKIX_FALSE;
1.511 + PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1.512 + }
1.513 + }
1.514 +
1.515 + }
1.516 +
1.517 +cleanup:
1.518 +
1.519 + PKIX_DECREF(nameConstraints);
1.520 + PKIX_DECREF(pathToNamesList);
1.521 +
1.522 + PKIX_RETURN(CERTSELECTOR);
1.523 +}
1.524 +
1.525 +/*
1.526 + * FUNCTION: pkix_CertSelector_Match_SubjAltNames
1.527 + * DESCRIPTION:
1.528 + *
1.529 + * Determines whether the names at subjAltNames in "params" match with the
1.530 + * SubjAltNames pointed to by "cert". If the subjAltNames field is NULL,
1.531 + * no name checking is done and the Cert is considered to match the
1.532 + * criterion. If the Cert does not match the criterion, an Error pointer
1.533 + * is returned.
1.534 + *
1.535 + * PARAMETERS:
1.536 + * "params"
1.537 + * Address of ComCertSelParams whose SubjAltNames field is used.
1.538 + * Must be non-NULL.
1.539 + * "cert"
1.540 + * Address of Cert that is to be matched. Must be non-NULL.
1.541 + * "pResult"
1.542 + * Address of PKIX_Boolean that returns the match result.
1.543 + * "plContext"
1.544 + * Platform-specific context pointer.
1.545 + * THREAD SAFETY:
1.546 + * Conditionally Thread Safe
1.547 + * (see Thread Safety Definitions in Programmer's Guide)
1.548 + * RETURNS:
1.549 + * Returns NULL if the function succeeds.
1.550 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.551 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.552 + */
1.553 +static PKIX_Error *
1.554 +pkix_CertSelector_Match_SubjAltNames(
1.555 + PKIX_ComCertSelParams *params,
1.556 + PKIX_PL_Cert *cert,
1.557 + PKIX_Boolean *pResult,
1.558 + void *plContext)
1.559 +{
1.560 + PKIX_List *subjAltNamesList = NULL;
1.561 + PKIX_List *certSubjAltNames = NULL;
1.562 + PKIX_PL_GeneralName *name = NULL;
1.563 + PKIX_Boolean checkPassed = PKIX_FALSE;
1.564 + PKIX_Boolean matchAll = PKIX_TRUE;
1.565 + PKIX_UInt32 i, numItems;
1.566 + PKIX_UInt32 matchCount = 0;
1.567 +
1.568 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames");
1.569 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.570 +
1.571 + PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
1.572 + (params, &matchAll, plContext),
1.573 + PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED);
1.574 +
1.575 + PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
1.576 + (params, &subjAltNamesList, plContext),
1.577 + PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
1.578 +
1.579 + if (subjAltNamesList != NULL) {
1.580 +
1.581 + PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
1.582 + (cert, &certSubjAltNames, plContext),
1.583 + PKIX_CERTGETSUBJALTNAMESFAILED);
1.584 +
1.585 + if (certSubjAltNames == NULL) {
1.586 + *pResult = PKIX_FALSE;
1.587 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1.588 + }
1.589 +
1.590 + PKIX_CHECK(PKIX_List_GetLength
1.591 + (subjAltNamesList, &numItems, plContext),
1.592 + PKIX_LISTGETLENGTHFAILED);
1.593 +
1.594 + for (i = 0; i < numItems; i++) {
1.595 +
1.596 + PKIX_CHECK(PKIX_List_GetItem
1.597 + (subjAltNamesList,
1.598 + i,
1.599 + (PKIX_PL_Object **) &name,
1.600 + plContext),
1.601 + PKIX_LISTGETITEMFAILED);
1.602 +
1.603 + PKIX_CHECK(pkix_List_Contains
1.604 + (certSubjAltNames,
1.605 + (PKIX_PL_Object *) name,
1.606 + &checkPassed,
1.607 + plContext),
1.608 + PKIX_LISTCONTAINSFAILED);
1.609 +
1.610 + PKIX_DECREF(name);
1.611 +
1.612 + if (checkPassed == PKIX_TRUE) {
1.613 +
1.614 + if (matchAll == PKIX_FALSE) {
1.615 + /* one match is good enough */
1.616 + matchCount = numItems;
1.617 + break;
1.618 + } else {
1.619 + /* else continue checking next */
1.620 + matchCount++;
1.621 + }
1.622 +
1.623 + }
1.624 +
1.625 + }
1.626 +
1.627 + if (matchCount != numItems) {
1.628 + *pResult = PKIX_FALSE;
1.629 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1.630 + }
1.631 + }
1.632 +
1.633 +cleanup:
1.634 +
1.635 + PKIX_DECREF(name);
1.636 + PKIX_DECREF(certSubjAltNames);
1.637 + PKIX_DECREF(subjAltNamesList);
1.638 +
1.639 + PKIX_RETURN(CERTSELECTOR);
1.640 +}
1.641 +
1.642 +/*
1.643 + * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage
1.644 + * DESCRIPTION:
1.645 + *
1.646 + * Determines whether the names at ExtKeyUsage in "params" matches with the
1.647 + * ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or
1.648 + * ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is
1.649 + * considered a match. If the Cert does not match, an Error pointer is
1.650 + * returned.
1.651 + *
1.652 + * PARAMETERS:
1.653 + * "params"
1.654 + * Address of ComCertSelParams whose ExtKeyUsage field is used.
1.655 + * Must be non-NULL.
1.656 + * "cert"
1.657 + * Address of Cert that is to be matched. Must be non-NULL.
1.658 + * "pResult"
1.659 + * Address of PKIX_Boolean that returns the match result.
1.660 + * "plContext"
1.661 + * Platform-specific context pointer.
1.662 + * THREAD SAFETY:
1.663 + * Conditionally Thread Safe
1.664 + * (see Thread Safety Definitions in Programmer's Guide)
1.665 + * RETURNS:
1.666 + * Returns NULL if the function succeeds.
1.667 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.668 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.669 + */
1.670 +static PKIX_Error *
1.671 +pkix_CertSelector_Match_ExtendedKeyUsage(
1.672 + PKIX_ComCertSelParams *params,
1.673 + PKIX_PL_Cert *cert,
1.674 + PKIX_Boolean *pResult,
1.675 + void *plContext)
1.676 +{
1.677 + PKIX_List *extKeyUsageList = NULL;
1.678 + PKIX_List *certExtKeyUsageList = NULL;
1.679 + PKIX_PL_OID *ekuOid = NULL;
1.680 + PKIX_Boolean isContained = PKIX_FALSE;
1.681 + PKIX_UInt32 numItems = 0;
1.682 + PKIX_UInt32 i;
1.683 +
1.684 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage");
1.685 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.686 +
1.687 + PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
1.688 + (params, &extKeyUsageList, plContext),
1.689 + PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
1.690 +
1.691 + if (extKeyUsageList == NULL) {
1.692 + goto cleanup;
1.693 + }
1.694 +
1.695 + PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
1.696 + (cert, &certExtKeyUsageList, plContext),
1.697 + PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
1.698 +
1.699 + if (certExtKeyUsageList != NULL) {
1.700 +
1.701 + PKIX_CHECK(PKIX_List_GetLength
1.702 + (extKeyUsageList, &numItems, plContext),
1.703 + PKIX_LISTGETLENGTHFAILED);
1.704 +
1.705 + for (i = 0; i < numItems; i++) {
1.706 +
1.707 + PKIX_CHECK(PKIX_List_GetItem
1.708 + (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext),
1.709 + PKIX_LISTGETITEMFAILED);
1.710 +
1.711 + PKIX_CHECK(pkix_List_Contains
1.712 + (certExtKeyUsageList,
1.713 + (PKIX_PL_Object *)ekuOid,
1.714 + &isContained,
1.715 + plContext),
1.716 + PKIX_LISTCONTAINSFAILED);
1.717 +
1.718 + PKIX_DECREF(ekuOid);
1.719 +
1.720 + if (isContained != PKIX_TRUE) {
1.721 + *pResult = PKIX_FALSE;
1.722 + PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1.723 + }
1.724 + }
1.725 + }
1.726 +
1.727 +cleanup:
1.728 +
1.729 + PKIX_DECREF(ekuOid);
1.730 + PKIX_DECREF(extKeyUsageList);
1.731 + PKIX_DECREF(certExtKeyUsageList);
1.732 +
1.733 + PKIX_RETURN(CERTSELECTOR);
1.734 +}
1.735 +
1.736 +/*
1.737 + * FUNCTION: pkix_CertSelector_Match_KeyUsage
1.738 + * DESCRIPTION:
1.739 + *
1.740 + * Determines whether the bits at KeyUsage in "params" matches with the
1.741 + * KeyUsage pointed to by "cert". If the KeyUsage in params is 0
1.742 + * no checking is done and the Cert is considered a match. If the Cert does
1.743 + * not match, an Error pointer is returned.
1.744 + *
1.745 + * PARAMETERS:
1.746 + * "params"
1.747 + * Address of ComCertSelParams whose ExtKeyUsage field is used.
1.748 + * Must be non-NULL.
1.749 + * "cert"
1.750 + * Address of Cert that is to be matched. Must be non-NULL.
1.751 + * "pResult"
1.752 + * Address of PKIX_Boolean that returns the match result.
1.753 + * "plContext"
1.754 + * Platform-specific context pointer.
1.755 + * THREAD SAFETY:
1.756 + * Conditionally Thread Safe
1.757 + * (see Thread Safety Definitions in Programmer's Guide)
1.758 + * RETURNS:
1.759 + * Returns NULL if the function succeeds.
1.760 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.761 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.762 + */
1.763 +static PKIX_Error *
1.764 +pkix_CertSelector_Match_KeyUsage(
1.765 + PKIX_ComCertSelParams *params,
1.766 + PKIX_PL_Cert *cert,
1.767 + PKIX_Boolean *pResult,
1.768 + void *plContext)
1.769 +{
1.770 + PKIX_UInt32 keyUsage = 0;
1.771 +
1.772 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage");
1.773 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.774 +
1.775 + PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
1.776 + (params, &keyUsage, plContext),
1.777 + PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
1.778 +
1.779 + if (keyUsage != 0) {
1.780 +
1.781 + PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
1.782 + (cert, keyUsage, plContext),
1.783 + PKIX_CERTVERIFYKEYUSAGEFAILED);
1.784 +
1.785 + }
1.786 +
1.787 +cleanup:
1.788 + if (PKIX_ERROR_RECEIVED) {
1.789 + *pResult = PKIX_FALSE;
1.790 + }
1.791 +
1.792 + PKIX_RETURN(CERTSELECTOR);
1.793 +}
1.794 +
1.795 +/*
1.796 + * FUNCTION: pkix_CertSelector_Match_SubjKeyId
1.797 + * DESCRIPTION:
1.798 + *
1.799 + * Determines whether the bytes at subjKeyId in "params" matches with the
1.800 + * Subject Key Identifier pointed to by "cert". If the subjKeyId in params is
1.801 + * set to NULL or the Cert doesn't have a Subject Key Identifier, no checking
1.802 + * is done and the Cert is considered a match. If the Cert does not match, an
1.803 + * Error pointer is returned.
1.804 + *
1.805 + * PARAMETERS:
1.806 + * "params"
1.807 + * Address of ComCertSelParams whose subjKeyId field is used.
1.808 + * Must be non-NULL.
1.809 + * "cert"
1.810 + * Address of Cert that is to be matched. Must be non-NULL.
1.811 + * "pResult"
1.812 + * Address of PKIX_Boolean that returns the match result.
1.813 + * "plContext"
1.814 + * Platform-specific context pointer.
1.815 + * THREAD SAFETY:
1.816 + * Conditionally Thread Safe
1.817 + * (see Thread Safety Definitions in Programmer's Guide)
1.818 + * RETURNS:
1.819 + * Returns NULL if the function succeeds.
1.820 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.821 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.822 + */
1.823 +static PKIX_Error *
1.824 +pkix_CertSelector_Match_SubjKeyId(
1.825 + PKIX_ComCertSelParams *params,
1.826 + PKIX_PL_Cert *cert,
1.827 + PKIX_Boolean *pResult,
1.828 + void *plContext)
1.829 +{
1.830 + PKIX_PL_ByteArray *selSubjKeyId = NULL;
1.831 + PKIX_PL_ByteArray *certSubjKeyId = NULL;
1.832 + PKIX_Boolean equals = PKIX_FALSE;
1.833 +
1.834 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId");
1.835 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.836 +
1.837 + PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier
1.838 + (params, &selSubjKeyId, plContext),
1.839 + PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
1.840 +
1.841 + if (selSubjKeyId != NULL) {
1.842 +
1.843 + PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
1.844 + (cert, &certSubjKeyId, plContext),
1.845 + PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
1.846 +
1.847 + if (certSubjKeyId == NULL) {
1.848 + goto cleanup;
1.849 + }
1.850 +
1.851 + PKIX_CHECK(PKIX_PL_Object_Equals
1.852 + ((PKIX_PL_Object *)selSubjKeyId,
1.853 + (PKIX_PL_Object *)certSubjKeyId,
1.854 + &equals,
1.855 + plContext),
1.856 + PKIX_OBJECTEQUALSFAILED);
1.857 +
1.858 + if (equals == PKIX_FALSE) {
1.859 + *pResult = PKIX_FALSE;
1.860 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1.861 + }
1.862 + }
1.863 +
1.864 +cleanup:
1.865 +
1.866 + PKIX_DECREF(selSubjKeyId);
1.867 + PKIX_DECREF(certSubjKeyId);
1.868 +
1.869 + PKIX_RETURN(CERTSELECTOR);
1.870 +}
1.871 +
1.872 +/*
1.873 + * FUNCTION: pkix_CertSelector_Match_AuthKeyId
1.874 + * DESCRIPTION:
1.875 + *
1.876 + * Determines whether the bytes at authKeyId in "params" matches with the
1.877 + * Authority Key Identifier pointed to by "cert". If the authKeyId in params
1.878 + * is set to NULL, no checking is done and the Cert is considered a match. If
1.879 + * the Cert does not match, an Error pointer is returned.
1.880 + *
1.881 + * PARAMETERS:
1.882 + * "params"
1.883 + * Address of ComCertSelParams whose authKeyId field is used.
1.884 + * Must be non-NULL.
1.885 + * "cert"
1.886 + * Address of Cert that is to be matched. Must be non-NULL.
1.887 + * "pResult"
1.888 + * Address of PKIX_Boolean that returns the match result.
1.889 + * "plContext"
1.890 + * Platform-specific context pointer.
1.891 + * THREAD SAFETY:
1.892 + * Conditionally Thread Safe
1.893 + * (see Thread Safety Definitions in Programmer's Guide)
1.894 + * RETURNS:
1.895 + * Returns NULL if the function succeeds.
1.896 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.897 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.898 + */
1.899 +static PKIX_Error *
1.900 +pkix_CertSelector_Match_AuthKeyId(
1.901 + PKIX_ComCertSelParams *params,
1.902 + PKIX_PL_Cert *cert,
1.903 + PKIX_Boolean *pResult,
1.904 + void *plContext)
1.905 +{
1.906 + PKIX_PL_ByteArray *selAuthKeyId = NULL;
1.907 + PKIX_PL_ByteArray *certAuthKeyId = NULL;
1.908 + PKIX_Boolean equals = PKIX_FALSE;
1.909 +
1.910 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId");
1.911 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.912 +
1.913 + PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
1.914 + (params, &selAuthKeyId, plContext),
1.915 + PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
1.916 +
1.917 + if (selAuthKeyId != NULL) {
1.918 +
1.919 + PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
1.920 + (cert, &certAuthKeyId, plContext),
1.921 + PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
1.922 +
1.923 + if (certAuthKeyId == NULL) {
1.924 + *pResult = PKIX_FALSE;
1.925 + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1.926 + }
1.927 + PKIX_CHECK(PKIX_PL_Object_Equals
1.928 + ((PKIX_PL_Object *)selAuthKeyId,
1.929 + (PKIX_PL_Object *)certAuthKeyId,
1.930 + &equals,
1.931 + plContext),
1.932 + PKIX_OBJECTEQUALSFAILED);
1.933 +
1.934 + if (equals != PKIX_TRUE) {
1.935 + *pResult = PKIX_FALSE;
1.936 + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1.937 + }
1.938 + }
1.939 +
1.940 +cleanup:
1.941 +
1.942 + PKIX_DECREF(selAuthKeyId);
1.943 + PKIX_DECREF(certAuthKeyId);
1.944 +
1.945 + PKIX_RETURN(CERTSELECTOR);
1.946 +}
1.947 +
1.948 +/*
1.949 + * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId
1.950 + * DESCRIPTION:
1.951 + *
1.952 + * Determines whether the OID at subjPKAlgId in "params" matches with the
1.953 + * Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params
1.954 + * is set to NULL, no checking is done and the Cert is considered a match. If
1.955 + * the Cert does not match, an Error pointer is returned.
1.956 + *
1.957 + * PARAMETERS:
1.958 + * "params"
1.959 + * Address of ComCertSelParams whose subjPKAlgId field is used.
1.960 + * Must be non-NULL.
1.961 + * "cert"
1.962 + * Address of Cert that is to be matched. Must be non-NULL.
1.963 + * "pResult"
1.964 + * Address of PKIX_Boolean that returns the match result.
1.965 + * "plContext"
1.966 + * Platform-specific context pointer.
1.967 + * THREAD SAFETY:
1.968 + * Conditionally Thread Safe
1.969 + * (see Thread Safety Definitions in Programmer's Guide)
1.970 + * RETURNS:
1.971 + * Returns NULL if the function succeeds.
1.972 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.973 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.974 + */
1.975 +static PKIX_Error *
1.976 +pkix_CertSelector_Match_SubjPKAlgId(
1.977 + PKIX_ComCertSelParams *params,
1.978 + PKIX_PL_Cert *cert,
1.979 + PKIX_Boolean *pResult,
1.980 + void *plContext)
1.981 +{
1.982 + PKIX_PL_OID *selPKAlgId = NULL;
1.983 + PKIX_PL_OID *certPKAlgId = NULL;
1.984 + PKIX_Boolean equals = PKIX_FALSE;
1.985 +
1.986 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId");
1.987 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.988 +
1.989 + PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId
1.990 + (params, &selPKAlgId, plContext),
1.991 + PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED);
1.992 +
1.993 + if (selPKAlgId != NULL) {
1.994 +
1.995 + PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
1.996 + (cert, &certPKAlgId, plContext),
1.997 + PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
1.998 +
1.999 + if (certPKAlgId != NULL) {
1.1000 + *pResult = PKIX_FALSE;
1.1001 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1.1002 + }
1.1003 + PKIX_CHECK(PKIX_PL_Object_Equals
1.1004 + ((PKIX_PL_Object *)selPKAlgId,
1.1005 + (PKIX_PL_Object *)certPKAlgId,
1.1006 + &equals,
1.1007 + plContext),
1.1008 + PKIX_OBJECTEQUALSFAILED);
1.1009 +
1.1010 + if (equals != PKIX_TRUE) {
1.1011 + *pResult = PKIX_FALSE;
1.1012 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1.1013 + }
1.1014 + }
1.1015 +
1.1016 +cleanup:
1.1017 +
1.1018 + PKIX_DECREF(selPKAlgId);
1.1019 + PKIX_DECREF(certPKAlgId);
1.1020 +
1.1021 + PKIX_RETURN(CERTSELECTOR);
1.1022 +}
1.1023 +
1.1024 +/*
1.1025 + * FUNCTION: pkix_CertSelector_Match_SubjPubKey
1.1026 + * DESCRIPTION:
1.1027 + *
1.1028 + * Determines whether the key at subjPubKey in "params" matches with the
1.1029 + * Subject Public Key pointed to by "cert". If the subjPubKey in params
1.1030 + * is set to NULL, no checking is done and the Cert is considered a match. If
1.1031 + * the Cert does not match, an Error pointer is returned.
1.1032 + *
1.1033 + * PARAMETERS:
1.1034 + * "params"
1.1035 + * Address of ComCertSelParams whose subPubKey field is used.
1.1036 + * Must be non-NULL.
1.1037 + * "cert"
1.1038 + * Address of Cert that is to be matched. Must be non-NULL.
1.1039 + * "pResult"
1.1040 + * Address of PKIX_Boolean that returns the match result.
1.1041 + * "plContext"
1.1042 + * Platform-specific context pointer.
1.1043 + * THREAD SAFETY:
1.1044 + * Conditionally Thread Safe
1.1045 + * (see Thread Safety Definitions in Programmer's Guide)
1.1046 + * RETURNS:
1.1047 + * Returns NULL if the function succeeds.
1.1048 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.1049 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.1050 + */
1.1051 +static PKIX_Error *
1.1052 +pkix_CertSelector_Match_SubjPubKey(
1.1053 + PKIX_ComCertSelParams *params,
1.1054 + PKIX_PL_Cert *cert,
1.1055 + PKIX_Boolean *pResult,
1.1056 + void *plContext)
1.1057 +{
1.1058 + PKIX_PL_PublicKey *selPK = NULL;
1.1059 + PKIX_PL_PublicKey *certPK = NULL;
1.1060 + PKIX_Boolean equals = PKIX_FALSE;
1.1061 +
1.1062 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey");
1.1063 + PKIX_NULLCHECK_THREE(params, cert, pResult);
1.1064 +
1.1065 + PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey
1.1066 + (params, &selPK, plContext),
1.1067 + PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
1.1068 +
1.1069 + if (selPK != NULL) {
1.1070 +
1.1071 + PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1.1072 + (cert, &certPK, plContext),
1.1073 + PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1.1074 +
1.1075 + if (certPK == NULL) {
1.1076 + *pResult = PKIX_FALSE;
1.1077 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1.1078 + }
1.1079 + PKIX_CHECK(PKIX_PL_Object_Equals
1.1080 + ((PKIX_PL_Object *)selPK,
1.1081 + (PKIX_PL_Object *)certPK,
1.1082 + &equals,
1.1083 + plContext),
1.1084 + PKIX_OBJECTEQUALSFAILED);
1.1085 +
1.1086 + if (equals != PKIX_TRUE) {
1.1087 + *pResult = PKIX_FALSE;
1.1088 + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1.1089 + }
1.1090 + }
1.1091 +
1.1092 +cleanup:
1.1093 +
1.1094 + PKIX_DECREF(selPK);
1.1095 + PKIX_DECREF(certPK);
1.1096 +
1.1097 + PKIX_RETURN(CERTSELECTOR);
1.1098 +}
1.1099 +
1.1100 +/*
1.1101 + * FUNCTION: pkix_CertSelector_DefaultMatch
1.1102 + * DESCRIPTION:
1.1103 + *
1.1104 + * This default match function determines whether the specified Cert pointed
1.1105 + * to by "cert" matches the criteria of the CertSelector pointed to by
1.1106 + * "selector". If the Cert does not match the CertSelector's
1.1107 + * criteria, an error will be thrown.
1.1108 + *
1.1109 + * This default match function understands how to process the most common
1.1110 + * parameters. Any common parameter that is not set is assumed to be disabled,
1.1111 + * which means this function will select all certificates without regard to
1.1112 + * that particular disabled parameter. For example, if the SerialNumber
1.1113 + * parameter is not set, this function will not filter out any certificate
1.1114 + * based on its serial number. As such, if no parameters are set, all are
1.1115 + * disabled and any certificate will match. If a parameter is disabled, its
1.1116 + * associated PKIX_ComCertSelParams_Get* function returns a default value.
1.1117 + * That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and
1.1118 + * PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage,
1.1119 + * and NULL for all other Get functions.
1.1120 + *
1.1121 + * PARAMETERS:
1.1122 + * "selector"
1.1123 + * Address of CertSelector whose MatchCallback logic and parameters are
1.1124 + * to be used. Must be non-NULL.
1.1125 + * "cert"
1.1126 + * Address of Cert that is to be matched using "selector".
1.1127 + * Must be non-NULL.
1.1128 + * "plContext"
1.1129 + * Platform-specific context pointer.
1.1130 + * THREAD SAFETY:
1.1131 + * Conditionally Thread Safe
1.1132 + * (see Thread Safety Definitions in Programmer's Guide)
1.1133 + * RETURNS:
1.1134 + * Returns NULL if the function succeeds.
1.1135 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.1136 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.1137 + */
1.1138 +static PKIX_Error *
1.1139 +pkix_CertSelector_DefaultMatch(
1.1140 + PKIX_CertSelector *selector,
1.1141 + PKIX_PL_Cert *cert,
1.1142 + void *plContext)
1.1143 +{
1.1144 + PKIX_ComCertSelParams *params = NULL;
1.1145 + PKIX_PL_X500Name *certSubject = NULL;
1.1146 + PKIX_PL_X500Name *selSubject = NULL;
1.1147 + PKIX_PL_X500Name *certIssuer = NULL;
1.1148 + PKIX_PL_X500Name *selIssuer = NULL;
1.1149 + PKIX_PL_BigInt *certSerialNumber = NULL;
1.1150 + PKIX_PL_BigInt *selSerialNumber = NULL;
1.1151 + PKIX_PL_Cert *selCert = NULL;
1.1152 + PKIX_PL_Date *selDate = NULL;
1.1153 + PKIX_UInt32 selVersion = 0xFFFFFFFF;
1.1154 + PKIX_UInt32 certVersion = 0;
1.1155 + PKIX_Boolean result = PKIX_TRUE;
1.1156 + PKIX_Boolean isLeafCert = PKIX_TRUE;
1.1157 +
1.1158 +#ifdef PKIX_BUILDDEBUG
1.1159 + PKIX_PL_String *certString = NULL;
1.1160 + void *certAscii = NULL;
1.1161 + PKIX_UInt32 certAsciiLen;
1.1162 +#endif
1.1163 +
1.1164 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
1.1165 + PKIX_NULLCHECK_TWO(selector, cert);
1.1166 +
1.1167 + PKIX_INCREF(selector->params);
1.1168 + params = selector->params;
1.1169 +
1.1170 + /* Are we looking for CAs? */
1.1171 + PKIX_CHECK(PKIX_ComCertSelParams_GetLeafCertFlag
1.1172 + (params, &isLeafCert, plContext),
1.1173 + PKIX_COMCERTSELPARAMSGETLEAFCERTFLAGFAILED);
1.1174 +
1.1175 + if (params == NULL){
1.1176 + goto cleanup;
1.1177 + }
1.1178 +
1.1179 + PKIX_CHECK(PKIX_ComCertSelParams_GetVersion
1.1180 + (params, &selVersion, plContext),
1.1181 + PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
1.1182 +
1.1183 + if (selVersion != 0xFFFFFFFF){
1.1184 + PKIX_CHECK(PKIX_PL_Cert_GetVersion
1.1185 + (cert, &certVersion, plContext),
1.1186 + PKIX_CERTGETVERSIONFAILED);
1.1187 +
1.1188 + if (selVersion != certVersion) {
1.1189 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
1.1190 + }
1.1191 + }
1.1192 +
1.1193 + PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
1.1194 + (params, &selSubject, plContext),
1.1195 + PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
1.1196 +
1.1197 + if (selSubject){
1.1198 + PKIX_CHECK(PKIX_PL_Cert_GetSubject
1.1199 + (cert, &certSubject, plContext),
1.1200 + PKIX_CERTGETSUBJECTFAILED);
1.1201 +
1.1202 + if (certSubject){
1.1203 + PKIX_CHECK(PKIX_PL_X500Name_Match
1.1204 + (selSubject, certSubject, &result, plContext),
1.1205 + PKIX_X500NAMEMATCHFAILED);
1.1206 +
1.1207 + if (result == PKIX_FALSE){
1.1208 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1.1209 + }
1.1210 + } else { /* cert has no subject */
1.1211 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1.1212 + }
1.1213 + }
1.1214 +
1.1215 + PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
1.1216 + (params, &selIssuer, plContext),
1.1217 + PKIX_COMCERTSELPARAMSGETISSUERFAILED);
1.1218 +
1.1219 + if (selIssuer){
1.1220 + PKIX_CHECK(PKIX_PL_Cert_GetIssuer
1.1221 + (cert, &certIssuer, plContext),
1.1222 + PKIX_CERTGETISSUERFAILED);
1.1223 +
1.1224 + PKIX_CHECK(PKIX_PL_X500Name_Match
1.1225 + (selIssuer, certIssuer, &result, plContext),
1.1226 + PKIX_X500NAMEMATCHFAILED);
1.1227 +
1.1228 + if (result == PKIX_FALSE){
1.1229 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
1.1230 + }
1.1231 + }
1.1232 +
1.1233 + PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
1.1234 + (params, &selSerialNumber, plContext),
1.1235 + PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
1.1236 +
1.1237 + if (selSerialNumber){
1.1238 + PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
1.1239 + (cert, &certSerialNumber, plContext),
1.1240 + PKIX_CERTGETSERIALNUMBERFAILED);
1.1241 +
1.1242 + PKIX_CHECK(PKIX_PL_Object_Equals
1.1243 + ((PKIX_PL_Object *)selSerialNumber,
1.1244 + (PKIX_PL_Object *)certSerialNumber,
1.1245 + &result,
1.1246 + plContext),
1.1247 + PKIX_OBJECTEQUALSFAILED);
1.1248 +
1.1249 + if (result == PKIX_FALSE){
1.1250 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
1.1251 + }
1.1252 + }
1.1253 +
1.1254 + PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
1.1255 + (params, &selCert, plContext),
1.1256 + PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
1.1257 +
1.1258 + if (selCert){
1.1259 + PKIX_CHECK(PKIX_PL_Object_Equals
1.1260 + ((PKIX_PL_Object *) selCert,
1.1261 + (PKIX_PL_Object *) cert,
1.1262 + &result,
1.1263 + plContext),
1.1264 + PKIX_OBJECTEQUALSFAILED);
1.1265 +
1.1266 + if (result == PKIX_FALSE){
1.1267 + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
1.1268 + }
1.1269 + }
1.1270 +
1.1271 + PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
1.1272 + (params, &selDate, plContext),
1.1273 + PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
1.1274 +
1.1275 + if (selDate){
1.1276 + PKIX_CHECK(PKIX_PL_Cert_CheckValidity
1.1277 + (cert, selDate, plContext),
1.1278 + PKIX_CERTCHECKVALIDITYFAILED);
1.1279 + }
1.1280 +
1.1281 + PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
1.1282 + (params, cert, &result, plContext),
1.1283 + PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
1.1284 +
1.1285 + PKIX_CHECK(pkix_CertSelector_Match_Policies
1.1286 + (params, cert, &result, plContext),
1.1287 + PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1.1288 +
1.1289 + PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
1.1290 + (params, cert, &result, plContext),
1.1291 + PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
1.1292 +
1.1293 + PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
1.1294 + (params, cert, &result, plContext),
1.1295 + PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
1.1296 +
1.1297 + PKIX_CHECK(pkix_CertSelector_Match_PathToNames
1.1298 + (params, cert, &result, plContext),
1.1299 + PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1.1300 +
1.1301 + PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
1.1302 + (params, cert, &result, plContext),
1.1303 + PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1.1304 +
1.1305 + /* Check key usage and cert type based on certificate usage. */
1.1306 + PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert,
1.1307 + plContext),
1.1308 + PKIX_CERTVERIFYCERTTYPEFAILED);
1.1309 +
1.1310 + /* Next two check are for user supplied additional KU and EKU. */
1.1311 + PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
1.1312 + (params, cert, &result, plContext),
1.1313 + PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1.1314 +
1.1315 + PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
1.1316 + (params, cert, &result, plContext),
1.1317 + PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
1.1318 +
1.1319 + PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
1.1320 + (params, cert, &result, plContext),
1.1321 + PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1.1322 +
1.1323 + PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
1.1324 + (params, cert, &result, plContext),
1.1325 + PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1.1326 +
1.1327 + PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
1.1328 + (params, cert, &result, plContext),
1.1329 + PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1.1330 +
1.1331 + PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
1.1332 + (params, cert, &result, plContext),
1.1333 + PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1.1334 +
1.1335 + /* if we reach here, the cert has successfully matched criteria */
1.1336 +
1.1337 +
1.1338 +#ifdef PKIX_BUILDDEBUG
1.1339 +
1.1340 + PKIX_CHECK(pkix_pl_Cert_ToString_Helper
1.1341 + (cert, PKIX_TRUE, &certString, plContext),
1.1342 + PKIX_CERTTOSTRINGHELPERFAILED);
1.1343 +
1.1344 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.1345 + (certString,
1.1346 + PKIX_ESCASCII,
1.1347 + &certAscii,
1.1348 + &certAsciiLen,
1.1349 + plContext),
1.1350 + PKIX_STRINGGETENCODEDFAILED);
1.1351 +
1.1352 + PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii);
1.1353 +
1.1354 +#endif
1.1355 +
1.1356 +cleanup:
1.1357 +
1.1358 +#ifdef PKIX_BUILDDEBUG
1.1359 + PKIX_DECREF(certString);
1.1360 + PKIX_FREE(certAscii);
1.1361 +#endif
1.1362 +
1.1363 + PKIX_DECREF(certSubject);
1.1364 + PKIX_DECREF(selSubject);
1.1365 + PKIX_DECREF(certIssuer);
1.1366 + PKIX_DECREF(selIssuer);
1.1367 + PKIX_DECREF(certSerialNumber);
1.1368 + PKIX_DECREF(selSerialNumber);
1.1369 + PKIX_DECREF(selCert);
1.1370 + PKIX_DECREF(selDate);
1.1371 + PKIX_DECREF(params);
1.1372 + PKIX_RETURN(CERTSELECTOR);
1.1373 +}
1.1374 +
1.1375 +/*
1.1376 + * FUNCTION: pkix_CertSelector_RegisterSelf
1.1377 + * DESCRIPTION:
1.1378 + * Registers PKIX_CERTSELECTOR_TYPE and its related functions with
1.1379 + * systemClasses[]
1.1380 + * THREAD SAFETY:
1.1381 + * Not Thread Safe - for performance and complexity reasons
1.1382 + *
1.1383 + * Since this function is only called by PKIX_PL_Initialize, which should
1.1384 + * only be called once, it is acceptable that this function is not
1.1385 + * thread-safe.
1.1386 + */
1.1387 +PKIX_Error *
1.1388 +pkix_CertSelector_RegisterSelf(void *plContext)
1.1389 +{
1.1390 + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1.1391 + pkix_ClassTable_Entry entry;
1.1392 +
1.1393 + PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf");
1.1394 +
1.1395 + entry.description = "CertSelector";
1.1396 + entry.objCounter = 0;
1.1397 + entry.typeObjectSize = sizeof(PKIX_CertSelector);
1.1398 + entry.destructor = pkix_CertSelector_Destroy;
1.1399 + entry.equalsFunction = NULL;
1.1400 + entry.hashcodeFunction = NULL;
1.1401 + entry.toStringFunction = NULL;
1.1402 + entry.comparator = NULL;
1.1403 + entry.duplicateFunction = pkix_CertSelector_Duplicate;
1.1404 +
1.1405 + systemClasses[PKIX_CERTSELECTOR_TYPE] = entry;
1.1406 +
1.1407 + PKIX_RETURN(CERTSELECTOR);
1.1408 +}
1.1409 +
1.1410 +/* --Public-Functions--------------------------------------------- */
1.1411 +
1.1412 +
1.1413 +/*
1.1414 + * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h)
1.1415 + */
1.1416 +PKIX_Error *
1.1417 +PKIX_CertSelector_Create(
1.1418 + PKIX_CertSelector_MatchCallback callback,
1.1419 + PKIX_PL_Object *certSelectorContext,
1.1420 + PKIX_CertSelector **pSelector,
1.1421 + void *plContext)
1.1422 +{
1.1423 + PKIX_CertSelector *selector = NULL;
1.1424 +
1.1425 + PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create");
1.1426 + PKIX_NULLCHECK_ONE(pSelector);
1.1427 +
1.1428 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.1429 + (PKIX_CERTSELECTOR_TYPE,
1.1430 + sizeof (PKIX_CertSelector),
1.1431 + (PKIX_PL_Object **)&selector,
1.1432 + plContext),
1.1433 + PKIX_COULDNOTCREATECERTSELECTOROBJECT);
1.1434 +
1.1435 + /*
1.1436 + * if user specified a particular match callback, we use that one.
1.1437 + * otherwise, we use the default match implementation which
1.1438 + * understands how to process PKIX_ComCertSelParams
1.1439 + */
1.1440 +
1.1441 + if (callback){
1.1442 + selector->matchCallback = callback;
1.1443 + } else {
1.1444 + selector->matchCallback = pkix_CertSelector_DefaultMatch;
1.1445 + }
1.1446 +
1.1447 + /* initialize other fields */
1.1448 + selector->params = NULL;
1.1449 +
1.1450 + PKIX_INCREF(certSelectorContext);
1.1451 + selector->context = certSelectorContext;
1.1452 +
1.1453 + *pSelector = selector;
1.1454 +
1.1455 +cleanup:
1.1456 +
1.1457 + PKIX_RETURN(CERTSELECTOR);
1.1458 +
1.1459 +}
1.1460 +
1.1461 +/*
1.1462 + * FUNCTION: PKIX_CertSelector_GetMatchCallback
1.1463 + * (see comments in pkix_certsel.h)
1.1464 + */
1.1465 +PKIX_Error *
1.1466 +PKIX_CertSelector_GetMatchCallback(
1.1467 + PKIX_CertSelector *selector,
1.1468 + PKIX_CertSelector_MatchCallback *pCallback,
1.1469 + void *plContext)
1.1470 +{
1.1471 + PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback");
1.1472 + PKIX_NULLCHECK_TWO(selector, pCallback);
1.1473 +
1.1474 + *pCallback = selector->matchCallback;
1.1475 +
1.1476 + PKIX_RETURN(CERTSELECTOR);
1.1477 +}
1.1478 +
1.1479 +/*
1.1480 + * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
1.1481 + * (see comments in pkix_certsel.h)
1.1482 + */
1.1483 +PKIX_Error *
1.1484 +PKIX_CertSelector_GetCertSelectorContext(
1.1485 + PKIX_CertSelector *selector,
1.1486 + PKIX_PL_Object **pCertSelectorContext,
1.1487 + void *plContext)
1.1488 +{
1.1489 + PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext");
1.1490 + PKIX_NULLCHECK_TWO(selector, pCertSelectorContext);
1.1491 +
1.1492 + PKIX_INCREF(selector->context);
1.1493 +
1.1494 + *pCertSelectorContext = selector->context;
1.1495 +
1.1496 +cleanup:
1.1497 + PKIX_RETURN(CERTSELECTOR);
1.1498 +}
1.1499 +
1.1500 +/*
1.1501 + * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
1.1502 + * (see comments in pkix_certsel.h)
1.1503 + */
1.1504 +PKIX_Error *
1.1505 +PKIX_CertSelector_GetCommonCertSelectorParams(
1.1506 + PKIX_CertSelector *selector,
1.1507 + PKIX_ComCertSelParams **pParams,
1.1508 + void *plContext)
1.1509 +{
1.1510 + PKIX_ENTER(CERTSELECTOR,
1.1511 + "PKIX_CertSelector_GetCommonCertSelectorParams");
1.1512 +
1.1513 + PKIX_NULLCHECK_TWO(selector, pParams);
1.1514 +
1.1515 + PKIX_INCREF(selector->params);
1.1516 + *pParams = selector->params;
1.1517 +
1.1518 +cleanup:
1.1519 + PKIX_RETURN(CERTSELECTOR);
1.1520 +
1.1521 +}
1.1522 +
1.1523 +/*
1.1524 + * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
1.1525 + * (see comments in pkix_certsel.h)
1.1526 + */
1.1527 +PKIX_Error *
1.1528 +PKIX_CertSelector_SetCommonCertSelectorParams(
1.1529 + PKIX_CertSelector *selector,
1.1530 + PKIX_ComCertSelParams *params,
1.1531 + void *plContext)
1.1532 +{
1.1533 + PKIX_ENTER(CERTSELECTOR,
1.1534 + "PKIX_CertSelector_SetCommonCertSelectorParams");
1.1535 +
1.1536 + PKIX_NULLCHECK_ONE(selector);
1.1537 +
1.1538 + PKIX_DECREF(selector->params);
1.1539 + PKIX_INCREF(params);
1.1540 + selector->params = params;
1.1541 +
1.1542 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.1543 + ((PKIX_PL_Object *)selector, plContext),
1.1544 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.1545 +
1.1546 +cleanup:
1.1547 +
1.1548 + PKIX_RETURN(CERTSELECTOR);
1.1549 +
1.1550 +}
1.1551 +
1.1552 +/*
1.1553 + * FUNCTION: pkix_CertSelector_Select
1.1554 + * DESCRIPTION:
1.1555 + *
1.1556 + * This function applies the selector pointed to by "selector" to each Cert,
1.1557 + * in turn, in the List pointed to by "before", and creates a List containing
1.1558 + * all the Certs that matched, or passed the selection process, storing that
1.1559 + * List at "pAfter". If no Certs match, an empty List is stored at "pAfter".
1.1560 + *
1.1561 + * The List returned in "pAfter" is immutable.
1.1562 + *
1.1563 + * PARAMETERS:
1.1564 + * "selector"
1.1565 + * Address of CertSelelector to be applied to the List. Must be non-NULL.
1.1566 + * "before"
1.1567 + * Address of List that is to be filtered. Must be non-NULL.
1.1568 + * "pAfter"
1.1569 + * Address at which resulting List, possibly empty, is stored. Must be
1.1570 + * non-NULL.
1.1571 + * "plContext"
1.1572 + * Platform-specific context pointer.
1.1573 + * THREAD SAFETY:
1.1574 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1575 + * RETURNS:
1.1576 + * Returns NULL if the function succeeds.
1.1577 + * Returns a CertSelector Error if the function fails in a non-fatal way.
1.1578 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.1579 + */
1.1580 +PKIX_Error *
1.1581 +pkix_CertSelector_Select(
1.1582 + PKIX_CertSelector *selector,
1.1583 + PKIX_List *before,
1.1584 + PKIX_List **pAfter,
1.1585 + void *plContext)
1.1586 +{
1.1587 + PKIX_UInt32 numBefore = 0;
1.1588 + PKIX_UInt32 i = 0;
1.1589 + PKIX_List *filtered = NULL;
1.1590 + PKIX_PL_Cert *candidate = NULL;
1.1591 +
1.1592 + PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
1.1593 + PKIX_NULLCHECK_THREE(selector, before, pAfter);
1.1594 +
1.1595 + PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
1.1596 + PKIX_LISTCREATEFAILED);
1.1597 +
1.1598 + PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
1.1599 + PKIX_LISTGETLENGTHFAILED);
1.1600 +
1.1601 + for (i = 0; i < numBefore; i++) {
1.1602 +
1.1603 + PKIX_CHECK(PKIX_List_GetItem
1.1604 + (before, i, (PKIX_PL_Object **)&candidate, plContext),
1.1605 + PKIX_LISTGETITEMFAILED);
1.1606 +
1.1607 + PKIX_CHECK_ONLY_FATAL(selector->matchCallback
1.1608 + (selector, candidate, plContext),
1.1609 + PKIX_CERTSELECTORMATCHCALLBACKFAILED);
1.1610 +
1.1611 + if (!(PKIX_ERROR_RECEIVED)) {
1.1612 +
1.1613 + PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
1.1614 + (filtered,
1.1615 + (PKIX_PL_Object *)candidate,
1.1616 + plContext),
1.1617 + PKIX_LISTAPPENDITEMFAILED);
1.1618 + }
1.1619 +
1.1620 + pkixTempErrorReceived = PKIX_FALSE;
1.1621 + PKIX_DECREF(candidate);
1.1622 + }
1.1623 +
1.1624 + PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
1.1625 + PKIX_LISTSETIMMUTABLEFAILED);
1.1626 +
1.1627 + /* Don't throw away the list if one Cert was bad! */
1.1628 + pkixTempErrorReceived = PKIX_FALSE;
1.1629 +
1.1630 + *pAfter = filtered;
1.1631 + filtered = NULL;
1.1632 +
1.1633 +cleanup:
1.1634 +
1.1635 + PKIX_DECREF(filtered);
1.1636 + PKIX_DECREF(candidate);
1.1637 +
1.1638 + PKIX_RETURN(CERTSELECTOR);
1.1639 +
1.1640 +}
