1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,2783 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * pkix_policychecker.c
1.9 + *
1.10 + * Functions for Policy Checker
1.11 + *
1.12 + */
1.13 +#include "pkix_policychecker.h"
1.14 +
1.15 +/* --Forward declarations----------------------------------------------- */
1.16 +
1.17 +static PKIX_Error *
1.18 +pkix_PolicyChecker_MakeSingleton(
1.19 + PKIX_PL_Object *listItem,
1.20 + PKIX_Boolean immutability,
1.21 + PKIX_List **pList,
1.22 + void *plContext);
1.23 +
1.24 +/* --Private-PolicyCheckerState-Functions---------------------------------- */
1.25 +
1.26 +/*
1.27 + * FUNCTION:pkix_PolicyCheckerState_Destroy
1.28 + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
1.29 + */
1.30 +static PKIX_Error *
1.31 +pkix_PolicyCheckerState_Destroy(
1.32 + PKIX_PL_Object *object,
1.33 + void *plContext)
1.34 +{
1.35 + PKIX_PolicyCheckerState *checkerState = NULL;
1.36 +
1.37 + PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
1.38 + PKIX_NULLCHECK_ONE(object);
1.39 +
1.40 + PKIX_CHECK(pkix_CheckType
1.41 + (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
1.42 + PKIX_OBJECTNOTPOLICYCHECKERSTATE);
1.43 +
1.44 + checkerState = (PKIX_PolicyCheckerState *)object;
1.45 +
1.46 + PKIX_DECREF(checkerState->certPoliciesExtension);
1.47 + PKIX_DECREF(checkerState->policyMappingsExtension);
1.48 + PKIX_DECREF(checkerState->policyConstraintsExtension);
1.49 + PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
1.50 + PKIX_DECREF(checkerState->anyPolicyOID);
1.51 + PKIX_DECREF(checkerState->validPolicyTree);
1.52 + PKIX_DECREF(checkerState->userInitialPolicySet);
1.53 + PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
1.54 +
1.55 + checkerState->policyQualifiersRejected = PKIX_FALSE;
1.56 + checkerState->explicitPolicy = 0;
1.57 + checkerState->inhibitAnyPolicy = 0;
1.58 + checkerState->policyMapping = 0;
1.59 + checkerState->numCerts = 0;
1.60 + checkerState->certsProcessed = 0;
1.61 + checkerState->certPoliciesCritical = PKIX_FALSE;
1.62 +
1.63 + PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
1.64 + PKIX_DECREF(checkerState->newAnyPolicyNode);
1.65 + PKIX_DECREF(checkerState->mappedPolicyOIDs);
1.66 +
1.67 +cleanup:
1.68 +
1.69 + PKIX_RETURN(CERTPOLICYCHECKERSTATE);
1.70 +}
1.71 +
1.72 +/*
1.73 + * FUNCTION: pkix_PolicyCheckerState_ToString
1.74 + * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
1.75 + */
1.76 +static PKIX_Error *
1.77 +pkix_PolicyCheckerState_ToString(
1.78 + PKIX_PL_Object *object,
1.79 + PKIX_PL_String **pCheckerStateString,
1.80 + void *plContext)
1.81 +{
1.82 + PKIX_PolicyCheckerState *state = NULL;
1.83 + PKIX_PL_String *resultString = NULL;
1.84 + PKIX_PL_String *policiesExtOIDString = NULL;
1.85 + PKIX_PL_String *policyMapOIDString = NULL;
1.86 + PKIX_PL_String *policyConstrOIDString = NULL;
1.87 + PKIX_PL_String *inhAnyPolOIDString = NULL;
1.88 + PKIX_PL_String *anyPolicyOIDString = NULL;
1.89 + PKIX_PL_String *validPolicyTreeString = NULL;
1.90 + PKIX_PL_String *userInitialPolicySetString = NULL;
1.91 + PKIX_PL_String *mappedUserPolicySetString = NULL;
1.92 + PKIX_PL_String *mappedPolicyOIDsString = NULL;
1.93 + PKIX_PL_String *anyAtBottomString = NULL;
1.94 + PKIX_PL_String *newAnyPolicyString = NULL;
1.95 + PKIX_PL_String *formatString = NULL;
1.96 + PKIX_PL_String *trueString = NULL;
1.97 + PKIX_PL_String *falseString = NULL;
1.98 + PKIX_PL_String *nullString = NULL;
1.99 + PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
1.100 + PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
1.101 + PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
1.102 + PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
1.103 + PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
1.104 + PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
1.105 + char *asciiFormat =
1.106 + "{\n"
1.107 + "\tcertPoliciesExtension: \t%s\n"
1.108 + "\tpolicyMappingsExtension: \t%s\n"
1.109 + "\tpolicyConstraintsExtension:\t%s\n"
1.110 + "\tinhibitAnyPolicyExtension:\t%s\n"
1.111 + "\tanyPolicyOID: \t%s\n"
1.112 + "\tinitialIsAnyPolicy: \t%s\n"
1.113 + "\tvalidPolicyTree: \t%s\n"
1.114 + "\tuserInitialPolicySet: \t%s\n"
1.115 + "\tmappedUserPolicySet: \t%s\n"
1.116 + "\tpolicyQualifiersRejected: \t%s\n"
1.117 + "\tinitialPolMappingInhibit: \t%s\n"
1.118 + "\tinitialExplicitPolicy: \t%s\n"
1.119 + "\tinitialAnyPolicyInhibit: \t%s\n"
1.120 + "\texplicitPolicy: \t%d\n"
1.121 + "\tinhibitAnyPolicy: \t%d\n"
1.122 + "\tpolicyMapping: \t%d\n"
1.123 + "\tnumCerts: \t%d\n"
1.124 + "\tcertsProcessed: \t%d\n"
1.125 + "\tanyPolicyNodeAtBottom: \t%s\n"
1.126 + "\tnewAnyPolicyNode: \t%s\n"
1.127 + "\tcertPoliciesCritical: \t%s\n"
1.128 + "\tmappedPolicyOIDs: \t%s\n"
1.129 + "}";
1.130 +
1.131 + PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
1.132 +
1.133 + PKIX_NULLCHECK_TWO(object, pCheckerStateString);
1.134 +
1.135 + PKIX_CHECK(pkix_CheckType
1.136 + (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
1.137 + PKIX_OBJECTNOTPOLICYCHECKERSTATE);
1.138 +
1.139 + state = (PKIX_PolicyCheckerState *)object;
1.140 + PKIX_NULLCHECK_THREE
1.141 + (state->certPoliciesExtension,
1.142 + state->policyMappingsExtension,
1.143 + state->policyConstraintsExtension);
1.144 + PKIX_NULLCHECK_THREE
1.145 + (state->inhibitAnyPolicyExtension,
1.146 + state->anyPolicyOID,
1.147 + state->userInitialPolicySet);
1.148 +
1.149 + PKIX_CHECK(PKIX_PL_String_Create
1.150 + (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
1.151 + PKIX_STRINGCREATEFAILED);
1.152 + /*
1.153 + * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
1.154 + * PKIX_PL_String is complicated enough, it's worth checking, for
1.155 + * each, to make sure the string is needed.
1.156 + */
1.157 + initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
1.158 + initialExplicitPolicy = state->initialExplicitPolicy;
1.159 + initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
1.160 + initialIsAnyPolicy = state->initialIsAnyPolicy;
1.161 + policyQualifiersRejected = state->policyQualifiersRejected;
1.162 + certPoliciesCritical = state->certPoliciesCritical;
1.163 +
1.164 + if (initialPolicyMappingInhibit || initialExplicitPolicy ||
1.165 + initialAnyPolicyInhibit || initialIsAnyPolicy ||
1.166 + policyQualifiersRejected || certPoliciesCritical) {
1.167 + PKIX_CHECK(PKIX_PL_String_Create
1.168 + (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
1.169 + PKIX_STRINGCREATEFAILED);
1.170 + }
1.171 + if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
1.172 + !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
1.173 + !policyQualifiersRejected || !certPoliciesCritical) {
1.174 + PKIX_CHECK(PKIX_PL_String_Create
1.175 + (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
1.176 + PKIX_STRINGCREATEFAILED);
1.177 + }
1.178 + if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
1.179 + PKIX_CHECK(PKIX_PL_String_Create
1.180 + (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
1.181 + PKIX_STRINGCREATEFAILED);
1.182 + }
1.183 +
1.184 + PKIX_TOSTRING
1.185 + (state->certPoliciesExtension, &policiesExtOIDString, plContext,
1.186 + PKIX_OBJECTTOSTRINGFAILED);
1.187 +
1.188 + PKIX_TOSTRING
1.189 + (state->policyMappingsExtension,
1.190 + &policyMapOIDString,
1.191 + plContext,
1.192 + PKIX_OBJECTTOSTRINGFAILED);
1.193 +
1.194 + PKIX_TOSTRING
1.195 + (state->policyConstraintsExtension,
1.196 + &policyConstrOIDString,
1.197 + plContext,
1.198 + PKIX_OBJECTTOSTRINGFAILED);
1.199 +
1.200 + PKIX_TOSTRING
1.201 + (state->inhibitAnyPolicyExtension,
1.202 + &inhAnyPolOIDString,
1.203 + plContext,
1.204 + PKIX_OBJECTTOSTRINGFAILED);
1.205 +
1.206 + PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
1.207 + PKIX_OBJECTTOSTRINGFAILED);
1.208 +
1.209 + PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
1.210 + PKIX_OBJECTTOSTRINGFAILED);
1.211 +
1.212 + PKIX_TOSTRING
1.213 + (state->userInitialPolicySet,
1.214 + &userInitialPolicySetString,
1.215 + plContext,
1.216 + PKIX_OBJECTTOSTRINGFAILED);
1.217 +
1.218 + PKIX_TOSTRING
1.219 + (state->mappedUserInitialPolicySet,
1.220 + &mappedUserPolicySetString,
1.221 + plContext,
1.222 + PKIX_OBJECTTOSTRINGFAILED);
1.223 +
1.224 + if (state->anyPolicyNodeAtBottom) {
1.225 + PKIX_CHECK(pkix_SinglePolicyNode_ToString
1.226 + (state->anyPolicyNodeAtBottom,
1.227 + &anyAtBottomString,
1.228 + plContext),
1.229 + PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
1.230 + } else {
1.231 + PKIX_INCREF(nullString);
1.232 + anyAtBottomString = nullString;
1.233 + }
1.234 +
1.235 + if (state->newAnyPolicyNode) {
1.236 + PKIX_CHECK(pkix_SinglePolicyNode_ToString
1.237 + (state->newAnyPolicyNode,
1.238 + &newAnyPolicyString,
1.239 + plContext),
1.240 + PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
1.241 + } else {
1.242 + PKIX_INCREF(nullString);
1.243 + newAnyPolicyString = nullString;
1.244 + }
1.245 +
1.246 + PKIX_TOSTRING
1.247 + (state->mappedPolicyOIDs,
1.248 + &mappedPolicyOIDsString,
1.249 + plContext,
1.250 + PKIX_OBJECTTOSTRINGFAILED);
1.251 +
1.252 + PKIX_CHECK(PKIX_PL_Sprintf
1.253 + (&resultString,
1.254 + plContext,
1.255 + formatString,
1.256 + policiesExtOIDString,
1.257 + policyMapOIDString,
1.258 + policyConstrOIDString,
1.259 + inhAnyPolOIDString,
1.260 + anyPolicyOIDString,
1.261 + initialIsAnyPolicy?trueString:falseString,
1.262 + validPolicyTreeString,
1.263 + userInitialPolicySetString,
1.264 + mappedUserPolicySetString,
1.265 + policyQualifiersRejected?trueString:falseString,
1.266 + initialPolicyMappingInhibit?trueString:falseString,
1.267 + initialExplicitPolicy?trueString:falseString,
1.268 + initialAnyPolicyInhibit?trueString:falseString,
1.269 + state->explicitPolicy,
1.270 + state->inhibitAnyPolicy,
1.271 + state->policyMapping,
1.272 + state->numCerts,
1.273 + state->certsProcessed,
1.274 + anyAtBottomString,
1.275 + newAnyPolicyString,
1.276 + certPoliciesCritical?trueString:falseString,
1.277 + mappedPolicyOIDsString),
1.278 + PKIX_SPRINTFFAILED);
1.279 +
1.280 + *pCheckerStateString = resultString;
1.281 +
1.282 +cleanup:
1.283 + PKIX_DECREF(policiesExtOIDString);
1.284 + PKIX_DECREF(policyMapOIDString);
1.285 + PKIX_DECREF(policyConstrOIDString);
1.286 + PKIX_DECREF(inhAnyPolOIDString);
1.287 + PKIX_DECREF(anyPolicyOIDString);
1.288 + PKIX_DECREF(validPolicyTreeString);
1.289 + PKIX_DECREF(userInitialPolicySetString);
1.290 + PKIX_DECREF(mappedUserPolicySetString);
1.291 + PKIX_DECREF(anyAtBottomString);
1.292 + PKIX_DECREF(newAnyPolicyString);
1.293 + PKIX_DECREF(mappedPolicyOIDsString);
1.294 + PKIX_DECREF(formatString);
1.295 + PKIX_DECREF(trueString);
1.296 + PKIX_DECREF(falseString);
1.297 + PKIX_DECREF(nullString);
1.298 +
1.299 + PKIX_RETURN(CERTPOLICYCHECKERSTATE);
1.300 +}
1.301 +
1.302 +/*
1.303 + * FUNCTION: pkix_PolicyCheckerState_RegisterSelf
1.304 + * DESCRIPTION:
1.305 + *
1.306 + * Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
1.307 + * with systemClasses[]
1.308 + *
1.309 + * PARAMETERS:
1.310 + * "plContext"
1.311 + * Platform-specific context pointer.
1.312 + * THREAD SAFETY:
1.313 + * Not Thread Safe - for performance and complexity reasons
1.314 + *
1.315 + * Since this function is only called by PKIX_PL_Initialize, which should
1.316 + * only be called once, it is acceptable that this function is not
1.317 + * thread-safe.
1.318 + */
1.319 +PKIX_Error *
1.320 +pkix_PolicyCheckerState_RegisterSelf(void *plContext)
1.321 +{
1.322 + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1.323 + pkix_ClassTable_Entry entry;
1.324 +
1.325 + PKIX_ENTER
1.326 + (CERTPOLICYCHECKERSTATE,
1.327 + "pkix_PolicyCheckerState_RegisterSelf");
1.328 +
1.329 + entry.description = "PolicyCheckerState";
1.330 + entry.objCounter = 0;
1.331 + entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
1.332 + entry.destructor = pkix_PolicyCheckerState_Destroy;
1.333 + entry.equalsFunction = NULL;
1.334 + entry.hashcodeFunction = NULL;
1.335 + entry.toStringFunction = pkix_PolicyCheckerState_ToString;
1.336 + entry.comparator = NULL;
1.337 + entry.duplicateFunction = NULL;
1.338 +
1.339 + systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
1.340 +
1.341 + PKIX_RETURN(CERTPOLICYCHECKERSTATE);
1.342 +}
1.343 +
1.344 +/*
1.345 + * FUNCTION:pkix_PolicyCheckerState_Create
1.346 + * DESCRIPTION:
1.347 + *
1.348 + * Creates a PolicyCheckerState Object, using the List pointed to
1.349 + * by "initialPolicies" for the user-initial-policy-set, the Boolean value
1.350 + * of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
1.351 + * the Boolean value of "initialPolicyMappingInhibit" for the
1.352 + * inhibitPolicyMappings parameter, the Boolean value of
1.353 + * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
1.354 + * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
1.355 + * parameter, and the UInt32 value of "numCerts" as the number of
1.356 + * certificates in the chain; and stores the Object at "pCheckerState".
1.357 + *
1.358 + * PARAMETERS:
1.359 + * "initialPolicies"
1.360 + * Address of List of OIDs comprising the user-initial-policy-set; the List
1.361 + * may be empty, but must be non-NULL
1.362 + * "policyQualifiersRejected"
1.363 + * Boolean value of the policyQualifiersRejected parameter
1.364 + * "initialPolicyMappingInhibit"
1.365 + * Boolean value of the inhibitPolicyMappings parameter
1.366 + * "initialExplicitPolicy"
1.367 + * Boolean value of the initialExplicitPolicy parameter
1.368 + * "initialAnyPolicyInhibit"
1.369 + * Boolean value of the inhibitAnyPolicy parameter
1.370 + * "numCerts"
1.371 + * Number of certificates in the chain to be validated
1.372 + * "pCheckerState"
1.373 + * Address where PolicyCheckerState will be stored. Must be non-NULL.
1.374 + * "plContext"
1.375 + * Platform-specific context pointer.
1.376 + * THREAD SAFETY:
1.377 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.378 + * RETURNS:
1.379 + * Returns NULL if the function succeeds
1.380 + * Returns a CertPolicyCheckerState Error if the functions fails in a
1.381 + * non-fatal way
1.382 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.383 + */
1.384 +static PKIX_Error *
1.385 +pkix_PolicyCheckerState_Create(
1.386 + PKIX_List *initialPolicies,
1.387 + PKIX_Boolean policyQualifiersRejected,
1.388 + PKIX_Boolean initialPolicyMappingInhibit,
1.389 + PKIX_Boolean initialExplicitPolicy,
1.390 + PKIX_Boolean initialAnyPolicyInhibit,
1.391 + PKIX_UInt32 numCerts,
1.392 + PKIX_PolicyCheckerState **pCheckerState,
1.393 + void *plContext)
1.394 +{
1.395 + PKIX_PolicyCheckerState *checkerState = NULL;
1.396 + PKIX_PolicyNode *policyNode = NULL;
1.397 + PKIX_List *anyPolicyList = NULL;
1.398 + PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE;
1.399 +
1.400 + PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
1.401 + PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
1.402 +
1.403 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.404 + (PKIX_CERTPOLICYCHECKERSTATE_TYPE,
1.405 + sizeof (PKIX_PolicyCheckerState),
1.406 + (PKIX_PL_Object **)&checkerState,
1.407 + plContext),
1.408 + PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
1.409 +
1.410 + /* Create constant PKIX_PL_OIDs: */
1.411 +
1.412 + PKIX_CHECK(PKIX_PL_OID_Create
1.413 + (PKIX_CERTIFICATEPOLICIES_OID,
1.414 + &(checkerState->certPoliciesExtension),
1.415 + plContext),
1.416 + PKIX_OIDCREATEFAILED);
1.417 +
1.418 + PKIX_CHECK(PKIX_PL_OID_Create
1.419 + (PKIX_POLICYMAPPINGS_OID,
1.420 + &(checkerState->policyMappingsExtension),
1.421 + plContext),
1.422 + PKIX_OIDCREATEFAILED);
1.423 +
1.424 + PKIX_CHECK(PKIX_PL_OID_Create
1.425 + (PKIX_POLICYCONSTRAINTS_OID,
1.426 + &(checkerState->policyConstraintsExtension),
1.427 + plContext),
1.428 + PKIX_OIDCREATEFAILED);
1.429 +
1.430 + PKIX_CHECK(PKIX_PL_OID_Create
1.431 + (PKIX_INHIBITANYPOLICY_OID,
1.432 + &(checkerState->inhibitAnyPolicyExtension),
1.433 + plContext),
1.434 + PKIX_OIDCREATEFAILED);
1.435 +
1.436 + PKIX_CHECK(PKIX_PL_OID_Create
1.437 + (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
1.438 + &(checkerState->anyPolicyOID),
1.439 + plContext),
1.440 + PKIX_OIDCREATEFAILED);
1.441 +
1.442 + /* Create an initial policy set from argument supplied */
1.443 + PKIX_INCREF(initialPolicies);
1.444 + checkerState->userInitialPolicySet = initialPolicies;
1.445 + PKIX_INCREF(initialPolicies);
1.446 + checkerState->mappedUserInitialPolicySet = initialPolicies;
1.447 +
1.448 + PKIX_CHECK(PKIX_List_IsEmpty
1.449 + (initialPolicies,
1.450 + &initialPoliciesIsEmpty,
1.451 + plContext),
1.452 + PKIX_LISTISEMPTYFAILED);
1.453 + if (initialPoliciesIsEmpty) {
1.454 + checkerState->initialIsAnyPolicy = PKIX_TRUE;
1.455 + } else {
1.456 + PKIX_CHECK(pkix_List_Contains
1.457 + (initialPolicies,
1.458 + (PKIX_PL_Object *)(checkerState->anyPolicyOID),
1.459 + &(checkerState->initialIsAnyPolicy),
1.460 + plContext),
1.461 + PKIX_LISTCONTAINSFAILED);
1.462 + }
1.463 +
1.464 + checkerState->policyQualifiersRejected =
1.465 + policyQualifiersRejected;
1.466 + checkerState->initialExplicitPolicy = initialExplicitPolicy;
1.467 + checkerState->explicitPolicy =
1.468 + (initialExplicitPolicy? 0: numCerts + 1);
1.469 + checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
1.470 + checkerState->inhibitAnyPolicy =
1.471 + (initialAnyPolicyInhibit? 0: numCerts + 1);
1.472 + checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
1.473 + checkerState->policyMapping =
1.474 + (initialPolicyMappingInhibit? 0: numCerts + 1);
1.475 + ;
1.476 + checkerState->numCerts = numCerts;
1.477 + checkerState->certsProcessed = 0;
1.478 + checkerState->certPoliciesCritical = PKIX_FALSE;
1.479 +
1.480 + /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
1.481 + PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
1.482 + ((PKIX_PL_Object *)(checkerState->anyPolicyOID),
1.483 + PKIX_TRUE,
1.484 + &anyPolicyList,
1.485 + plContext),
1.486 + PKIX_POLICYCHECKERMAKESINGLETONFAILED);
1.487 +
1.488 + PKIX_CHECK(pkix_PolicyNode_Create
1.489 + (checkerState->anyPolicyOID, /* validPolicy */
1.490 + NULL, /* qualifier set */
1.491 + PKIX_FALSE, /* criticality */
1.492 + anyPolicyList, /* expectedPolicySet */
1.493 + &policyNode,
1.494 + plContext),
1.495 + PKIX_POLICYNODECREATEFAILED);
1.496 + checkerState->validPolicyTree = policyNode;
1.497 +
1.498 + /*
1.499 + * Since the initial validPolicyTree specifies
1.500 + * ANY_POLICY, begin with a pointer to the root node.
1.501 + */
1.502 + PKIX_INCREF(policyNode);
1.503 + checkerState->anyPolicyNodeAtBottom = policyNode;
1.504 +
1.505 + checkerState->newAnyPolicyNode = NULL;
1.506 +
1.507 + checkerState->mappedPolicyOIDs = NULL;
1.508 +
1.509 + *pCheckerState = checkerState;
1.510 + checkerState = NULL;
1.511 +
1.512 +cleanup:
1.513 +
1.514 + PKIX_DECREF(checkerState);
1.515 +
1.516 + PKIX_DECREF(anyPolicyList);
1.517 +
1.518 + PKIX_RETURN(CERTPOLICYCHECKERSTATE);
1.519 +}
1.520 +
1.521 +/* --Private-PolicyChecker-Functions--------------------------------------- */
1.522 +
1.523 +/*
1.524 + * FUNCTION: pkix_PolicyChecker_MapContains
1.525 + * DESCRIPTION:
1.526 + *
1.527 + * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
1.528 + * determine whether the OID pointed to by "policy" is among the
1.529 + * issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
1.530 + * stores the result in "pFound".
1.531 + *
1.532 + * This function is intended to allow an efficient check that the proscription
1.533 + * against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
1.534 + * not violated.
1.535 + *
1.536 + * PARAMETERS:
1.537 + * "certPolicyMaps"
1.538 + * Address of List of CertPolicyMaps to be searched. May be empty, but
1.539 + * must be non-NULL
1.540 + * "policy"
1.541 + * Address of OID to be checked for. Must be non-NULL
1.542 + * "pFound"
1.543 + * Address where the result of the search will be stored. Must be non-NULL.
1.544 + * "plContext"
1.545 + * platform-specific context pointer
1.546 + * THREAD SAFETY:
1.547 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.548 + * RETURNS:
1.549 + * Returns NULL if the function succeeds
1.550 + * Returns a CertChainChecker Error if the function fails in a non-fatal way.
1.551 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.552 + */
1.553 +PKIX_Error *
1.554 +pkix_PolicyChecker_MapContains(
1.555 + PKIX_List *certPolicyMaps,
1.556 + PKIX_PL_OID *policy,
1.557 + PKIX_Boolean *pFound,
1.558 + void *plContext)
1.559 +{
1.560 + PKIX_PL_CertPolicyMap *map = NULL;
1.561 + PKIX_UInt32 numEntries = 0;
1.562 + PKIX_UInt32 index = 0;
1.563 + PKIX_Boolean match = PKIX_FALSE;
1.564 + PKIX_PL_OID *issuerDomainPolicy = NULL;
1.565 + PKIX_PL_OID *subjectDomainPolicy = NULL;
1.566 +
1.567 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
1.568 + PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
1.569 +
1.570 + PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
1.571 + PKIX_LISTGETLENGTHFAILED);
1.572 +
1.573 + for (index = 0; (!match) && (index < numEntries); index++) {
1.574 + PKIX_CHECK(PKIX_List_GetItem
1.575 + (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
1.576 + PKIX_LISTGETITEMFAILED);
1.577 +
1.578 + PKIX_NULLCHECK_ONE(map);
1.579 +
1.580 + PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
1.581 + (map, &issuerDomainPolicy, plContext),
1.582 + PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
1.583 +
1.584 + PKIX_EQUALS
1.585 + (policy, issuerDomainPolicy, &match, plContext,
1.586 + PKIX_OBJECTEQUALSFAILED);
1.587 +
1.588 + if (!match) {
1.589 + PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
1.590 + (map, &subjectDomainPolicy, plContext),
1.591 + PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
1.592 +
1.593 + PKIX_EQUALS
1.594 + (policy, subjectDomainPolicy, &match, plContext,
1.595 + PKIX_OBJECTEQUALSFAILED);
1.596 + }
1.597 +
1.598 + PKIX_DECREF(map);
1.599 + PKIX_DECREF(issuerDomainPolicy);
1.600 + PKIX_DECREF(subjectDomainPolicy);
1.601 + }
1.602 +
1.603 + *pFound = match;
1.604 +
1.605 +cleanup:
1.606 +
1.607 + PKIX_DECREF(map);
1.608 + PKIX_DECREF(issuerDomainPolicy);
1.609 + PKIX_DECREF(subjectDomainPolicy);
1.610 + PKIX_RETURN(CERTCHAINCHECKER);
1.611 +}
1.612 +
1.613 +/*
1.614 + * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
1.615 + * DESCRIPTION:
1.616 + *
1.617 + * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
1.618 + * a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
1.619 + * policy pointed to by "policy", and stores the result in
1.620 + * "pSubjectDomainPolicies".
1.621 + *
1.622 + * If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
1.623 + * resulting List will be NULL. If there are CertPolicyMaps, but none that
1.624 + * include "policy" as an IssuerDomainPolicy, the returned List pointer will
1.625 + * be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
1.626 + * of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
1.627 + * List is returned it will be immutable.
1.628 + *
1.629 + * PARAMETERS:
1.630 + * "certPolicyMaps"
1.631 + * Address of List of CertPolicyMaps to be searched. May be empty or NULL.
1.632 + * "policy"
1.633 + * Address of OID to be checked for. Must be non-NULL
1.634 + * "pSubjectDomainPolicies"
1.635 + * Address where the result of the search will be stored. Must be non-NULL.
1.636 + * "plContext"
1.637 + * platform-specific context pointer
1.638 + * THREAD SAFETY:
1.639 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.640 + * RETURNS:
1.641 + * Returns NULL if the function succeeds
1.642 + * Returns a CertChainChecker Error if the function fails in a non-fatal way.
1.643 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.644 + */
1.645 +PKIX_Error *
1.646 +pkix_PolicyChecker_MapGetSubjectDomainPolicies(
1.647 + PKIX_List *certPolicyMaps,
1.648 + PKIX_PL_OID *policy,
1.649 + PKIX_List **pSubjectDomainPolicies,
1.650 + void *plContext)
1.651 +{
1.652 + PKIX_PL_CertPolicyMap *map = NULL;
1.653 + PKIX_List *subjectList = NULL;
1.654 + PKIX_UInt32 numEntries = 0;
1.655 + PKIX_UInt32 index = 0;
1.656 + PKIX_Boolean match = PKIX_FALSE;
1.657 + PKIX_PL_OID *issuerDomainPolicy = NULL;
1.658 + PKIX_PL_OID *subjectDomainPolicy = NULL;
1.659 +
1.660 + PKIX_ENTER
1.661 + (CERTCHAINCHECKER,
1.662 + "pkix_PolicyChecker_MapGetSubjectDomainPolicies");
1.663 + PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
1.664 +
1.665 + if (certPolicyMaps) {
1.666 + PKIX_CHECK(PKIX_List_GetLength
1.667 + (certPolicyMaps,
1.668 + &numEntries,
1.669 + plContext),
1.670 + PKIX_LISTGETLENGTHFAILED);
1.671 + }
1.672 +
1.673 + for (index = 0; index < numEntries; index++) {
1.674 + PKIX_CHECK(PKIX_List_GetItem
1.675 + (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
1.676 + PKIX_LISTGETITEMFAILED);
1.677 +
1.678 + PKIX_NULLCHECK_ONE(map);
1.679 +
1.680 + PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
1.681 + (map, &issuerDomainPolicy, plContext),
1.682 + PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
1.683 +
1.684 + PKIX_EQUALS
1.685 + (policy, issuerDomainPolicy, &match, plContext,
1.686 + PKIX_OBJECTEQUALSFAILED);
1.687 +
1.688 + if (match) {
1.689 + if (!subjectList) {
1.690 + PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
1.691 + PKIX_LISTCREATEFAILED);
1.692 + }
1.693 +
1.694 + PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
1.695 + (map, &subjectDomainPolicy, plContext),
1.696 + PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
1.697 +
1.698 + PKIX_CHECK(PKIX_List_AppendItem
1.699 + (subjectList,
1.700 + (PKIX_PL_Object *)subjectDomainPolicy,
1.701 + plContext),
1.702 + PKIX_LISTAPPENDITEMFAILED);
1.703 + }
1.704 +
1.705 + PKIX_DECREF(map);
1.706 + PKIX_DECREF(issuerDomainPolicy);
1.707 + PKIX_DECREF(subjectDomainPolicy);
1.708 + }
1.709 +
1.710 + if (subjectList) {
1.711 + PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
1.712 + PKIX_LISTSETIMMUTABLEFAILED);
1.713 + }
1.714 +
1.715 + *pSubjectDomainPolicies = subjectList;
1.716 +
1.717 +cleanup:
1.718 +
1.719 + if (PKIX_ERROR_RECEIVED) {
1.720 + PKIX_DECREF(subjectList);
1.721 + }
1.722 +
1.723 + PKIX_DECREF(map);
1.724 + PKIX_DECREF(issuerDomainPolicy);
1.725 + PKIX_DECREF(subjectDomainPolicy);
1.726 +
1.727 + PKIX_RETURN(CERTCHAINCHECKER);
1.728 +}
1.729 +
1.730 +/*
1.731 + * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
1.732 + * DESCRIPTION:
1.733 + *
1.734 + * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
1.735 + * List of all IssuerDomainPolicies, and stores the result in
1.736 + * "pMappedPolicies".
1.737 + *
1.738 + * The caller may not rely on the IssuerDomainPolicies to be in any particular
1.739 + * order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
1.740 + * only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
1.741 + * result will be an empty List. The created List is mutable.
1.742 + *
1.743 + * PARAMETERS:
1.744 + * "certPolicyMaps"
1.745 + * Address of List of CertPolicyMaps to be searched. May be empty, but
1.746 + * must be non-NULL.
1.747 + * "pMappedPolicies"
1.748 + * Address where the result will be stored. Must be non-NULL.
1.749 + * "plContext"
1.750 + * platform-specific context pointer
1.751 + * THREAD SAFETY:
1.752 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.753 + * RETURNS:
1.754 + * Returns NULL if the function succeeds
1.755 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.756 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.757 + */
1.758 +PKIX_Error *
1.759 +pkix_PolicyChecker_MapGetMappedPolicies(
1.760 + PKIX_List *certPolicyMaps,
1.761 + PKIX_List **pMappedPolicies,
1.762 + void *plContext)
1.763 +{
1.764 + PKIX_PL_CertPolicyMap *map = NULL;
1.765 + PKIX_List *mappedList = NULL;
1.766 + PKIX_UInt32 numEntries = 0;
1.767 + PKIX_UInt32 index = 0;
1.768 + PKIX_Boolean isContained = PKIX_FALSE;
1.769 + PKIX_PL_OID *issuerDomainPolicy = NULL;
1.770 +
1.771 + PKIX_ENTER
1.772 + (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
1.773 + PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
1.774 +
1.775 + PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
1.776 + PKIX_LISTCREATEFAILED);
1.777 +
1.778 + PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
1.779 + PKIX_LISTGETLENGTHFAILED);
1.780 +
1.781 + for (index = 0; index < numEntries; index++) {
1.782 + PKIX_CHECK(PKIX_List_GetItem
1.783 + (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
1.784 + PKIX_LISTGETITEMFAILED);
1.785 +
1.786 + PKIX_NULLCHECK_ONE(map);
1.787 +
1.788 + PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
1.789 + (map, &issuerDomainPolicy, plContext),
1.790 + PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
1.791 +
1.792 + PKIX_CHECK(pkix_List_Contains
1.793 + (mappedList,
1.794 + (PKIX_PL_Object *)issuerDomainPolicy,
1.795 + &isContained,
1.796 + plContext),
1.797 + PKIX_LISTCONTAINSFAILED);
1.798 +
1.799 + if (isContained == PKIX_FALSE) {
1.800 + PKIX_CHECK(PKIX_List_AppendItem
1.801 + (mappedList,
1.802 + (PKIX_PL_Object *)issuerDomainPolicy,
1.803 + plContext),
1.804 + PKIX_LISTAPPENDITEMFAILED);
1.805 + }
1.806 +
1.807 + PKIX_DECREF(map);
1.808 + PKIX_DECREF(issuerDomainPolicy);
1.809 + }
1.810 +
1.811 + *pMappedPolicies = mappedList;
1.812 +
1.813 +cleanup:
1.814 +
1.815 + if (PKIX_ERROR_RECEIVED) {
1.816 + PKIX_DECREF(mappedList);
1.817 + }
1.818 +
1.819 + PKIX_DECREF(map);
1.820 + PKIX_DECREF(issuerDomainPolicy);
1.821 +
1.822 + PKIX_RETURN(CERTCHAINCHECKER);
1.823 +}
1.824 +
1.825 +/*
1.826 + * FUNCTION: pkix_PolicyChecker_MakeMutableCopy
1.827 + * DESCRIPTION:
1.828 + *
1.829 + * Creates a mutable copy of the List pointed to by "list", which may or may
1.830 + * not be immutable, and stores the address at "pMutableCopy".
1.831 + *
1.832 + * PARAMETERS:
1.833 + * "list"
1.834 + * Address of List to be copied. Must be non-NULL.
1.835 + * "pMutableCopy"
1.836 + * Address where mutable copy will be stored. Must be non-NULL.
1.837 + * "plContext"
1.838 + * Platform-specific context pointer.
1.839 + * THREAD SAFETY:
1.840 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.841 + * RETURNS:
1.842 + * Returns NULL if the function succeeds
1.843 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.844 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.845 + */
1.846 +static PKIX_Error *
1.847 +pkix_PolicyChecker_MakeMutableCopy(
1.848 + PKIX_List *list,
1.849 + PKIX_List **pMutableCopy,
1.850 + void *plContext)
1.851 +{
1.852 + PKIX_List *newList = NULL;
1.853 + PKIX_UInt32 listLen = 0;
1.854 + PKIX_UInt32 listIx = 0;
1.855 + PKIX_PL_Object *object = NULL;
1.856 +
1.857 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
1.858 + PKIX_NULLCHECK_TWO(list, pMutableCopy);
1.859 +
1.860 + PKIX_CHECK(PKIX_List_Create(&newList, plContext),
1.861 + PKIX_LISTCREATEFAILED);
1.862 +
1.863 + PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
1.864 + PKIX_LISTGETLENGTHFAILED);
1.865 +
1.866 + for (listIx = 0; listIx < listLen; listIx++) {
1.867 +
1.868 + PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
1.869 + PKIX_LISTGETITEMFAILED);
1.870 +
1.871 + PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
1.872 + PKIX_LISTAPPENDITEMFAILED);
1.873 +
1.874 + PKIX_DECREF(object);
1.875 + }
1.876 +
1.877 + *pMutableCopy = newList;
1.878 + newList = NULL;
1.879 +
1.880 +cleanup:
1.881 + PKIX_DECREF(newList);
1.882 + PKIX_DECREF(object);
1.883 +
1.884 + PKIX_RETURN(CERTCHAINCHECKER);
1.885 +}
1.886 +
1.887 +/*
1.888 + * FUNCTION: pkix_PolicyChecker_MakeSingleton
1.889 + * DESCRIPTION:
1.890 + *
1.891 + * Creates a new List containing the Object pointed to by "listItem", using
1.892 + * the Boolean value of "immutability" to determine whether to set the List
1.893 + * immutable, and stores the address at "pList".
1.894 + *
1.895 + * PARAMETERS:
1.896 + * "listItem"
1.897 + * Address of Object to be inserted into the new List. Must be non-NULL.
1.898 + * "immutability"
1.899 + * Boolean value indicating whether new List is to be immutable
1.900 + * "pList"
1.901 + * Address where List will be stored. Must be non-NULL.
1.902 + * "plContext"
1.903 + * Platform-specific context pointer.
1.904 + * THREAD SAFETY:
1.905 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.906 + * RETURNS:
1.907 + * Returns NULL if the function succeeds
1.908 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.909 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.910 + */
1.911 +static PKIX_Error *
1.912 +pkix_PolicyChecker_MakeSingleton(
1.913 + PKIX_PL_Object *listItem,
1.914 + PKIX_Boolean immutability,
1.915 + PKIX_List **pList,
1.916 + void *plContext)
1.917 +{
1.918 + PKIX_List *newList = NULL;
1.919 +
1.920 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
1.921 + PKIX_NULLCHECK_TWO(listItem, pList);
1.922 +
1.923 + PKIX_CHECK(PKIX_List_Create(&newList, plContext),
1.924 + PKIX_LISTCREATEFAILED);
1.925 +
1.926 + PKIX_CHECK(PKIX_List_AppendItem
1.927 + (newList, (PKIX_PL_Object *)listItem, plContext),
1.928 + PKIX_LISTAPPENDITEMFAILED);
1.929 +
1.930 + if (immutability) {
1.931 + PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
1.932 + PKIX_LISTSETIMMUTABLEFAILED);
1.933 + }
1.934 +
1.935 + *pList = newList;
1.936 +
1.937 +cleanup:
1.938 + if (PKIX_ERROR_RECEIVED) {
1.939 + PKIX_DECREF(newList);
1.940 + }
1.941 +
1.942 + PKIX_RETURN(CERTCHAINCHECKER);
1.943 +}
1.944 +
1.945 +/*
1.946 + * FUNCTION: pkix_PolicyChecker_Spawn
1.947 + * DESCRIPTION:
1.948 + *
1.949 + * Creates a new childNode for the parent pointed to by "parent", using
1.950 + * the OID pointed to by "policyOID", the List of CertPolicyQualifiers
1.951 + * pointed to by "qualifiers", the List of OIDs pointed to by
1.952 + * "subjectDomainPolicies", and the PolicyCheckerState pointed to by
1.953 + * "state". The new node will be added to "parent".
1.954 + *
1.955 + * The validPolicy of the new node is set from the OID pointed to by
1.956 + * "policyOID".
The policy qualifiers for the new node is set from the
1.957 + * List of qualifiers pointed to by "qualifiers", and may be NULL or
1.958 + * empty if the argument provided was NULL or empty. The criticality is
1.959 + * set according to the criticality obtained from the PolicyCheckerState.
1.960 + * If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
1.961 + * child is set to contain the same policy as the validPolicy. If
1.962 + * "subjectDomainPolicies" is not NULL, it is used as the value for
1.963 + * the expectedPolicySet.
1.964 + *
1.965 + * The PolicyCheckerState also contains a constant, anyPolicy, which is
1.966 + * compared to "policyOID". If they match, the address of the childNode
1.967 + * is saved in the state's newAnyPolicyNode.
1.968 + *
1.969 + * PARAMETERS:
1.970 + * "parent"
1.971 + * Address of PolicyNode to which the child will be linked. Must be
1.972 + * non-NULL.
1.973 + * "policyOID"
1.974 + * Address of OID of the new child's validPolicy and also, if
1.975 + * subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
1.976 + * Must be non-NULL.
1.977 + * "qualifiers"
1.978 + * Address of List of CertPolicyQualifiers. May be NULL or empty.
1.979 + * "subjectDomainPolicies"
1.980 + * Address of List of OIDs indicating the policies to which "policy" is
1.981 + * mapped. May be empty or NULL.
1.982 + * "state"
1.983 + * Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
1.984 + * "plContext"
1.985 + * Platform-specific context pointer.
1.986 + * THREAD SAFETY:
1.987 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.988 + * RETURNS:
1.989 + * Returns NULL if the function succeeds
1.990 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.991 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.992 + */
1.993 +static PKIX_Error *
1.994 +pkix_PolicyChecker_Spawn(
1.995 + PKIX_PolicyNode *parent,
1.996 + PKIX_PL_OID *policyOID,
1.997 + PKIX_List *qualifiers, /* CertPolicyQualifiers */
1.998 + PKIX_List *subjectDomainPolicies,
1.999 + PKIX_PolicyCheckerState *state,
1.1000 + void *plContext)
1.1001 +{
1.1002 + PKIX_List *expectedSet = NULL; /* OIDs */
1.1003 + PKIX_PolicyNode *childNode = NULL;
1.1004 + PKIX_Boolean match = PKIX_FALSE;
1.1005 +
1.1006 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
1.1007 + PKIX_NULLCHECK_THREE(policyOID, parent, state);
1.1008 +
1.1009 + if (subjectDomainPolicies) {
1.1010 +
1.1011 + PKIX_INCREF(subjectDomainPolicies);
1.1012 + expectedSet = subjectDomainPolicies;
1.1013 +
1.1014 + } else {
1.1015 + /* Create the child's ExpectedPolicy Set */
1.1016 + PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
1.1017 + ((PKIX_PL_Object *)policyOID,
1.1018 + PKIX_TRUE, /* make expectedPolicySet immutable */
1.1019 + &expectedSet,
1.1020 + plContext),
1.1021 + PKIX_POLICYCHECKERMAKESINGLETONFAILED);
1.1022 + }
1.1023 +
1.1024 + PKIX_CHECK(pkix_PolicyNode_Create
1.1025 + (policyOID,
1.1026 + qualifiers,
1.1027 + state->certPoliciesCritical,
1.1028 + expectedSet,
1.1029 + &childNode,
1.1030 + plContext),
1.1031 + PKIX_POLICYNODECREATEFAILED);
1.1032 +
1.1033 + /*
1.1034 + * If we had a non-empty mapping, we know the new node could not
1.1035 + * have been created with a validPolicy of anyPolicy. Otherwise,
1.1036 + * check whether we just created a new node with anyPolicy, because
1.1037 + * in that case we want to save the child pointer in newAnyPolicyNode.
1.1038 + */
1.1039 + if (!subjectDomainPolicies) {
1.1040 + PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
1.1041 + PKIX_OBJECTEQUALSFAILED);
1.1042 +
1.1043 + if (match) {
1.1044 + PKIX_DECREF(state->newAnyPolicyNode);
1.1045 + PKIX_INCREF(childNode);
1.1046 + state->newAnyPolicyNode = childNode;
1.1047 + }
1.1048 + }
1.1049 +
1.1050 + PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
1.1051 + PKIX_POLICYNODEADDTOPARENTFAILED);
1.1052 +
1.1053 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.1054 + ((PKIX_PL_Object *)state, plContext),
1.1055 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.1056 +
1.1057 +cleanup:
1.1058 + PKIX_DECREF(childNode);
1.1059 + PKIX_DECREF(expectedSet);
1.1060 + PKIX_RETURN(CERTCHAINCHECKER);
1.1061 +}
1.1062 +
1.1063 +/*
1.1064 + * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
1.1065 + * DESCRIPTION:
1.1066 + *
1.1067 + * Performs policy processing for the policy whose OID is pointed to by
1.1068 + * "policyOID" and whose List of CertPolicyQualifiers is pointed to by
1.1069 + * "policyQualifiers", using the List of policy OIDs pointed to by
1.1070 + * "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
1.1071 + * in accordance with the current PolicyCheckerState pointed to by "state",
1.1072 + * and setting "pChildNodeCreated" to TRUE if a new childNode is created.
1.1073 + * Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
1.1074 + * The intent of the design is that the caller can set a variable to FALSE
1.1075 + * initially, prior to a recursive set of calls. At the end, the variable
1.1076 + * can be tested to see whether *any* of the calls created a child node.
1.1077 + *
1.1078 + * If the currentNode is not at the bottom of the tree, this function
1.1079 + * calls itself recursively for each child of currentNode. At the bottom of
1.1080 + * the tree, it creates new child nodes as appropriate.
This function will
1.1081 + * never be called with policy = anyPolicy.
1.1082 + *
1.1083 + * This function implements the processing described in RFC3280
1.1084 + * Section 6.1.3(d)(1)(i).
1.1085 + *
1.1086 + * PARAMETERS:
1.1087 + * "policyOID"
1.1088 + * Address of OID of the policy to be checked for. Must be non-NULL.
1.1089 + * "policyQualifiers"
1.1090 + * Address of List of CertPolicyQualifiers of the policy to be checked for.
1.1091 + * May be empty or NULL.
1.1092 + * "subjectDomainPolicies"
1.1093 + * Address of List of OIDs indicating the policies to which "policy" is
1.1094 + * mapped. May be empty or NULL.
1.1095 + * "currentNode"
1.1096 + * Address of PolicyNode whose descendants will be checked, if not at the
1.1097 + * bottom of the tree; or whose expectedPolicySet will be compared to
1.1098 + * "policy", if at the bottom. Must be non-NULL.
1.1099 + * "state"
1.1100 + * Address of PolicyCheckerState of the current PolicyChecker. Must be
1.1101 + * non-NULL.
1.1102 + * "pChildNodeCreated"
1.1103 + * Address of the Boolean that will be set TRUE if this function
1.1104 + * creates a child node. Must be non-NULL.
1.1105 + * "plContext"
1.1106 + * Platform-specific context pointer.
1.1107 + * THREAD SAFETY:
1.1108 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1109 + * RETURNS:
1.1110 + * Returns NULL if the function succeeds
1.1111 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.1112 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.1113 + */
1.1114 +static PKIX_Error *
1.1115 +pkix_PolicyChecker_CheckPolicyRecursive(
1.1116 + PKIX_PL_OID *policyOID,
1.1117 + PKIX_List *policyQualifiers,
1.1118 + PKIX_List *subjectDomainPolicies,
1.1119 + PKIX_PolicyNode *currentNode,
1.1120 + PKIX_PolicyCheckerState *state,
1.1121 + PKIX_Boolean *pChildNodeCreated,
1.1122 + void *plContext)
1.1123 +{
1.1124 + PKIX_UInt32 depth = 0;
1.1125 + PKIX_UInt32 numChildren = 0;
1.1126 + PKIX_UInt32 childIx = 0;
1.1127 + PKIX_Boolean isIncluded = PKIX_FALSE;
1.1128 + PKIX_List *children = NULL; /* PolicyNodes */
1.1129 + PKIX_PolicyNode *childNode = NULL;
1.1130 + PKIX_List *expectedPolicies = NULL; /* OIDs */
1.1131 +
1.1132 + PKIX_ENTER
1.1133 + (CERTCHAINCHECKER,
1.1134 + "pkix_PolicyChecker_CheckPolicyRecursive");
1.1135 + PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
1.1136 +
1.1137 + /* if not at the bottom of the tree */
1.1138 + PKIX_CHECK(PKIX_PolicyNode_GetDepth
1.1139 + (currentNode, &depth, plContext),
1.1140 + PKIX_POLICYNODEGETDEPTHFAILED);
1.1141 +
1.1142 + if (depth < (state->certsProcessed)) {
1.1143 + PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1.1144 + (currentNode, &children, plContext),
1.1145 + PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1.1146 +
1.1147 + if (children) {
1.1148 + PKIX_CHECK(PKIX_List_GetLength
1.1149 + (children, &numChildren, plContext),
1.1150 + PKIX_LISTGETLENGTHFAILED);
1.1151 + }
1.1152 +
1.1153 + for (childIx = 0; childIx < numChildren; childIx++) {
1.1154 +
1.1155 + PKIX_CHECK(PKIX_List_GetItem
1.1156 + (children,
1.1157 + childIx,
1.1158 + (PKIX_PL_Object **)&childNode,
1.1159 + plContext),
1.1160 +
PKIX_LISTGETITEMFAILED);
1.1161 +
1.1162 + PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
1.1163 + (policyOID,
1.1164 + policyQualifiers,
1.1165 + subjectDomainPolicies,
1.1166 + childNode,
1.1167 + state,
1.1168 + pChildNodeCreated,
1.1169 + plContext),
1.1170 + PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
1.1171 +
1.1172 + PKIX_DECREF(childNode);
1.1173 + }
1.1174 + } else { /* if at the bottom of the tree */
1.1175 +
1.1176 + /* Check whether policy is in this node's expectedPolicySet */
1.1177 + PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
1.1178 + (currentNode, &expectedPolicies, plContext),
1.1179 + PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
1.1180 +
1.1181 + PKIX_NULLCHECK_ONE(expectedPolicies);
1.1182 +
1.1183 + PKIX_CHECK(pkix_List_Contains
1.1184 + (expectedPolicies,
1.1185 + (PKIX_PL_Object *)policyOID,
1.1186 + &isIncluded,
1.1187 + plContext),
1.1188 + PKIX_LISTCONTAINSFAILED);
1.1189 +
1.1190 + if (isIncluded) {
1.1191 + PKIX_CHECK(pkix_PolicyChecker_Spawn
1.1192 + (currentNode,
1.1193 + policyOID,
1.1194 + policyQualifiers,
1.1195 + subjectDomainPolicies,
1.1196 + state,
1.1197 + plContext),
1.1198 + PKIX_POLICYCHECKERSPAWNFAILED);
1.1199 +
1.1200 + *pChildNodeCreated = PKIX_TRUE;
1.1201 + }
1.1202 + }
1.1203 +
1.1204 +cleanup:
1.1205 +
1.1206 + PKIX_DECREF(children);
1.1207 + PKIX_DECREF(childNode);
1.1208 + PKIX_DECREF(expectedPolicies);
1.1209 +
1.1210 + PKIX_RETURN(CERTCHAINCHECKER);
1.1211 +}
1.1212 +
1.1213 +/*
1.1214 + * FUNCTION: pkix_PolicyChecker_CheckPolicy
1.1215 + * DESCRIPTION:
1.1216 + *
1.1217 + * Performs the non-recursive portion of the policy processing for the policy
1.1218 + * whose OID is pointed to by "policyOID" and whose List of
1.1219 + * CertPolicyQualifiers is pointed to by "policyQualifiers", for the
1.1220 + * Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
1.1221 + * to by "maps", in accordance with the current PolicyCheckerState pointed
1.1222 + * to by "state".
1.1223 + *
1.1224 + * This function implements the processing described in RFC3280
1.1225 + * Section 6.1.3(d)(1)(i).
1.1226 + *
1.1227 + * PARAMETERS:
1.1228 + * "policyOID"
1.1229 + * Address of OID of the policy to be checked for. Must be non-NULL.
1.1230 + * "policyQualifiers"
1.1231 + * Address of List of CertPolicyQualifiers of the policy to be checked for.
1.1232 + * May be empty or NULL.
1.1233 + * "cert"
1.1234 + * Address of the current certificate. Must be non-NULL.
1.1235 + * "maps"
1.1236 + * Address of List of CertPolicyMaps for the current certificate
1.1237 + * "state"
1.1238 + * Address of PolicyCheckerState of the current PolicyChecker. Must be
1.1239 + * non-NULL.
1.1240 + * "plContext"
1.1241 + * Platform-specific context pointer.
1.1242 + * THREAD SAFETY:
1.1243 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1244 + * RETURNS:
1.1245 + * Returns NULL if the function succeeds
1.1246 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.1247 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.1248 + */
1.1249 +static PKIX_Error *
1.1250 +pkix_PolicyChecker_CheckPolicy(
1.1251 + PKIX_PL_OID *policyOID,
1.1252 + PKIX_List *policyQualifiers,
1.1253 + PKIX_PL_Cert *cert,
1.1254 + PKIX_List *maps,
1.1255 + PKIX_PolicyCheckerState *state,
1.1256 + void *plContext)
1.1257 +{
1.1258 + PKIX_Boolean childNodeCreated = PKIX_FALSE;
1.1259 + PKIX_Boolean okToSpawn = PKIX_FALSE;
1.1260 + PKIX_Boolean found = PKIX_FALSE;
1.1261 + PKIX_List *subjectDomainPolicies = NULL;
1.1262 +
1.1263 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
1.1264 + PKIX_NULLCHECK_THREE(policyOID, cert, state);
1.1265 +
1.1266 + /*
1.1267 + * If this is not the last certificate, get the set of
1.1268 + * subjectDomainPolicies that "policy" maps to, according to the
1.1269 + * current cert's policy mapping extension.
That set will be NULL
1.1270 + * if the current cert does not have a policy mapping extension,
1.1271 + * or if the current policy is not mapped.
1.1272 + */
1.1273 + if (state->certsProcessed != (state->numCerts - 1)) {
1.1274 + PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1.1275 + (maps, policyOID, &subjectDomainPolicies, plContext),
1.1276 + PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1.1277 + }
1.1278 +
1.1279 + /*
1.1280 + * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
1.1281 + * will have to delete any nodes created with validPolicies equal to
1.1282 + * policies that appear as issuerDomainPolicies in a policy mapping
1.1283 + * extension. Let's avoid creating any such nodes.
1.1284 + */
1.1285 + if ((state->policyMapping) == 0) {
1.1286 + if (subjectDomainPolicies) {
1.1287 + goto cleanup;
1.1288 + }
1.1289 + }
1.1290 +
1.1291 + PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
1.1292 + (policyOID,
1.1293 + policyQualifiers,
1.1294 + subjectDomainPolicies,
1.1295 + state->validPolicyTree,
1.1296 + state,
1.1297 + &childNodeCreated,
1.1298 + plContext),
1.1299 + PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
1.1300 +
1.1301 + if (!childNodeCreated) {
1.1302 + /*
1.1303 + * Section 6.1.3(d)(1)(ii)
1.1304 + * There was no match. If there was a node at
1.1305 + * depth i-1 with valid policy anyPolicy,
1.1306 + * generate a node subordinate to that.
1.1307 + *
1.1308 + * But that means this created node would be in
1.1309 + * the valid-policy-node-set, and will be
1.1310 + * pruned in 6.1.5(g)(iii)(2) unless it is in
1.1311 + * the user-initial-policy-set or the user-
1.1312 + * initial-policy-set is {anyPolicy}. So check,
1.1313 + * and don't create it if it will be pruned.
1.1314 + */
1.1315 + if (state->anyPolicyNodeAtBottom) {
1.1316 + if (state->initialIsAnyPolicy) {
1.1317 + okToSpawn = PKIX_TRUE;
1.1318 + } else {
1.1319 + PKIX_CHECK(pkix_List_Contains
1.1320 + (state->mappedUserInitialPolicySet,
1.1321 + (PKIX_PL_Object *)policyOID,
1.1322 + &okToSpawn,
1.1323 + plContext),
1.1324 + PKIX_LISTCONTAINSFAILED);
1.1325 + }
1.1326 + if (okToSpawn) {
1.1327 + PKIX_CHECK(pkix_PolicyChecker_Spawn
1.1328 + (state->anyPolicyNodeAtBottom,
1.1329 + policyOID,
1.1330 + policyQualifiers,
1.1331 + subjectDomainPolicies,
1.1332 + state,
1.1333 + plContext),
1.1334 + PKIX_POLICYCHECKERSPAWNFAILED);
1.1335 + childNodeCreated = PKIX_TRUE;
1.1336 + }
1.1337 + }
1.1338 + }
1.1339 +
1.1340 + if (childNodeCreated) {
1.1341 + /*
1.1342 + * If this policy had qualifiers, and the certificate policies
1.1343 + * extension was marked critical, and the user cannot deal with
1.1344 + * policy qualifiers, throw an error.
1.1345 + */
1.1346 + if (policyQualifiers &&
1.1347 + state->certPoliciesCritical &&
1.1348 + state->policyQualifiersRejected) {
1.1349 + PKIX_ERROR
1.1350 + (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
1.1351 + }
1.1352 + /*
1.1353 + * If the policy we just propagated was in the list of mapped
1.1354 + * policies, remove it from the list. That list is used, at the
1.1355 + * end, to determine policies that have not been propagated.
1.1356 + */
1.1357 + if (state->mappedPolicyOIDs) {
1.1358 + PKIX_CHECK(pkix_List_Contains
1.1359 + (state->mappedPolicyOIDs,
1.1360 + (PKIX_PL_Object *)policyOID,
1.1361 + &found,
1.1362 + plContext),
1.1363 + PKIX_LISTCONTAINSFAILED);
1.1364 + if (found) {
1.1365 + PKIX_CHECK(pkix_List_Remove
1.1366 + (state->mappedPolicyOIDs,
1.1367 + (PKIX_PL_Object *)policyOID,
1.1368 + plContext),
1.1369 + PKIX_LISTREMOVEFAILED);
1.1370 + }
1.1371 + }
1.1372 + }
1.1373 +
1.1374 +cleanup:
1.1375 +
1.1376 + PKIX_DECREF(subjectDomainPolicies);
1.1377 +
1.1378 + PKIX_RETURN(CERTCHAINCHECKER);
1.1379 +}
1.1380 +
1.1381 +/*
1.1382 + * FUNCTION: pkix_PolicyChecker_CheckAny
1.1383 + * DESCRIPTION:
1.1384 + * Performs the creation of PolicyNodes, for the PolicyNode pointed to by
1.1385 + * "currentNode" and PolicyNodes subordinate to it, using the List of
1.1386 + * qualifiers pointed to by "qualsOfAny", in accordance with the current
1.1387 + * certificate's PolicyMaps pointed to by "policyMaps" and the current
1.1388 + * PolicyCheckerState pointed to by "state".
1.1389 + *
1.1390 + * If the currentNode is not just above the bottom of the validPolicyTree, this
1.1391 + * function calls itself recursively for each child of currentNode. At the
1.1392 + * level just above the bottom, for each policy in the currentNode's
1.1393 + * expectedPolicySet not already present in a child node, it creates a new
1.1394 + * child node. The validPolicy of the child created, and its expectedPolicySet,
1.1395 + * will be the policy from the currentNode's expectedPolicySet. The policy
1.1396 + * qualifiers will be the qualifiers from the current certificate's anyPolicy,
1.1397 + * the "qualsOfAny" parameter. If the currentNode's expectedSet includes
1.1398 + * anyPolicy, a childNode will be created with a policy of anyPolicy. This is
1.1399 + * the only way such a node can be created.
1.1400 + *
1.1401 + * This function is called only when anyPolicy is one of the current
1.1402 + * certificate's policies. This function implements the processing described
1.1403 + * in RFC3280 Section 6.1.3(d)(2).
1.1404 + *
1.1405 + * PARAMETERS:
1.1406 + * "currentNode"
1.1407 + * Address of PolicyNode whose descendants will be checked, if not at the
1.1408 + * bottom of the tree; or whose expectedPolicySet will be compared to those
1.1409 + * in "alreadyPresent", if at the bottom. Must be non-NULL.
1.1410 + * "qualsOfAny"
1.1411 + * Address of List of qualifiers of the anyPolicy in the current
1.1412 + * certificate. May be empty or NULL.
1.1413 + * "policyMaps"
1.1414 + * Address of the List of PolicyMaps of the current certificate. May be
1.1415 + * empty or NULL.
1.1416 + * "state"
1.1417 + * Address of the current state of the PKIX_PolicyChecker.
1.1418 + * Must be non-NULL.
1.1419 + * "plContext"
1.1420 + * Platform-specific context pointer.
1.1421 + * THREAD SAFETY:
1.1422 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1423 + * RETURNS:
1.1424 + * Returns NULL if the function succeeds
1.1425 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.1426 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.1427 + */
1.1428 +static PKIX_Error *
1.1429 +pkix_PolicyChecker_CheckAny(
1.1430 + PKIX_PolicyNode *currentNode,
1.1431 + PKIX_List *qualsOfAny, /* CertPolicyQualifiers */
1.1432 + PKIX_List *policyMaps, /* CertPolicyMaps */
1.1433 + PKIX_PolicyCheckerState *state,
1.1434 + void *plContext)
1.1435 +{
1.1436 + PKIX_UInt32 depth = 0;
1.1437 + PKIX_UInt32 numChildren = 0;
1.1438 + PKIX_UInt32 childIx = 0;
1.1439 + PKIX_UInt32 numPolicies = 0;
1.1440 + PKIX_UInt32 polx = 0;
1.1441 + PKIX_Boolean isIncluded = PKIX_FALSE;
1.1442 + PKIX_List *children = NULL; /* PolicyNodes */
1.1443 + PKIX_PolicyNode *childNode = NULL;
1.1444 + PKIX_List *expectedPolicies = NULL; /* OIDs */
1.1445 +
PKIX_PL_OID *policyOID = NULL;
1.1446 + PKIX_PL_OID *childPolicy = NULL;
1.1447 + PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
1.1448 +
1.1449 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
1.1450 + PKIX_NULLCHECK_TWO(currentNode, state);
1.1451 +
1.1452 + PKIX_CHECK(PKIX_PolicyNode_GetDepth
1.1453 + (currentNode, &depth, plContext),
1.1454 + PKIX_POLICYNODEGETDEPTHFAILED);
1.1455 +
1.1456 + PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1.1457 + (currentNode, &children, plContext),
1.1458 + PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1.1459 +
1.1460 + if (children) {
1.1461 + PKIX_CHECK(PKIX_List_GetLength
1.1462 + (children, &numChildren, plContext),
1.1463 + PKIX_LISTGETLENGTHFAILED);
1.1464 + }
1.1465 +
1.1466 + if (depth < (state->certsProcessed)) {
1.1467 + for (childIx = 0; childIx < numChildren; childIx++) {
1.1468 +
1.1469 + PKIX_CHECK(PKIX_List_GetItem
1.1470 + (children,
1.1471 + childIx,
1.1472 + (PKIX_PL_Object **)&childNode,
1.1473 + plContext),
1.1474 + PKIX_LISTGETITEMFAILED);
1.1475 +
1.1476 + PKIX_NULLCHECK_ONE(childNode);
1.1477 + PKIX_CHECK(pkix_PolicyChecker_CheckAny
1.1478 + (childNode,
1.1479 + qualsOfAny,
1.1480 + policyMaps,
1.1481 + state,
1.1482 + plContext),
1.1483 + PKIX_POLICYCHECKERCHECKANYFAILED);
1.1484 +
1.1485 + PKIX_DECREF(childNode);
1.1486 + }
1.1487 + } else { /* if at the bottom of the tree */
1.1488 +
1.1489 + PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
1.1490 + (currentNode, &expectedPolicies, plContext),
1.1491 + PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
1.1492 +
1.1493 + /* Expected Policy Set is not allowed to be NULL */
1.1494 + PKIX_NULLCHECK_ONE(expectedPolicies);
1.1495 +
1.1496 + PKIX_CHECK(PKIX_List_GetLength
1.1497 + (expectedPolicies, &numPolicies, plContext),
1.1498 + PKIX_LISTGETLENGTHFAILED);
1.1499 +
1.1500 + for (polx = 0; polx < numPolicies; polx++) {
1.1501 + PKIX_CHECK(PKIX_List_GetItem
1.1502 + (expectedPolicies,
1.1503 + polx,
1.1504 + (PKIX_PL_Object **)&policyOID,
1.1505 +
plContext),
1.1506 + PKIX_LISTGETITEMFAILED);
1.1507 +
1.1508 + PKIX_NULLCHECK_ONE(policyOID);
1.1509 +
1.1510 + isIncluded = PKIX_FALSE;
1.1511 +
1.1512 + for (childIx = 0;
1.1513 + (!isIncluded && (childIx < numChildren));
1.1514 + childIx++) {
1.1515 +
1.1516 + PKIX_CHECK(PKIX_List_GetItem
1.1517 + (children,
1.1518 + childIx,
1.1519 + (PKIX_PL_Object **)&childNode,
1.1520 + plContext),
1.1521 + PKIX_LISTGETITEMFAILED);
1.1522 +
1.1523 + PKIX_NULLCHECK_ONE(childNode);
1.1524 +
1.1525 + PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1.1526 + (childNode, &childPolicy, plContext),
1.1527 + PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1.1528 +
1.1529 + PKIX_NULLCHECK_ONE(childPolicy);
1.1530 +
1.1531 + PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
1.1532 + PKIX_OBJECTEQUALSFAILED);
1.1533 +
1.1534 + PKIX_DECREF(childNode);
1.1535 + PKIX_DECREF(childPolicy);
1.1536 + }
1.1537 +
1.1538 + if (!isIncluded) {
1.1539 + if (policyMaps) {
1.1540 + PKIX_CHECK
1.1541 + (pkix_PolicyChecker_MapGetSubjectDomainPolicies
1.1542 + (policyMaps,
1.1543 + policyOID,
1.1544 + &subjectDomainPolicies,
1.1545 + plContext),
1.1546 + PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1.1547 + }
1.1548 + PKIX_CHECK(pkix_PolicyChecker_Spawn
1.1549 + (currentNode,
1.1550 + policyOID,
1.1551 + qualsOfAny,
1.1552 + subjectDomainPolicies,
1.1553 + state,
1.1554 + plContext),
1.1555 + PKIX_POLICYCHECKERSPAWNFAILED);
1.1556 + PKIX_DECREF(subjectDomainPolicies);
1.1557 + }
1.1558 +
1.1559 + PKIX_DECREF(policyOID);
1.1560 + }
1.1561 + }
1.1562 +
1.1563 +cleanup:
1.1564 +
1.1565 + PKIX_DECREF(children);
1.1566 + PKIX_DECREF(childNode);
1.1567 + PKIX_DECREF(expectedPolicies);
1.1568 + PKIX_DECREF(policyOID);
1.1569 + PKIX_DECREF(childPolicy);
1.1570 + PKIX_DECREF(subjectDomainPolicies);
1.1571 +
1.1572 + PKIX_RETURN(CERTCHAINCHECKER);
1.1573 +
1.1574 +}
1.1575 +
1.1576 +/*
1.1577 + * FUNCTION: pkix_PolicyChecker_CalculateIntersection
1.1578 + * DESCRIPTION:
1.1579 + *
1.1580 + * Processes the
PolicyNode pointed to by "currentNode", and its descendants,
1.1581 + * using the PolicyCheckerState pointed to by "state", using the List at
1.1582 + * the address pointed to by "nominees" the OIDs of policies that are in the
1.1583 + * user-initial-policy-set but are not represented among the nodes at the
1.1584 + * bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
1.1585 + * currentNode is childless at the end of this processing, FALSE if it has
1.1586 + * children or is at the bottom of the tree.
1.1587 + *
1.1588 + * When this function is called at the top level, "nominees" should be the List
1.1589 + * of all policies in the user-initial-policy-set. Policies that are
1.1590 + * represented in the valid-policy-node-set are removed from this List. As a
1.1591 + * result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
1.1592 + * be created for each policy remaining in this List.
1.1593 + *
1.1594 + * This function implements the calculation of the intersection of the
1.1595 + * validPolicyTree with the user-initial-policy-set, as described in
1.1596 + * RFC 3280 6.1.5(g)(iii).
1.1597 + *
1.1598 + * PARAMETERS:
1.1599 + * "currentNode"
1.1600 + * Address of PolicyNode whose descendants will be processed as described.
1.1601 + * Must be non-NULL.
1.1602 + * "state"
1.1603 + * Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
1.1604 + * "nominees"
1.1605 + * Address of List of the OIDs for which nodes should be created to replace
1.1606 + * anyPolicy nodes. Must be non-NULL but may be empty.
1.1607 + * "pShouldBePruned"
1.1608 + * Address where Boolean return value, set to TRUE if this PolicyNode
1.1609 + * should be deleted, is stored. Must be non-NULL.
1.1610 + * "plContext"
1.1611 + * Platform-specific context pointer.
1.1612 + * THREAD SAFETY:
1.1613 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1614 + * RETURNS:
1.1615 + * Returns NULL if the function succeeds
1.1616 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.1617 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.1618 + */
1.1619 +static PKIX_Error *
1.1620 +pkix_PolicyChecker_CalculateIntersection(
1.1621 + PKIX_PolicyNode *currentNode,
1.1622 + PKIX_PolicyCheckerState *state,
1.1623 + PKIX_List *nominees, /* OIDs */
1.1624 + PKIX_Boolean *pShouldBePruned,
1.1625 + void *plContext)
1.1626 +{
1.1627 + PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
1.1628 + PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
1.1629 + PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
1.1630 + PKIX_Boolean shouldBePruned = PKIX_FALSE;
1.1631 + PKIX_Boolean priorCriticality = PKIX_FALSE;
1.1632 + PKIX_UInt32 depth = 0;
1.1633 + PKIX_UInt32 numChildren = 0;
1.1634 + PKIX_UInt32 childIndex = 0;
1.1635 + PKIX_UInt32 numNominees = 0;
1.1636 + PKIX_UInt32 polIx = 0;
1.1637 + PKIX_PL_OID *currentPolicy = NULL;
1.1638 + PKIX_PL_OID *parentPolicy = NULL;
1.1639 + PKIX_PL_OID *substPolicy = NULL;
1.1640 + PKIX_PolicyNode *parent = NULL;
1.1641 + PKIX_PolicyNode *child = NULL;
1.1642 + PKIX_List *children = NULL; /* PolicyNodes */
1.1643 + PKIX_List *policyQualifiers = NULL;
1.1644 +
1.1645 + PKIX_ENTER
1.1646 + (CERTCHAINCHECKER,
1.1647 + "pkix_PolicyChecker_CalculateIntersection");
1.1648 +
1.1649 + /*
1.1650 + * We call this function if the valid_policy_tree is not NULL and
1.1651 + * the user-initial-policy-set is not any-policy.
1.1652 + */
1.1653 + if (!state->validPolicyTree || state->initialIsAnyPolicy) {
1.1654 + PKIX_ERROR(PKIX_PRECONDITIONFAILED);
1.1655 + }
1.1656 +
1.1657 + PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
1.1658 +
1.1659 + PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1.1660 + (currentNode, ¤tPolicy, plContext),
1.1661 + PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1.1662 +
1.1663 + PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
1.1664 +
1.1665 + PKIX_EQUALS
1.1666 + (state->anyPolicyOID,
1.1667 + currentPolicy,
1.1668 + ¤tPolicyIsAny,
1.1669 + plContext,
1.1670 + PKIX_OBJECTEQUALSFAILED);
1.1671 +
1.1672 + PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
1.1673 + PKIX_POLICYNODEGETPARENTFAILED);
1.1674 +
1.1675 + if (currentPolicyIsAny == PKIX_FALSE) {
1.1676 +
1.1677 + /*
1.1678 + * If we are at the top of the tree, or if our
1.1679 + * parent's validPolicy is anyPolicy, we are in
1.1680 + * the valid policy node set.
1.1681 + */
1.1682 + if (parent) {
1.1683 + PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1.1684 + (parent, &parentPolicy, plContext),
1.1685 + PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1.1686 +
1.1687 + PKIX_NULLCHECK_ONE(parentPolicy);
1.1688 +
1.1689 + PKIX_EQUALS
1.1690 + (state->anyPolicyOID,
1.1691 + parentPolicy,
1.1692 + &parentPolicyIsAny,
1.1693 + plContext,
1.1694 + PKIX_OBJECTEQUALSFAILED);
1.1695 + }
1.1696 +
1.1697 + /*
1.1698 + * Section 6.1.5(g)(iii)(2)
1.1699 + * If this node's policy is not in the user-initial-policy-set,
1.1700 + * it is not in the intersection. Prune it.
1.1701 + */
1.1702 + if (!parent || parentPolicyIsAny) {
1.1703 + PKIX_CHECK(pkix_List_Contains
1.1704 + (state->userInitialPolicySet,
1.1705 + (PKIX_PL_Object *)currentPolicy,
1.1706 + ¤tPolicyIsValid,
1.1707 + plContext),
1.1708 + PKIX_LISTCONTAINSFAILED);
1.1709 + if (!currentPolicyIsValid) {
1.1710 + *pShouldBePruned = PKIX_TRUE;
1.1711 + goto cleanup;
1.1712 + }
1.1713 +
1.1714 + /*
1.1715 + * If this node's policy is in the user-initial-policy-
1.1716 + * set, it will propagate that policy into the next
1.1717 + * level of the tree. Remove the policy from the list
1.1718 + * of policies that an anyPolicy will spawn.
1.1719 + */
1.1720 + PKIX_CHECK(pkix_List_Remove
1.1721 + (nominees,
1.1722 + (PKIX_PL_Object *)currentPolicy,
1.1723 + plContext),
1.1724 + PKIX_LISTREMOVEFAILED);
1.1725 + }
1.1726 + }
1.1727 +
1.1728 +
1.1729 + /* Are we at the bottom of the tree? */
1.1730 +
1.1731 + PKIX_CHECK(PKIX_PolicyNode_GetDepth
1.1732 + (currentNode, &depth, plContext),
1.1733 + PKIX_POLICYNODEGETDEPTHFAILED);
1.1734 +
1.1735 + if (depth == (state->numCerts)) {
1.1736 + /*
1.1737 + * Section 6.1.5(g)(iii)(3)
1.1738 + * Replace anyPolicy nodes...
1.1739 + */
1.1740 + if (currentPolicyIsAny == PKIX_TRUE) {
1.1741 +
1.1742 + /* replace this node */
1.1743 +
1.1744 + PKIX_CHECK(PKIX_List_GetLength
1.1745 + (nominees, &numNominees, plContext),
1.1746 + PKIX_LISTGETLENGTHFAILED);
1.1747 +
1.1748 + if (numNominees) {
1.1749 +
1.1750 + PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
1.1751 + (currentNode,
1.1752 + &policyQualifiers,
1.1753 + plContext),
1.1754 + PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
1.1755 +
1.1756 + PKIX_CHECK(PKIX_PolicyNode_IsCritical
1.1757 + (currentNode, &priorCriticality, plContext),
1.1758 + PKIX_POLICYNODEISCRITICALFAILED);
1.1759 + }
1.1760 +
1.1761 + PKIX_NULLCHECK_ONE(parent);
1.1762 +
1.1763 + for (polIx = 0; polIx < numNominees; polIx++) {
1.1764 +
1.1765 + PKIX_CHECK(PKIX_List_GetItem
1.1766 + (nominees,
1.1767 + polIx,
1.1768 + (PKIX_PL_Object **)&substPolicy,
1.1769 + plContext),
1.1770 + PKIX_LISTGETITEMFAILED);
1.1771 +
1.1772 + PKIX_CHECK(pkix_PolicyChecker_Spawn
1.1773 + (parent,
1.1774 + substPolicy,
1.1775 + policyQualifiers,
1.1776 + NULL,
1.1777 + state,
1.1778 + plContext),
1.1779 + PKIX_POLICYCHECKERSPAWNFAILED);
1.1780 +
1.1781 + PKIX_DECREF(substPolicy);
1.1782 +
1.1783 + }
1.1784 + /* remove currentNode from parent */
1.1785 + *pShouldBePruned = PKIX_TRUE;
1.1786 + /*
1.1787 + * We can get away with augmenting the parent's List
1.1788 + * of children because we started at the end and went
1.1789 + * toward the beginning. New nodes are added at the end.
1.1790 + */
1.1791 + }
1.1792 + } else {
1.1793 + /*
1.1794 + * Section 6.1.5(g)(iii)(4)
1.1795 + * Prune any childless nodes above the bottom level
1.1796 + */
1.1797 + PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1.1798 + (currentNode, &children, plContext),
1.1799 + PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1.1800 +
1.1801 + /* CurrentNode should have been pruned if childless.
*/
1.1802 + PKIX_NULLCHECK_ONE(children);
1.1803 +
1.1804 + PKIX_CHECK(PKIX_List_GetLength
1.1805 + (children, &numChildren, plContext),
1.1806 + PKIX_LISTGETLENGTHFAILED);
1.1807 +
1.1808 + for (childIndex = numChildren; childIndex > 0; childIndex--) {
1.1809 +
1.1810 + PKIX_CHECK(PKIX_List_GetItem
1.1811 + (children,
1.1812 + childIndex - 1,
1.1813 + (PKIX_PL_Object **)&child,
1.1814 + plContext),
1.1815 + PKIX_LISTGETITEMFAILED);
1.1816 +
1.1817 + PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
1.1818 + (child, state, nominees, &shouldBePruned, plContext),
1.1819 + PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
1.1820 +
1.1821 + if (PKIX_TRUE == shouldBePruned) {
1.1822 +
1.1823 + PKIX_CHECK(PKIX_List_DeleteItem
1.1824 + (children, childIndex - 1, plContext),
1.1825 + PKIX_LISTDELETEITEMFAILED);
1.1826 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.1827 + ((PKIX_PL_Object *)state, plContext),
1.1828 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.1829 + }
1.1830 +
1.1831 + PKIX_DECREF(child);
1.1832 + }
1.1833 +
1.1834 + PKIX_CHECK(PKIX_List_GetLength
1.1835 + (children, &numChildren, plContext),
1.1836 + PKIX_LISTGETLENGTHFAILED);
1.1837 +
1.1838 + if (numChildren == 0) {
1.1839 + *pShouldBePruned = PKIX_TRUE;
1.1840 + }
1.1841 + }
1.1842 +cleanup:
1.1843 + PKIX_DECREF(currentPolicy);
1.1844 + PKIX_DECREF(parentPolicy);
1.1845 + PKIX_DECREF(substPolicy);
1.1846 + PKIX_DECREF(parent);
1.1847 + PKIX_DECREF(child);
1.1848 + PKIX_DECREF(children);
1.1849 + PKIX_DECREF(policyQualifiers);
1.1850 +
1.1851 + PKIX_RETURN(CERTCHAINCHECKER);
1.1852 +
1.1853 +}
1.1854 +
1.1855 +/*
1.1856 + * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
1.1857 + * DESCRIPTION:
1.1858 + *
1.1859 + * Performs the processing of Policies in the List of CertPolicyMaps pointed
1.1860 + * to by "policyMaps", using and updating the PolicyCheckerState pointed to by
1.1861 + * "state".
1.1862 + *
1.1863 + * This function implements the policyMap processing described in RFC3280
1.1864 + * Section 6.1.4(b)(1), after certificate i has been processed, in preparation
1.1865 + * for certificate i+1. Section references are to that document.
1.1866 + *
1.1867 + * PARAMETERS:
1.1868 + * "policyMaps"
1.1869 + * Address of the List of CertPolicyMaps presented by certificate i.
1.1870 + * Must be non-NULL.
1.1871 + * "certPoliciesIncludeAny"
1.1872 + * Boolean value which is PKIX_TRUE if the current certificate asserts
1.1873 + * anyPolicy, PKIX_FALSE otherwise.
1.1874 + * "qualsOfAny"
1.1875 + * Address of List of qualifiers of the anyPolicy in the current
1.1876 + * certificate. May be empty or NULL.
1.1877 + * "state"
1.1878 + * Address of the current state of the PKIX_PolicyChecker.
1.1879 + * Must be non-NULL.
1.1880 + * "plContext"
1.1881 + * Platform-specific context pointer.
1.1882 + * THREAD SAFETY:
1.1883 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.1884 + * RETURNS:
1.1885 + * Returns NULL if the function succeeds
1.1886 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.1887 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.1888 + */
1.1889 +static PKIX_Error *
1.1890 +pkix_PolicyChecker_PolicyMapProcessing(
1.1891 + PKIX_List *policyMaps, /* CertPolicyMaps */
1.1892 + PKIX_Boolean certPoliciesIncludeAny,
1.1893 + PKIX_List *qualsOfAny,
1.1894 + PKIX_PolicyCheckerState *state,
1.1895 + void *plContext)
1.1896 +{
1.1897 + PKIX_UInt32 numPolicies = 0;
1.1898 + PKIX_UInt32 polX = 0;
1.1899 + PKIX_PL_OID *policyOID = NULL;
1.1900 + PKIX_List *newMappedPolicies = NULL; /* OIDs */
1.1901 + PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
1.1902 +
1.1903 + PKIX_ENTER
1.1904 + (CERTCHAINCHECKER,
1.1905 + "pkix_PolicyChecker_PolicyMapProcessing");
1.1906 + PKIX_NULLCHECK_THREE
1.1907 + (policyMaps,
1.1908 + state,
1.1909 + state->mappedUserInitialPolicySet);
1.1910 +
1.1911 + /*
1.1912 + * For each policy in mappedUserInitialPolicySet, if it is not mapped,
1.1913 + * append it to new policySet; if it is mapped, append its
1.1914 + * subjectDomainPolicies to new policySet. When done, this new
1.1915 + * policySet will replace mappedUserInitialPolicySet.
1.1916 + */
1.1917 + PKIX_CHECK(PKIX_List_Create
1.1918 + (&newMappedPolicies, plContext),
1.1919 + PKIX_LISTCREATEFAILED);
1.1920 +
1.1921 + PKIX_CHECK(PKIX_List_GetLength
1.1922 + (state->mappedUserInitialPolicySet,
1.1923 + &numPolicies,
1.1924 + plContext),
1.1925 + PKIX_LISTGETLENGTHFAILED);
1.1926 +
1.1927 + for (polX = 0; polX < numPolicies; polX++) {
1.1928 +
1.1929 + PKIX_CHECK(PKIX_List_GetItem
1.1930 + (state->mappedUserInitialPolicySet,
1.1931 + polX,
1.1932 + (PKIX_PL_Object **)&policyOID,
1.1933 + plContext),
1.1934 + PKIX_LISTGETITEMFAILED);
1.1935 +
1.1936 + PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1.1937 + (policyMaps,
1.1938 + policyOID,
1.1939 + &subjectDomainPolicies,
1.1940 + plContext),
1.1941 + PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1.1942 +
1.1943 + if (subjectDomainPolicies) {
1.1944 +
1.1945 + PKIX_CHECK(pkix_List_AppendUnique
1.1946 + (newMappedPolicies,
1.1947 + subjectDomainPolicies,
1.1948 + plContext),
1.1949 + PKIX_LISTAPPENDUNIQUEFAILED);
1.1950 +
1.1951 + PKIX_DECREF(subjectDomainPolicies);
1.1952 +
1.1953 + } else {
1.1954 + PKIX_CHECK(PKIX_List_AppendItem
1.1955 + (newMappedPolicies,
1.1956 + (PKIX_PL_Object *)policyOID,
1.1957 + plContext),
1.1958 + PKIX_LISTAPPENDITEMFAILED);
1.1959 + }
1.1960 + PKIX_DECREF(policyOID);
1.1961 + }
1.1962 +
1.1963 + /*
1.1964 + * For each policy ID-P remaining in mappedPolicyOIDs, it has not been
1.1965 + * propagated to the bottom of the tree (depth i).
If policyMapping
1.1966 + * is greater than zero and this cert contains anyPolicy and the tree
1.1967 + * contains an anyPolicy node at depth i-1, then we must create a node
1.1968 + * with validPolicy ID-P, the policy qualifiers of anyPolicy in
1.1969 + * this certificate, and expectedPolicySet the subjectDomainPolicies
1.1970 + * that ID-P maps to. We also then add those subjectDomainPolicies to
1.1971 + * the list of policies that will be accepted in the next certificate,
1.1972 + * the mappedUserInitialPolicySet.
1.1973 + */
1.1974 +
1.1975 + if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
1.1976 + (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
1.1977 +
1.1978 + PKIX_CHECK(PKIX_List_GetLength
1.1979 + (state->mappedPolicyOIDs,
1.1980 + &numPolicies,
1.1981 + plContext),
1.1982 + PKIX_LISTGETLENGTHFAILED);
1.1983 +
1.1984 + for (polX = 0; polX < numPolicies; polX++) {
1.1985 +
1.1986 + PKIX_CHECK(PKIX_List_GetItem
1.1987 + (state->mappedPolicyOIDs,
1.1988 + polX,
1.1989 + (PKIX_PL_Object **)&policyOID,
1.1990 + plContext),
1.1991 + PKIX_LISTGETITEMFAILED);
1.1992 +
1.1993 + PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1.1994 + (policyMaps,
1.1995 + policyOID,
1.1996 + &subjectDomainPolicies,
1.1997 + plContext),
1.1998 + PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1.1999 +
1.2000 + PKIX_CHECK(pkix_PolicyChecker_Spawn
1.2001 + (state->anyPolicyNodeAtBottom,
1.2002 + policyOID,
1.2003 + qualsOfAny,
1.2004 + subjectDomainPolicies,
1.2005 + state,
1.2006 + plContext),
1.2007 + PKIX_POLICYCHECKERSPAWNFAILED);
1.2008 +
1.2009 + PKIX_CHECK(pkix_List_AppendUnique
1.2010 + (newMappedPolicies,
1.2011 + subjectDomainPolicies,
1.2012 + plContext),
1.2013 + PKIX_LISTAPPENDUNIQUEFAILED);
1.2014 +
1.2015 + PKIX_DECREF(subjectDomainPolicies);
1.2016 + PKIX_DECREF(policyOID);
1.2017 + }
1.2018 + }
1.2019 +
1.2020 + PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
1.2021 + PKIX_LISTSETIMMUTABLEFAILED);
1.2022 +
1.2023 + PKIX_DECREF(state->mappedUserInitialPolicySet);
1.2024 + PKIX_INCREF(newMappedPolicies);
1.2025 +
1.2026 + state->mappedUserInitialPolicySet = newMappedPolicies;
1.2027 +
1.2028 +cleanup:
1.2029 +
1.2030 + PKIX_DECREF(policyOID);
1.2031 + PKIX_DECREF(newMappedPolicies);
1.2032 + PKIX_DECREF(subjectDomainPolicies);
1.2033 +
1.2034 + PKIX_RETURN(CERTCHAINCHECKER);
1.2035 +}
1.2036 +
1.2037 +/*
1.2038 + * FUNCTION: pkix_PolicyChecker_WrapUpProcessing
1.2039 + * DESCRIPTION:
1.2040 + *
1.2041 + * Performs the wrap-up processing for the Cert pointed to by "cert",
1.2042 + * using and updating the PolicyCheckerState pointed to by "state".
1.2043 + *
1.2044 + * This function implements the wrap-up processing described in RFC3280
1.2045 + * Section 6.1.5, after the final certificate has been processed. Section
1.2046 + * references in the comments are to that document.
1.2047 + *
1.2048 + * PARAMETERS:
1.2049 + * "cert"
1.2050 + * Address of the current (presumably the end entity) certificate.
1.2051 + * Must be non-NULL.
1.2052 + * "state"
1.2053 + * Address of the current state of the PKIX_PolicyChecker.
1.2054 + * Must be non-NULL.
1.2055 + * "plContext"
1.2056 + * Platform-specific context pointer.
1.2057 + * THREAD SAFETY:
1.2058 + * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.2059 + * RETURNS:
1.2060 + * Returns NULL if the function succeeds
1.2061 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.2062 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.2063 + */
1.2064 +static PKIX_Error *
1.2065 +pkix_PolicyChecker_WrapUpProcessing(
1.2066 + PKIX_PL_Cert *cert,
1.2067 + PKIX_PolicyCheckerState *state,
1.2068 + void *plContext)
1.2069 +{
1.2070 + PKIX_Int32 explicitPolicySkipCerts = 0;
1.2071 + PKIX_Boolean isSelfIssued = PKIX_FALSE;
1.2072 + PKIX_Boolean shouldBePruned = PKIX_FALSE;
1.2073 + PKIX_List *nominees = NULL; /* OIDs */
1.2074 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2075 + PKIX_PL_String *stateString = NULL;
1.2076 + char *stateAscii = NULL;
1.2077 + PKIX_UInt32 length;
1.2078 +#endif
1.2079 +
1.2080 + PKIX_ENTER
1.2081 + (CERTCHAINCHECKER,
1.2082 + "pkix_PolicyChecker_WrapUpProcessing");
1.2083 + PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
1.2084 +
1.2085 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2086 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2087 + ((PKIX_PL_Object*)state, &stateString, plContext),
1.2088 + PKIX_OBJECTTOSTRINGFAILED);
1.2089 +
1.2090 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2091 + (stateString,
1.2092 + PKIX_ESCASCII,
1.2093 + (void **)&stateAscii,
1.2094 + &length,
1.2095 + plContext),
1.2096 + PKIX_STRINGGETENCODEDFAILED);
1.2097 +
1.2098 + PKIX_DEBUG_ARG("%s\n", stateAscii);
1.2099 +
1.2100 + PKIX_FREE(stateAscii);
1.2101 + PKIX_DECREF(stateString);
1.2102 +#endif
1.2103 +
1.2104 + /* Section 6.1.5(a) ...
*/
1.2105 + PKIX_CHECK(pkix_IsCertSelfIssued
1.2106 + (cert, &isSelfIssued, plContext),
1.2107 + PKIX_ISCERTSELFISSUEDFAILED);
1.2108 +
1.2109 + if (!isSelfIssued) {
1.2110 + if (state->explicitPolicy > 0) {
1.2111 +
1.2112 + state->explicitPolicy--;
1.2113 +
1.2114 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2115 + ((PKIX_PL_Object *)state, plContext),
1.2116 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2117 + }
1.2118 + }
1.2119 +
1.2120 + /* Section 6.1.5(b) ... */
1.2121 + PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
1.2122 + (cert, &explicitPolicySkipCerts, plContext),
1.2123 + PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
1.2124 +
1.2125 + if (explicitPolicySkipCerts == 0) {
1.2126 + state->explicitPolicy = 0;
1.2127 + }
1.2128 +
1.2129 + /* Section 6.1.5(g)(i) ... */
1.2130 +
1.2131 + if (!(state->validPolicyTree)) {
1.2132 + goto cleanup;
1.2133 + }
1.2134 +
1.2135 + /* Section 6.1.5(g)(ii) ... */
1.2136 +
1.2137 + if (state->initialIsAnyPolicy) {
1.2138 + goto cleanup;
1.2139 + }
1.2140 +
1.2141 + /*
1.2142 + * Section 6.1.5(g)(iii) ...
1.2143 + * Create a list of policies which could be substituted for anyPolicy.
1.2144 + * Start with a (mutable) copy of user-initial-policy-set.
1.2145 + */
1.2146 + PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
1.2147 + (state->userInitialPolicySet, &nominees, plContext),
1.2148 + PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
1.2149 +
1.2150 + PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
1.2151 + (state->validPolicyTree, /* node at top of tree */
1.2152 + state,
1.2153 + nominees,
1.2154 + &shouldBePruned,
1.2155 + plContext),
1.2156 + PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
1.2157 +
1.2158 + if (PKIX_TRUE == shouldBePruned) {
1.2159 + PKIX_DECREF(state->validPolicyTree);
1.2160 + }
1.2161 +
1.2162 + if (state->validPolicyTree) {
1.2163 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2164 + ((PKIX_PL_Object *)state->validPolicyTree, plContext),
1.2165 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2166 + }
1.2167 +
1.2168 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2169 + ((PKIX_PL_Object *)state, plContext),
1.2170 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2171 +
1.2172 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2173 + if (state->validPolicyTree) {
1.2174 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2175 + ((PKIX_PL_Object*)state, &stateString, plContext),
1.2176 + PKIX_OBJECTTOSTRINGFAILED);
1.2177 +
1.2178 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2179 + (stateString,
1.2180 + PKIX_ESCASCII,
1.2181 + (void **)&stateAscii,
1.2182 + &length,
1.2183 + plContext),
1.2184 + PKIX_STRINGGETENCODEDFAILED);
1.2185 +
1.2186 + PKIX_DEBUG_ARG
1.2187 + ("After CalculateIntersection:\n%s\n", stateAscii);
1.2188 +
1.2189 + PKIX_FREE(stateAscii);
1.2190 + PKIX_DECREF(stateString);
1.2191 + } else {
1.2192 + PKIX_DEBUG("validPolicyTree is NULL\n");
1.2193 + }
1.2194 +#endif
1.2195 +
1.2196 + /* Section 6.1.5(g)(iii)(4) ...
*/
1.2197 +
1.2198 + if (state->validPolicyTree) {
1.2199 +
1.2200 + PKIX_CHECK(pkix_PolicyNode_Prune
1.2201 + (state->validPolicyTree,
1.2202 + state->numCerts,
1.2203 + &shouldBePruned,
1.2204 + plContext),
1.2205 + PKIX_POLICYNODEPRUNEFAILED);
1.2206 +
1.2207 + if (shouldBePruned) {
1.2208 + PKIX_DECREF(state->validPolicyTree);
1.2209 + }
1.2210 + }
1.2211 +
1.2212 + if (state->validPolicyTree) {
1.2213 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2214 + ((PKIX_PL_Object *)state->validPolicyTree, plContext),
1.2215 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2216 + }
1.2217 +
1.2218 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2219 + ((PKIX_PL_Object *)state, plContext),
1.2220 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2221 +
1.2222 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2223 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2224 + ((PKIX_PL_Object*)state, &stateString, plContext),
1.2225 + PKIX_OBJECTTOSTRINGFAILED);
1.2226 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2227 + (stateString,
1.2228 + PKIX_ESCASCII,
1.2229 + (void **)&stateAscii,
1.2230 + &length,
1.2231 + plContext),
1.2232 + PKIX_STRINGGETENCODEDFAILED);
1.2233 + PKIX_DEBUG_ARG("%s\n", stateAscii);
1.2234 +
1.2235 + PKIX_FREE(stateAscii);
1.2236 + PKIX_DECREF(stateString);
1.2237 +#endif
1.2238 +
1.2239 +cleanup:
1.2240 +
1.2241 + PKIX_DECREF(nominees);
1.2242 +
1.2243 + PKIX_RETURN(CERTCHAINCHECKER);
1.2244 +}
1.2245 +
1.2246 +
1.2247 +/*
1.2248 + * FUNCTION: pkix_PolicyChecker_Check
1.2249 + * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
1.2250 + *
1.2251 + * Labels referring to sections, such as "Section 6.1.3(d)", refer to
1.2252 + * sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
1.2253 + *
1.2254 + * If a non-fatal error occurs, it is unlikely that policy processing can
1.2255 + * continue. But it is still possible that chain validation could succeed if
1.2256 + * policy processing is non-critical.
So if this function receives a non-fatal
1.2257 + * error from a lower level routine, it aborts policy processing by setting
1.2258 + * the validPolicyTree to NULL and tries to continue.
1.2259 + *
1.2260 + */
1.2261 +static PKIX_Error *
1.2262 +pkix_PolicyChecker_Check(
1.2263 + PKIX_CertChainChecker *checker,
1.2264 + PKIX_PL_Cert *cert,
1.2265 + PKIX_List *unresolvedCriticals, /* OIDs */
1.2266 + void **pNBIOContext,
1.2267 + void *plContext)
1.2268 +{
1.2269 + PKIX_UInt32 numPolicies = 0;
1.2270 + PKIX_UInt32 polX = 0;
1.2271 + PKIX_Boolean result = PKIX_FALSE;
1.2272 + PKIX_Int32 inhibitMappingSkipCerts = 0;
1.2273 + PKIX_Int32 explicitPolicySkipCerts = 0;
1.2274 + PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
1.2275 + PKIX_Boolean shouldBePruned = PKIX_FALSE;
1.2276 + PKIX_Boolean isSelfIssued = PKIX_FALSE;
1.2277 + PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
1.2278 + PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
1.2279 +
1.2280 + PKIX_PolicyCheckerState *state = NULL;
1.2281 + PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
1.2282 + PKIX_PL_CertPolicyInfo *policy = NULL;
1.2283 + PKIX_PL_OID *policyOID = NULL;
1.2284 + PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
1.2285 + PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
1.2286 + PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
1.2287 + PKIX_List *mappedPolicies = NULL; /* OIDs */
1.2288 + PKIX_Error *subroutineErr = NULL;
1.2289 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2290 + PKIX_PL_String *stateString = NULL;
1.2291 + char *stateAscii = NULL;
1.2292 + PKIX_PL_String *certString = NULL;
1.2293 + char *certAscii = NULL;
1.2294 + PKIX_UInt32 length;
1.2295 +#endif
1.2296 +
1.2297 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
1.2298 + PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
1.2299 +
1.2300 + *pNBIOContext = NULL; /* we never block on pending I/O */
1.2301 +
1.2302 + PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
1.2303 + (checker, (PKIX_PL_Object **)&state, plContext),
1.2304 + PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
1.2305 +
1.2306 + PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
1.2307 +
1.2308 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2309 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2310 + ((PKIX_PL_Object*)state, &stateString, plContext),
1.2311 + PKIX_OBJECTTOSTRINGFAILED);
1.2312 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2313 + (stateString,
1.2314 + PKIX_ESCASCII,
1.2315 + (void **)&stateAscii,
1.2316 + &length,
1.2317 + plContext),
1.2318 + PKIX_STRINGGETENCODEDFAILED);
1.2319 + PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
1.2320 + PKIX_FREE(stateAscii);
1.2321 + PKIX_DECREF(stateString);
1.2322 +#endif
1.2323 +
1.2324 + /*
1.2325 + * Section 6.1.4(a)
1.2326 + * If this is not the last certificate, and if
1.2327 + * policyMapping extension is present, check that no
1.2328 + * issuerDomainPolicy or subjectDomainPolicy is equal to the
1.2329 + * special policy anyPolicy.
1.2330 + */
1.2331 + if (state->certsProcessed != (state->numCerts - 1)) {
1.2332 + PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
1.2333 + (cert, &policyMaps, plContext),
1.2334 + PKIX_CERTGETPOLICYMAPPINGSFAILED);
1.2335 + }
1.2336 +
1.2337 + if (policyMaps) {
1.2338 +
1.2339 + PKIX_CHECK(pkix_PolicyChecker_MapContains
1.2340 + (policyMaps, state->anyPolicyOID, &result, plContext),
1.2341 + PKIX_POLICYCHECKERMAPCONTAINSFAILED);
1.2342 +
1.2343 + if (result) {
1.2344 + PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
1.2345 + }
1.2346 +
1.2347 + PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
1.2348 + (policyMaps, &mappedPolicies, plContext),
1.2349 + PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
1.2350 +
1.2351 + PKIX_DECREF(state->mappedPolicyOIDs);
1.2352 + PKIX_INCREF(mappedPolicies);
1.2353 + state->mappedPolicyOIDs = mappedPolicies;
1.2354 + }
1.2355 +
1.2356 + /* Section 6.1.3(d) */
1.2357 + if (state->validPolicyTree) {
1.2358 +
1.2359 +
PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
1.2360 + (cert, &certPolicyInfos, plContext),
1.2361 + PKIX_CERTGETPOLICYINFORMATIONFAILED);
1.2362 +
1.2363 + if (certPolicyInfos) {
1.2364 + PKIX_CHECK(PKIX_List_GetLength
1.2365 + (certPolicyInfos, &numPolicies, plContext),
1.2366 + PKIX_LISTGETLENGTHFAILED);
1.2367 + }
1.2368 +
1.2369 + if (numPolicies > 0) {
1.2370 +
1.2371 + PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
1.2372 + (cert, &(state->certPoliciesCritical), plContext),
1.2373 + PKIX_CERTARECERTPOLICIESCRITICALFAILED);
1.2374 +
1.2375 + /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
1.2376 + for (polX = 0; polX < numPolicies; polX++) {
1.2377 +
1.2378 + PKIX_CHECK(PKIX_List_GetItem
1.2379 + (certPolicyInfos,
1.2380 + polX,
1.2381 + (PKIX_PL_Object **)&policy,
1.2382 + plContext),
1.2383 + PKIX_LISTGETITEMFAILED);
1.2384 +
1.2385 + PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
1.2386 + (policy, &policyOID, plContext),
1.2387 + PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
1.2388 +
1.2389 + PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
1.2390 + (policy, &policyQualifiers, plContext),
1.2391 + PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
1.2392 +
1.2393 + PKIX_EQUALS
1.2394 + (state->anyPolicyOID,
1.2395 + policyOID,
1.2396 + &result,
1.2397 + plContext,
1.2398 + PKIX_OIDEQUALFAILED);
1.2399 +
1.2400 + if (result == PKIX_FALSE) {
1.2401 +
1.2402 + /* Section 6.1.3(d)(1)(i) */
1.2403 + subroutineErr = pkix_PolicyChecker_CheckPolicy
1.2404 + (policyOID,
1.2405 + policyQualifiers,
1.2406 + cert,
1.2407 + policyMaps,
1.2408 + state,
1.2409 + plContext);
1.2410 + if (subroutineErr) {
1.2411 + goto subrErrorCleanup;
1.2412 + }
1.2413 +
1.2414 + } else {
1.2415 + /*
1.2416 + * No descent (yet) for anyPolicy, but we will need
1.2417 + * the policyQualifiers for anyPolicy in 6.1.3(d)(2)
1.2418 + */
1.2419 + PKIX_DECREF(qualsOfAny);
1.2420 + PKIX_INCREF(policyQualifiers);
1.2421 + qualsOfAny = policyQualifiers;
1.2422 + certPoliciesIncludeAny =
PKIX_TRUE;
1.2423 + }
1.2424 + PKIX_DECREF(policy);
1.2425 + PKIX_DECREF(policyOID);
1.2426 + PKIX_DECREF(policyQualifiers);
1.2427 + }
1.2428 +
1.2429 + /* Section 6.1.3(d)(2) */
1.2430 + if (certPoliciesIncludeAny == PKIX_TRUE) {
1.2431 + if (state->inhibitAnyPolicy > 0) {
1.2432 + doAnyPolicyProcessing = PKIX_TRUE;
1.2433 + } else {
1.2434 + /* We haven't yet counted the current cert */
1.2435 + if (((state->certsProcessed) + 1) <
1.2436 + (state->numCerts)) {
1.2437 +
1.2438 + PKIX_CHECK(pkix_IsCertSelfIssued
1.2439 + (cert,
1.2440 + &doAnyPolicyProcessing,
1.2441 + plContext),
1.2442 + PKIX_ISCERTSELFISSUEDFAILED);
1.2443 + }
1.2444 + }
1.2445 + if (doAnyPolicyProcessing) {
1.2446 + subroutineErr = pkix_PolicyChecker_CheckAny
1.2447 + (state->validPolicyTree,
1.2448 + qualsOfAny,
1.2449 + policyMaps,
1.2450 + state,
1.2451 + plContext);
1.2452 + if (subroutineErr) {
1.2453 + goto subrErrorCleanup;
1.2454 + }
1.2455 + }
1.2456 + }
1.2457 +
1.2458 + /* Section 6.1.3(d)(3) */
1.2459 + if (state->validPolicyTree) {
1.2460 + subroutineErr = pkix_PolicyNode_Prune
1.2461 + (state->validPolicyTree,
1.2462 + state->certsProcessed + 1,
1.2463 + &shouldBePruned,
1.2464 + plContext);
1.2465 + if (subroutineErr) {
1.2466 + goto subrErrorCleanup;
1.2467 + }
1.2468 + if (shouldBePruned) {
1.2469 + PKIX_DECREF(state->validPolicyTree);
1.2470 + PKIX_DECREF(state->anyPolicyNodeAtBottom);
1.2471 + }
1.2472 + }
1.2473 +
1.2474 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2475 + ((PKIX_PL_Object *)state, plContext),
1.2476 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2477 +
1.2478 + } else {
1.2479 + /* Section 6.1.3(e) */
1.2480 + PKIX_DECREF(state->validPolicyTree);
1.2481 + PKIX_DECREF(state->anyPolicyNodeAtBottom);
1.2482 + PKIX_DECREF(state->newAnyPolicyNode);
1.2483 +
1.2484 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2485 + ((PKIX_PL_Object *)state, plContext),
1.2486 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2487 + }
1.2488 + }
1.2489 +
1.2490 + /* Section 6.1.3(f) */
1.2491 +
if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
1.2492 + PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
1.2493 + }
1.2494 +
1.2495 + /*
1.2496 + * Remove Policy OIDs from list of unresolved critical
1.2497 + * extensions, if present.
1.2498 + */
1.2499 + PKIX_CHECK(pkix_List_Remove
1.2500 + (unresolvedCriticals,
1.2501 + (PKIX_PL_Object *)state->certPoliciesExtension,
1.2502 + plContext),
1.2503 + PKIX_LISTREMOVEFAILED);
1.2504 +
1.2505 + PKIX_CHECK(pkix_List_Remove
1.2506 + (unresolvedCriticals,
1.2507 + (PKIX_PL_Object *)state->policyMappingsExtension,
1.2508 + plContext),
1.2509 + PKIX_LISTREMOVEFAILED);
1.2510 +
1.2511 + PKIX_CHECK(pkix_List_Remove
1.2512 + (unresolvedCriticals,
1.2513 + (PKIX_PL_Object *)state->policyConstraintsExtension,
1.2514 + plContext),
1.2515 + PKIX_LISTREMOVEFAILED);
1.2516 +
1.2517 + PKIX_CHECK(pkix_List_Remove
1.2518 + (unresolvedCriticals,
1.2519 + (PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
1.2520 + plContext),
1.2521 + PKIX_LISTREMOVEFAILED);
1.2522 +
1.2523 + state->certsProcessed++;
1.2524 +
1.2525 + /* If this was not the last certificate, do next-cert preparation */
1.2526 + if (state->certsProcessed != state->numCerts) {
1.2527 +
1.2528 + if (policyMaps) {
1.2529 + subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
1.2530 + (policyMaps,
1.2531 + certPoliciesIncludeAny,
1.2532 + qualsOfAny,
1.2533 + state,
1.2534 + plContext);
1.2535 + if (subroutineErr) {
1.2536 + goto subrErrorCleanup;
1.2537 + }
1.2538 + }
1.2539 +
1.2540 + /* update anyPolicyNodeAtBottom pointer */
1.2541 + PKIX_DECREF(state->anyPolicyNodeAtBottom);
1.2542 + state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
1.2543 + state->newAnyPolicyNode = NULL;
1.2544 +
1.2545 + /* Section 6.1.4(h) */
1.2546 + PKIX_CHECK(pkix_IsCertSelfIssued
1.2547 + (cert, &isSelfIssued, plContext),
1.2548 + PKIX_ISCERTSELFISSUEDFAILED);
1.2549 +
1.2550 + if (!isSelfIssued) {
1.2551 + if (state->explicitPolicy > 0) {
1.2552 +
state->explicitPolicy--;
1.2553 + }
1.2554 + if (state->policyMapping > 0) {
1.2555 + state->policyMapping--;
1.2556 + }
1.2557 + if (state->inhibitAnyPolicy > 0) {
1.2558 + state->inhibitAnyPolicy--;
1.2559 + }
1.2560 + }
1.2561 +
1.2562 + /* Section 6.1.4(i) */
1.2563 + PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
1.2564 + (cert, &explicitPolicySkipCerts, plContext),
1.2565 + PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
1.2566 +
1.2567 + if (explicitPolicySkipCerts != -1) {
1.2568 + if (((PKIX_UInt32)explicitPolicySkipCerts) <
1.2569 + (state->explicitPolicy)) {
1.2570 + state->explicitPolicy =
1.2571 + ((PKIX_UInt32) explicitPolicySkipCerts);
1.2572 + }
1.2573 + }
1.2574 +
1.2575 + PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
1.2576 + (cert, &inhibitMappingSkipCerts, plContext),
1.2577 + PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
1.2578 +
1.2579 + if (inhibitMappingSkipCerts != -1) {
1.2580 + if (((PKIX_UInt32)inhibitMappingSkipCerts) <
1.2581 + (state->policyMapping)) {
1.2582 + state->policyMapping =
1.2583 + ((PKIX_UInt32)inhibitMappingSkipCerts);
1.2584 + }
1.2585 + }
1.2586 +
1.2587 + PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
1.2588 + (cert, &inhibitAnyPolicySkipCerts, plContext),
1.2589 + PKIX_CERTGETINHIBITANYPOLICYFAILED);
1.2590 +
1.2591 + if (inhibitAnyPolicySkipCerts != -1) {
1.2592 + if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
1.2593 + (state->inhibitAnyPolicy)) {
1.2594 + state->inhibitAnyPolicy =
1.2595 + ((PKIX_UInt32)inhibitAnyPolicySkipCerts);
1.2596 + }
1.2597 + }
1.2598 +
1.2599 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.2600 + ((PKIX_PL_Object *)state, plContext),
1.2601 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.2602 +
1.2603 + } else { /* If this was the last certificate, do wrap-up processing */
1.2604 +
1.2605 + /* Section 6.1.5 */
1.2606 + subroutineErr = pkix_PolicyChecker_WrapUpProcessing
1.2607 + (cert, state, plContext);
1.2608 + if (subroutineErr) {
1.2609 + goto subrErrorCleanup;
1.2610 + }
1.2611 +
1.2612 + if ((0 ==
state->explicitPolicy) && (!state->validPolicyTree)) {
1.2613 + PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
1.2614 + }
1.2615 +
1.2616 + PKIX_DECREF(state->anyPolicyNodeAtBottom);
1.2617 + PKIX_DECREF(state->newAnyPolicyNode);
1.2618 + }
1.2619 +
1.2620 +
1.2621 + if (subroutineErr) {
1.2622 +
1.2623 +subrErrorCleanup:
1.2624 + /* We had an error. Was it a fatal error? */
1.2625 + pkixErrorClass = subroutineErr->errClass;
1.2626 + if (pkixErrorClass == PKIX_FATAL_ERROR) {
1.2627 + pkixErrorResult = subroutineErr;
1.2628 + subroutineErr = NULL;
1.2629 + goto cleanup;
1.2630 + }
1.2631 + /*
1.2632 + * Abort policy processing, and then determine whether
1.2633 + * we can continue without policy processing.
1.2634 + */
1.2635 + PKIX_DECREF(state->validPolicyTree);
1.2636 + PKIX_DECREF(state->anyPolicyNodeAtBottom);
1.2637 + PKIX_DECREF(state->newAnyPolicyNode);
1.2638 + if (state->explicitPolicy == 0) {
1.2639 + PKIX_ERROR
1.2640 + (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
1.2641 + }
1.2642 + }
1.2643 +
1.2644 + /* Checking is complete. Save state for the next certificate.
*/
1.2645 + PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
1.2646 + (checker, (PKIX_PL_Object *)state, plContext),
1.2647 + PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
1.2648 +
1.2649 +cleanup:
1.2650 +
1.2651 +#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
1.2652 + if (cert) {
1.2653 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2654 + ((PKIX_PL_Object*)cert, &certString, plContext),
1.2655 + PKIX_OBJECTTOSTRINGFAILED);
1.2656 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2657 + (certString,
1.2658 + PKIX_ESCASCII,
1.2659 + (void **)&certAscii,
1.2660 + &length,
1.2661 + plContext),
1.2662 + PKIX_STRINGGETENCODEDFAILED);
1.2663 + PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
1.2664 + PKIX_FREE(certAscii);
1.2665 + PKIX_DECREF(certString);
1.2666 + }
1.2667 + if (state) {
1.2668 + PKIX_CHECK(PKIX_PL_Object_ToString
1.2669 + ((PKIX_PL_Object*)state, &stateString, plContext),
1.2670 + PKIX_OBJECTTOSTRINGFAILED);
1.2671 + PKIX_CHECK(PKIX_PL_String_GetEncoded
1.2672 + (stateString,
1.2673 + PKIX_ESCASCII,
1.2674 + (void **)&stateAscii,
1.2675 + &length,
1.2676 + plContext),
1.2677 + PKIX_STRINGGETENCODEDFAILED);
1.2678 + PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
1.2679 + PKIX_FREE(stateAscii);
1.2680 + PKIX_DECREF(stateString);
1.2681 + }
1.2682 +#endif
1.2683 +
1.2684 + PKIX_DECREF(state);
1.2685 + PKIX_DECREF(certPolicyInfos);
1.2686 + PKIX_DECREF(policy);
1.2687 + PKIX_DECREF(qualsOfAny);
1.2688 + PKIX_DECREF(policyQualifiers);
1.2689 + PKIX_DECREF(policyOID);
1.2690 + PKIX_DECREF(subroutineErr);
1.2691 + PKIX_DECREF(policyMaps);
1.2692 + PKIX_DECREF(mappedPolicies);
1.2693 +
1.2694 + PKIX_RETURN(CERTCHAINCHECKER);
1.2695 +}
1.2696 +
1.2697 +/*
1.2698 + * FUNCTION: pkix_PolicyChecker_Initialize
1.2699 + * DESCRIPTION:
1.2700 + *
1.2701 + * Creates and initializes a PolicyChecker, using the List pointed to
1.2702 + * by "initialPolicies" for the user-initial-policy-set, the Boolean value
1.2703 + * of "policyQualifiersRejected" for the policyQualifiersRejected
parameter,
1.2704 + * the Boolean value of "initialPolicyMappingInhibit" for the
1.2705 + * inhibitPolicyMappings parameter, the Boolean value of
1.2706 + * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
1.2707 + * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
1.2708 + * parameter, and the UInt32 value of "numCerts" as the number of
1.2709 + * certificates in the chain; and stores the Checker at "pChecker".
1.2710 + *
1.2711 + * PARAMETERS:
1.2712 + * "initialPolicies"
1.2713 + * Address of List of OIDs comprising the user-initial-policy-set; the List
1.2714 + * may be empty or NULL
1.2715 + * "policyQualifiersRejected"
1.2716 + * Boolean value of the policyQualifiersRejected parameter
1.2717 + * "initialPolicyMappingInhibit"
1.2718 + * Boolean value of the inhibitPolicyMappings parameter
1.2719 + * "initialExplicitPolicy"
1.2720 + * Boolean value of the initialExplicitPolicy parameter
1.2721 + * "initialAnyPolicyInhibit"
1.2722 + * Boolean value of the inhibitAnyPolicy parameter
1.2723 + * "numCerts"
1.2724 + * Number of certificates in the chain to be validated
1.2725 + * "pChecker"
1.2726 + * Address to store the created PolicyChecker. Must be non-NULL.
1.2727 + * "plContext"
1.2728 + * Platform-specific context pointer.
1.2729 + * THREAD SAFETY:
1.2730 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.2731 + * RETURNS:
1.2732 + * Returns NULL if the function succeeds
1.2733 + * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1.2734 + * Returns a Fatal Error if the function fails in an unrecoverable way
1.2735 + */
1.2736 +PKIX_Error *
1.2737 +pkix_PolicyChecker_Initialize(
1.2738 + PKIX_List *initialPolicies,
1.2739 + PKIX_Boolean policyQualifiersRejected,
1.2740 + PKIX_Boolean initialPolicyMappingInhibit,
1.2741 + PKIX_Boolean initialExplicitPolicy,
1.2742 + PKIX_Boolean initialAnyPolicyInhibit,
1.2743 + PKIX_UInt32 numCerts,
1.2744 + PKIX_CertChainChecker **pChecker,
1.2745 + void *plContext)
1.2746 +{
1.2747 + PKIX_PolicyCheckerState *polCheckerState = NULL;
1.2748 + PKIX_List *policyExtensions = NULL; /* OIDs */
1.2749 + PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
1.2750 + PKIX_NULLCHECK_ONE(pChecker);
1.2751 +
1.2752 + PKIX_CHECK(pkix_PolicyCheckerState_Create
1.2753 + (initialPolicies,
1.2754 + policyQualifiersRejected,
1.2755 + initialPolicyMappingInhibit,
1.2756 + initialExplicitPolicy,
1.2757 + initialAnyPolicyInhibit,
1.2758 + numCerts,
1.2759 + &polCheckerState,
1.2760 + plContext),
1.2761 + PKIX_POLICYCHECKERSTATECREATEFAILED);
1.2762 +
1.2763 + /* Create the list of extensions that we handle */
1.2764 + PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
1.2765 + ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
1.2766 + PKIX_TRUE,
1.2767 + &policyExtensions,
1.2768 + plContext),
1.2769 + PKIX_POLICYCHECKERMAKESINGLETONFAILED);
1.2770 +
1.2771 + PKIX_CHECK(PKIX_CertChainChecker_Create
1.2772 + (pkix_PolicyChecker_Check,
1.2773 + PKIX_FALSE, /* forwardCheckingSupported */
1.2774 + PKIX_FALSE,
1.2775 + policyExtensions,
1.2776 + (PKIX_PL_Object *)polCheckerState,
1.2777 + pChecker,
1.2778 + plContext),
1.2779 + PKIX_CERTCHAINCHECKERCREATEFAILED);
1.2780 +
1.2781 +cleanup:
1.2782 +
PKIX_DECREF(polCheckerState);
1.2783 + PKIX_DECREF(policyExtensions);
1.2784 + PKIX_RETURN(CERTCHAINCHECKER);
1.2785 +
1.2786 +}