1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,870 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * pkix_crlselector.c
1.9 + *
1.10 + * CRLSelector Function Definitions
1.11 + *
1.12 + */
1.13 +
1.14 +#include "pkix_crlselector.h"
1.15 +
1.16 +/* --CRLSelector Private-Functions-------------------------------------- */
1.17 +
1.18 +/*
1.19 + * FUNCTION: pkix_CRLSelector_Destroy
1.20 + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
1.21 + */
1.22 +static PKIX_Error *
1.23 +pkix_CRLSelector_Destroy(
1.24 + PKIX_PL_Object *object,
1.25 + void *plContext)
1.26 +{
1.27 + PKIX_CRLSelector *selector = NULL;
1.28 +
1.29 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy");
1.30 + PKIX_NULLCHECK_ONE(object);
1.31 +
1.32 + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
1.33 + PKIX_OBJECTNOTCRLSELECTOR);
1.34 +
1.35 + selector = (PKIX_CRLSelector *)object;
1.36 +
1.37 + selector->matchCallback = NULL;
1.38 +
1.39 + PKIX_DECREF(selector->params);
1.40 + PKIX_DECREF(selector->context);
1.41 +
1.42 +cleanup:
1.43 +
1.44 + PKIX_RETURN(CRLSELECTOR);
1.45 +}
1.46 +
1.47 +/*
1.48 + * FUNCTION: pkix_CRLSelector_ToString_Helper
1.49 + *
1.50 + * DESCRIPTION:
1.51 + * Helper function that creates a string representation of CRLSelector
1.52 + * pointed to by "crlParams" and stores its address in the object pointed to
1.53 + * by "pString".
1.54 + *
1.55 + * PARAMETERS
1.56 + * "list"
1.57 + * Address of CRLSelector whose string representation is desired.
1.58 + * Must be non-NULL.
1.59 + * "pString"
1.60 + * Address of object pointer's destination. Must be non-NULL.
1.61 + * "plContext" - Platform-specific context pointer.
1.62 + *
1.63 + * THREAD SAFETY:
1.64 + * Conditionally Thread Safe
1.65 + * (see Thread Safety Definitions in Programmer's Guide)
1.66 + *
1.67 + * RETURNS:
1.68 + * Returns NULL if the function succeeds.
1.69 + * Returns a CRLSelector Error if the function fails in a non-fatal way.
1.70 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.71 + */
1.72 +static PKIX_Error *
1.73 +pkix_CRLSelector_ToString_Helper(
1.74 + PKIX_CRLSelector *crlSelector,
1.75 + PKIX_PL_String **pString,
1.76 + void *plContext)
1.77 +{
1.78 + PKIX_PL_String *crlSelectorString = NULL;
1.79 + PKIX_PL_String *formatString = NULL;
1.80 + PKIX_PL_String *crlParamsString = NULL;
1.81 + PKIX_PL_String *crlContextString = NULL;
1.82 + char *asciiFormat = NULL;
1.83 +
1.84 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper");
1.85 + PKIX_NULLCHECK_TWO(crlSelector, pString);
1.86 + PKIX_NULLCHECK_ONE(crlSelector->params);
1.87 +
1.88 + asciiFormat =
1.89 + "\n\t[\n"
1.90 + "\tMatchCallback: 0x%x\n"
1.91 + "\tParams: %s\n"
1.92 + "\tContext: %s\n"
1.93 + "\t]\n";
1.94 +
1.95 + PKIX_CHECK(PKIX_PL_String_Create
1.96 + (PKIX_ESCASCII,
1.97 + asciiFormat,
1.98 + 0,
1.99 + &formatString,
1.100 + plContext),
1.101 + PKIX_STRINGCREATEFAILED);
1.102 +
1.103 + /* Params */
1.104 + PKIX_TOSTRING
1.105 + ((PKIX_PL_Object *)crlSelector->params,
1.106 + &crlParamsString,
1.107 + plContext,
1.108 + PKIX_COMCRLSELPARAMSTOSTRINGFAILED);
1.109 +
1.110 + /* Context */
1.111 + PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext,
1.112 + PKIX_LISTTOSTRINGFAILED);
1.113 +
1.114 + PKIX_CHECK(PKIX_PL_Sprintf
1.115 + (&crlSelectorString,
1.116 + plContext,
1.117 + formatString,
1.118 + crlSelector->matchCallback,
1.119 + crlParamsString,
1.120 + crlContextString),
1.121 + PKIX_SPRINTFFAILED);
1.122 +
1.123 + *pString = crlSelectorString;
1.124 +
1.125 +cleanup:
1.126 +
1.127 + PKIX_DECREF(crlParamsString);
1.128 + PKIX_DECREF(crlContextString);
1.129 + PKIX_DECREF(formatString);
1.130 +
1.131 + PKIX_RETURN(CRLSELECTOR);
1.132 +}
1.133 +
1.134 +/*
1.135 + * FUNCTION: pkix_CRLSelector_ToString
1.136 + * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
1.137 + */
1.138 +static PKIX_Error *
1.139 +pkix_CRLSelector_ToString(
1.140 + PKIX_PL_Object *object,
1.141 + PKIX_PL_String **pString,
1.142 + void *plContext)
1.143 +{
1.144 + PKIX_PL_String *crlSelectorString = NULL;
1.145 + PKIX_CRLSelector *crlSelector = NULL;
1.146 +
1.147 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString");
1.148 + PKIX_NULLCHECK_TWO(object, pString);
1.149 +
1.150 + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
1.151 + PKIX_OBJECTNOTCRLSELECTOR);
1.152 +
1.153 + crlSelector = (PKIX_CRLSelector *) object;
1.154 +
1.155 + PKIX_CHECK(pkix_CRLSelector_ToString_Helper
1.156 + (crlSelector, &crlSelectorString, plContext),
1.157 + PKIX_CRLSELECTORTOSTRINGHELPERFAILED);
1.158 +
1.159 + *pString = crlSelectorString;
1.160 +
1.161 +cleanup:
1.162 +
1.163 + PKIX_RETURN(CRLSELECTOR);
1.164 +}
1.165 +
1.166 +/*
1.167 + * FUNCTION: pkix_CRLSelector_Hashcode
1.168 + * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
1.169 + */
1.170 +static PKIX_Error *
1.171 +pkix_CRLSelector_Hashcode(
1.172 + PKIX_PL_Object *object,
1.173 + PKIX_UInt32 *pHashcode,
1.174 + void *plContext)
1.175 +{
1.176 + PKIX_UInt32 paramsHash = 0;
1.177 + PKIX_UInt32 contextHash = 0;
1.178 + PKIX_UInt32 hash = 0;
1.179 +
1.180 + PKIX_CRLSelector *crlSelector = NULL;
1.181 +
1.182 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode");
1.183 + PKIX_NULLCHECK_TWO(object, pHashcode);
1.184 +
1.185 + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
1.186 + PKIX_OBJECTNOTCRLSELECTOR);
1.187 +
1.188 + crlSelector = (PKIX_CRLSelector *)object;
1.189 +
1.190 + PKIX_HASHCODE(crlSelector->params, ¶msHash, plContext,
1.191 + PKIX_OBJECTHASHCODEFAILED);
1.192 +
1.193 + PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
1.194 + PKIX_OBJECTHASHCODEFAILED);
1.195 +
1.196 + hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
1.197 + (contextHash << 3)) + paramsHash;
1.198 +
1.199 + *pHashcode = hash;
1.200 +
1.201 +cleanup:
1.202 +
1.203 + PKIX_RETURN(CRLSELECTOR);
1.204 +}
1.205 +
1.206 +/*
1.207 + * FUNCTION: pkix_CRLSelector_Equals
1.208 + * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
1.209 + */
1.210 +static PKIX_Error *
1.211 +pkix_CRLSelector_Equals(
1.212 + PKIX_PL_Object *firstObject,
1.213 + PKIX_PL_Object *secondObject,
1.214 + PKIX_Boolean *pResult,
1.215 + void *plContext)
1.216 +{
1.217 + PKIX_CRLSelector *firstCrlSelector = NULL;
1.218 + PKIX_CRLSelector *secondCrlSelector = NULL;
1.219 + PKIX_UInt32 secondType;
1.220 + PKIX_Boolean cmpResult = PKIX_FALSE;
1.221 +
1.222 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals");
1.223 + PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
1.224 +
1.225 + /* test that firstObject is a CRLSelector */
1.226 + PKIX_CHECK(pkix_CheckType
1.227 + (firstObject, PKIX_CRLSELECTOR_TYPE, plContext),
1.228 + PKIX_FIRSTOBJECTNOTCRLSELECTOR);
1.229 +
1.230 + firstCrlSelector = (PKIX_CRLSelector *)firstObject;
1.231 + secondCrlSelector = (PKIX_CRLSelector *)secondObject;
1.232 +
1.233 + /*
1.234 + * Since we know firstObject is a CRLSelector, if both references are
1.235 + * identical, they must be equal
1.236 + */
1.237 + if (firstCrlSelector == secondCrlSelector){
1.238 + *pResult = PKIX_TRUE;
1.239 + goto cleanup;
1.240 + }
1.241 +
1.242 + /*
1.243 + * If secondCRLSelector isn't a CRLSelector, we don't throw an error.
1.244 + * We simply return a Boolean result of FALSE
1.245 + */
1.246 + *pResult = PKIX_FALSE;
1.247 + PKIX_CHECK(PKIX_PL_Object_GetType
1.248 + ((PKIX_PL_Object *)secondCrlSelector,
1.249 + &secondType,
1.250 + plContext),
1.251 + PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
1.252 +
1.253 + if (secondType != PKIX_CRLSELECTOR_TYPE) {
1.254 + goto cleanup;
1.255 + }
1.256 +
1.257 + /* Compare MatchCallback address */
1.258 + cmpResult = (firstCrlSelector->matchCallback ==
1.259 + secondCrlSelector->matchCallback);
1.260 +
1.261 + if (cmpResult == PKIX_FALSE) {
1.262 + goto cleanup;
1.263 + }
1.264 +
1.265 + /* Compare Common CRL Selector Params */
1.266 + PKIX_EQUALS
1.267 + (firstCrlSelector->params,
1.268 + secondCrlSelector->params,
1.269 + &cmpResult,
1.270 + plContext,
1.271 + PKIX_COMCRLSELPARAMSEQUALSFAILED);
1.272 +
1.273 +
1.274 + if (cmpResult == PKIX_FALSE) {
1.275 + goto cleanup;
1.276 + }
1.277 +
1.278 + /* Compare Context */
1.279 + PKIX_EQUALS
1.280 + (firstCrlSelector->context,
1.281 + secondCrlSelector->context,
1.282 + &cmpResult,
1.283 + plContext,
1.284 + PKIX_COMCRLSELPARAMSEQUALSFAILED);
1.285 +
1.286 + *pResult = cmpResult;
1.287 +
1.288 +cleanup:
1.289 +
1.290 + PKIX_RETURN(CRLSELECTOR);
1.291 +}
1.292 +
1.293 +/*
1.294 + * FUNCTION: pkix_CRLSelector_Duplicate
1.295 + * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
1.296 + */
1.297 +static PKIX_Error *
1.298 +pkix_CRLSelector_Duplicate(
1.299 + PKIX_PL_Object *object,
1.300 + PKIX_PL_Object **pNewObject,
1.301 + void *plContext)
1.302 +{
1.303 + PKIX_CRLSelector *old;
1.304 + PKIX_CRLSelector *new = NULL;
1.305 +
1.306 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate");
1.307 + PKIX_NULLCHECK_TWO(object, pNewObject);
1.308 +
1.309 + PKIX_CHECK(pkix_CheckType
1.310 + (object, PKIX_CRLSELECTOR_TYPE, plContext),
1.311 + PKIX_OBJECTNOTCRLSELECTOR);
1.312 +
1.313 + old = (PKIX_CRLSelector *)object;
1.314 +
1.315 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.316 + (PKIX_CRLSELECTOR_TYPE,
1.317 + (PKIX_UInt32)(sizeof (PKIX_CRLSelector)),
1.318 + (PKIX_PL_Object **)&new,
1.319 + plContext),
1.320 + PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED);
1.321 +
1.322 + new->matchCallback = old->matchCallback;
1.323 +
1.324 + PKIX_DUPLICATE(old->params, &new->params, plContext,
1.325 + PKIX_OBJECTDUPLICATEPARAMSFAILED);
1.326 +
1.327 + PKIX_DUPLICATE(old->context, &new->context, plContext,
1.328 + PKIX_OBJECTDUPLICATECONTEXTFAILED);
1.329 +
1.330 + *pNewObject = (PKIX_PL_Object *)new;
1.331 +
1.332 +cleanup:
1.333 +
1.334 + if (PKIX_ERROR_RECEIVED){
1.335 + PKIX_DECREF(new);
1.336 + }
1.337 +
1.338 + PKIX_RETURN(CRLSELECTOR);
1.339 +}
1.340 +
1.341 +/*
1.342 + * FUNCTION: pkix_CRLSelector_DefaultMatch
1.343 + *
1.344 + * DESCRIPTION:
1.345 + * This function compares the parameter values (Issuer, date, and CRL number)
1.346 + * set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with
1.347 + * the corresponding values in the CRL pointed to by "crl". When all the
1.348 + * criteria set in the parameter values match the values in "crl", PKIX_TRUE is
1.349 + * stored at "pMatch". If the CRL does not match the CRLSelector's criteria,
1.350 + * PKIX_FALSE is stored at "pMatch".
1.351 + *
1.352 + * PARAMETERS
1.353 + * "selector"
1.354 + * Address of CRLSelector which is verified for a match
1.355 + * Must be non-NULL.
1.356 + * "crl"
1.357 + * Address of the CRL object to be verified. Must be non-NULL.
1.358 + * "pMatch"
1.359 + * Address at which Boolean result is stored. Must be non-NULL.
1.360 + * "plContext"
1.361 + * Platform-specific context pointer.
1.362 + *
1.363 + * THREAD SAFETY:
1.364 + * Conditionally Thread Safe
1.365 + * (see Thread Safety Definitions in Programmer's Guide)
1.366 + *
1.367 + * RETURNS:
1.368 + * Returns NULL if the function succeeds.
1.369 + * Returns a CRLSelector Error if the function fails in a non-fatal way.
1.370 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.371 + */
1.372 +static PKIX_Error *
1.373 +pkix_CRLSelector_DefaultMatch(
1.374 + PKIX_CRLSelector *selector,
1.375 + PKIX_PL_CRL *crl,
1.376 + PKIX_Boolean *pMatch,
1.377 + void *plContext)
1.378 +{
1.379 + PKIX_ComCRLSelParams *params = NULL;
1.380 + PKIX_PL_X500Name *crlIssuerName = NULL;
1.381 + PKIX_PL_X500Name *issuerName = NULL;
1.382 + PKIX_List *selIssuerNames = NULL;
1.383 + PKIX_PL_Date *selDate = NULL;
1.384 + PKIX_Boolean result = PKIX_TRUE;
1.385 + PKIX_UInt32 numIssuers = 0;
1.386 + PKIX_UInt32 i;
1.387 + PKIX_PL_BigInt *minCRLNumber = NULL;
1.388 + PKIX_PL_BigInt *maxCRLNumber = NULL;
1.389 + PKIX_PL_BigInt *crlNumber = NULL;
1.390 + PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;
1.391 +
1.392 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
1.393 + PKIX_NULLCHECK_TWO(selector, crl);
1.394 +
1.395 + *pMatch = PKIX_TRUE;
1.396 + params = selector->params;
1.397 +
1.398 + /* No matching parameter provided, just a match */
1.399 + if (params == NULL) {
1.400 + goto cleanup;
1.401 + }
1.402 +
1.403 + PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
1.404 + (params, &selIssuerNames, plContext),
1.405 + PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
1.406 +
1.407 + /* Check for Issuers */
1.408 + if (selIssuerNames != NULL){
1.409 +
1.410 + result = PKIX_FALSE;
1.411 +
1.412 + PKIX_CHECK(PKIX_PL_CRL_GetIssuer
1.413 + (crl, &crlIssuerName, plContext),
1.414 + PKIX_CRLGETISSUERFAILED);
1.415 +
1.416 + PKIX_CHECK(PKIX_List_GetLength
1.417 + (selIssuerNames, &numIssuers, plContext),
1.418 + PKIX_LISTGETLENGTHFAILED);
1.419 +
1.420 + for (i = 0; i < numIssuers; i++){
1.421 +
1.422 + PKIX_CHECK(PKIX_List_GetItem
1.423 + (selIssuerNames,
1.424 + i,
1.425 + (PKIX_PL_Object **)&issuerName,
1.426 + plContext),
1.427 + PKIX_LISTGETITEMFAILED);
1.428 +
1.429 + PKIX_CHECK(PKIX_PL_X500Name_Match
1.430 + (crlIssuerName,
1.431 + issuerName,
1.432 + &result,
1.433 + plContext),
1.434 + PKIX_X500NAMEMATCHFAILED);
1.435 +
1.436 + PKIX_DECREF(issuerName);
1.437 +
1.438 + if (result == PKIX_TRUE) {
1.439 + break;
1.440 + }
1.441 + }
1.442 +
1.443 + if (result == PKIX_FALSE) {
1.444 + PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N");
1.445 + *pMatch = PKIX_FALSE;
1.446 + goto cleanup;
1.447 + }
1.448 +
1.449 + }
1.450 +
1.451 + PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime
1.452 + (params, &selDate, plContext),
1.453 + PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED);
1.454 +
1.455 + /* Check for Date */
1.456 + if (selDate != NULL){
1.457 +
1.458 + PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
1.459 + (params, &nistPolicyEnabled, plContext),
1.460 + PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);
1.461 +
1.462 + /* check crl dates only for if NIST policies enforced */
1.463 + if (nistPolicyEnabled) {
1.464 + result = PKIX_FALSE;
1.465 +
1.466 + PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
1.467 + (crl, selDate, &result, plContext),
1.468 + PKIX_CRLVERIFYUPDATETIMEFAILED);
1.469 +
1.470 + if (result == PKIX_FALSE) {
1.471 + *pMatch = PKIX_FALSE;
1.472 + goto cleanup;
1.473 + }
1.474 + }
1.475 +
1.476 + }
1.477 +
1.478 + /* Check for CRL number in range */
1.479 + PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext),
1.480 + PKIX_CRLGETCRLNUMBERFAILED);
1.481 +
1.482 + if (crlNumber != NULL) {
1.483 + result = PKIX_FALSE;
1.484 +
1.485 + PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber
1.486 + (params, &minCRLNumber, plContext),
1.487 + PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED);
1.488 +
1.489 + if (minCRLNumber != NULL) {
1.490 +
1.491 + PKIX_CHECK(PKIX_PL_Object_Compare
1.492 + ((PKIX_PL_Object *)minCRLNumber,
1.493 + (PKIX_PL_Object *)crlNumber,
1.494 + &result,
1.495 + plContext),
1.496 + PKIX_OBJECTCOMPARATORFAILED);
1.497 +
1.498 + if (result == 1) {
1.499 + PKIX_CRLSELECTOR_DEBUG
1.500 + ("CRL MinNumber Range Match Failed\n");
1.501 + *pMatch = PKIX_FALSE;
1.502 + goto cleanup;
1.503 + }
1.504 + }
1.505 +
1.506 + PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber
1.507 + (params, &maxCRLNumber, plContext),
1.508 + PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED);
1.509 +
1.510 + if (maxCRLNumber != NULL) {
1.511 +
1.512 + PKIX_CHECK(PKIX_PL_Object_Compare
1.513 + ((PKIX_PL_Object *)crlNumber,
1.514 + (PKIX_PL_Object *)maxCRLNumber,
1.515 + &result,
1.516 + plContext),
1.517 + PKIX_OBJECTCOMPARATORFAILED);
1.518 +
1.519 + if (result == 1) {
1.520 + PKIX_CRLSELECTOR_DEBUG
1.521 + (PKIX_CRLMAXNUMBERRANGEMATCHFAILED);
1.522 + *pMatch = PKIX_FALSE;
1.523 + goto cleanup;
1.524 + }
1.525 + }
1.526 + }
1.527 +
1.528 +cleanup:
1.529 +
1.530 + PKIX_DECREF(selIssuerNames);
1.531 + PKIX_DECREF(selDate);
1.532 + PKIX_DECREF(crlIssuerName);
1.533 + PKIX_DECREF(issuerName);
1.534 + PKIX_DECREF(crlNumber);
1.535 + PKIX_DECREF(minCRLNumber);
1.536 + PKIX_DECREF(maxCRLNumber);
1.537 +
1.538 + PKIX_RETURN(CRLSELECTOR);
1.539 +}
1.540 +
1.541 +/*
1.542 + * FUNCTION: pkix_CRLSelector_RegisterSelf
1.543 + * DESCRIPTION:
1.544 + * Registers PKIX_CRLSELECTOR_TYPE and its related functions with
1.545 + * systemClasses[]
1.546 + * THREAD SAFETY:
1.547 + * Not Thread Safe - for performance and complexity reasons
1.548 + *
1.549 + * Since this function is only called by PKIX_PL_Initialize, which should
1.550 + * only be called once, it is acceptable that this function is not
1.551 + * thread-safe.
1.552 + */
1.553 +PKIX_Error *
1.554 +pkix_CRLSelector_RegisterSelf(void *plContext)
1.555 +{
1.556 + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1.557 + pkix_ClassTable_Entry entry;
1.558 +
1.559 + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf");
1.560 +
1.561 + entry.description = "CRLSelector";
1.562 + entry.objCounter = 0;
1.563 + entry.typeObjectSize = sizeof(PKIX_CRLSelector);
1.564 + entry.destructor = pkix_CRLSelector_Destroy;
1.565 + entry.equalsFunction = pkix_CRLSelector_Equals;
1.566 + entry.hashcodeFunction = pkix_CRLSelector_Hashcode;
1.567 + entry.toStringFunction = pkix_CRLSelector_ToString;
1.568 + entry.comparator = NULL;
1.569 + entry.duplicateFunction = pkix_CRLSelector_Duplicate;
1.570 +
1.571 + systemClasses[PKIX_CRLSELECTOR_TYPE] = entry;
1.572 +
1.573 + PKIX_RETURN(CRLSELECTOR);
1.574 +}
1.575 +
1.576 +/* --CRLSelector-Public-Functions---------------------------------------- */
1.577 +PKIX_Error *
1.578 +pkix_CRLSelector_Create(
1.579 + PKIX_CRLSelector_MatchCallback callback,
1.580 + PKIX_PL_Object *crlSelectorContext,
1.581 + PKIX_CRLSelector **pSelector,
1.582 + void *plContext)
1.583 +{
1.584 + PKIX_CRLSelector *selector = NULL;
1.585 +
1.586 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create");
1.587 + PKIX_NULLCHECK_ONE(pSelector);
1.588 +
1.589 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.590 + (PKIX_CRLSELECTOR_TYPE,
1.591 + sizeof (PKIX_CRLSelector),
1.592 + (PKIX_PL_Object **)&selector,
1.593 + plContext),
1.594 + PKIX_COULDNOTCREATECRLSELECTOROBJECT);
1.595 +
1.596 + /*
1.597 + * if user specified a particular match callback, we use that one.
1.598 + * otherwise, we use the default match provided.
1.599 + */
1.600 +
1.601 + if (callback != NULL){
1.602 + selector->matchCallback = callback;
1.603 + } else {
1.604 + selector->matchCallback = pkix_CRLSelector_DefaultMatch;
1.605 + }
1.606 +
1.607 + /* initialize other fields */
1.608 + selector->params = NULL;
1.609 +
1.610 + PKIX_INCREF(crlSelectorContext);
1.611 + selector->context = crlSelectorContext;
1.612 +
1.613 + *pSelector = selector;
1.614 + selector = NULL;
1.615 +
1.616 +cleanup:
1.617 +
1.618 + PKIX_DECREF(selector);
1.619 +
1.620 + PKIX_RETURN(CRLSELECTOR);
1.621 +}
1.622 +
1.623 +/*
1.624 + * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h)
1.625 + */
1.626 +PKIX_Error *
1.627 +PKIX_CRLSelector_Create(
1.628 + PKIX_PL_Cert *issuer,
1.629 + PKIX_List *crldpList,
1.630 + PKIX_PL_Date *date,
1.631 + PKIX_CRLSelector **pCrlSelector,
1.632 + void *plContext)
1.633 +{
1.634 + PKIX_PL_X500Name *issuerName = NULL;
1.635 + PKIX_PL_Date *nowDate = NULL;
1.636 + PKIX_ComCRLSelParams *comCrlSelParams = NULL;
1.637 + PKIX_CRLSelector *crlSelector = NULL;
1.638 +
1.639 + PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create");
1.640 + PKIX_NULLCHECK_ONE(issuer);
1.641 +
1.642 + PKIX_CHECK(
1.643 + PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext),
1.644 + PKIX_CERTGETISSUERFAILED);
1.645 +
1.646 + if (date != NULL) {
1.647 + PKIX_INCREF(date);
1.648 + nowDate = date;
1.649 + } else {
1.650 + PKIX_CHECK(
1.651 + PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext),
1.652 + PKIX_DATECREATEUTCTIMEFAILED);
1.653 + }
1.654 +
1.655 + PKIX_CHECK(
1.656 + PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext),
1.657 + PKIX_COMCRLSELPARAMSCREATEFAILED);
1.658 +
1.659 + PKIX_CHECK(
1.660 + PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName,
1.661 + plContext),
1.662 + PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
1.663 +
1.664 + PKIX_CHECK(
1.665 + PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList,
1.666 + plContext),
1.667 + PKIX_COMCRLSELPARAMSSETCERTFAILED);
1.668 +
1.669 + PKIX_CHECK(
1.670 + PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate,
1.671 + plContext),
1.672 + PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
1.673 +
1.674 + PKIX_CHECK(
1.675 + pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext),
1.676 + PKIX_CRLSELECTORCREATEFAILED);
1.677 +
1.678 + PKIX_CHECK(
1.679 + PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector,
1.680 + comCrlSelParams,
1.681 + plContext),
1.682 + PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
1.683 +
1.684 + *pCrlSelector = crlSelector;
1.685 + crlSelector = NULL;
1.686 +
1.687 +cleanup:
1.688 +
1.689 + PKIX_DECREF(issuerName);
1.690 + PKIX_DECREF(nowDate);
1.691 + PKIX_DECREF(comCrlSelParams);
1.692 + PKIX_DECREF(crlSelector);
1.693 +
1.694 + PKIX_RETURN(CERTCHAINCHECKER);
1.695 +}
1.696 +
1.697 +/*
1.698 + * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h)
1.699 + */
1.700 +PKIX_Error *
1.701 +PKIX_CRLSelector_GetMatchCallback(
1.702 + PKIX_CRLSelector *selector,
1.703 + PKIX_CRLSelector_MatchCallback *pCallback,
1.704 + void *plContext)
1.705 +{
1.706 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback");
1.707 + PKIX_NULLCHECK_TWO(selector, pCallback);
1.708 +
1.709 + *pCallback = selector->matchCallback;
1.710 +
1.711 + PKIX_RETURN(CRLSELECTOR);
1.712 +}
1.713 +
1.714 +
1.715 +/*
1.716 + * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
1.717 + * (see comments in pkix_crlsel.h)
1.718 + */
1.719 +PKIX_Error *
1.720 +PKIX_CRLSelector_GetCRLSelectorContext(
1.721 + PKIX_CRLSelector *selector,
1.722 + void **pCrlSelectorContext,
1.723 + void *plContext)
1.724 +{
1.725 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext");
1.726 + PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext);
1.727 +
1.728 + PKIX_INCREF(selector->context);
1.729 +
1.730 + *pCrlSelectorContext = selector->context;
1.731 +
1.732 +cleanup:
1.733 + PKIX_RETURN(CRLSELECTOR);
1.734 +}
1.735 +
1.736 +/*
1.737 + * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
1.738 + * (see comments in pkix_crlsel.h)
1.739 + */
1.740 +PKIX_Error *
1.741 +PKIX_CRLSelector_GetCommonCRLSelectorParams(
1.742 + PKIX_CRLSelector *selector,
1.743 + PKIX_ComCRLSelParams **pParams,
1.744 + void *plContext)
1.745 +{
1.746 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams");
1.747 + PKIX_NULLCHECK_TWO(selector, pParams);
1.748 +
1.749 + PKIX_INCREF(selector->params);
1.750 +
1.751 + *pParams = selector->params;
1.752 +
1.753 +cleanup:
1.754 + PKIX_RETURN(CRLSELECTOR);
1.755 +}
1.756 +
1.757 +/*
1.758 + * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
1.759 + * (see comments in pkix_crlsel.h)
1.760 + */
1.761 +PKIX_Error *
1.762 +PKIX_CRLSelector_SetCommonCRLSelectorParams(
1.763 + PKIX_CRLSelector *selector,
1.764 + PKIX_ComCRLSelParams *params,
1.765 + void *plContext)
1.766 +{
1.767 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams");
1.768 + PKIX_NULLCHECK_TWO(selector, params);
1.769 +
1.770 + PKIX_DECREF(selector->params);
1.771 +
1.772 + PKIX_INCREF(params);
1.773 + selector->params = params;
1.774 +
1.775 + PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1.776 + ((PKIX_PL_Object *)selector, plContext),
1.777 + PKIX_OBJECTINVALIDATECACHEFAILED);
1.778 +
1.779 +cleanup:
1.780 +
1.781 + PKIX_RETURN(CRLSELECTOR);
1.782 +}
1.783 +
1.784 +/*
1.785 + * FUNCTION: pkix_CRLSelector_Select
1.786 + * DESCRIPTION:
1.787 + *
1.788 + * This function applies the selector pointed to by "selector" to each CRL,
1.789 + * in turn, in the List pointed to by "before", and creates a List containing
1.790 + * all the CRLs that matched, or passed the selection process, storing that
1.791 + * List at "pAfter". If no CRLs match, an empty List is stored at "pAfter".
1.792 + *
1.793 + * The List returned in "pAfter" is immutable.
1.794 + *
1.795 + * PARAMETERS:
1.796 + * "selector"
1.797 + * Address of CRLSelelector to be applied to the List. Must be non-NULL.
1.798 + * "before"
1.799 + * Address of List that is to be filtered. Must be non-NULL.
1.800 + * "pAfter"
1.801 + * Address at which resulting List, possibly empty, is stored. Must be
1.802 + * non-NULL.
1.803 + * "plContext"
1.804 + * Platform-specific context pointer.
1.805 + * THREAD SAFETY:
1.806 + * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1.807 + * RETURNS:
1.808 + * Returns NULL if the function succeeds.
1.809 + * Returns a CRLSelector Error if the function fails in a non-fatal way.
1.810 + * Returns a Fatal Error if the function fails in an unrecoverable way.
1.811 + */
1.812 +PKIX_Error *
1.813 +pkix_CRLSelector_Select(
1.814 + PKIX_CRLSelector *selector,
1.815 + PKIX_List *before,
1.816 + PKIX_List **pAfter,
1.817 + void *plContext)
1.818 +{
1.819 + PKIX_Boolean match = PKIX_FALSE;
1.820 + PKIX_UInt32 numBefore = 0;
1.821 + PKIX_UInt32 i = 0;
1.822 + PKIX_List *filtered = NULL;
1.823 + PKIX_PL_CRL *candidate = NULL;
1.824 +
1.825 + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select");
1.826 + PKIX_NULLCHECK_THREE(selector, before, pAfter);
1.827 +
1.828 + PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
1.829 + PKIX_LISTCREATEFAILED);
1.830 +
1.831 + PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
1.832 + PKIX_LISTGETLENGTHFAILED);
1.833 +
1.834 + for (i = 0; i < numBefore; i++) {
1.835 +
1.836 + PKIX_CHECK(PKIX_List_GetItem
1.837 + (before, i, (PKIX_PL_Object **)&candidate, plContext),
1.838 + PKIX_LISTGETITEMFAILED);
1.839 +
1.840 + PKIX_CHECK_ONLY_FATAL(selector->matchCallback
1.841 + (selector, candidate, &match, plContext),
1.842 + PKIX_CRLSELECTORMATCHCALLBACKFAILED);
1.843 +
1.844 + if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) {
1.845 +
1.846 + PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
1.847 + (filtered,
1.848 + (PKIX_PL_Object *)candidate,
1.849 + plContext),
1.850 + PKIX_LISTAPPENDITEMFAILED);
1.851 + }
1.852 +
1.853 + pkixTempErrorReceived = PKIX_FALSE;
1.854 + PKIX_DECREF(candidate);
1.855 + }
1.856 +
1.857 + PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
1.858 + PKIX_LISTSETIMMUTABLEFAILED);
1.859 +
1.860 + /* Don't throw away the list if one CRL was bad! */
1.861 + pkixTempErrorReceived = PKIX_FALSE;
1.862 +
1.863 + *pAfter = filtered;
1.864 + filtered = NULL;
1.865 +
1.866 +cleanup:
1.867 +
1.868 + PKIX_DECREF(filtered);
1.869 + PKIX_DECREF(candidate);
1.870 +
1.871 + PKIX_RETURN(CRLSELECTOR);
1.872 +
1.873 +}
