1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,525 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +/*
1.8 + * pkix_trustanchor.c
1.9 + *
1.10 + * TrustAnchor Object Functions
1.11 + *
1.12 + */
1.13 +
1.14 +#include "pkix_trustanchor.h"
1.15 +
1.16 +/* --Private-Functions-------------------------------------------- */
1.17 +
1.18 +/*
1.19 + * FUNCTION: pkix_TrustAnchor_Destroy
1.20 + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
1.21 + */
1.22 +static PKIX_Error *
1.23 +pkix_TrustAnchor_Destroy(
1.24 + PKIX_PL_Object *object,
1.25 + void *plContext)
1.26 +{
1.27 + PKIX_TrustAnchor *anchor = NULL;
1.28 +
1.29 + PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Destroy");
1.30 + PKIX_NULLCHECK_ONE(object);
1.31 +
1.32 + /* Check that this object is a trust anchor */
1.33 + PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
1.34 + PKIX_OBJECTNOTTRUSTANCHOR);
1.35 +
1.36 + anchor = (PKIX_TrustAnchor *)object;
1.37 +
1.38 + PKIX_DECREF(anchor->trustedCert);
1.39 + PKIX_DECREF(anchor->caName);
1.40 + PKIX_DECREF(anchor->caPubKey);
1.41 + PKIX_DECREF(anchor->nameConstraints);
1.42 +
1.43 +cleanup:
1.44 +
1.45 + PKIX_RETURN(TRUSTANCHOR);
1.46 +}
1.47 +
1.48 +/*
1.49 + * FUNCTION: pkix_TrustAnchor_Equals
1.50 + * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
1.51 + */
1.52 +static PKIX_Error *
1.53 +pkix_TrustAnchor_Equals(
1.54 + PKIX_PL_Object *first,
1.55 + PKIX_PL_Object *second,
1.56 + PKIX_Boolean *pResult,
1.57 + void *plContext)
1.58 +{
1.59 + PKIX_UInt32 secondType;
1.60 + PKIX_Boolean cmpResult;
1.61 + PKIX_TrustAnchor *firstAnchor = NULL;
1.62 + PKIX_TrustAnchor *secondAnchor = NULL;
1.63 + PKIX_PL_Cert *firstCert = NULL;
1.64 + PKIX_PL_Cert *secondCert = NULL;
1.65 +
1.66 + PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Equals");
1.67 + PKIX_NULLCHECK_THREE(first, second, pResult);
1.68 +
1.69 + PKIX_CHECK(pkix_CheckType(first, PKIX_TRUSTANCHOR_TYPE, plContext),
1.70 + PKIX_FIRSTOBJECTNOTTRUSTANCHOR);
1.71 +
1.72 + PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
1.73 + PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
1.74 +
1.75 + *pResult = PKIX_FALSE;
1.76 +
1.77 + if (secondType != PKIX_TRUSTANCHOR_TYPE) goto cleanup;
1.78 +
1.79 + firstAnchor = (PKIX_TrustAnchor *)first;
1.80 + secondAnchor = (PKIX_TrustAnchor *)second;
1.81 +
1.82 + firstCert = firstAnchor->trustedCert;
1.83 + secondCert = secondAnchor->trustedCert;
1.84 +
1.85 + if ((firstCert && !secondCert) || (!firstCert && secondCert)){
1.86 + goto cleanup;
1.87 + }
1.88 +
1.89 + if (firstCert && secondCert){
1.90 + PKIX_CHECK(PKIX_PL_Object_Equals
1.91 + ((PKIX_PL_Object *)firstCert,
1.92 + (PKIX_PL_Object *)secondCert,
1.93 + &cmpResult,
1.94 + plContext),
1.95 + PKIX_OBJECTEQUALSFAILED);
1.96 + } else {
1.97 + PKIX_CHECK(PKIX_PL_Object_Equals
1.98 + ((PKIX_PL_Object *)firstAnchor->caName,
1.99 + (PKIX_PL_Object *)secondAnchor->caName,
1.100 + &cmpResult,
1.101 + plContext),
1.102 + PKIX_OBJECTEQUALSFAILED);
1.103 +
1.104 + if (!cmpResult) goto cleanup;
1.105 +
1.106 + PKIX_CHECK(PKIX_PL_Object_Equals
1.107 + ((PKIX_PL_Object *)firstAnchor->caPubKey,
1.108 + (PKIX_PL_Object *)secondAnchor->caPubKey,
1.109 + &cmpResult,
1.110 + plContext),
1.111 + PKIX_OBJECTEQUALSFAILED);
1.112 +
1.113 + if (!cmpResult) goto cleanup;
1.114 +
1.115 + PKIX_EQUALS
1.116 + (firstAnchor->nameConstraints,
1.117 + secondAnchor->nameConstraints,
1.118 + &cmpResult,
1.119 + plContext,
1.120 + PKIX_OBJECTEQUALSFAILED);
1.121 +
1.122 + if (!cmpResult) goto cleanup;
1.123 +
1.124 + }
1.125 +
1.126 + *pResult = cmpResult;
1.127 +
1.128 +cleanup:
1.129 +
1.130 + PKIX_RETURN(TRUSTANCHOR);
1.131 +}
1.132 +
1.133 +/*
1.134 + * FUNCTION: pkix_TrustAnchor_Hashcode
1.135 + * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
1.136 + */
1.137 +static PKIX_Error *
1.138 +pkix_TrustAnchor_Hashcode(
1.139 + PKIX_PL_Object *object,
1.140 + PKIX_UInt32 *pHashcode,
1.141 + void *plContext)
1.142 +{
1.143 + PKIX_TrustAnchor *anchor = NULL;
1.144 + PKIX_PL_Cert *cert = NULL;
1.145 + PKIX_UInt32 hash = 0;
1.146 + PKIX_UInt32 certHash = 0;
1.147 + PKIX_UInt32 nameHash = 0;
1.148 + PKIX_UInt32 pubKeyHash = 0;
1.149 + PKIX_UInt32 ncHash = 0;
1.150 +
1.151 + PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Hashcode");
1.152 + PKIX_NULLCHECK_TWO(object, pHashcode);
1.153 +
1.154 + PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
1.155 + PKIX_OBJECTNOTTRUSTANCHOR);
1.156 +
1.157 + anchor = (PKIX_TrustAnchor*)object;
1.158 + cert = anchor->trustedCert;
1.159 +
1.160 + if (cert){
1.161 + PKIX_CHECK(PKIX_PL_Object_Hashcode
1.162 + ((PKIX_PL_Object *)cert,
1.163 + &certHash,
1.164 + plContext),
1.165 + PKIX_OBJECTHASHCODEFAILED);
1.166 +
1.167 + hash = certHash;
1.168 +
1.169 + } else {
1.170 + PKIX_CHECK(PKIX_PL_Object_Hashcode
1.171 + ((PKIX_PL_Object *)anchor->caName,
1.172 + &nameHash,
1.173 + plContext),
1.174 + PKIX_OBJECTHASHCODEFAILED);
1.175 +
1.176 + PKIX_CHECK(PKIX_PL_Object_Hashcode
1.177 + ((PKIX_PL_Object *)anchor->caPubKey,
1.178 + &pubKeyHash,
1.179 + plContext),
1.180 + PKIX_OBJECTHASHCODEFAILED);
1.181 +
1.182 + PKIX_HASHCODE(anchor->nameConstraints, &ncHash, plContext,
1.183 + PKIX_OBJECTHASHCODEFAILED);
1.184 +
1.185 + hash = 31 * nameHash + pubKeyHash + ncHash;
1.186 +
1.187 + }
1.188 +
1.189 + *pHashcode = hash;
1.190 +
1.191 +cleanup:
1.192 +
1.193 + PKIX_RETURN(TRUSTANCHOR);
1.194 +}
1.195 +
1.196 +/*
1.197 + * FUNCTION: pkix_TrustAnchor_ToString
1.198 + * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
1.199 + */
1.200 +static PKIX_Error *
1.201 +pkix_TrustAnchor_ToString(
1.202 + PKIX_PL_Object *object,
1.203 + PKIX_PL_String **pString,
1.204 + void *plContext)
1.205 +{
1.206 + PKIX_TrustAnchor *anchor = NULL;
1.207 + char *asciiFormat = NULL;
1.208 + PKIX_PL_String *formatString = NULL;
1.209 + PKIX_PL_String *anchorString = NULL;
1.210 + PKIX_PL_String *certString = NULL;
1.211 + PKIX_PL_String *nameString = NULL;
1.212 + PKIX_PL_String *pubKeyString = NULL;
1.213 + PKIX_PL_String *nameConstraintsString = NULL;
1.214 +
1.215 + PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_ToString");
1.216 + PKIX_NULLCHECK_TWO(object, pString);
1.217 +
1.218 + PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
1.219 + PKIX_OBJECTNOTTRUSTANCHOR);
1.220 +
1.221 + anchor = (PKIX_TrustAnchor*)object;
1.222 +
1.223 + if (anchor->trustedCert){
1.224 + asciiFormat =
1.225 + "[\n"
1.226 + "\tTrusted Cert: %s\n"
1.227 + "]\n";
1.228 +
1.229 + PKIX_CHECK(PKIX_PL_String_Create
1.230 + (PKIX_ESCASCII,
1.231 + asciiFormat,
1.232 + 0,
1.233 + &formatString,
1.234 + plContext),
1.235 + PKIX_STRINGCREATEFAILED);
1.236 +
1.237 + PKIX_CHECK(PKIX_PL_Object_ToString
1.238 + ((PKIX_PL_Object *)anchor->trustedCert,
1.239 + &certString,
1.240 + plContext),
1.241 + PKIX_OBJECTTOSTRINGFAILED);
1.242 +
1.243 + PKIX_CHECK(PKIX_PL_Sprintf
1.244 + (&anchorString,
1.245 + plContext,
1.246 + formatString,
1.247 + certString),
1.248 + PKIX_SPRINTFFAILED);
1.249 + } else {
1.250 + asciiFormat =
1.251 + "[\n"
1.252 + "\tTrusted CA Name: %s\n"
1.253 + "\tTrusted CA PublicKey: %s\n"
1.254 + "\tInitial Name Constraints:%s\n"
1.255 + "]\n";
1.256 +
1.257 + PKIX_CHECK(PKIX_PL_String_Create
1.258 + (PKIX_ESCASCII,
1.259 + asciiFormat,
1.260 + 0,
1.261 + &formatString,
1.262 + plContext),
1.263 + PKIX_STRINGCREATEFAILED);
1.264 +
1.265 + PKIX_CHECK(PKIX_PL_Object_ToString
1.266 + ((PKIX_PL_Object *)anchor->caName,
1.267 + &nameString,
1.268 + plContext),
1.269 + PKIX_OBJECTTOSTRINGFAILED);
1.270 +
1.271 + PKIX_CHECK(PKIX_PL_Object_ToString
1.272 + ((PKIX_PL_Object *)anchor->caPubKey,
1.273 + &pubKeyString,
1.274 + plContext),
1.275 + PKIX_OBJECTTOSTRINGFAILED);
1.276 +
1.277 + PKIX_TOSTRING
1.278 + (anchor->nameConstraints,
1.279 + &nameConstraintsString,
1.280 + plContext,
1.281 + PKIX_OBJECTTOSTRINGFAILED);
1.282 +
1.283 + PKIX_CHECK(PKIX_PL_Sprintf
1.284 + (&anchorString,
1.285 + plContext,
1.286 + formatString,
1.287 + nameString,
1.288 + pubKeyString,
1.289 + nameConstraintsString),
1.290 + PKIX_SPRINTFFAILED);
1.291 + }
1.292 +
1.293 + *pString = anchorString;
1.294 +
1.295 +cleanup:
1.296 +
1.297 + PKIX_DECREF(formatString);
1.298 + PKIX_DECREF(certString);
1.299 + PKIX_DECREF(nameString);
1.300 + PKIX_DECREF(pubKeyString);
1.301 + PKIX_DECREF(nameConstraintsString);
1.302 +
1.303 + PKIX_RETURN(TRUSTANCHOR);
1.304 +}
1.305 +
1.306 +/*
1.307 + * FUNCTION: pkix_TrustAnchor_RegisterSelf
1.308 + * DESCRIPTION:
1.309 + * Registers PKIX_TRUSTANCHOR_TYPE and its related functions with
1.310 + * systemClasses[]
1.311 + * THREAD SAFETY:
1.312 + * Not Thread Safe - for performance and complexity reasons
1.313 + *
1.314 + * Since this function is only called by PKIX_PL_Initialize, which should
1.315 + * only be called once, it is acceptable that this function is not
1.316 + * thread-safe.
1.317 + */
1.318 +PKIX_Error *
1.319 +pkix_TrustAnchor_RegisterSelf(void *plContext)
1.320 +{
1.321 + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1.322 + pkix_ClassTable_Entry entry;
1.323 +
1.324 + PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_RegisterSelf");
1.325 +
1.326 + entry.description = "TrustAnchor";
1.327 + entry.objCounter = 0;
1.328 + entry.typeObjectSize = sizeof(PKIX_TrustAnchor);
1.329 + entry.destructor = pkix_TrustAnchor_Destroy;
1.330 + entry.equalsFunction = pkix_TrustAnchor_Equals;
1.331 + entry.hashcodeFunction = pkix_TrustAnchor_Hashcode;
1.332 + entry.toStringFunction = pkix_TrustAnchor_ToString;
1.333 + entry.comparator = NULL;
1.334 + entry.duplicateFunction = pkix_duplicateImmutable;
1.335 +
1.336 + systemClasses[PKIX_TRUSTANCHOR_TYPE] = entry;
1.337 +
1.338 + PKIX_RETURN(TRUSTANCHOR);
1.339 +}
1.340 +
1.341 +/* --Public-Functions--------------------------------------------- */
1.342 +
1.343 +
1.344 +/*
1.345 + * FUNCTION: PKIX_TrustAnchor_CreateWithCert (see comments in pkix_params.h)
1.346 + */
1.347 +PKIX_Error *
1.348 +PKIX_TrustAnchor_CreateWithCert(
1.349 + PKIX_PL_Cert *cert,
1.350 + PKIX_TrustAnchor **pAnchor,
1.351 + void *plContext)
1.352 +{
1.353 + PKIX_TrustAnchor *anchor = NULL;
1.354 +
1.355 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_CreateWithCert");
1.356 + PKIX_NULLCHECK_TWO(cert, pAnchor);
1.357 +
1.358 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.359 + (PKIX_TRUSTANCHOR_TYPE,
1.360 + sizeof (PKIX_TrustAnchor),
1.361 + (PKIX_PL_Object **)&anchor,
1.362 + plContext),
1.363 + PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
1.364 +
1.365 + /* initialize fields */
1.366 + PKIX_CHECK(
1.367 + PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext),
1.368 + PKIX_CERTSETASTRUSTANCHORFAILED);
1.369 +
1.370 + PKIX_INCREF(cert);
1.371 + anchor->trustedCert = cert;
1.372 +
1.373 + anchor->caName = NULL;
1.374 + anchor->caPubKey = NULL;
1.375 +
1.376 + PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
1.377 + (anchor->trustedCert, &anchor->nameConstraints, plContext),
1.378 + PKIX_CERTGETNAMECONSTRAINTSFAILED);
1.379 +
1.380 +
1.381 + *pAnchor = anchor;
1.382 + anchor = NULL;
1.383 +
1.384 +cleanup:
1.385 +
1.386 + PKIX_DECREF(anchor);
1.387 +
1.388 + PKIX_RETURN(TRUSTANCHOR);
1.389 +
1.390 +}
1.391 +
1.392 +/*
1.393 + * FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair
1.394 + * (see comments in pkix_params.h)
1.395 + */
1.396 +PKIX_Error *
1.397 +PKIX_TrustAnchor_CreateWithNameKeyPair(
1.398 + PKIX_PL_X500Name *name,
1.399 + PKIX_PL_PublicKey *pubKey,
1.400 + PKIX_PL_CertNameConstraints *nameConstraints,
1.401 + PKIX_TrustAnchor **pAnchor,
1.402 + void *plContext)
1.403 +{
1.404 + PKIX_TrustAnchor *anchor = NULL;
1.405 +
1.406 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_CreateWithNameKeyPair");
1.407 +
1.408 +#ifndef BUILD_LIBPKIX_TESTS
1.409 + /* Nss creates trust anchors by using PKIX_TrustAnchor_CreateWithCert
1.410 + * function as the complete trusted cert structure, and not only cert
1.411 + * public key, is required for chain building and validation processes.
1.412 + * Restricting this function for been used only in libpkix unit
1.413 + * tests. */
1.414 + PKIX_ERROR(PKIX_FUNCTIONMUSTNOTBEUSED);
1.415 +#endif
1.416 +
1.417 + PKIX_NULLCHECK_THREE(name, pubKey, pAnchor);
1.418 +
1.419 + PKIX_CHECK(PKIX_PL_Object_Alloc
1.420 + (PKIX_TRUSTANCHOR_TYPE,
1.421 + sizeof (PKIX_TrustAnchor),
1.422 + (PKIX_PL_Object **)&anchor,
1.423 + plContext),
1.424 + PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
1.425 +
1.426 + /* initialize fields */
1.427 + anchor->trustedCert = NULL;
1.428 +
1.429 + PKIX_INCREF(name);
1.430 + anchor->caName = name;
1.431 +
1.432 + PKIX_INCREF(pubKey);
1.433 + anchor->caPubKey = pubKey;
1.434 +
1.435 + PKIX_INCREF(nameConstraints);
1.436 + anchor->nameConstraints = nameConstraints;
1.437 +
1.438 + *pAnchor = anchor;
1.439 + anchor = NULL;
1.440 +cleanup:
1.441 +
1.442 + PKIX_DECREF(anchor);
1.443 +
1.444 + PKIX_RETURN(TRUSTANCHOR);
1.445 +}
1.446 +
1.447 +/*
1.448 + * FUNCTION: PKIX_TrustAnchor_GetTrustedCert (see comments in pkix_params.h)
1.449 + */
1.450 +PKIX_Error *
1.451 +PKIX_TrustAnchor_GetTrustedCert(
1.452 + PKIX_TrustAnchor *anchor,
1.453 + PKIX_PL_Cert **pCert,
1.454 + void *plContext)
1.455 +{
1.456 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetTrustedCert");
1.457 + PKIX_NULLCHECK_TWO(anchor, pCert);
1.458 +
1.459 + PKIX_INCREF(anchor->trustedCert);
1.460 +
1.461 + *pCert = anchor->trustedCert;
1.462 +
1.463 +cleanup:
1.464 + PKIX_RETURN(TRUSTANCHOR);
1.465 +
1.466 +}
1.467 +
1.468 +/*
1.469 + * FUNCTION: PKIX_TrustAnchor_GetCAName (see comments in pkix_params.h)
1.470 + */
1.471 +PKIX_Error *
1.472 +PKIX_TrustAnchor_GetCAName(
1.473 + PKIX_TrustAnchor *anchor,
1.474 + PKIX_PL_X500Name **pCAName,
1.475 + void *plContext)
1.476 +{
1.477 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetCAName");
1.478 + PKIX_NULLCHECK_TWO(anchor, pCAName);
1.479 +
1.480 + PKIX_INCREF(anchor->caName);
1.481 +
1.482 + *pCAName = anchor->caName;
1.483 +
1.484 +cleanup:
1.485 + PKIX_RETURN(TRUSTANCHOR);
1.486 +
1.487 +}
1.488 +
1.489 +/*
1.490 + * FUNCTION: PKIX_TrustAnchor_GetCAPublicKey (see comments in pkix_params.h)
1.491 + */
1.492 +PKIX_Error *
1.493 +PKIX_TrustAnchor_GetCAPublicKey(
1.494 + PKIX_TrustAnchor *anchor,
1.495 + PKIX_PL_PublicKey **pPubKey,
1.496 + void *plContext)
1.497 +{
1.498 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetCAPublicKey");
1.499 + PKIX_NULLCHECK_TWO(anchor, pPubKey);
1.500 +
1.501 + PKIX_INCREF(anchor->caPubKey);
1.502 +
1.503 + *pPubKey = anchor->caPubKey;
1.504 +
1.505 +cleanup:
1.506 + PKIX_RETURN(TRUSTANCHOR);
1.507 +}
1.508 +
1.509 +/*
1.510 + * FUNCTION: PKIX_TrustAnchor_GetNameConstraints
1.511 + * (see comments in pkix_params.h)
1.512 + */
1.513 +PKIX_Error *
1.514 +PKIX_TrustAnchor_GetNameConstraints(
1.515 + PKIX_TrustAnchor *anchor,
1.516 + PKIX_PL_CertNameConstraints **pNameConstraints,
1.517 + void *plContext)
1.518 +{
1.519 + PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetNameConstraints");
1.520 + PKIX_NULLCHECK_TWO(anchor, pNameConstraints);
1.521 +
1.522 + PKIX_INCREF(anchor->nameConstraints);
1.523 +
1.524 + *pNameConstraints = anchor->nameConstraints;
1.525 +
1.526 +cleanup:
1.527 + PKIX_RETURN(TRUSTANCHOR);
1.528 +}
