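--- /dev/null
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -0,0 +1,90 @@
+/*
+ * NSS utility functions
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+#include <string.h>
+#include "prerror.h"
+#include "secitem.h"
+#include "prnetdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "secder.h"
+#include "key.h"
+#include "nss.h"
+
+/*
+ * Look to see if any of the signers in the cert chain for "cert" are found
+ * in the list of caNames.
+ * Returns SECSuccess if so, SECFailure if not.
+ */
+SECStatus
+NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
+{
+    SECItem *         caname;
+    CERTCertificate * curcert;
+    CERTCertificate * oldcert;
+    PRInt32           contentlen;
+    int               j;
+    int               headerlen;
+    int               depth;
+    SECStatus         rv;
+    SECItem           issuerName;
+    SECItem           compatIssuerName;
+
+    if (!cert || !caNames || !caNames->nnames || !caNames->names ||
+        !caNames->names->data)
+        return SECFailure;
+    depth=0;
+    curcert = CERT_DupCertificate(cert);
+
+    while( curcert ) {
+        issuerName = curcert->derIssuer;
+
+        /* compute an alternate issuer name for compatibility with 2.0
+         * enterprise server, which send the CA names without
+         * the outer layer of DER header
+         */
+        rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
+        if ( rv == SECSuccess ) {
+            compatIssuerName.data = &issuerName.data[headerlen];
+            compatIssuerName.len = issuerName.len - headerlen;
+        } else {
+            compatIssuerName.data = NULL;
+            compatIssuerName.len = 0;
+        }
+
+        for (j = 0; j < caNames->nnames; j++) {
+            caname = &caNames->names[j];
+            if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
+                rv = SECSuccess;
+                CERT_DestroyCertificate(curcert);
+                goto done;
+            } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+                rv = SECSuccess;
+                CERT_DestroyCertificate(curcert);
+                goto done;
+            }
+        }
+        if ( ( depth <= 20 ) &&
+             ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
+               != SECEqual ) ) {
+            oldcert = curcert;
+            curcert = CERT_FindCertByName(curcert->dbhandle,
+                                          &curcert->derIssuer);
+            CERT_DestroyCertificate(oldcert);
+            depth++;
+        } else {
+            CERT_DestroyCertificate(curcert);
+            curcert = NULL;
+        }
+    }
+    rv = SECFailure;
+
+done:
+    return rv;
+}
+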
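Review bot: When DER_Lengths fails, compatIssuerName is left as {NULL, 0} but is still compared against every caname in the inner loop, and the entry guard only validates `caNames->names->data` for the first entry; if SECITEM_CompareItem treats two zero-length items as equal (I have not confirmed this here), a zero-length name later in the peer-supplied list would match any certificate in the chain and return SECSuccess. Skipping the compatibility comparison when there is nothing to compare closes that path: `} else if (compatIssuerName.len && SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {`. The subtraction `issuerName.len - headerlen` also relies on DER_Lengths never reporting a header longer than the item; a `headerlen <= issuerName.len` check before computing compatIssuerName would make that assumption explicit. The chain-walk bound `depth <= 20` is a magic number and would read better as a named constant, e.g. `#define MAX_CHAIN_DEPTH 20` near the includes.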