security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c@6474c204b198
security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rwxr-xr-x
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * pkix_policychecker.c
6 *
7 * Functions for Policy Checker
8 *
9 */
10 #include "pkix_policychecker.h"
12 /* --Forward declarations----------------------------------------------- */
14 static PKIX_Error *
15 pkix_PolicyChecker_MakeSingleton(
16 PKIX_PL_Object *listItem,
17 PKIX_Boolean immutability,
18 PKIX_List **pList,
19 void *plContext);
21 /* --Private-PolicyCheckerState-Functions---------------------------------- */
23 /*
24 * FUNCTION:pkix_PolicyCheckerState_Destroy
25 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
26 */
27 static PKIX_Error *
28 pkix_PolicyCheckerState_Destroy(
29 PKIX_PL_Object *object,
30 void *plContext)
31 {
32 PKIX_PolicyCheckerState *checkerState = NULL;
34 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
35 PKIX_NULLCHECK_ONE(object);
37 PKIX_CHECK(pkix_CheckType
38 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
39 PKIX_OBJECTNOTPOLICYCHECKERSTATE);
41 checkerState = (PKIX_PolicyCheckerState *)object;
43 PKIX_DECREF(checkerState->certPoliciesExtension);
44 PKIX_DECREF(checkerState->policyMappingsExtension);
45 PKIX_DECREF(checkerState->policyConstraintsExtension);
46 PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
47 PKIX_DECREF(checkerState->anyPolicyOID);
48 PKIX_DECREF(checkerState->validPolicyTree);
49 PKIX_DECREF(checkerState->userInitialPolicySet);
50 PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
52 checkerState->policyQualifiersRejected = PKIX_FALSE;
53 checkerState->explicitPolicy = 0;
54 checkerState->inhibitAnyPolicy = 0;
55 checkerState->policyMapping = 0;
56 checkerState->numCerts = 0;
57 checkerState->certsProcessed = 0;
58 checkerState->certPoliciesCritical = PKIX_FALSE;
60 PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
61 PKIX_DECREF(checkerState->newAnyPolicyNode);
62 PKIX_DECREF(checkerState->mappedPolicyOIDs);
64 cleanup:
66 PKIX_RETURN(CERTPOLICYCHECKERSTATE);
67 }
69 /*
70 * FUNCTION: pkix_PolicyCheckerState_ToString
71 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
72 */
73 static PKIX_Error *
74 pkix_PolicyCheckerState_ToString(
75 PKIX_PL_Object *object,
76 PKIX_PL_String **pCheckerStateString,
77 void *plContext)
78 {
79 PKIX_PolicyCheckerState *state = NULL;
80 PKIX_PL_String *resultString = NULL;
81 PKIX_PL_String *policiesExtOIDString = NULL;
82 PKIX_PL_String *policyMapOIDString = NULL;
83 PKIX_PL_String *policyConstrOIDString = NULL;
84 PKIX_PL_String *inhAnyPolOIDString = NULL;
85 PKIX_PL_String *anyPolicyOIDString = NULL;
86 PKIX_PL_String *validPolicyTreeString = NULL;
87 PKIX_PL_String *userInitialPolicySetString = NULL;
88 PKIX_PL_String *mappedUserPolicySetString = NULL;
89 PKIX_PL_String *mappedPolicyOIDsString = NULL;
90 PKIX_PL_String *anyAtBottomString = NULL;
91 PKIX_PL_String *newAnyPolicyString = NULL;
92 PKIX_PL_String *formatString = NULL;
93 PKIX_PL_String *trueString = NULL;
94 PKIX_PL_String *falseString = NULL;
95 PKIX_PL_String *nullString = NULL;
96 PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
97 PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
98 PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
99 PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
100 PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
101 PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
102 char *asciiFormat =
103 "{\n"
104 "\tcertPoliciesExtension: \t%s\n"
105 "\tpolicyMappingsExtension: \t%s\n"
106 "\tpolicyConstraintsExtension:\t%s\n"
107 "\tinhibitAnyPolicyExtension:\t%s\n"
108 "\tanyPolicyOID: \t%s\n"
109 "\tinitialIsAnyPolicy: \t%s\n"
110 "\tvalidPolicyTree: \t%s\n"
111 "\tuserInitialPolicySet: \t%s\n"
112 "\tmappedUserPolicySet: \t%s\n"
113 "\tpolicyQualifiersRejected: \t%s\n"
114 "\tinitialPolMappingInhibit: \t%s\n"
115 "\tinitialExplicitPolicy: \t%s\n"
116 "\tinitialAnyPolicyInhibit: \t%s\n"
117 "\texplicitPolicy: \t%d\n"
118 "\tinhibitAnyPolicy: \t%d\n"
119 "\tpolicyMapping: \t%d\n"
120 "\tnumCerts: \t%d\n"
121 "\tcertsProcessed: \t%d\n"
122 "\tanyPolicyNodeAtBottom: \t%s\n"
123 "\tnewAnyPolicyNode: \t%s\n"
124 "\tcertPoliciesCritical: \t%s\n"
125 "\tmappedPolicyOIDs: \t%s\n"
126 "}";
128 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
130 PKIX_NULLCHECK_TWO(object, pCheckerStateString);
132 PKIX_CHECK(pkix_CheckType
133 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
134 PKIX_OBJECTNOTPOLICYCHECKERSTATE);
136 state = (PKIX_PolicyCheckerState *)object;
137 PKIX_NULLCHECK_THREE
138 (state->certPoliciesExtension,
139 state->policyMappingsExtension,
140 state->policyConstraintsExtension);
141 PKIX_NULLCHECK_THREE
142 (state->inhibitAnyPolicyExtension,
143 state->anyPolicyOID,
144 state->userInitialPolicySet);
146 PKIX_CHECK(PKIX_PL_String_Create
147 (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
148 PKIX_STRINGCREATEFAILED);
149 /*
150 * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
151 * PKIX_PL_String is complicated enough, it's worth checking, for
152 * each, to make sure the string is needed.
153 */
154 initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
155 initialExplicitPolicy = state->initialExplicitPolicy;
156 initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
157 initialIsAnyPolicy = state->initialIsAnyPolicy;
158 policyQualifiersRejected = state->policyQualifiersRejected;
159 certPoliciesCritical = state->certPoliciesCritical;
161 if (initialPolicyMappingInhibit || initialExplicitPolicy ||
162 initialAnyPolicyInhibit || initialIsAnyPolicy ||
163 policyQualifiersRejected || certPoliciesCritical) {
164 PKIX_CHECK(PKIX_PL_String_Create
165 (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
166 PKIX_STRINGCREATEFAILED);
167 }
168 if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
169 !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
170 !policyQualifiersRejected || !certPoliciesCritical) {
171 PKIX_CHECK(PKIX_PL_String_Create
172 (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
173 PKIX_STRINGCREATEFAILED);
174 }
175 if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
176 PKIX_CHECK(PKIX_PL_String_Create
177 (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
178 PKIX_STRINGCREATEFAILED);
179 }
181 PKIX_TOSTRING
182 (state->certPoliciesExtension, &policiesExtOIDString, plContext,
183 PKIX_OBJECTTOSTRINGFAILED);
185 PKIX_TOSTRING
186 (state->policyMappingsExtension,
187 &policyMapOIDString,
188 plContext,
189 PKIX_OBJECTTOSTRINGFAILED);
191 PKIX_TOSTRING
192 (state->policyConstraintsExtension,
193 &policyConstrOIDString,
194 plContext,
195 PKIX_OBJECTTOSTRINGFAILED);
197 PKIX_TOSTRING
198 (state->inhibitAnyPolicyExtension,
199 &inhAnyPolOIDString,
200 plContext,
201 PKIX_OBJECTTOSTRINGFAILED);
203 PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
204 PKIX_OBJECTTOSTRINGFAILED);
206 PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
207 PKIX_OBJECTTOSTRINGFAILED);
209 PKIX_TOSTRING
210 (state->userInitialPolicySet,
211 &userInitialPolicySetString,
212 plContext,
213 PKIX_OBJECTTOSTRINGFAILED);
215 PKIX_TOSTRING
216 (state->mappedUserInitialPolicySet,
217 &mappedUserPolicySetString,
218 plContext,
219 PKIX_OBJECTTOSTRINGFAILED);
221 if (state->anyPolicyNodeAtBottom) {
222 PKIX_CHECK(pkix_SinglePolicyNode_ToString
223 (state->anyPolicyNodeAtBottom,
224 &anyAtBottomString,
225 plContext),
226 PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
227 } else {
228 PKIX_INCREF(nullString);
229 anyAtBottomString = nullString;
230 }
232 if (state->newAnyPolicyNode) {
233 PKIX_CHECK(pkix_SinglePolicyNode_ToString
234 (state->newAnyPolicyNode,
235 &newAnyPolicyString,
236 plContext),
237 PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
238 } else {
239 PKIX_INCREF(nullString);
240 newAnyPolicyString = nullString;
241 }
243 PKIX_TOSTRING
244 (state->mappedPolicyOIDs,
245 &mappedPolicyOIDsString,
246 plContext,
247 PKIX_OBJECTTOSTRINGFAILED);
249 PKIX_CHECK(PKIX_PL_Sprintf
250 (&resultString,
251 plContext,
252 formatString,
253 policiesExtOIDString,
254 policyMapOIDString,
255 policyConstrOIDString,
256 inhAnyPolOIDString,
257 anyPolicyOIDString,
258 initialIsAnyPolicy?trueString:falseString,
259 validPolicyTreeString,
260 userInitialPolicySetString,
261 mappedUserPolicySetString,
262 policyQualifiersRejected?trueString:falseString,
263 initialPolicyMappingInhibit?trueString:falseString,
264 initialExplicitPolicy?trueString:falseString,
265 initialAnyPolicyInhibit?trueString:falseString,
266 state->explicitPolicy,
267 state->inhibitAnyPolicy,
268 state->policyMapping,
269 state->numCerts,
270 state->certsProcessed,
271 anyAtBottomString,
272 newAnyPolicyString,
273 certPoliciesCritical?trueString:falseString,
274 mappedPolicyOIDsString),
275 PKIX_SPRINTFFAILED);
277 *pCheckerStateString = resultString;
279 cleanup:
280 PKIX_DECREF(policiesExtOIDString);
281 PKIX_DECREF(policyMapOIDString);
282 PKIX_DECREF(policyConstrOIDString);
283 PKIX_DECREF(inhAnyPolOIDString);
284 PKIX_DECREF(anyPolicyOIDString);
285 PKIX_DECREF(validPolicyTreeString);
286 PKIX_DECREF(userInitialPolicySetString);
287 PKIX_DECREF(mappedUserPolicySetString);
288 PKIX_DECREF(anyAtBottomString);
289 PKIX_DECREF(newAnyPolicyString);
290 PKIX_DECREF(mappedPolicyOIDsString);
291 PKIX_DECREF(formatString);
292 PKIX_DECREF(trueString);
293 PKIX_DECREF(falseString);
294 PKIX_DECREF(nullString);
296 PKIX_RETURN(CERTPOLICYCHECKERSTATE);
297 }
299 /*
300 * FUNCTION: pkix_PolicyCheckerState_RegisterSelf
301 * DESCRIPTION:
302 *
303 * Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
304 * with systemClasses[]
305 *
306 * PARAMETERS:
307 * "plContext"
308 * Platform-specific context pointer.
309 * THREAD SAFETY:
310 * Not Thread Safe - for performance and complexity reasons
311 *
312 * Since this function is only called by PKIX_PL_Initialize, which should
313 * only be called once, it is acceptable that this function is not
314 * thread-safe.
315 */
316 PKIX_Error *
317 pkix_PolicyCheckerState_RegisterSelf(void *plContext)
318 {
319 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
320 pkix_ClassTable_Entry entry;
322 PKIX_ENTER
323 (CERTPOLICYCHECKERSTATE,
324 "pkix_PolicyCheckerState_RegisterSelf");
326 entry.description = "PolicyCheckerState";
327 entry.objCounter = 0;
328 entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
329 entry.destructor = pkix_PolicyCheckerState_Destroy;
330 entry.equalsFunction = NULL;
331 entry.hashcodeFunction = NULL;
332 entry.toStringFunction = pkix_PolicyCheckerState_ToString;
333 entry.comparator = NULL;
334 entry.duplicateFunction = NULL;
336 systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
338 PKIX_RETURN(CERTPOLICYCHECKERSTATE);
339 }
341 /*
342 * FUNCTION:pkix_PolicyCheckerState_Create
343 * DESCRIPTION:
344 *
345 * Creates a PolicyCheckerState Object, using the List pointed to
346 * by "initialPolicies" for the user-initial-policy-set, the Boolean value
347 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
348 * the Boolean value of "initialPolicyMappingInhibit" for the
349 * inhibitPolicyMappings parameter, the Boolean value of
350 * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
351 * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
352 * parameter, and the UInt32 value of "numCerts" as the number of
353 * certificates in the chain; and stores the Object at "pCheckerState".
354 *
355 * PARAMETERS:
356 * "initialPolicies"
357 * Address of List of OIDs comprising the user-initial-policy-set; the List
358 * may be empty, but must be non-NULL
359 * "policyQualifiersRejected"
360 * Boolean value of the policyQualifiersRejected parameter
361 * "initialPolicyMappingInhibit"
362 * Boolean value of the inhibitPolicyMappings parameter
363 * "initialExplicitPolicy"
364 * Boolean value of the initialExplicitPolicy parameter
365 * "initialAnyPolicyInhibit"
366 * Boolean value of the inhibitAnyPolicy parameter
367 * "numCerts"
368 * Number of certificates in the chain to be validated
369 * "pCheckerState"
370 * Address where PolicyCheckerState will be stored. Must be non-NULL.
371 * "plContext"
372 * Platform-specific context pointer.
373 * THREAD SAFETY:
374 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
375 * RETURNS:
376 * Returns NULL if the function succeeds
377 * Returns a CertPolicyCheckerState Error if the functions fails in a
378 * non-fatal way
379 * Returns a Fatal Error if the function fails in an unrecoverable way
380 */
381 static PKIX_Error *
382 pkix_PolicyCheckerState_Create(
383 PKIX_List *initialPolicies,
384 PKIX_Boolean policyQualifiersRejected,
385 PKIX_Boolean initialPolicyMappingInhibit,
386 PKIX_Boolean initialExplicitPolicy,
387 PKIX_Boolean initialAnyPolicyInhibit,
388 PKIX_UInt32 numCerts,
389 PKIX_PolicyCheckerState **pCheckerState,
390 void *plContext)
391 {
392 PKIX_PolicyCheckerState *checkerState = NULL;
393 PKIX_PolicyNode *policyNode = NULL;
394 PKIX_List *anyPolicyList = NULL;
395 PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE;
397 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
398 PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
400 PKIX_CHECK(PKIX_PL_Object_Alloc
401 (PKIX_CERTPOLICYCHECKERSTATE_TYPE,
402 sizeof (PKIX_PolicyCheckerState),
403 (PKIX_PL_Object **)&checkerState,
404 plContext),
405 PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
407 /* Create constant PKIX_PL_OIDs: */
409 PKIX_CHECK(PKIX_PL_OID_Create
410 (PKIX_CERTIFICATEPOLICIES_OID,
411 &(checkerState->certPoliciesExtension),
412 plContext),
413 PKIX_OIDCREATEFAILED);
415 PKIX_CHECK(PKIX_PL_OID_Create
416 (PKIX_POLICYMAPPINGS_OID,
417 &(checkerState->policyMappingsExtension),
418 plContext),
419 PKIX_OIDCREATEFAILED);
421 PKIX_CHECK(PKIX_PL_OID_Create
422 (PKIX_POLICYCONSTRAINTS_OID,
423 &(checkerState->policyConstraintsExtension),
424 plContext),
425 PKIX_OIDCREATEFAILED);
427 PKIX_CHECK(PKIX_PL_OID_Create
428 (PKIX_INHIBITANYPOLICY_OID,
429 &(checkerState->inhibitAnyPolicyExtension),
430 plContext),
431 PKIX_OIDCREATEFAILED);
433 PKIX_CHECK(PKIX_PL_OID_Create
434 (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
435 &(checkerState->anyPolicyOID),
436 plContext),
437 PKIX_OIDCREATEFAILED);
439 /* Create an initial policy set from argument supplied */
440 PKIX_INCREF(initialPolicies);
441 checkerState->userInitialPolicySet = initialPolicies;
442 PKIX_INCREF(initialPolicies);
443 checkerState->mappedUserInitialPolicySet = initialPolicies;
445 PKIX_CHECK(PKIX_List_IsEmpty
446 (initialPolicies,
447 &initialPoliciesIsEmpty,
448 plContext),
449 PKIX_LISTISEMPTYFAILED);
450 if (initialPoliciesIsEmpty) {
451 checkerState->initialIsAnyPolicy = PKIX_TRUE;
452 } else {
453 PKIX_CHECK(pkix_List_Contains
454 (initialPolicies,
455 (PKIX_PL_Object *)(checkerState->anyPolicyOID),
456 &(checkerState->initialIsAnyPolicy),
457 plContext),
458 PKIX_LISTCONTAINSFAILED);
459 }
461 checkerState->policyQualifiersRejected =
462 policyQualifiersRejected;
463 checkerState->initialExplicitPolicy = initialExplicitPolicy;
464 checkerState->explicitPolicy =
465 (initialExplicitPolicy? 0: numCerts + 1);
466 checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
467 checkerState->inhibitAnyPolicy =
468 (initialAnyPolicyInhibit? 0: numCerts + 1);
469 checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
470 checkerState->policyMapping =
471 (initialPolicyMappingInhibit? 0: numCerts + 1);
472 ;
473 checkerState->numCerts = numCerts;
474 checkerState->certsProcessed = 0;
475 checkerState->certPoliciesCritical = PKIX_FALSE;
477 /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
478 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
479 ((PKIX_PL_Object *)(checkerState->anyPolicyOID),
480 PKIX_TRUE,
481 &anyPolicyList,
482 plContext),
483 PKIX_POLICYCHECKERMAKESINGLETONFAILED);
485 PKIX_CHECK(pkix_PolicyNode_Create
486 (checkerState->anyPolicyOID, /* validPolicy */
487 NULL, /* qualifier set */
488 PKIX_FALSE, /* criticality */
489 anyPolicyList, /* expectedPolicySet */
490 &policyNode,
491 plContext),
492 PKIX_POLICYNODECREATEFAILED);
493 checkerState->validPolicyTree = policyNode;
495 /*
496 * Since the initial validPolicyTree specifies
497 * ANY_POLICY, begin with a pointer to the root node.
498 */
499 PKIX_INCREF(policyNode);
500 checkerState->anyPolicyNodeAtBottom = policyNode;
502 checkerState->newAnyPolicyNode = NULL;
504 checkerState->mappedPolicyOIDs = NULL;
506 *pCheckerState = checkerState;
507 checkerState = NULL;
509 cleanup:
511 PKIX_DECREF(checkerState);
513 PKIX_DECREF(anyPolicyList);
515 PKIX_RETURN(CERTPOLICYCHECKERSTATE);
516 }
518 /* --Private-PolicyChecker-Functions--------------------------------------- */
520 /*
521 * FUNCTION: pkix_PolicyChecker_MapContains
522 * DESCRIPTION:
523 *
524 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
525 * determine whether the OID pointed to by "policy" is among the
526 * issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
527 * stores the result in "pFound".
528 *
529 * This function is intended to allow an efficient check that the proscription
530 * against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
531 * not violated.
532 *
533 * PARAMETERS:
534 * "certPolicyMaps"
535 * Address of List of CertPolicyMaps to be searched. May be empty, but
536 * must be non-NULL
537 * "policy"
538 * Address of OID to be checked for. Must be non-NULL
539 * "pFound"
540 * Address where the result of the search will be stored. Must be non-NULL.
541 * "plContext"
542 * platform-specific context pointer
543 * THREAD SAFETY:
544 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
545 * RETURNS:
546 * Returns NULL if the function succeeds
547 * Returns a CertChainChecker Error if the function fails in a non-fatal way.
548 * Returns a Fatal Error if the function fails in an unrecoverable way
549 */
550 PKIX_Error *
551 pkix_PolicyChecker_MapContains(
552 PKIX_List *certPolicyMaps,
553 PKIX_PL_OID *policy,
554 PKIX_Boolean *pFound,
555 void *plContext)
556 {
557 PKIX_PL_CertPolicyMap *map = NULL;
558 PKIX_UInt32 numEntries = 0;
559 PKIX_UInt32 index = 0;
560 PKIX_Boolean match = PKIX_FALSE;
561 PKIX_PL_OID *issuerDomainPolicy = NULL;
562 PKIX_PL_OID *subjectDomainPolicy = NULL;
564 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
565 PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
567 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
568 PKIX_LISTGETLENGTHFAILED);
570 for (index = 0; (!match) && (index < numEntries); index++) {
571 PKIX_CHECK(PKIX_List_GetItem
572 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
573 PKIX_LISTGETITEMFAILED);
575 PKIX_NULLCHECK_ONE(map);
577 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
578 (map, &issuerDomainPolicy, plContext),
579 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
581 PKIX_EQUALS
582 (policy, issuerDomainPolicy, &match, plContext,
583 PKIX_OBJECTEQUALSFAILED);
585 if (!match) {
586 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
587 (map, &subjectDomainPolicy, plContext),
588 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
590 PKIX_EQUALS
591 (policy, subjectDomainPolicy, &match, plContext,
592 PKIX_OBJECTEQUALSFAILED);
593 }
595 PKIX_DECREF(map);
596 PKIX_DECREF(issuerDomainPolicy);
597 PKIX_DECREF(subjectDomainPolicy);
598 }
600 *pFound = match;
602 cleanup:
604 PKIX_DECREF(map);
605 PKIX_DECREF(issuerDomainPolicy);
606 PKIX_DECREF(subjectDomainPolicy);
607 PKIX_RETURN(CERTCHAINCHECKER);
608 }
610 /*
611 * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
612 * DESCRIPTION:
613 *
614 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
615 * a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
616 * policy pointed to by "policy", and stores the result in
617 * "pSubjectDomainPolicies".
618 *
619 * If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
620 * resulting List will be NULL. If there are CertPolicyMaps, but none that
621 * include "policy" as an IssuerDomainPolicy, the returned List pointer will
622 * be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
623 * of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
624 * List is returned it will be immutable.
625 *
626 * PARAMETERS:
627 * "certPolicyMaps"
628 * Address of List of CertPolicyMaps to be searched. May be empty or NULL.
629 * "policy"
630 * Address of OID to be checked for. Must be non-NULL
631 * "pSubjectDomainPolicies"
632 * Address where the result of the search will be stored. Must be non-NULL.
633 * "plContext"
634 * platform-specific context pointer
635 * THREAD SAFETY:
636 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
637 * RETURNS:
638 * Returns NULL if the function succeeds
639 * Returns a CertChainChecker Error if the function fails in a non-fatal way.
640 * Returns a Fatal Error if the function fails in an unrecoverable way
641 */
642 PKIX_Error *
643 pkix_PolicyChecker_MapGetSubjectDomainPolicies(
644 PKIX_List *certPolicyMaps,
645 PKIX_PL_OID *policy,
646 PKIX_List **pSubjectDomainPolicies,
647 void *plContext)
648 {
649 PKIX_PL_CertPolicyMap *map = NULL;
650 PKIX_List *subjectList = NULL;
651 PKIX_UInt32 numEntries = 0;
652 PKIX_UInt32 index = 0;
653 PKIX_Boolean match = PKIX_FALSE;
654 PKIX_PL_OID *issuerDomainPolicy = NULL;
655 PKIX_PL_OID *subjectDomainPolicy = NULL;
657 PKIX_ENTER
658 (CERTCHAINCHECKER,
659 "pkix_PolicyChecker_MapGetSubjectDomainPolicies");
660 PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
662 if (certPolicyMaps) {
663 PKIX_CHECK(PKIX_List_GetLength
664 (certPolicyMaps,
665 &numEntries,
666 plContext),
667 PKIX_LISTGETLENGTHFAILED);
668 }
670 for (index = 0; index < numEntries; index++) {
671 PKIX_CHECK(PKIX_List_GetItem
672 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
673 PKIX_LISTGETITEMFAILED);
675 PKIX_NULLCHECK_ONE(map);
677 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
678 (map, &issuerDomainPolicy, plContext),
679 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
681 PKIX_EQUALS
682 (policy, issuerDomainPolicy, &match, plContext,
683 PKIX_OBJECTEQUALSFAILED);
685 if (match) {
686 if (!subjectList) {
687 PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
688 PKIX_LISTCREATEFAILED);
689 }
691 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
692 (map, &subjectDomainPolicy, plContext),
693 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
695 PKIX_CHECK(PKIX_List_AppendItem
696 (subjectList,
697 (PKIX_PL_Object *)subjectDomainPolicy,
698 plContext),
699 PKIX_LISTAPPENDITEMFAILED);
700 }
702 PKIX_DECREF(map);
703 PKIX_DECREF(issuerDomainPolicy);
704 PKIX_DECREF(subjectDomainPolicy);
705 }
707 if (subjectList) {
708 PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
709 PKIX_LISTSETIMMUTABLEFAILED);
710 }
712 *pSubjectDomainPolicies = subjectList;
714 cleanup:
716 if (PKIX_ERROR_RECEIVED) {
717 PKIX_DECREF(subjectList);
718 }
720 PKIX_DECREF(map);
721 PKIX_DECREF(issuerDomainPolicy);
722 PKIX_DECREF(subjectDomainPolicy);
724 PKIX_RETURN(CERTCHAINCHECKER);
725 }
727 /*
728 * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
729 * DESCRIPTION:
730 *
731 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
732 * List of all IssuerDomainPolicies, and stores the result in
733 * "pMappedPolicies".
734 *
735 * The caller may not rely on the IssuerDomainPolicies to be in any particular
736 * order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
737 * only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
738 * result will be an empty List. The created List is mutable.
739 *
740 * PARAMETERS:
741 * "certPolicyMaps"
742 * Address of List of CertPolicyMaps to be searched. May be empty, but
743 * must be non-NULL.
744 * "pMappedPolicies"
745 * Address where the result will be stored. Must be non-NULL.
746 * "plContext"
747 * platform-specific context pointer
748 * THREAD SAFETY:
749 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
750 * RETURNS:
751 * Returns NULL if the function succeeds
752 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
753 * Returns a Fatal Error if the function fails in an unrecoverable way
754 */
755 PKIX_Error *
756 pkix_PolicyChecker_MapGetMappedPolicies(
757 PKIX_List *certPolicyMaps,
758 PKIX_List **pMappedPolicies,
759 void *plContext)
760 {
761 PKIX_PL_CertPolicyMap *map = NULL;
762 PKIX_List *mappedList = NULL;
763 PKIX_UInt32 numEntries = 0;
764 PKIX_UInt32 index = 0;
765 PKIX_Boolean isContained = PKIX_FALSE;
766 PKIX_PL_OID *issuerDomainPolicy = NULL;
768 PKIX_ENTER
769 (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
770 PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
772 PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
773 PKIX_LISTCREATEFAILED);
775 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
776 PKIX_LISTGETLENGTHFAILED);
778 for (index = 0; index < numEntries; index++) {
779 PKIX_CHECK(PKIX_List_GetItem
780 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
781 PKIX_LISTGETITEMFAILED);
783 PKIX_NULLCHECK_ONE(map);
785 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
786 (map, &issuerDomainPolicy, plContext),
787 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
789 PKIX_CHECK(pkix_List_Contains
790 (mappedList,
791 (PKIX_PL_Object *)issuerDomainPolicy,
792 &isContained,
793 plContext),
794 PKIX_LISTCONTAINSFAILED);
796 if (isContained == PKIX_FALSE) {
797 PKIX_CHECK(PKIX_List_AppendItem
798 (mappedList,
799 (PKIX_PL_Object *)issuerDomainPolicy,
800 plContext),
801 PKIX_LISTAPPENDITEMFAILED);
802 }
804 PKIX_DECREF(map);
805 PKIX_DECREF(issuerDomainPolicy);
806 }
808 *pMappedPolicies = mappedList;
810 cleanup:
812 if (PKIX_ERROR_RECEIVED) {
813 PKIX_DECREF(mappedList);
814 }
816 PKIX_DECREF(map);
817 PKIX_DECREF(issuerDomainPolicy);
819 PKIX_RETURN(CERTCHAINCHECKER);
820 }
822 /*
823 * FUNCTION: pkix_PolicyChecker_MakeMutableCopy
824 * DESCRIPTION:
825 *
826 * Creates a mutable copy of the List pointed to by "list", which may or may
827 * not be immutable, and stores the address at "pMutableCopy".
828 *
829 * PARAMETERS:
830 * "list"
831 * Address of List to be copied. Must be non-NULL.
832 * "pMutableCopy"
833 * Address where mutable copy will be stored. Must be non-NULL.
834 * "plContext"
835 * Platform-specific context pointer.
836 * THREAD SAFETY:
837 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
838 * RETURNS:
839 * Returns NULL if the function succeeds
840 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
841 * Returns a Fatal Error if the function fails in an unrecoverable way
842 */
843 static PKIX_Error *
844 pkix_PolicyChecker_MakeMutableCopy(
845 PKIX_List *list,
846 PKIX_List **pMutableCopy,
847 void *plContext)
848 {
849 PKIX_List *newList = NULL;
850 PKIX_UInt32 listLen = 0;
851 PKIX_UInt32 listIx = 0;
852 PKIX_PL_Object *object = NULL;
854 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
855 PKIX_NULLCHECK_TWO(list, pMutableCopy);
857 PKIX_CHECK(PKIX_List_Create(&newList, plContext),
858 PKIX_LISTCREATEFAILED);
860 PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
861 PKIX_LISTGETLENGTHFAILED);
863 for (listIx = 0; listIx < listLen; listIx++) {
865 PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
866 PKIX_LISTGETITEMFAILED);
868 PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
869 PKIX_LISTAPPENDITEMFAILED);
871 PKIX_DECREF(object);
872 }
874 *pMutableCopy = newList;
875 newList = NULL;
877 cleanup:
878 PKIX_DECREF(newList);
879 PKIX_DECREF(object);
881 PKIX_RETURN(CERTCHAINCHECKER);
882 }
884 /*
885 * FUNCTION: pkix_PolicyChecker_MakeSingleton
886 * DESCRIPTION:
887 *
888 * Creates a new List containing the Object pointed to by "listItem", using
889 * the Boolean value of "immutability" to determine whether to set the List
890 * immutable, and stores the address at "pList".
891 *
892 * PARAMETERS:
893 * "listItem"
894 * Address of Object to be inserted into the new List. Must be non-NULL.
895 * "immutability"
896 * Boolean value indicating whether new List is to be immutable
897 * "pList"
898 * Address where List will be stored. Must be non-NULL.
899 * "plContext"
900 * Platform-specific context pointer.
901 * THREAD SAFETY:
902 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
903 * RETURNS:
904 * Returns NULL if the function succeeds
905 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
906 * Returns a Fatal Error if the function fails in an unrecoverable way
907 */
908 static PKIX_Error *
909 pkix_PolicyChecker_MakeSingleton(
910 PKIX_PL_Object *listItem,
911 PKIX_Boolean immutability,
912 PKIX_List **pList,
913 void *plContext)
914 {
915 PKIX_List *newList = NULL;
917 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
918 PKIX_NULLCHECK_TWO(listItem, pList);
920 PKIX_CHECK(PKIX_List_Create(&newList, plContext),
921 PKIX_LISTCREATEFAILED);
923 PKIX_CHECK(PKIX_List_AppendItem
924 (newList, (PKIX_PL_Object *)listItem, plContext),
925 PKIX_LISTAPPENDITEMFAILED);
927 if (immutability) {
928 PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
929 PKIX_LISTSETIMMUTABLEFAILED);
930 }
932 *pList = newList;
934 cleanup:
935 if (PKIX_ERROR_RECEIVED) {
936 PKIX_DECREF(newList);
937 }
939 PKIX_RETURN(CERTCHAINCHECKER);
940 }
942 /*
943 * FUNCTION: pkix_PolicyChecker_Spawn
944 * DESCRIPTION:
945 *
946 * Creates a new childNode for the parent pointed to by "parent", using
947 * the OID pointed to by "policyOID", the List of CertPolicyQualifiers
948 * pointed to by "qualifiers", the List of OIDs pointed to by
949 * "subjectDomainPolicies", and the PolicyCheckerState pointed to by
950 * "state". The new node will be added to "parent".
951 *
952 * The validPolicy of the new node is set from the OID pointed to by
953 * "policyOID". The policy qualifiers for the new node is set from the
954 * List of qualifiers pointed to by "qualifiers", and may be NULL or
955 * empty if the argument provided was NULL or empty. The criticality is
956 * set according to the criticality obtained from the PolicyCheckerState.
957 * If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
958 * child is set to contain the same policy as the validPolicy. If
959 * "subjectDomainPolicies" is not NULL, it is used as the value for
960 * the expectedPolicySet.
961 *
962 * The PolicyCheckerState also contains a constant, anyPolicy, which is
963 * compared to "policyOID". If they match, the address of the childNode
964 * is saved in the state's newAnyPolicyNode.
965 *
966 * PARAMETERS:
967 * "parent"
968 * Address of PolicyNode to which the child will be linked. Must be
969 * non-NULL.
970 * "policyOID"
971 * Address of OID of the new child's validPolicy and also, if
972 * subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
973 * Must be non-NULL.
974 * "qualifiers"
975 * Address of List of CertPolicyQualifiers. May be NULL or empty.
976 * "subjectDomainPolicies"
977 * Address of List of OIDs indicating the policies to which "policy" is
978 * mapped. May be empty or NULL.
979 * "state"
980 * Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
981 * "plContext"
982 * Platform-specific context pointer.
983 * THREAD SAFETY:
984 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
985 * RETURNS:
986 * Returns NULL if the function succeeds
987 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
988 * Returns a Fatal Error if the function fails in an unrecoverable way
989 */
990 static PKIX_Error *
991 pkix_PolicyChecker_Spawn(
992 PKIX_PolicyNode *parent,
993 PKIX_PL_OID *policyOID,
994 PKIX_List *qualifiers, /* CertPolicyQualifiers */
995 PKIX_List *subjectDomainPolicies,
996 PKIX_PolicyCheckerState *state,
997 void *plContext)
998 {
999 PKIX_List *expectedSet = NULL; /* OIDs */
1000 PKIX_PolicyNode *childNode = NULL;
1001 PKIX_Boolean match = PKIX_FALSE;
1003 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
1004 PKIX_NULLCHECK_THREE(policyOID, parent, state);
1006 if (subjectDomainPolicies) {
1008 PKIX_INCREF(subjectDomainPolicies);
1009 expectedSet = subjectDomainPolicies;
1011 } else {
1012 /* Create the child's ExpectedPolicy Set */
1013 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
1014 ((PKIX_PL_Object *)policyOID,
1015 PKIX_TRUE, /* make expectedPolicySet immutable */
1016 &expectedSet,
1017 plContext),
1018 PKIX_POLICYCHECKERMAKESINGLETONFAILED);
1019 }
1021 PKIX_CHECK(pkix_PolicyNode_Create
1022 (policyOID,
1023 qualifiers,
1024 state->certPoliciesCritical,
1025 expectedSet,
1026 &childNode,
1027 plContext),
1028 PKIX_POLICYNODECREATEFAILED);
1030 /*
1031 * If we had a non-empty mapping, we know the new node could not
1032 * have been created with a validPolicy of anyPolicy. Otherwise,
1033 * check whether we just created a new node with anyPolicy, because
1034 * in that case we want to save the child pointer in newAnyPolicyNode.
1035 */
1036 if (!subjectDomainPolicies) {
1037 PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
1038 PKIX_OBJECTEQUALSFAILED);
1040 if (match) {
1041 PKIX_DECREF(state->newAnyPolicyNode);
1042 PKIX_INCREF(childNode);
1043 state->newAnyPolicyNode = childNode;
1044 }
1045 }
1047 PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
1048 PKIX_POLICYNODEADDTOPARENTFAILED);
1050 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1051 ((PKIX_PL_Object *)state, plContext),
1052 PKIX_OBJECTINVALIDATECACHEFAILED);
1054 cleanup:
1055 PKIX_DECREF(childNode);
1056 PKIX_DECREF(expectedSet);
1057 PKIX_RETURN(CERTCHAINCHECKER);
1058 }
1060 /*
1061 * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
1062 * DESCRIPTION:
1063 *
1064 * Performs policy processing for the policy whose OID is pointed to by
1065 * "policyOID" and whose List of CertPolicyQualifiers is pointed to by
1066 * "policyQualifiers", using the List of policy OIDs pointed to by
1067 * "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
1068 * in accordance with the current PolicyCheckerState pointed to by "state",
1069 * and setting "pChildNodeCreated" to TRUE if a new childNode is created.
1070 * Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
1071 * The intent of the design is that the caller can set a variable to FALSE
1072 * initially, prior to a recursive set of calls. At the end, the variable
1073 * can be tested to see whether *any* of the calls created a child node.
1074 *
1075 * If the currentNode is not at the bottom of the tree, this function
1076 * calls itself recursively for each child of currentNode. At the bottom of
1077 * the tree, it creates new child nodes as appropriate. This function will
1078 * never be called with policy = anyPolicy.
1079 *
1080 * This function implements the processing described in RFC3280
1081 * Section 6.1.3(d)(1)(i).
1082 *
1083 * PARAMETERS:
1084 * "policyOID"
1085 * Address of OID of the policy to be checked for. Must be non-NULL.
1086 * "policyQualifiers"
1087 * Address of List of CertPolicyQualifiers of the policy to be checked for.
1088 * May be empty or NULL.
1089 * "subjectDomainPolicies"
1090 * Address of List of OIDs indicating the policies to which "policy" is
1091 * mapped. May be empty or NULL.
1092 * "currentNode"
1093 * Address of PolicyNode whose descendants will be checked, if not at the
1094 * bottom of the tree; or whose expectedPolicySet will be compared to
1095 * "policy", if at the bottom. Must be non-NULL.
1096 * "state"
1097 * Address of PolicyCheckerState of the current PolicyChecker. Must be
1098 * non-NULL.
1099 * "pChildNodeCreated"
1100 * Address of the Boolean that will be set TRUE if this function
1101 * creates a child node. Must be non-NULL.
1102 * "plContext"
1103 * Platform-specific context pointer.
1104 * THREAD SAFETY:
1105 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1106 * RETURNS:
1107 * Returns NULL if the function succeeds
1108 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1109 * Returns a Fatal Error if the function fails in an unrecoverable way
1110 */
1111 static PKIX_Error *
1112 pkix_PolicyChecker_CheckPolicyRecursive(
1113 PKIX_PL_OID *policyOID,
1114 PKIX_List *policyQualifiers,
1115 PKIX_List *subjectDomainPolicies,
1116 PKIX_PolicyNode *currentNode,
1117 PKIX_PolicyCheckerState *state,
1118 PKIX_Boolean *pChildNodeCreated,
1119 void *plContext)
1120 {
1121 PKIX_UInt32 depth = 0;
1122 PKIX_UInt32 numChildren = 0;
1123 PKIX_UInt32 childIx = 0;
1124 PKIX_Boolean isIncluded = PKIX_FALSE;
1125 PKIX_List *children = NULL; /* PolicyNodes */
1126 PKIX_PolicyNode *childNode = NULL;
1127 PKIX_List *expectedPolicies = NULL; /* OIDs */
1129 PKIX_ENTER
1130 (CERTCHAINCHECKER,
1131 "pkix_PolicyChecker_CheckPolicyRecursive");
1132 PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
1134 /* if not at the bottom of the tree */
1135 PKIX_CHECK(PKIX_PolicyNode_GetDepth
1136 (currentNode, &depth, plContext),
1137 PKIX_POLICYNODEGETDEPTHFAILED);
1139 if (depth < (state->certsProcessed)) {
1140 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1141 (currentNode, &children, plContext),
1142 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1144 if (children) {
1145 PKIX_CHECK(PKIX_List_GetLength
1146 (children, &numChildren, plContext),
1147 PKIX_LISTGETLENGTHFAILED);
1148 }
1150 for (childIx = 0; childIx < numChildren; childIx++) {
1152 PKIX_CHECK(PKIX_List_GetItem
1153 (children,
1154 childIx,
1155 (PKIX_PL_Object **)&childNode,
1156 plContext),
1157 PKIX_LISTGETITEMFAILED);
1159 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
1160 (policyOID,
1161 policyQualifiers,
1162 subjectDomainPolicies,
1163 childNode,
1164 state,
1165 pChildNodeCreated,
1166 plContext),
1167 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
1169 PKIX_DECREF(childNode);
1170 }
1171 } else { /* if at the bottom of the tree */
1173 /* Check whether policy is in this node's expectedPolicySet */
1174 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
1175 (currentNode, &expectedPolicies, plContext),
1176 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
1178 PKIX_NULLCHECK_ONE(expectedPolicies);
1180 PKIX_CHECK(pkix_List_Contains
1181 (expectedPolicies,
1182 (PKIX_PL_Object *)policyOID,
1183 &isIncluded,
1184 plContext),
1185 PKIX_LISTCONTAINSFAILED);
1187 if (isIncluded) {
1188 PKIX_CHECK(pkix_PolicyChecker_Spawn
1189 (currentNode,
1190 policyOID,
1191 policyQualifiers,
1192 subjectDomainPolicies,
1193 state,
1194 plContext),
1195 PKIX_POLICYCHECKERSPAWNFAILED);
1197 *pChildNodeCreated = PKIX_TRUE;
1198 }
1199 }
1201 cleanup:
1203 PKIX_DECREF(children);
1204 PKIX_DECREF(childNode);
1205 PKIX_DECREF(expectedPolicies);
1207 PKIX_RETURN(CERTCHAINCHECKER);
1208 }
1210 /*
1211 * FUNCTION: pkix_PolicyChecker_CheckPolicy
1212 * DESCRIPTION:
1213 *
1214 * Performs the non-recursive portion of the policy processing for the policy
1215 * whose OID is pointed to by "policyOID" and whose List of
1216 * CertPolicyQualifiers is pointed to by "policyQualifiers", for the
1217 * Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
1218 * to by "maps", in accordance with the current PolicyCheckerState pointed
1219 * to by "state".
1220 *
1221 * This function implements the processing described in RFC3280
1222 * Section 6.1.3(d)(1)(i).
1223 *
1224 * PARAMETERS:
1225 * "policyOID"
1226 * Address of OID of the policy to be checked for. Must be non-NULL.
1227 * "policyQualifiers"
1228 * Address of List of CertPolicyQualifiers of the policy to be checked for.
1229 * May be empty or NULL.
1230 * "cert"
1231 * Address of the current certificate. Must be non-NULL.
1232 * "maps"
1233 * Address of List of CertPolicyMaps for the current certificate
1234 * "state"
1235 * Address of PolicyCheckerState of the current PolicyChecker. Must be
1236 * non-NULL.
1237 * "plContext"
1238 * Platform-specific context pointer.
1239 * THREAD SAFETY:
1240 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1241 * RETURNS:
1242 * Returns NULL if the function succeeds
1243 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1244 * Returns a Fatal Error if the function fails in an unrecoverable way
1245 */
1246 static PKIX_Error *
1247 pkix_PolicyChecker_CheckPolicy(
1248 PKIX_PL_OID *policyOID,
1249 PKIX_List *policyQualifiers,
1250 PKIX_PL_Cert *cert,
1251 PKIX_List *maps,
1252 PKIX_PolicyCheckerState *state,
1253 void *plContext)
1254 {
1255 PKIX_Boolean childNodeCreated = PKIX_FALSE;
1256 PKIX_Boolean okToSpawn = PKIX_FALSE;
1257 PKIX_Boolean found = PKIX_FALSE;
1258 PKIX_List *subjectDomainPolicies = NULL;
1260 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
1261 PKIX_NULLCHECK_THREE(policyOID, cert, state);
1263 /*
1264 * If this is not the last certificate, get the set of
1265 * subjectDomainPolicies that "policy" maps to, according to the
1266 * current cert's policy mapping extension. That set will be NULL
1267 * if the current cert does not have a policy mapping extension,
1268 * or if the current policy is not mapped.
1269 */
1270 if (state->certsProcessed != (state->numCerts - 1)) {
1271 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1272 (maps, policyOID, &subjectDomainPolicies, plContext),
1273 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1274 }
1276 /*
1277 * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
1278 * will have to delete any nodes created with validPolicies equal to
1279 * policies that appear as issuerDomainPolicies in a policy mapping
1280 * extension. Let's avoid creating any such nodes.
1281 */
1282 if ((state->policyMapping) == 0) {
1283 if (subjectDomainPolicies) {
1284 goto cleanup;
1285 }
1286 }
1288 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
1289 (policyOID,
1290 policyQualifiers,
1291 subjectDomainPolicies,
1292 state->validPolicyTree,
1293 state,
1294 &childNodeCreated,
1295 plContext),
1296 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
1298 if (!childNodeCreated) {
1299 /*
1300 * Section 6.1.3(d)(1)(ii)
1301 * There was no match. If there was a node at
1302 * depth i-1 with valid policy anyPolicy,
1303 * generate a node subordinate to that.
1304 *
1305 * But that means this created node would be in
1306 * the valid-policy-node-set, and will be
1307 * pruned in 6.1.5(g)(iii)(2) unless it is in
1308 * the user-initial-policy-set or the user-
1309 * initial-policy-set is {anyPolicy}. So check,
1310 * and don't create it if it will be pruned.
1311 */
1312 if (state->anyPolicyNodeAtBottom) {
1313 if (state->initialIsAnyPolicy) {
1314 okToSpawn = PKIX_TRUE;
1315 } else {
1316 PKIX_CHECK(pkix_List_Contains
1317 (state->mappedUserInitialPolicySet,
1318 (PKIX_PL_Object *)policyOID,
1319 &okToSpawn,
1320 plContext),
1321 PKIX_LISTCONTAINSFAILED);
1322 }
1323 if (okToSpawn) {
1324 PKIX_CHECK(pkix_PolicyChecker_Spawn
1325 (state->anyPolicyNodeAtBottom,
1326 policyOID,
1327 policyQualifiers,
1328 subjectDomainPolicies,
1329 state,
1330 plContext),
1331 PKIX_POLICYCHECKERSPAWNFAILED);
1332 childNodeCreated = PKIX_TRUE;
1333 }
1334 }
1335 }
1337 if (childNodeCreated) {
1338 /*
1339 * If this policy had qualifiers, and the certificate policies
1340 * extension was marked critical, and the user cannot deal with
1341 * policy qualifiers, throw an error.
1342 */
1343 if (policyQualifiers &&
1344 state->certPoliciesCritical &&
1345 state->policyQualifiersRejected) {
1346 PKIX_ERROR
1347 (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
1348 }
1349 /*
1350 * If the policy we just propagated was in the list of mapped
1351 * policies, remove it from the list. That list is used, at the
1352 * end, to determine policies that have not been propagated.
1353 */
1354 if (state->mappedPolicyOIDs) {
1355 PKIX_CHECK(pkix_List_Contains
1356 (state->mappedPolicyOIDs,
1357 (PKIX_PL_Object *)policyOID,
1358 &found,
1359 plContext),
1360 PKIX_LISTCONTAINSFAILED);
1361 if (found) {
1362 PKIX_CHECK(pkix_List_Remove
1363 (state->mappedPolicyOIDs,
1364 (PKIX_PL_Object *)policyOID,
1365 plContext),
1366 PKIX_LISTREMOVEFAILED);
1367 }
1368 }
1369 }
1371 cleanup:
1373 PKIX_DECREF(subjectDomainPolicies);
1375 PKIX_RETURN(CERTCHAINCHECKER);
1376 }
1378 /*
1379 * FUNCTION: pkix_PolicyChecker_CheckAny
1380 * DESCRIPTION:
1381 * Performs the creation of PolicyNodes, for the PolicyNode pointed to by
1382 * "currentNode" and PolicyNodes subordinate to it, using the List of
1383 * qualifiers pointed to by "qualsOfAny", in accordance with the current
1384 * certificate's PolicyMaps pointed to by "policyMaps" and the current
1385 * PolicyCheckerState pointed to by "state".
1386 *
1387 * If the currentNode is not just above the bottom of the validPolicyTree, this
1388 * function calls itself recursively for each child of currentNode. At the
1389 * level just above the bottom, for each policy in the currentNode's
1390 * expectedPolicySet not already present in a child node, it creates a new
1391 * child node. The validPolicy of the child created, and its expectedPolicySet,
1392 * will be the policy from the currentNode's expectedPolicySet. The policy
1393 * qualifiers will be the qualifiers from the current certificate's anyPolicy,
1394 * the "qualsOfAny" parameter. If the currentNode's expectedSet includes
1395 * anyPolicy, a childNode will be created with a policy of anyPolicy. This is
1396 * the only way such a node can be created.
1397 *
1398 * This function is called only when anyPolicy is one of the current
1399 * certificate's policies. This function implements the processing described
1400 * in RFC3280 Section 6.1.3(d)(2).
1401 *
1402 * PARAMETERS:
1403 * "currentNode"
1404 * Address of PolicyNode whose descendants will be checked, if not at the
1405 * bottom of the tree; or whose expectedPolicySet will be compared to those
1406 * in "alreadyPresent", if at the bottom. Must be non-NULL.
1407 * "qualsOfAny"
1408 * Address of List of qualifiers of the anyPolicy in the current
1409 * certificate. May be empty or NULL.
1410 * "policyMaps"
1411 * Address of the List of PolicyMaps of the current certificate. May be
1412 * empty or NULL.
1413 * "state"
1414 * Address of the current state of the PKIX_PolicyChecker.
1415 * Must be non-NULL.
1416 * "plContext"
1417 * Platform-specific context pointer.
1418 * THREAD SAFETY:
1419 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1420 * RETURNS:
1421 * Returns NULL if the function succeeds
1422 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1423 * Returns a Fatal Error if the function fails in an unrecoverable way
1424 */
1425 static PKIX_Error *
1426 pkix_PolicyChecker_CheckAny(
1427 PKIX_PolicyNode *currentNode,
1428 PKIX_List *qualsOfAny, /* CertPolicyQualifiers */
1429 PKIX_List *policyMaps, /* CertPolicyMaps */
1430 PKIX_PolicyCheckerState *state,
1431 void *plContext)
1432 {
1433 PKIX_UInt32 depth = 0;
1434 PKIX_UInt32 numChildren = 0;
1435 PKIX_UInt32 childIx = 0;
1436 PKIX_UInt32 numPolicies = 0;
1437 PKIX_UInt32 polx = 0;
1438 PKIX_Boolean isIncluded = PKIX_FALSE;
1439 PKIX_List *children = NULL; /* PolicyNodes */
1440 PKIX_PolicyNode *childNode = NULL;
1441 PKIX_List *expectedPolicies = NULL; /* OIDs */
1442 PKIX_PL_OID *policyOID = NULL;
1443 PKIX_PL_OID *childPolicy = NULL;
1444 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
1446 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
1447 PKIX_NULLCHECK_TWO(currentNode, state);
1449 PKIX_CHECK(PKIX_PolicyNode_GetDepth
1450 (currentNode, &depth, plContext),
1451 PKIX_POLICYNODEGETDEPTHFAILED);
1453 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1454 (currentNode, &children, plContext),
1455 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1457 if (children) {
1458 PKIX_CHECK(PKIX_List_GetLength
1459 (children, &numChildren, plContext),
1460 PKIX_LISTGETLENGTHFAILED);
1461 }
1463 if (depth < (state->certsProcessed)) {
1464 for (childIx = 0; childIx < numChildren; childIx++) {
1466 PKIX_CHECK(PKIX_List_GetItem
1467 (children,
1468 childIx,
1469 (PKIX_PL_Object **)&childNode,
1470 plContext),
1471 PKIX_LISTGETITEMFAILED);
1473 PKIX_NULLCHECK_ONE(childNode);
1474 PKIX_CHECK(pkix_PolicyChecker_CheckAny
1475 (childNode,
1476 qualsOfAny,
1477 policyMaps,
1478 state,
1479 plContext),
1480 PKIX_POLICYCHECKERCHECKANYFAILED);
1482 PKIX_DECREF(childNode);
1483 }
1484 } else { /* if at the bottom of the tree */
1486 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
1487 (currentNode, &expectedPolicies, plContext),
1488 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
1490 /* Expected Policy Set is not allowed to be NULL */
1491 PKIX_NULLCHECK_ONE(expectedPolicies);
1493 PKIX_CHECK(PKIX_List_GetLength
1494 (expectedPolicies, &numPolicies, plContext),
1495 PKIX_LISTGETLENGTHFAILED);
1497 for (polx = 0; polx < numPolicies; polx++) {
1498 PKIX_CHECK(PKIX_List_GetItem
1499 (expectedPolicies,
1500 polx,
1501 (PKIX_PL_Object **)&policyOID,
1502 plContext),
1503 PKIX_LISTGETITEMFAILED);
1505 PKIX_NULLCHECK_ONE(policyOID);
1507 isIncluded = PKIX_FALSE;
1509 for (childIx = 0;
1510 (!isIncluded && (childIx < numChildren));
1511 childIx++) {
1513 PKIX_CHECK(PKIX_List_GetItem
1514 (children,
1515 childIx,
1516 (PKIX_PL_Object **)&childNode,
1517 plContext),
1518 PKIX_LISTGETITEMFAILED);
1520 PKIX_NULLCHECK_ONE(childNode);
1522 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1523 (childNode, &childPolicy, plContext),
1524 PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1526 PKIX_NULLCHECK_ONE(childPolicy);
1528 PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
1529 PKIX_OBJECTEQUALSFAILED);
1531 PKIX_DECREF(childNode);
1532 PKIX_DECREF(childPolicy);
1533 }
1535 if (!isIncluded) {
1536 if (policyMaps) {
1537 PKIX_CHECK
1538 (pkix_PolicyChecker_MapGetSubjectDomainPolicies
1539 (policyMaps,
1540 policyOID,
1541 &subjectDomainPolicies,
1542 plContext),
1543 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1544 }
1545 PKIX_CHECK(pkix_PolicyChecker_Spawn
1546 (currentNode,
1547 policyOID,
1548 qualsOfAny,
1549 subjectDomainPolicies,
1550 state,
1551 plContext),
1552 PKIX_POLICYCHECKERSPAWNFAILED);
1553 PKIX_DECREF(subjectDomainPolicies);
1554 }
1556 PKIX_DECREF(policyOID);
1557 }
1558 }
1560 cleanup:
1562 PKIX_DECREF(children);
1563 PKIX_DECREF(childNode);
1564 PKIX_DECREF(expectedPolicies);
1565 PKIX_DECREF(policyOID);
1566 PKIX_DECREF(childPolicy);
1567 PKIX_DECREF(subjectDomainPolicies);
1569 PKIX_RETURN(CERTCHAINCHECKER);
1571 }
1573 /*
1574 * FUNCTION: pkix_PolicyChecker_CalculateIntersection
1575 * DESCRIPTION:
1576 *
1577 * Processes the PolicyNode pointed to by "currentNode", and its descendants,
1578 * using the PolicyCheckerState pointed to by "state", using the List at
1579 * the address pointed to by "nominees" the OIDs of policies that are in the
1580 * user-initial-policy-set but are not represented among the nodes at the
1581 * bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
1582 * currentNode is childless at the end of this processing, FALSE if it has
1583 * children or is at the bottom of the tree.
1584 *
1585 * When this function is called at the top level, "nominees" should be the List
1586 * of all policies in the user-initial-policy-set. Policies that are
1587 * represented in the valid-policy-node-set are removed from this List. As a
1588 * result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
1589 * be created for each policy remaining in this List.
1590 *
1591 * This function implements the calculation of the intersection of the
1592 * validPolicyTree with the user-initial-policy-set, as described in
1593 * RFC 3280 6.1.5(g)(iii).
1594 *
1595 * PARAMETERS:
1596 * "currentNode"
1597 * Address of PolicyNode whose descendants will be processed as described.
1598 * Must be non-NULL.
1599 * "state"
1600 * Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
1601 * "nominees"
1602 * Address of List of the OIDs for which nodes should be created to replace
1603 * anyPolicy nodes. Must be non-NULL but may be empty.
1604 * "pShouldBePruned"
1605 * Address where Boolean return value, set to TRUE if this PolicyNode
1606 * should be deleted, is stored. Must be non-NULL.
1607 * "plContext"
1608 * Platform-specific context pointer.
1609 * THREAD SAFETY:
1610 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1611 * RETURNS:
1612 * Returns NULL if the function succeeds
1613 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1614 * Returns a Fatal Error if the function fails in an unrecoverable way
1615 */
1616 static PKIX_Error *
1617 pkix_PolicyChecker_CalculateIntersection(
1618 PKIX_PolicyNode *currentNode,
1619 PKIX_PolicyCheckerState *state,
1620 PKIX_List *nominees, /* OIDs */
1621 PKIX_Boolean *pShouldBePruned,
1622 void *plContext)
1623 {
1624 PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
1625 PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
1626 PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
1627 PKIX_Boolean shouldBePruned = PKIX_FALSE;
1628 PKIX_Boolean priorCriticality = PKIX_FALSE;
1629 PKIX_UInt32 depth = 0;
1630 PKIX_UInt32 numChildren = 0;
1631 PKIX_UInt32 childIndex = 0;
1632 PKIX_UInt32 numNominees = 0;
1633 PKIX_UInt32 polIx = 0;
1634 PKIX_PL_OID *currentPolicy = NULL;
1635 PKIX_PL_OID *parentPolicy = NULL;
1636 PKIX_PL_OID *substPolicy = NULL;
1637 PKIX_PolicyNode *parent = NULL;
1638 PKIX_PolicyNode *child = NULL;
1639 PKIX_List *children = NULL; /* PolicyNodes */
1640 PKIX_List *policyQualifiers = NULL;
1642 PKIX_ENTER
1643 (CERTCHAINCHECKER,
1644 "pkix_PolicyChecker_CalculateIntersection");
1646 /*
1647 * We call this function if the valid_policy_tree is not NULL and
1648 * the user-initial-policy-set is not any-policy.
1649 */
1650 if (!state->validPolicyTree || state->initialIsAnyPolicy) {
1651 PKIX_ERROR(PKIX_PRECONDITIONFAILED);
1652 }
1654 PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
1656 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1657 (currentNode, ¤tPolicy, plContext),
1658 PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1660 PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
1662 PKIX_EQUALS
1663 (state->anyPolicyOID,
1664 currentPolicy,
1665 ¤tPolicyIsAny,
1666 plContext,
1667 PKIX_OBJECTEQUALSFAILED);
1669 PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
1670 PKIX_POLICYNODEGETPARENTFAILED);
1672 if (currentPolicyIsAny == PKIX_FALSE) {
1674 /*
1675 * If we are at the top of the tree, or if our
1676 * parent's validPolicy is anyPolicy, we are in
1677 * the valid policy node set.
1678 */
1679 if (parent) {
1680 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
1681 (parent, &parentPolicy, plContext),
1682 PKIX_POLICYNODEGETVALIDPOLICYFAILED);
1684 PKIX_NULLCHECK_ONE(parentPolicy);
1686 PKIX_EQUALS
1687 (state->anyPolicyOID,
1688 parentPolicy,
1689 &parentPolicyIsAny,
1690 plContext,
1691 PKIX_OBJECTEQUALSFAILED);
1692 }
1694 /*
1695 * Section 6.1.5(g)(iii)(2)
1696 * If this node's policy is not in the user-initial-policy-set,
1697 * it is not in the intersection. Prune it.
1698 */
1699 if (!parent || parentPolicyIsAny) {
1700 PKIX_CHECK(pkix_List_Contains
1701 (state->userInitialPolicySet,
1702 (PKIX_PL_Object *)currentPolicy,
1703 ¤tPolicyIsValid,
1704 plContext),
1705 PKIX_LISTCONTAINSFAILED);
1706 if (!currentPolicyIsValid) {
1707 *pShouldBePruned = PKIX_TRUE;
1708 goto cleanup;
1709 }
1711 /*
1712 * If this node's policy is in the user-initial-policy-
1713 * set, it will propagate that policy into the next
1714 * level of the tree. Remove the policy from the list
1715 * of policies that an anyPolicy will spawn.
1716 */
1717 PKIX_CHECK(pkix_List_Remove
1718 (nominees,
1719 (PKIX_PL_Object *)currentPolicy,
1720 plContext),
1721 PKIX_LISTREMOVEFAILED);
1722 }
1723 }
1726 /* Are we at the bottom of the tree? */
1728 PKIX_CHECK(PKIX_PolicyNode_GetDepth
1729 (currentNode, &depth, plContext),
1730 PKIX_POLICYNODEGETDEPTHFAILED);
1732 if (depth == (state->numCerts)) {
1733 /*
1734 * Section 6.1.5(g)(iii)(3)
1735 * Replace anyPolicy nodes...
1736 */
1737 if (currentPolicyIsAny == PKIX_TRUE) {
1739 /* replace this node */
1741 PKIX_CHECK(PKIX_List_GetLength
1742 (nominees, &numNominees, plContext),
1743 PKIX_LISTGETLENGTHFAILED);
1745 if (numNominees) {
1747 PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
1748 (currentNode,
1749 &policyQualifiers,
1750 plContext),
1751 PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
1753 PKIX_CHECK(PKIX_PolicyNode_IsCritical
1754 (currentNode, &priorCriticality, plContext),
1755 PKIX_POLICYNODEISCRITICALFAILED);
1756 }
1758 PKIX_NULLCHECK_ONE(parent);
1760 for (polIx = 0; polIx < numNominees; polIx++) {
1762 PKIX_CHECK(PKIX_List_GetItem
1763 (nominees,
1764 polIx,
1765 (PKIX_PL_Object **)&substPolicy,
1766 plContext),
1767 PKIX_LISTGETITEMFAILED);
1769 PKIX_CHECK(pkix_PolicyChecker_Spawn
1770 (parent,
1771 substPolicy,
1772 policyQualifiers,
1773 NULL,
1774 state,
1775 plContext),
1776 PKIX_POLICYCHECKERSPAWNFAILED);
1778 PKIX_DECREF(substPolicy);
1780 }
1781 /* remove currentNode from parent */
1782 *pShouldBePruned = PKIX_TRUE;
1783 /*
1784 * We can get away with augmenting the parent's List
1785 * of children because we started at the end and went
1786 * toward the beginning. New nodes are added at the end.
1787 */
1788 }
1789 } else {
1790 /*
1791 * Section 6.1.5(g)(iii)(4)
1792 * Prune any childless nodes above the bottom level
1793 */
1794 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
1795 (currentNode, &children, plContext),
1796 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
1798 /* CurrentNode should have been pruned if childless. */
1799 PKIX_NULLCHECK_ONE(children);
1801 PKIX_CHECK(PKIX_List_GetLength
1802 (children, &numChildren, plContext),
1803 PKIX_LISTGETLENGTHFAILED);
1805 for (childIndex = numChildren; childIndex > 0; childIndex--) {
1807 PKIX_CHECK(PKIX_List_GetItem
1808 (children,
1809 childIndex - 1,
1810 (PKIX_PL_Object **)&child,
1811 plContext),
1812 PKIX_LISTGETITEMFAILED);
1814 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
1815 (child, state, nominees, &shouldBePruned, plContext),
1816 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
1818 if (PKIX_TRUE == shouldBePruned) {
1820 PKIX_CHECK(PKIX_List_DeleteItem
1821 (children, childIndex - 1, plContext),
1822 PKIX_LISTDELETEITEMFAILED);
1823 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1824 ((PKIX_PL_Object *)state, plContext),
1825 PKIX_OBJECTINVALIDATECACHEFAILED);
1826 }
1828 PKIX_DECREF(child);
1829 }
1831 PKIX_CHECK(PKIX_List_GetLength
1832 (children, &numChildren, plContext),
1833 PKIX_LISTGETLENGTHFAILED);
1835 if (numChildren == 0) {
1836 *pShouldBePruned = PKIX_TRUE;
1837 }
1838 }
1839 cleanup:
1840 PKIX_DECREF(currentPolicy);
1841 PKIX_DECREF(parentPolicy);
1842 PKIX_DECREF(substPolicy);
1843 PKIX_DECREF(parent);
1844 PKIX_DECREF(child);
1845 PKIX_DECREF(children);
1846 PKIX_DECREF(policyQualifiers);
1848 PKIX_RETURN(CERTCHAINCHECKER);
1850 }
1852 /*
1853 * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
1854 * DESCRIPTION:
1855 *
1856 * Performs the processing of Policies in the List of CertPolicyMaps pointed
1857 * to by "policyMaps", using and updating the PolicyCheckerState pointed to by
1858 * "state".
1859 *
1860 * This function implements the policyMap processing described in RFC3280
1861 * Section 6.1.4(b)(1), after certificate i has been processed, in preparation
1862 * for certificate i+1. Section references are to that document.
1863 *
1864 * PARAMETERS:
1865 * "policyMaps"
1866 * Address of the List of CertPolicyMaps presented by certificate i.
1867 * Must be non-NULL.
1868 * "certPoliciesIncludeAny"
1869 * Boolean value which is PKIX_TRUE if the current certificate asserts
1870 * anyPolicy, PKIX_FALSE otherwise.
1871 * "qualsOfAny"
1872 * Address of List of qualifiers of the anyPolicy in the current
1873 * certificate. May be empty or NULL.
1874 * "state"
1875 * Address of the current state of the PKIX_PolicyChecker.
1876 * Must be non-NULL.
1877 * "plContext"
1878 * Platform-specific context pointer.
1879 * THREAD SAFETY:
1880 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1881 * RETURNS:
1882 * Returns NULL if the function succeeds
1883 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
1884 * Returns a Fatal Error if the function fails in an unrecoverable way
1885 */
1886 static PKIX_Error *
1887 pkix_PolicyChecker_PolicyMapProcessing(
1888 PKIX_List *policyMaps, /* CertPolicyMaps */
1889 PKIX_Boolean certPoliciesIncludeAny,
1890 PKIX_List *qualsOfAny,
1891 PKIX_PolicyCheckerState *state,
1892 void *plContext)
1893 {
1894 PKIX_UInt32 numPolicies = 0;
1895 PKIX_UInt32 polX = 0;
1896 PKIX_PL_OID *policyOID = NULL;
1897 PKIX_List *newMappedPolicies = NULL; /* OIDs */
1898 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
1900 PKIX_ENTER
1901 (CERTCHAINCHECKER,
1902 "pkix_PolicyChecker_PolicyMapProcessing");
1903 PKIX_NULLCHECK_THREE
1904 (policyMaps,
1905 state,
1906 state->mappedUserInitialPolicySet);
1908 /*
1909 * For each policy in mappedUserInitialPolicySet, if it is not mapped,
1910 * append it to new policySet; if it is mapped, append its
1911 * subjectDomainPolicies to new policySet. When done, this new
1912 * policySet will replace mappedUserInitialPolicySet.
1913 */
1914 PKIX_CHECK(PKIX_List_Create
1915 (&newMappedPolicies, plContext),
1916 PKIX_LISTCREATEFAILED);
1918 PKIX_CHECK(PKIX_List_GetLength
1919 (state->mappedUserInitialPolicySet,
1920 &numPolicies,
1921 plContext),
1922 PKIX_LISTGETLENGTHFAILED);
1924 for (polX = 0; polX < numPolicies; polX++) {
1926 PKIX_CHECK(PKIX_List_GetItem
1927 (state->mappedUserInitialPolicySet,
1928 polX,
1929 (PKIX_PL_Object **)&policyOID,
1930 plContext),
1931 PKIX_LISTGETITEMFAILED);
1933 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1934 (policyMaps,
1935 policyOID,
1936 &subjectDomainPolicies,
1937 plContext),
1938 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1940 if (subjectDomainPolicies) {
1942 PKIX_CHECK(pkix_List_AppendUnique
1943 (newMappedPolicies,
1944 subjectDomainPolicies,
1945 plContext),
1946 PKIX_LISTAPPENDUNIQUEFAILED);
1948 PKIX_DECREF(subjectDomainPolicies);
1950 } else {
1951 PKIX_CHECK(PKIX_List_AppendItem
1952 (newMappedPolicies,
1953 (PKIX_PL_Object *)policyOID,
1954 plContext),
1955 PKIX_LISTAPPENDITEMFAILED);
1956 }
1957 PKIX_DECREF(policyOID);
1958 }
1960 /*
1961 * For each policy ID-P remaining in mappedPolicyOIDs, it has not been
1962 * propagated to the bottom of the tree (depth i). If policyMapping
1963 * is greater than zero and this cert contains anyPolicy and the tree
1964 * contains an anyPolicy node at depth i-1, then we must create a node
1965 * with validPolicy ID-P, the policy qualifiers of anyPolicy in
1966 * this certificate, and expectedPolicySet the subjectDomainPolicies
1967 * that ID-P maps to. We also then add those subjectDomainPolicies to
1968 * the list of policies that will be accepted in the next certificate,
1969 * the mappedUserInitialPolicySet.
1970 */
1972 if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
1973 (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
1975 PKIX_CHECK(PKIX_List_GetLength
1976 (state->mappedPolicyOIDs,
1977 &numPolicies,
1978 plContext),
1979 PKIX_LISTGETLENGTHFAILED);
1981 for (polX = 0; polX < numPolicies; polX++) {
1983 PKIX_CHECK(PKIX_List_GetItem
1984 (state->mappedPolicyOIDs,
1985 polX,
1986 (PKIX_PL_Object **)&policyOID,
1987 plContext),
1988 PKIX_LISTGETITEMFAILED);
1990 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
1991 (policyMaps,
1992 policyOID,
1993 &subjectDomainPolicies,
1994 plContext),
1995 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
1997 PKIX_CHECK(pkix_PolicyChecker_Spawn
1998 (state->anyPolicyNodeAtBottom,
1999 policyOID,
2000 qualsOfAny,
2001 subjectDomainPolicies,
2002 state,
2003 plContext),
2004 PKIX_POLICYCHECKERSPAWNFAILED);
2006 PKIX_CHECK(pkix_List_AppendUnique
2007 (newMappedPolicies,
2008 subjectDomainPolicies,
2009 plContext),
2010 PKIX_LISTAPPENDUNIQUEFAILED);
2012 PKIX_DECREF(subjectDomainPolicies);
2013 PKIX_DECREF(policyOID);
2014 }
2015 }
2017 PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
2018 PKIX_LISTSETIMMUTABLEFAILED);
2020 PKIX_DECREF(state->mappedUserInitialPolicySet);
2021 PKIX_INCREF(newMappedPolicies);
2023 state->mappedUserInitialPolicySet = newMappedPolicies;
2025 cleanup:
2027 PKIX_DECREF(policyOID);
2028 PKIX_DECREF(newMappedPolicies);
2029 PKIX_DECREF(subjectDomainPolicies);
2031 PKIX_RETURN(CERTCHAINCHECKER);
2032 }
2034 /*
2035 * FUNCTION: pkix_PolicyChecker_WrapUpProcessing
2036 * DESCRIPTION:
2037 *
2038 * Performs the wrap-up processing for the Cert pointed to by "cert",
2039 * using and updating the PolicyCheckerState pointed to by "state".
2040 *
2041 * This function implements the wrap-up processing described in RFC3280
2042 * Section 6.1.5, after the final certificate has been processed. Section
2043 * references in the comments are to that document.
2044 *
2045 * PARAMETERS:
2046 * "cert"
2047 * Address of the current (presumably the end entity) certificate.
2048 * Must be non-NULL.
2049 * "state"
2050 * Address of the current state of the PKIX_PolicyChecker.
2051 * Must be non-NULL.
2052 * "plContext"
2053 * Platform-specific context pointer.
2054 * THREAD SAFETY:
2055 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
2056 * RETURNS:
2057 * Returns NULL if the function succeeds
2058 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
2059 * Returns a Fatal Error if the function fails in an unrecoverable way
2060 */
2061 static PKIX_Error *
2062 pkix_PolicyChecker_WrapUpProcessing(
2063 PKIX_PL_Cert *cert,
2064 PKIX_PolicyCheckerState *state,
2065 void *plContext)
2066 {
2067 PKIX_Int32 explicitPolicySkipCerts = 0;
2068 PKIX_Boolean isSelfIssued = PKIX_FALSE;
2069 PKIX_Boolean shouldBePruned = PKIX_FALSE;
2070 PKIX_List *nominees = NULL; /* OIDs */
2071 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2072 PKIX_PL_String *stateString = NULL;
2073 char *stateAscii = NULL;
2074 PKIX_UInt32 length;
2075 #endif
2077 PKIX_ENTER
2078 (CERTCHAINCHECKER,
2079 "pkix_PolicyChecker_WrapUpProcessing");
2080 PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
2082 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2083 PKIX_CHECK(PKIX_PL_Object_ToString
2084 ((PKIX_PL_Object*)state, &stateString, plContext),
2085 PKIX_OBJECTTOSTRINGFAILED);
2087 PKIX_CHECK(PKIX_PL_String_GetEncoded
2088 (stateString,
2089 PKIX_ESCASCII,
2090 (void **)&stateAscii,
2091 &length,
2092 plContext),
2093 PKIX_STRINGGETENCODEDFAILED);
2095 PKIX_DEBUG_ARG("%s\n", stateAscii);
2097 PKIX_FREE(stateAscii);
2098 PKIX_DECREF(stateString);
2099 #endif
2101 /* Section 6.1.5(a) ... */
2102 PKIX_CHECK(pkix_IsCertSelfIssued
2103 (cert, &isSelfIssued, plContext),
2104 PKIX_ISCERTSELFISSUEDFAILED);
2106 if (!isSelfIssued) {
2107 if (state->explicitPolicy > 0) {
2109 state->explicitPolicy--;
2111 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2112 ((PKIX_PL_Object *)state, plContext),
2113 PKIX_OBJECTINVALIDATECACHEFAILED);
2114 }
2115 }
2117 /* Section 6.1.5(b) ... */
2118 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
2119 (cert, &explicitPolicySkipCerts, plContext),
2120 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
2122 if (explicitPolicySkipCerts == 0) {
2123 state->explicitPolicy = 0;
2124 }
2126 /* Section 6.1.5(g)(i) ... */
2128 if (!(state->validPolicyTree)) {
2129 goto cleanup;
2130 }
2132 /* Section 6.1.5(g)(ii) ... */
2134 if (state->initialIsAnyPolicy) {
2135 goto cleanup;
2136 }
2138 /*
2139 * Section 6.1.5(g)(iii) ...
2140 * Create a list of policies which could be substituted for anyPolicy.
2141 * Start with a (mutable) copy of user-initial-policy-set.
2142 */
2143 PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
2144 (state->userInitialPolicySet, &nominees, plContext),
2145 PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
2147 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
2148 (state->validPolicyTree, /* node at top of tree */
2149 state,
2150 nominees,
2151 &shouldBePruned,
2152 plContext),
2153 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
2155 if (PKIX_TRUE == shouldBePruned) {
2156 PKIX_DECREF(state->validPolicyTree);
2157 }
2159 if (state->validPolicyTree) {
2160 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2161 ((PKIX_PL_Object *)state->validPolicyTree, plContext),
2162 PKIX_OBJECTINVALIDATECACHEFAILED);
2163 }
2165 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2166 ((PKIX_PL_Object *)state, plContext),
2167 PKIX_OBJECTINVALIDATECACHEFAILED);
2169 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2170 if (state->validPolicyTree) {
2171 PKIX_CHECK(PKIX_PL_Object_ToString
2172 ((PKIX_PL_Object*)state, &stateString, plContext),
2173 PKIX_OBJECTTOSTRINGFAILED);
2175 PKIX_CHECK(PKIX_PL_String_GetEncoded
2176 (stateString,
2177 PKIX_ESCASCII,
2178 (void **)&stateAscii,
2179 &length,
2180 plContext),
2181 PKIX_STRINGGETENCODEDFAILED);
2183 PKIX_DEBUG_ARG
2184 ("After CalculateIntersection:\n%s\n", stateAscii);
2186 PKIX_FREE(stateAscii);
2187 PKIX_DECREF(stateString);
2188 } else {
2189 PKIX_DEBUG("validPolicyTree is NULL\n");
2190 }
2191 #endif
2193 /* Section 6.1.5(g)(iii)(4) ... */
2195 if (state->validPolicyTree) {
2197 PKIX_CHECK(pkix_PolicyNode_Prune
2198 (state->validPolicyTree,
2199 state->numCerts,
2200 &shouldBePruned,
2201 plContext),
2202 PKIX_POLICYNODEPRUNEFAILED);
2204 if (shouldBePruned) {
2205 PKIX_DECREF(state->validPolicyTree);
2206 }
2207 }
2209 if (state->validPolicyTree) {
2210 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2211 ((PKIX_PL_Object *)state->validPolicyTree, plContext),
2212 PKIX_OBJECTINVALIDATECACHEFAILED);
2213 }
2215 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2216 ((PKIX_PL_Object *)state, plContext),
2217 PKIX_OBJECTINVALIDATECACHEFAILED);
2219 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2220 PKIX_CHECK(PKIX_PL_Object_ToString
2221 ((PKIX_PL_Object*)state, &stateString, plContext),
2222 PKIX_OBJECTTOSTRINGFAILED);
2223 PKIX_CHECK(PKIX_PL_String_GetEncoded
2224 (stateString,
2225 PKIX_ESCASCII,
2226 (void **)&stateAscii,
2227 &length,
2228 plContext),
2229 PKIX_STRINGGETENCODEDFAILED);
2230 PKIX_DEBUG_ARG("%s\n", stateAscii);
2232 PKIX_FREE(stateAscii);
2233 PKIX_DECREF(stateString);
2234 #endif
2236 cleanup:
2238 PKIX_DECREF(nominees);
2240 PKIX_RETURN(CERTCHAINCHECKER);
2241 }
2244 /*
2245 * FUNCTION: pkix_PolicyChecker_Check
2246 * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
2247 *
2248 * Labels referring to sections, such as "Section 6.1.3(d)", refer to
2249 * sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
2250 *
2251 * If a non-fatal error occurs, it is unlikely that policy processing can
2252 * continue. But it is still possible that chain validation could succeed if
2253 * policy processing is non-critical. So if this function receives a non-fatal
2254 * error from a lower level routine, it aborts policy processing by setting
2255 * the validPolicyTree to NULL and tries to continue.
2256 *
2257 */
2258 static PKIX_Error *
2259 pkix_PolicyChecker_Check(
2260 PKIX_CertChainChecker *checker,
2261 PKIX_PL_Cert *cert,
2262 PKIX_List *unresolvedCriticals, /* OIDs */
2263 void **pNBIOContext,
2264 void *plContext)
2265 {
2266 PKIX_UInt32 numPolicies = 0;
2267 PKIX_UInt32 polX = 0;
2268 PKIX_Boolean result = PKIX_FALSE;
2269 PKIX_Int32 inhibitMappingSkipCerts = 0;
2270 PKIX_Int32 explicitPolicySkipCerts = 0;
2271 PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
2272 PKIX_Boolean shouldBePruned = PKIX_FALSE;
2273 PKIX_Boolean isSelfIssued = PKIX_FALSE;
2274 PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
2275 PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
2277 PKIX_PolicyCheckerState *state = NULL;
2278 PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
2279 PKIX_PL_CertPolicyInfo *policy = NULL;
2280 PKIX_PL_OID *policyOID = NULL;
2281 PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
2282 PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
2283 PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
2284 PKIX_List *mappedPolicies = NULL; /* OIDs */
2285 PKIX_Error *subroutineErr = NULL;
2286 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2287 PKIX_PL_String *stateString = NULL;
2288 char *stateAscii = NULL;
2289 PKIX_PL_String *certString = NULL;
2290 char *certAscii = NULL;
2291 PKIX_UInt32 length;
2292 #endif
2294 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
2295 PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
2297 *pNBIOContext = NULL; /* we never block on pending I/O */
2299 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
2300 (checker, (PKIX_PL_Object **)&state, plContext),
2301 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
2303 PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
2305 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2306 PKIX_CHECK(PKIX_PL_Object_ToString
2307 ((PKIX_PL_Object*)state, &stateString, plContext),
2308 PKIX_OBJECTTOSTRINGFAILED);
2309 PKIX_CHECK(PKIX_PL_String_GetEncoded
2310 (stateString,
2311 PKIX_ESCASCII,
2312 (void **)&stateAscii,
2313 &length,
2314 plContext),
2315 PKIX_STRINGGETENCODEDFAILED);
2316 PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
2317 PKIX_FREE(stateAscii);
2318 PKIX_DECREF(stateString);
2319 #endif
2321 /*
2322 * Section 6.1.4(a)
2323 * If this is not the last certificate, and if
2324 * policyMapping extension is present, check that no
2325 * issuerDomainPolicy or subjectDomainPolicy is equal to the
2326 * special policy anyPolicy.
2327 */
2328 if (state->certsProcessed != (state->numCerts - 1)) {
2329 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
2330 (cert, &policyMaps, plContext),
2331 PKIX_CERTGETPOLICYMAPPINGSFAILED);
2332 }
2334 if (policyMaps) {
2336 PKIX_CHECK(pkix_PolicyChecker_MapContains
2337 (policyMaps, state->anyPolicyOID, &result, plContext),
2338 PKIX_POLICYCHECKERMAPCONTAINSFAILED);
2340 if (result) {
2341 PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
2342 }
2344 PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
2345 (policyMaps, &mappedPolicies, plContext),
2346 PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
2348 PKIX_DECREF(state->mappedPolicyOIDs);
2349 PKIX_INCREF(mappedPolicies);
2350 state->mappedPolicyOIDs = mappedPolicies;
2351 }
2353 /* Section 6.1.3(d) */
2354 if (state->validPolicyTree) {
2356 PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
2357 (cert, &certPolicyInfos, plContext),
2358 PKIX_CERTGETPOLICYINFORMATIONFAILED);
2360 if (certPolicyInfos) {
2361 PKIX_CHECK(PKIX_List_GetLength
2362 (certPolicyInfos, &numPolicies, plContext),
2363 PKIX_LISTGETLENGTHFAILED);
2364 }
2366 if (numPolicies > 0) {
2368 PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
2369 (cert, &(state->certPoliciesCritical), plContext),
2370 PKIX_CERTARECERTPOLICIESCRITICALFAILED);
2372 /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
2373 for (polX = 0; polX < numPolicies; polX++) {
2375 PKIX_CHECK(PKIX_List_GetItem
2376 (certPolicyInfos,
2377 polX,
2378 (PKIX_PL_Object **)&policy,
2379 plContext),
2380 PKIX_LISTGETITEMFAILED);
2382 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
2383 (policy, &policyOID, plContext),
2384 PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
2386 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
2387 (policy, &policyQualifiers, plContext),
2388 PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
2390 PKIX_EQUALS
2391 (state->anyPolicyOID,
2392 policyOID,
2393 &result,
2394 plContext,
2395 PKIX_OIDEQUALFAILED);
2397 if (result == PKIX_FALSE) {
2399 /* Section 6.1.3(d)(1)(i) */
2400 subroutineErr = pkix_PolicyChecker_CheckPolicy
2401 (policyOID,
2402 policyQualifiers,
2403 cert,
2404 policyMaps,
2405 state,
2406 plContext);
2407 if (subroutineErr) {
2408 goto subrErrorCleanup;
2409 }
2411 } else {
2412 /*
2413 * No descent (yet) for anyPolicy, but we will need
2414 * the policyQualifiers for anyPolicy in 6.1.3(d)(2)
2415 */
2416 PKIX_DECREF(qualsOfAny);
2417 PKIX_INCREF(policyQualifiers);
2418 qualsOfAny = policyQualifiers;
2419 certPoliciesIncludeAny = PKIX_TRUE;
2420 }
2421 PKIX_DECREF(policy);
2422 PKIX_DECREF(policyOID);
2423 PKIX_DECREF(policyQualifiers);
2424 }
2426 /* Section 6.1.3(d)(2) */
2427 if (certPoliciesIncludeAny == PKIX_TRUE) {
2428 if (state->inhibitAnyPolicy > 0) {
2429 doAnyPolicyProcessing = PKIX_TRUE;
2430 } else {
2431 /* We haven't yet counted the current cert */
2432 if (((state->certsProcessed) + 1) <
2433 (state->numCerts)) {
2435 PKIX_CHECK(pkix_IsCertSelfIssued
2436 (cert,
2437 &doAnyPolicyProcessing,
2438 plContext),
2439 PKIX_ISCERTSELFISSUEDFAILED);
2440 }
2441 }
2442 if (doAnyPolicyProcessing) {
2443 subroutineErr = pkix_PolicyChecker_CheckAny
2444 (state->validPolicyTree,
2445 qualsOfAny,
2446 policyMaps,
2447 state,
2448 plContext);
2449 if (subroutineErr) {
2450 goto subrErrorCleanup;
2451 }
2452 }
2453 }
2455 /* Section 6.1.3(d)(3) */
2456 if (state->validPolicyTree) {
2457 subroutineErr = pkix_PolicyNode_Prune
2458 (state->validPolicyTree,
2459 state->certsProcessed + 1,
2460 &shouldBePruned,
2461 plContext);
2462 if (subroutineErr) {
2463 goto subrErrorCleanup;
2464 }
2465 if (shouldBePruned) {
2466 PKIX_DECREF(state->validPolicyTree);
2467 PKIX_DECREF(state->anyPolicyNodeAtBottom);
2468 }
2469 }
2471 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2472 ((PKIX_PL_Object *)state, plContext),
2473 PKIX_OBJECTINVALIDATECACHEFAILED);
2475 } else {
2476 /* Section 6.1.3(e) */
2477 PKIX_DECREF(state->validPolicyTree);
2478 PKIX_DECREF(state->anyPolicyNodeAtBottom);
2479 PKIX_DECREF(state->newAnyPolicyNode);
2481 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2482 ((PKIX_PL_Object *)state, plContext),
2483 PKIX_OBJECTINVALIDATECACHEFAILED);
2484 }
2485 }
2487 /* Section 6.1.3(f) */
2488 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
2489 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
2490 }
2492 /*
2493 * Remove Policy OIDs from list of unresolved critical
2494 * extensions, if present.
2495 */
2496 PKIX_CHECK(pkix_List_Remove
2497 (unresolvedCriticals,
2498 (PKIX_PL_Object *)state->certPoliciesExtension,
2499 plContext),
2500 PKIX_LISTREMOVEFAILED);
2502 PKIX_CHECK(pkix_List_Remove
2503 (unresolvedCriticals,
2504 (PKIX_PL_Object *)state->policyMappingsExtension,
2505 plContext),
2506 PKIX_LISTREMOVEFAILED);
2508 PKIX_CHECK(pkix_List_Remove
2509 (unresolvedCriticals,
2510 (PKIX_PL_Object *)state->policyConstraintsExtension,
2511 plContext),
2512 PKIX_LISTREMOVEFAILED);
2514 PKIX_CHECK(pkix_List_Remove
2515 (unresolvedCriticals,
2516 (PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
2517 plContext),
2518 PKIX_LISTREMOVEFAILED);
2520 state->certsProcessed++;
2522 /* If this was not the last certificate, do next-cert preparation */
2523 if (state->certsProcessed != state->numCerts) {
2525 if (policyMaps) {
2526 subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
2527 (policyMaps,
2528 certPoliciesIncludeAny,
2529 qualsOfAny,
2530 state,
2531 plContext);
2532 if (subroutineErr) {
2533 goto subrErrorCleanup;
2534 }
2535 }
2537 /* update anyPolicyNodeAtBottom pointer */
2538 PKIX_DECREF(state->anyPolicyNodeAtBottom);
2539 state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
2540 state->newAnyPolicyNode = NULL;
2542 /* Section 6.1.4(h) */
2543 PKIX_CHECK(pkix_IsCertSelfIssued
2544 (cert, &isSelfIssued, plContext),
2545 PKIX_ISCERTSELFISSUEDFAILED);
2547 if (!isSelfIssued) {
2548 if (state->explicitPolicy > 0) {
2549 state->explicitPolicy--;
2550 }
2551 if (state->policyMapping > 0) {
2552 state->policyMapping--;
2553 }
2554 if (state->inhibitAnyPolicy > 0) {
2555 state->inhibitAnyPolicy--;
2556 }
2557 }
2559 /* Section 6.1.4(i) */
2560 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
2561 (cert, &explicitPolicySkipCerts, plContext),
2562 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
2564 if (explicitPolicySkipCerts != -1) {
2565 if (((PKIX_UInt32)explicitPolicySkipCerts) <
2566 (state->explicitPolicy)) {
2567 state->explicitPolicy =
2568 ((PKIX_UInt32) explicitPolicySkipCerts);
2569 }
2570 }
2572 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
2573 (cert, &inhibitMappingSkipCerts, plContext),
2574 PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
2576 if (inhibitMappingSkipCerts != -1) {
2577 if (((PKIX_UInt32)inhibitMappingSkipCerts) <
2578 (state->policyMapping)) {
2579 state->policyMapping =
2580 ((PKIX_UInt32)inhibitMappingSkipCerts);
2581 }
2582 }
2584 PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
2585 (cert, &inhibitAnyPolicySkipCerts, plContext),
2586 PKIX_CERTGETINHIBITANYPOLICYFAILED);
2588 if (inhibitAnyPolicySkipCerts != -1) {
2589 if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
2590 (state->inhibitAnyPolicy)) {
2591 state->inhibitAnyPolicy =
2592 ((PKIX_UInt32)inhibitAnyPolicySkipCerts);
2593 }
2594 }
2596 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
2597 ((PKIX_PL_Object *)state, plContext),
2598 PKIX_OBJECTINVALIDATECACHEFAILED);
2600 } else { /* If this was the last certificate, do wrap-up processing */
2602 /* Section 6.1.5 */
2603 subroutineErr = pkix_PolicyChecker_WrapUpProcessing
2604 (cert, state, plContext);
2605 if (subroutineErr) {
2606 goto subrErrorCleanup;
2607 }
2609 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
2610 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
2611 }
2613 PKIX_DECREF(state->anyPolicyNodeAtBottom);
2614 PKIX_DECREF(state->newAnyPolicyNode);
2615 }
2618 if (subroutineErr) {
2620 subrErrorCleanup:
2621 /* We had an error. Was it a fatal error? */
2622 pkixErrorClass = subroutineErr->errClass;
2623 if (pkixErrorClass == PKIX_FATAL_ERROR) {
2624 pkixErrorResult = subroutineErr;
2625 subroutineErr = NULL;
2626 goto cleanup;
2627 }
2628 /*
2629 * Abort policy processing, and then determine whether
2630 * we can continue without policy processing.
2631 */
2632 PKIX_DECREF(state->validPolicyTree);
2633 PKIX_DECREF(state->anyPolicyNodeAtBottom);
2634 PKIX_DECREF(state->newAnyPolicyNode);
2635 if (state->explicitPolicy == 0) {
2636 PKIX_ERROR
2637 (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
2638 }
2639 }
2641 /* Checking is complete. Save state for the next certificate. */
2642 PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
2643 (checker, (PKIX_PL_Object *)state, plContext),
2644 PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
2646 cleanup:
2648 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG
2649 if (cert) {
2650 PKIX_CHECK(PKIX_PL_Object_ToString
2651 ((PKIX_PL_Object*)cert, &certString, plContext),
2652 PKIX_OBJECTTOSTRINGFAILED);
2653 PKIX_CHECK(PKIX_PL_String_GetEncoded
2654 (certString,
2655 PKIX_ESCASCII,
2656 (void **)&certAscii,
2657 &length,
2658 plContext),
2659 PKIX_STRINGGETENCODEDFAILED);
2660 PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
2661 PKIX_FREE(certAscii);
2662 PKIX_DECREF(certString);
2663 }
2664 if (state) {
2665 PKIX_CHECK(PKIX_PL_Object_ToString
2666 ((PKIX_PL_Object*)state, &stateString, plContext),
2667 PKIX_OBJECTTOSTRINGFAILED);
2668 PKIX_CHECK(PKIX_PL_String_GetEncoded
2669 (stateString,
2670 PKIX_ESCASCII,
2671 (void **)&stateAscii,
2672 &length,
2673 plContext),
2674 PKIX_STRINGGETENCODEDFAILED);
2675 PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
2676 PKIX_FREE(stateAscii);
2677 PKIX_DECREF(stateString);
2678 }
2679 #endif
2681 PKIX_DECREF(state);
2682 PKIX_DECREF(certPolicyInfos);
2683 PKIX_DECREF(policy);
2684 PKIX_DECREF(qualsOfAny);
2685 PKIX_DECREF(policyQualifiers);
2686 PKIX_DECREF(policyOID);
2687 PKIX_DECREF(subroutineErr);
2688 PKIX_DECREF(policyMaps);
2689 PKIX_DECREF(mappedPolicies);
2691 PKIX_RETURN(CERTCHAINCHECKER);
2692 }
2694 /*
2695 * FUNCTION: pkix_PolicyChecker_Initialize
2696 * DESCRIPTION:
2697 *
2698 * Creates and initializes a PolicyChecker, using the List pointed to
2699 * by "initialPolicies" for the user-initial-policy-set, the Boolean value
2700 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
2701 * the Boolean value of "initialPolicyMappingInhibit" for the
2702 * inhibitPolicyMappings parameter, the Boolean value of
2703 * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
2704 * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
2705 * parameter, and the UInt32 value of "numCerts" as the number of
2706 * certificates in the chain; and stores the Checker at "pChecker".
2707 *
2708 * PARAMETERS:
2709 * "initialPolicies"
2710 * Address of List of OIDs comprising the user-initial-policy-set; the List
2711 * may be empty or NULL
2712 * "policyQualifiersRejected"
2713 * Boolean value of the policyQualifiersRejected parameter
2714 * "initialPolicyMappingInhibit"
2715 * Boolean value of the inhibitPolicyMappings parameter
2716 * "initialExplicitPolicy"
2717 * Boolean value of the initialExplicitPolicy parameter
2718 * "initialAnyPolicyInhibit"
2719 * Boolean value of the inhibitAnyPolicy parameter
2720 * "numCerts"
2721 * Number of certificates in the chain to be validated
2722 * "pChecker"
2723 * Address to store the created PolicyChecker. Must be non-NULL.
2724 * "plContext"
2725 * Platform-specific context pointer.
2726 * THREAD SAFETY:
2727 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
2728 * RETURNS:
2729 * Returns NULL if the function succeeds
2730 * Returns a CertChainChecker Error if the functions fails in a non-fatal way
2731 * Returns a Fatal Error if the function fails in an unrecoverable way
2732 */
2733 PKIX_Error *
2734 pkix_PolicyChecker_Initialize(
2735 PKIX_List *initialPolicies,
2736 PKIX_Boolean policyQualifiersRejected,
2737 PKIX_Boolean initialPolicyMappingInhibit,
2738 PKIX_Boolean initialExplicitPolicy,
2739 PKIX_Boolean initialAnyPolicyInhibit,
2740 PKIX_UInt32 numCerts,
2741 PKIX_CertChainChecker **pChecker,
2742 void *plContext)
2743 {
2744 PKIX_PolicyCheckerState *polCheckerState = NULL;
2745 PKIX_List *policyExtensions = NULL; /* OIDs */
2746 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
2747 PKIX_NULLCHECK_ONE(pChecker);
2749 PKIX_CHECK(pkix_PolicyCheckerState_Create
2750 (initialPolicies,
2751 policyQualifiersRejected,
2752 initialPolicyMappingInhibit,
2753 initialExplicitPolicy,
2754 initialAnyPolicyInhibit,
2755 numCerts,
2756 &polCheckerState,
2757 plContext),
2758 PKIX_POLICYCHECKERSTATECREATEFAILED);
2760 /* Create the list of extensions that we handle */
2761 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
2762 ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
2763 PKIX_TRUE,
2764 &policyExtensions,
2765 plContext),
2766 PKIX_POLICYCHECKERMAKESINGLETONFAILED);
2768 PKIX_CHECK(PKIX_CertChainChecker_Create
2769 (pkix_PolicyChecker_Check,
2770 PKIX_FALSE, /* forwardCheckingSupported */
2771 PKIX_FALSE,
2772 policyExtensions,
2773 (PKIX_PL_Object *)polCheckerState,
2774 pChecker,
2775 plContext),
2776 PKIX_CERTCHAINCHECKERCREATEFAILED);
2778 cleanup:
2779 PKIX_DECREF(polCheckerState);
2780 PKIX_DECREF(policyExtensions);
2781 PKIX_RETURN(CERTCHAINCHECKER);
2783 }
