security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c@b8a032363ba2
security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rwxr-xr-x
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * pkix_crlselector.c
6 *
7 * CRLSelector Function Definitions
8 *
9 */
11 #include "pkix_crlselector.h"
13 /* --CRLSelector Private-Functions-------------------------------------- */
15 /*
16 * FUNCTION: pkix_CRLSelector_Destroy
17 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
18 */
19 static PKIX_Error *
20 pkix_CRLSelector_Destroy(
21 PKIX_PL_Object *object,
22 void *plContext)
23 {
24 PKIX_CRLSelector *selector = NULL;
26 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy");
27 PKIX_NULLCHECK_ONE(object);
29 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
30 PKIX_OBJECTNOTCRLSELECTOR);
32 selector = (PKIX_CRLSelector *)object;
34 selector->matchCallback = NULL;
36 PKIX_DECREF(selector->params);
37 PKIX_DECREF(selector->context);
39 cleanup:
41 PKIX_RETURN(CRLSELECTOR);
42 }
44 /*
45 * FUNCTION: pkix_CRLSelector_ToString_Helper
46 *
47 * DESCRIPTION:
48 * Helper function that creates a string representation of CRLSelector
49 * pointed to by "crlParams" and stores its address in the object pointed to
50 * by "pString".
51 *
52 * PARAMETERS
53 * "list"
54 * Address of CRLSelector whose string representation is desired.
55 * Must be non-NULL.
56 * "pString"
57 * Address of object pointer's destination. Must be non-NULL.
58 * "plContext" - Platform-specific context pointer.
59 *
60 * THREAD SAFETY:
61 * Conditionally Thread Safe
62 * (see Thread Safety Definitions in Programmer's Guide)
63 *
64 * RETURNS:
65 * Returns NULL if the function succeeds.
66 * Returns a CRLSelector Error if the function fails in a non-fatal way.
67 * Returns a Fatal Error if the function fails in an unrecoverable way.
68 */
69 static PKIX_Error *
70 pkix_CRLSelector_ToString_Helper(
71 PKIX_CRLSelector *crlSelector,
72 PKIX_PL_String **pString,
73 void *plContext)
74 {
75 PKIX_PL_String *crlSelectorString = NULL;
76 PKIX_PL_String *formatString = NULL;
77 PKIX_PL_String *crlParamsString = NULL;
78 PKIX_PL_String *crlContextString = NULL;
79 char *asciiFormat = NULL;
81 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper");
82 PKIX_NULLCHECK_TWO(crlSelector, pString);
83 PKIX_NULLCHECK_ONE(crlSelector->params);
85 asciiFormat =
86 "\n\t[\n"
87 "\tMatchCallback: 0x%x\n"
88 "\tParams: %s\n"
89 "\tContext: %s\n"
90 "\t]\n";
92 PKIX_CHECK(PKIX_PL_String_Create
93 (PKIX_ESCASCII,
94 asciiFormat,
95 0,
96 &formatString,
97 plContext),
98 PKIX_STRINGCREATEFAILED);
100 /* Params */
101 PKIX_TOSTRING
102 ((PKIX_PL_Object *)crlSelector->params,
103 &crlParamsString,
104 plContext,
105 PKIX_COMCRLSELPARAMSTOSTRINGFAILED);
107 /* Context */
108 PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext,
109 PKIX_LISTTOSTRINGFAILED);
111 PKIX_CHECK(PKIX_PL_Sprintf
112 (&crlSelectorString,
113 plContext,
114 formatString,
115 crlSelector->matchCallback,
116 crlParamsString,
117 crlContextString),
118 PKIX_SPRINTFFAILED);
120 *pString = crlSelectorString;
122 cleanup:
124 PKIX_DECREF(crlParamsString);
125 PKIX_DECREF(crlContextString);
126 PKIX_DECREF(formatString);
128 PKIX_RETURN(CRLSELECTOR);
129 }
131 /*
132 * FUNCTION: pkix_CRLSelector_ToString
133 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
134 */
135 static PKIX_Error *
136 pkix_CRLSelector_ToString(
137 PKIX_PL_Object *object,
138 PKIX_PL_String **pString,
139 void *plContext)
140 {
141 PKIX_PL_String *crlSelectorString = NULL;
142 PKIX_CRLSelector *crlSelector = NULL;
144 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString");
145 PKIX_NULLCHECK_TWO(object, pString);
147 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
148 PKIX_OBJECTNOTCRLSELECTOR);
150 crlSelector = (PKIX_CRLSelector *) object;
152 PKIX_CHECK(pkix_CRLSelector_ToString_Helper
153 (crlSelector, &crlSelectorString, plContext),
154 PKIX_CRLSELECTORTOSTRINGHELPERFAILED);
156 *pString = crlSelectorString;
158 cleanup:
160 PKIX_RETURN(CRLSELECTOR);
161 }
163 /*
164 * FUNCTION: pkix_CRLSelector_Hashcode
165 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
166 */
167 static PKIX_Error *
168 pkix_CRLSelector_Hashcode(
169 PKIX_PL_Object *object,
170 PKIX_UInt32 *pHashcode,
171 void *plContext)
172 {
173 PKIX_UInt32 paramsHash = 0;
174 PKIX_UInt32 contextHash = 0;
175 PKIX_UInt32 hash = 0;
177 PKIX_CRLSelector *crlSelector = NULL;
179 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode");
180 PKIX_NULLCHECK_TWO(object, pHashcode);
182 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
183 PKIX_OBJECTNOTCRLSELECTOR);
185 crlSelector = (PKIX_CRLSelector *)object;
187 PKIX_HASHCODE(crlSelector->params, ¶msHash, plContext,
188 PKIX_OBJECTHASHCODEFAILED);
190 PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
191 PKIX_OBJECTHASHCODEFAILED);
193 hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
194 (contextHash << 3)) + paramsHash;
196 *pHashcode = hash;
198 cleanup:
200 PKIX_RETURN(CRLSELECTOR);
201 }
203 /*
204 * FUNCTION: pkix_CRLSelector_Equals
205 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
206 */
207 static PKIX_Error *
208 pkix_CRLSelector_Equals(
209 PKIX_PL_Object *firstObject,
210 PKIX_PL_Object *secondObject,
211 PKIX_Boolean *pResult,
212 void *plContext)
213 {
214 PKIX_CRLSelector *firstCrlSelector = NULL;
215 PKIX_CRLSelector *secondCrlSelector = NULL;
216 PKIX_UInt32 secondType;
217 PKIX_Boolean cmpResult = PKIX_FALSE;
219 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals");
220 PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
222 /* test that firstObject is a CRLSelector */
223 PKIX_CHECK(pkix_CheckType
224 (firstObject, PKIX_CRLSELECTOR_TYPE, plContext),
225 PKIX_FIRSTOBJECTNOTCRLSELECTOR);
227 firstCrlSelector = (PKIX_CRLSelector *)firstObject;
228 secondCrlSelector = (PKIX_CRLSelector *)secondObject;
230 /*
231 * Since we know firstObject is a CRLSelector, if both references are
232 * identical, they must be equal
233 */
234 if (firstCrlSelector == secondCrlSelector){
235 *pResult = PKIX_TRUE;
236 goto cleanup;
237 }
239 /*
240 * If secondCRLSelector isn't a CRLSelector, we don't throw an error.
241 * We simply return a Boolean result of FALSE
242 */
243 *pResult = PKIX_FALSE;
244 PKIX_CHECK(PKIX_PL_Object_GetType
245 ((PKIX_PL_Object *)secondCrlSelector,
246 &secondType,
247 plContext),
248 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
250 if (secondType != PKIX_CRLSELECTOR_TYPE) {
251 goto cleanup;
252 }
254 /* Compare MatchCallback address */
255 cmpResult = (firstCrlSelector->matchCallback ==
256 secondCrlSelector->matchCallback);
258 if (cmpResult == PKIX_FALSE) {
259 goto cleanup;
260 }
262 /* Compare Common CRL Selector Params */
263 PKIX_EQUALS
264 (firstCrlSelector->params,
265 secondCrlSelector->params,
266 &cmpResult,
267 plContext,
268 PKIX_COMCRLSELPARAMSEQUALSFAILED);
271 if (cmpResult == PKIX_FALSE) {
272 goto cleanup;
273 }
275 /* Compare Context */
276 PKIX_EQUALS
277 (firstCrlSelector->context,
278 secondCrlSelector->context,
279 &cmpResult,
280 plContext,
281 PKIX_COMCRLSELPARAMSEQUALSFAILED);
283 *pResult = cmpResult;
285 cleanup:
287 PKIX_RETURN(CRLSELECTOR);
288 }
290 /*
291 * FUNCTION: pkix_CRLSelector_Duplicate
292 * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
293 */
294 static PKIX_Error *
295 pkix_CRLSelector_Duplicate(
296 PKIX_PL_Object *object,
297 PKIX_PL_Object **pNewObject,
298 void *plContext)
299 {
300 PKIX_CRLSelector *old;
301 PKIX_CRLSelector *new = NULL;
303 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate");
304 PKIX_NULLCHECK_TWO(object, pNewObject);
306 PKIX_CHECK(pkix_CheckType
307 (object, PKIX_CRLSELECTOR_TYPE, plContext),
308 PKIX_OBJECTNOTCRLSELECTOR);
310 old = (PKIX_CRLSelector *)object;
312 PKIX_CHECK(PKIX_PL_Object_Alloc
313 (PKIX_CRLSELECTOR_TYPE,
314 (PKIX_UInt32)(sizeof (PKIX_CRLSelector)),
315 (PKIX_PL_Object **)&new,
316 plContext),
317 PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED);
319 new->matchCallback = old->matchCallback;
321 PKIX_DUPLICATE(old->params, &new->params, plContext,
322 PKIX_OBJECTDUPLICATEPARAMSFAILED);
324 PKIX_DUPLICATE(old->context, &new->context, plContext,
325 PKIX_OBJECTDUPLICATECONTEXTFAILED);
327 *pNewObject = (PKIX_PL_Object *)new;
329 cleanup:
331 if (PKIX_ERROR_RECEIVED){
332 PKIX_DECREF(new);
333 }
335 PKIX_RETURN(CRLSELECTOR);
336 }
338 /*
339 * FUNCTION: pkix_CRLSelector_DefaultMatch
340 *
341 * DESCRIPTION:
342 * This function compares the parameter values (Issuer, date, and CRL number)
343 * set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with
344 * the corresponding values in the CRL pointed to by "crl". When all the
345 * criteria set in the parameter values match the values in "crl", PKIX_TRUE is
346 * stored at "pMatch". If the CRL does not match the CRLSelector's criteria,
347 * PKIX_FALSE is stored at "pMatch".
348 *
349 * PARAMETERS
350 * "selector"
351 * Address of CRLSelector which is verified for a match
352 * Must be non-NULL.
353 * "crl"
354 * Address of the CRL object to be verified. Must be non-NULL.
355 * "pMatch"
356 * Address at which Boolean result is stored. Must be non-NULL.
357 * "plContext"
358 * Platform-specific context pointer.
359 *
360 * THREAD SAFETY:
361 * Conditionally Thread Safe
362 * (see Thread Safety Definitions in Programmer's Guide)
363 *
364 * RETURNS:
365 * Returns NULL if the function succeeds.
366 * Returns a CRLSelector Error if the function fails in a non-fatal way.
367 * Returns a Fatal Error if the function fails in an unrecoverable way.
368 */
369 static PKIX_Error *
370 pkix_CRLSelector_DefaultMatch(
371 PKIX_CRLSelector *selector,
372 PKIX_PL_CRL *crl,
373 PKIX_Boolean *pMatch,
374 void *plContext)
375 {
376 PKIX_ComCRLSelParams *params = NULL;
377 PKIX_PL_X500Name *crlIssuerName = NULL;
378 PKIX_PL_X500Name *issuerName = NULL;
379 PKIX_List *selIssuerNames = NULL;
380 PKIX_PL_Date *selDate = NULL;
381 PKIX_Boolean result = PKIX_TRUE;
382 PKIX_UInt32 numIssuers = 0;
383 PKIX_UInt32 i;
384 PKIX_PL_BigInt *minCRLNumber = NULL;
385 PKIX_PL_BigInt *maxCRLNumber = NULL;
386 PKIX_PL_BigInt *crlNumber = NULL;
387 PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;
389 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
390 PKIX_NULLCHECK_TWO(selector, crl);
392 *pMatch = PKIX_TRUE;
393 params = selector->params;
395 /* No matching parameter provided, just a match */
396 if (params == NULL) {
397 goto cleanup;
398 }
400 PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
401 (params, &selIssuerNames, plContext),
402 PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
404 /* Check for Issuers */
405 if (selIssuerNames != NULL){
407 result = PKIX_FALSE;
409 PKIX_CHECK(PKIX_PL_CRL_GetIssuer
410 (crl, &crlIssuerName, plContext),
411 PKIX_CRLGETISSUERFAILED);
413 PKIX_CHECK(PKIX_List_GetLength
414 (selIssuerNames, &numIssuers, plContext),
415 PKIX_LISTGETLENGTHFAILED);
417 for (i = 0; i < numIssuers; i++){
419 PKIX_CHECK(PKIX_List_GetItem
420 (selIssuerNames,
421 i,
422 (PKIX_PL_Object **)&issuerName,
423 plContext),
424 PKIX_LISTGETITEMFAILED);
426 PKIX_CHECK(PKIX_PL_X500Name_Match
427 (crlIssuerName,
428 issuerName,
429 &result,
430 plContext),
431 PKIX_X500NAMEMATCHFAILED);
433 PKIX_DECREF(issuerName);
435 if (result == PKIX_TRUE) {
436 break;
437 }
438 }
440 if (result == PKIX_FALSE) {
441 PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N");
442 *pMatch = PKIX_FALSE;
443 goto cleanup;
444 }
446 }
448 PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime
449 (params, &selDate, plContext),
450 PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED);
452 /* Check for Date */
453 if (selDate != NULL){
455 PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
456 (params, &nistPolicyEnabled, plContext),
457 PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);
459 /* check crl dates only for if NIST policies enforced */
460 if (nistPolicyEnabled) {
461 result = PKIX_FALSE;
463 PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
464 (crl, selDate, &result, plContext),
465 PKIX_CRLVERIFYUPDATETIMEFAILED);
467 if (result == PKIX_FALSE) {
468 *pMatch = PKIX_FALSE;
469 goto cleanup;
470 }
471 }
473 }
475 /* Check for CRL number in range */
476 PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext),
477 PKIX_CRLGETCRLNUMBERFAILED);
479 if (crlNumber != NULL) {
480 result = PKIX_FALSE;
482 PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber
483 (params, &minCRLNumber, plContext),
484 PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED);
486 if (minCRLNumber != NULL) {
488 PKIX_CHECK(PKIX_PL_Object_Compare
489 ((PKIX_PL_Object *)minCRLNumber,
490 (PKIX_PL_Object *)crlNumber,
491 &result,
492 plContext),
493 PKIX_OBJECTCOMPARATORFAILED);
495 if (result == 1) {
496 PKIX_CRLSELECTOR_DEBUG
497 ("CRL MinNumber Range Match Failed\n");
498 *pMatch = PKIX_FALSE;
499 goto cleanup;
500 }
501 }
503 PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber
504 (params, &maxCRLNumber, plContext),
505 PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED);
507 if (maxCRLNumber != NULL) {
509 PKIX_CHECK(PKIX_PL_Object_Compare
510 ((PKIX_PL_Object *)crlNumber,
511 (PKIX_PL_Object *)maxCRLNumber,
512 &result,
513 plContext),
514 PKIX_OBJECTCOMPARATORFAILED);
516 if (result == 1) {
517 PKIX_CRLSELECTOR_DEBUG
518 (PKIX_CRLMAXNUMBERRANGEMATCHFAILED);
519 *pMatch = PKIX_FALSE;
520 goto cleanup;
521 }
522 }
523 }
525 cleanup:
527 PKIX_DECREF(selIssuerNames);
528 PKIX_DECREF(selDate);
529 PKIX_DECREF(crlIssuerName);
530 PKIX_DECREF(issuerName);
531 PKIX_DECREF(crlNumber);
532 PKIX_DECREF(minCRLNumber);
533 PKIX_DECREF(maxCRLNumber);
535 PKIX_RETURN(CRLSELECTOR);
536 }
538 /*
539 * FUNCTION: pkix_CRLSelector_RegisterSelf
540 * DESCRIPTION:
541 * Registers PKIX_CRLSELECTOR_TYPE and its related functions with
542 * systemClasses[]
543 * THREAD SAFETY:
544 * Not Thread Safe - for performance and complexity reasons
545 *
546 * Since this function is only called by PKIX_PL_Initialize, which should
547 * only be called once, it is acceptable that this function is not
548 * thread-safe.
549 */
550 PKIX_Error *
551 pkix_CRLSelector_RegisterSelf(void *plContext)
552 {
553 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
554 pkix_ClassTable_Entry entry;
556 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf");
558 entry.description = "CRLSelector";
559 entry.objCounter = 0;
560 entry.typeObjectSize = sizeof(PKIX_CRLSelector);
561 entry.destructor = pkix_CRLSelector_Destroy;
562 entry.equalsFunction = pkix_CRLSelector_Equals;
563 entry.hashcodeFunction = pkix_CRLSelector_Hashcode;
564 entry.toStringFunction = pkix_CRLSelector_ToString;
565 entry.comparator = NULL;
566 entry.duplicateFunction = pkix_CRLSelector_Duplicate;
568 systemClasses[PKIX_CRLSELECTOR_TYPE] = entry;
570 PKIX_RETURN(CRLSELECTOR);
571 }
573 /* --CRLSelector-Public-Functions---------------------------------------- */
574 PKIX_Error *
575 pkix_CRLSelector_Create(
576 PKIX_CRLSelector_MatchCallback callback,
577 PKIX_PL_Object *crlSelectorContext,
578 PKIX_CRLSelector **pSelector,
579 void *plContext)
580 {
581 PKIX_CRLSelector *selector = NULL;
583 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create");
584 PKIX_NULLCHECK_ONE(pSelector);
586 PKIX_CHECK(PKIX_PL_Object_Alloc
587 (PKIX_CRLSELECTOR_TYPE,
588 sizeof (PKIX_CRLSelector),
589 (PKIX_PL_Object **)&selector,
590 plContext),
591 PKIX_COULDNOTCREATECRLSELECTOROBJECT);
593 /*
594 * if user specified a particular match callback, we use that one.
595 * otherwise, we use the default match provided.
596 */
598 if (callback != NULL){
599 selector->matchCallback = callback;
600 } else {
601 selector->matchCallback = pkix_CRLSelector_DefaultMatch;
602 }
604 /* initialize other fields */
605 selector->params = NULL;
607 PKIX_INCREF(crlSelectorContext);
608 selector->context = crlSelectorContext;
610 *pSelector = selector;
611 selector = NULL;
613 cleanup:
615 PKIX_DECREF(selector);
617 PKIX_RETURN(CRLSELECTOR);
618 }
620 /*
621 * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h)
622 */
623 PKIX_Error *
624 PKIX_CRLSelector_Create(
625 PKIX_PL_Cert *issuer,
626 PKIX_List *crldpList,
627 PKIX_PL_Date *date,
628 PKIX_CRLSelector **pCrlSelector,
629 void *plContext)
630 {
631 PKIX_PL_X500Name *issuerName = NULL;
632 PKIX_PL_Date *nowDate = NULL;
633 PKIX_ComCRLSelParams *comCrlSelParams = NULL;
634 PKIX_CRLSelector *crlSelector = NULL;
636 PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create");
637 PKIX_NULLCHECK_ONE(issuer);
639 PKIX_CHECK(
640 PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext),
641 PKIX_CERTGETISSUERFAILED);
643 if (date != NULL) {
644 PKIX_INCREF(date);
645 nowDate = date;
646 } else {
647 PKIX_CHECK(
648 PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext),
649 PKIX_DATECREATEUTCTIMEFAILED);
650 }
652 PKIX_CHECK(
653 PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext),
654 PKIX_COMCRLSELPARAMSCREATEFAILED);
656 PKIX_CHECK(
657 PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName,
658 plContext),
659 PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
661 PKIX_CHECK(
662 PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList,
663 plContext),
664 PKIX_COMCRLSELPARAMSSETCERTFAILED);
666 PKIX_CHECK(
667 PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate,
668 plContext),
669 PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
671 PKIX_CHECK(
672 pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext),
673 PKIX_CRLSELECTORCREATEFAILED);
675 PKIX_CHECK(
676 PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector,
677 comCrlSelParams,
678 plContext),
679 PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
681 *pCrlSelector = crlSelector;
682 crlSelector = NULL;
684 cleanup:
686 PKIX_DECREF(issuerName);
687 PKIX_DECREF(nowDate);
688 PKIX_DECREF(comCrlSelParams);
689 PKIX_DECREF(crlSelector);
691 PKIX_RETURN(CERTCHAINCHECKER);
692 }
694 /*
695 * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h)
696 */
697 PKIX_Error *
698 PKIX_CRLSelector_GetMatchCallback(
699 PKIX_CRLSelector *selector,
700 PKIX_CRLSelector_MatchCallback *pCallback,
701 void *plContext)
702 {
703 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback");
704 PKIX_NULLCHECK_TWO(selector, pCallback);
706 *pCallback = selector->matchCallback;
708 PKIX_RETURN(CRLSELECTOR);
709 }
712 /*
713 * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
714 * (see comments in pkix_crlsel.h)
715 */
716 PKIX_Error *
717 PKIX_CRLSelector_GetCRLSelectorContext(
718 PKIX_CRLSelector *selector,
719 void **pCrlSelectorContext,
720 void *plContext)
721 {
722 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext");
723 PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext);
725 PKIX_INCREF(selector->context);
727 *pCrlSelectorContext = selector->context;
729 cleanup:
730 PKIX_RETURN(CRLSELECTOR);
731 }
733 /*
734 * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
735 * (see comments in pkix_crlsel.h)
736 */
737 PKIX_Error *
738 PKIX_CRLSelector_GetCommonCRLSelectorParams(
739 PKIX_CRLSelector *selector,
740 PKIX_ComCRLSelParams **pParams,
741 void *plContext)
742 {
743 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams");
744 PKIX_NULLCHECK_TWO(selector, pParams);
746 PKIX_INCREF(selector->params);
748 *pParams = selector->params;
750 cleanup:
751 PKIX_RETURN(CRLSELECTOR);
752 }
754 /*
755 * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
756 * (see comments in pkix_crlsel.h)
757 */
758 PKIX_Error *
759 PKIX_CRLSelector_SetCommonCRLSelectorParams(
760 PKIX_CRLSelector *selector,
761 PKIX_ComCRLSelParams *params,
762 void *plContext)
763 {
764 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams");
765 PKIX_NULLCHECK_TWO(selector, params);
767 PKIX_DECREF(selector->params);
769 PKIX_INCREF(params);
770 selector->params = params;
772 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
773 ((PKIX_PL_Object *)selector, plContext),
774 PKIX_OBJECTINVALIDATECACHEFAILED);
776 cleanup:
778 PKIX_RETURN(CRLSELECTOR);
779 }
781 /*
782 * FUNCTION: pkix_CRLSelector_Select
783 * DESCRIPTION:
784 *
785 * This function applies the selector pointed to by "selector" to each CRL,
786 * in turn, in the List pointed to by "before", and creates a List containing
787 * all the CRLs that matched, or passed the selection process, storing that
788 * List at "pAfter". If no CRLs match, an empty List is stored at "pAfter".
789 *
790 * The List returned in "pAfter" is immutable.
791 *
792 * PARAMETERS:
793 * "selector"
794 * Address of CRLSelelector to be applied to the List. Must be non-NULL.
795 * "before"
796 * Address of List that is to be filtered. Must be non-NULL.
797 * "pAfter"
798 * Address at which resulting List, possibly empty, is stored. Must be
799 * non-NULL.
800 * "plContext"
801 * Platform-specific context pointer.
802 * THREAD SAFETY:
803 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
804 * RETURNS:
805 * Returns NULL if the function succeeds.
806 * Returns a CRLSelector Error if the function fails in a non-fatal way.
807 * Returns a Fatal Error if the function fails in an unrecoverable way.
808 */
809 PKIX_Error *
810 pkix_CRLSelector_Select(
811 PKIX_CRLSelector *selector,
812 PKIX_List *before,
813 PKIX_List **pAfter,
814 void *plContext)
815 {
816 PKIX_Boolean match = PKIX_FALSE;
817 PKIX_UInt32 numBefore = 0;
818 PKIX_UInt32 i = 0;
819 PKIX_List *filtered = NULL;
820 PKIX_PL_CRL *candidate = NULL;
822 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select");
823 PKIX_NULLCHECK_THREE(selector, before, pAfter);
825 PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
826 PKIX_LISTCREATEFAILED);
828 PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
829 PKIX_LISTGETLENGTHFAILED);
831 for (i = 0; i < numBefore; i++) {
833 PKIX_CHECK(PKIX_List_GetItem
834 (before, i, (PKIX_PL_Object **)&candidate, plContext),
835 PKIX_LISTGETITEMFAILED);
837 PKIX_CHECK_ONLY_FATAL(selector->matchCallback
838 (selector, candidate, &match, plContext),
839 PKIX_CRLSELECTORMATCHCALLBACKFAILED);
841 if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) {
843 PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
844 (filtered,
845 (PKIX_PL_Object *)candidate,
846 plContext),
847 PKIX_LISTAPPENDITEMFAILED);
848 }
850 pkixTempErrorReceived = PKIX_FALSE;
851 PKIX_DECREF(candidate);
852 }
854 PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
855 PKIX_LISTSETIMMUTABLEFAILED);
857 /* Don't throw away the list if one CRL was bad! */
858 pkixTempErrorReceived = PKIX_FALSE;
860 *pAfter = filtered;
861 filtered = NULL;
863 cleanup:
865 PKIX_DECREF(filtered);
866 PKIX_DECREF(candidate);
868 PKIX_RETURN(CRLSELECTOR);
870 }
