michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* michael@0: * Certificate handling code michael@0: */ michael@0: michael@0: #include "nssilock.h" michael@0: #include "prmon.h" michael@0: #include "prtime.h" michael@0: #include "cert.h" michael@0: #include "certi.h" michael@0: #include "secder.h" michael@0: #include "secoid.h" michael@0: #include "secasn1.h" michael@0: #include "genname.h" michael@0: #include "keyhi.h" michael@0: #include "secitem.h" michael@0: #include "certdb.h" michael@0: #include "prprf.h" michael@0: #include "sechash.h" michael@0: #include "prlong.h" michael@0: #include "certxutl.h" michael@0: #include "portreg.h" michael@0: #include "secerr.h" michael@0: #include "sslerr.h" michael@0: #include "pk11func.h" michael@0: #include "xconst.h" /* for CERT_DecodeAltNameExtension */ michael@0: michael@0: #include "pki.h" michael@0: #include "pki3hack.h" michael@0: michael@0: SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate) michael@0: SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) michael@0: SEC_ASN1_MKSUB(SEC_BitStringTemplate) michael@0: SEC_ASN1_MKSUB(SEC_IntegerTemplate) michael@0: SEC_ASN1_MKSUB(SEC_SkipTemplate) michael@0: michael@0: /* michael@0: * Certificate database handling code michael@0: */ michael@0: michael@0: michael@0: const SEC_ASN1Template CERT_CertExtensionTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTCertExtension) }, michael@0: { SEC_ASN1_OBJECT_ID, michael@0: offsetof(CERTCertExtension,id) }, michael@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ michael@0: offsetof(CERTCertExtension,critical) }, michael@0: { SEC_ASN1_OCTET_STRING, michael@0: offsetof(CERTCertExtension,value) }, michael@0: { 0, } michael@0: }; michael@0: michael@0: const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate } michael@0: }; michael@0: michael@0: const SEC_ASN1Template CERT_TimeChoiceTemplate[] = { michael@0: { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) }, michael@0: { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime }, michael@0: { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime }, michael@0: { 0 } michael@0: }; michael@0: michael@0: const SEC_ASN1Template CERT_ValidityTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTValidity) }, michael@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN, michael@0: offsetof(CERTValidity,notBefore), michael@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, michael@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN, michael@0: offsetof(CERTValidity,notAfter), michael@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, michael@0: { 0 } michael@0: }; michael@0: michael@0: const SEC_ASN1Template CERT_CertificateTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTCertificate) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, /* XXX DER_DEFAULT */ michael@0: offsetof(CERTCertificate,version), michael@0: SEC_ASN1_SUB(SEC_IntegerTemplate) }, michael@0: { SEC_ASN1_INTEGER, michael@0: offsetof(CERTCertificate,serialNumber) }, michael@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN, michael@0: offsetof(CERTCertificate,signature), michael@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, michael@0: { SEC_ASN1_SAVE, michael@0: offsetof(CERTCertificate,derIssuer) }, michael@0: { SEC_ASN1_INLINE, michael@0: offsetof(CERTCertificate,issuer), michael@0: CERT_NameTemplate }, michael@0: { SEC_ASN1_INLINE, michael@0: offsetof(CERTCertificate,validity), michael@0: CERT_ValidityTemplate }, michael@0: { SEC_ASN1_SAVE, michael@0: offsetof(CERTCertificate,derSubject) }, michael@0: { SEC_ASN1_INLINE, michael@0: offsetof(CERTCertificate,subject), michael@0: CERT_NameTemplate }, michael@0: { SEC_ASN1_SAVE, michael@0: offsetof(CERTCertificate,derPublicKey) }, michael@0: { SEC_ASN1_INLINE, michael@0: offsetof(CERTCertificate,subjectPublicKeyInfo), michael@0: CERT_SubjectPublicKeyInfoTemplate }, michael@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, michael@0: offsetof(CERTCertificate,issuerID), michael@0: SEC_ASN1_SUB(SEC_BitStringTemplate) }, michael@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, michael@0: offsetof(CERTCertificate,subjectID), michael@0: SEC_ASN1_SUB(SEC_BitStringTemplate) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | 3, michael@0: offsetof(CERTCertificate,extensions), michael@0: CERT_SequenceOfCertExtensionTemplate }, michael@0: { 0 } michael@0: }; michael@0: michael@0: const SEC_ASN1Template SEC_SignedCertificateTemplate[] = michael@0: { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTCertificate) }, michael@0: { SEC_ASN1_SAVE, michael@0: offsetof(CERTCertificate,signatureWrap.data) }, michael@0: { SEC_ASN1_INLINE, michael@0: 0, CERT_CertificateTemplate }, michael@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN, michael@0: offsetof(CERTCertificate,signatureWrap.signatureAlgorithm), michael@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, michael@0: { SEC_ASN1_BIT_STRING, michael@0: offsetof(CERTCertificate,signatureWrap.signature) }, michael@0: { 0 } michael@0: }; michael@0: michael@0: /* michael@0: * Find the subjectName in a DER encoded certificate michael@0: */ michael@0: const SEC_ASN1Template SEC_CertSubjectTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(SECItem) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, michael@0: 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ michael@0: { SEC_ASN1_SKIP }, /* serial number */ michael@0: { SEC_ASN1_SKIP }, /* signature algorithm */ michael@0: { SEC_ASN1_SKIP }, /* issuer */ michael@0: { SEC_ASN1_SKIP }, /* validity */ michael@0: { SEC_ASN1_ANY, 0, NULL }, /* subject */ michael@0: { SEC_ASN1_SKIP_REST }, michael@0: { 0 } michael@0: }; michael@0: michael@0: /* michael@0: * Find the issuerName in a DER encoded certificate michael@0: */ michael@0: const SEC_ASN1Template SEC_CertIssuerTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(SECItem) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, michael@0: 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ michael@0: { SEC_ASN1_SKIP }, /* serial number */ michael@0: { SEC_ASN1_SKIP }, /* signature algorithm */ michael@0: { SEC_ASN1_ANY, 0, NULL }, /* issuer */ michael@0: { SEC_ASN1_SKIP_REST }, michael@0: { 0 } michael@0: }; michael@0: /* michael@0: * Find the subjectName in a DER encoded certificate michael@0: */ michael@0: const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(SECItem) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, michael@0: 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ michael@0: { SEC_ASN1_ANY, 0, NULL }, /* serial number */ michael@0: { SEC_ASN1_SKIP_REST }, michael@0: { 0 } michael@0: }; michael@0: michael@0: /* michael@0: * Find the issuer and serialNumber in a DER encoded certificate. michael@0: * This data is used as the database lookup key since its the unique michael@0: * identifier of a certificate. michael@0: */ michael@0: const SEC_ASN1Template CERT_CertKeyTemplate[] = { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTCertKey) }, michael@0: { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | michael@0: SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, michael@0: 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ michael@0: { SEC_ASN1_INTEGER, michael@0: offsetof(CERTCertKey,serialNumber) }, michael@0: { SEC_ASN1_SKIP }, /* signature algorithm */ michael@0: { SEC_ASN1_ANY, michael@0: offsetof(CERTCertKey,derIssuer) }, michael@0: { SEC_ASN1_SKIP_REST }, michael@0: { 0 } michael@0: }; michael@0: michael@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate) michael@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate) michael@0: SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate) michael@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate) michael@0: michael@0: SECStatus michael@0: CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, SECItem *sn, michael@0: SECItem *key) michael@0: { michael@0: key->len = sn->len + issuer->len; michael@0: michael@0: if ((sn->data == NULL) || (issuer->data == NULL)) { michael@0: goto loser; michael@0: } michael@0: michael@0: key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len); michael@0: if ( !key->data ) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* copy the serialNumber */ michael@0: PORT_Memcpy(key->data, sn->data, sn->len); michael@0: michael@0: /* copy the issuer */ michael@0: PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); michael@0: michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: michael@0: /* michael@0: * Extract the subject name from a DER certificate michael@0: */ michael@0: SECStatus michael@0: CERT_NameFromDERCert(SECItem *derCert, SECItem *derName) michael@0: { michael@0: int rv; michael@0: PLArenaPool *arena; michael@0: CERTSignedData sd; michael@0: void *tmpptr; michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: michael@0: if ( ! arena ) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: PORT_Memset(&sd, 0, sizeof(CERTSignedData)); michael@0: rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memset(derName, 0, sizeof(SECItem)); michael@0: rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: tmpptr = derName->data; michael@0: derName->data = (unsigned char*)PORT_Alloc(derName->len); michael@0: if ( derName->data == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memcpy(derName->data, tmpptr, derName->len); michael@0: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECFailure); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName) michael@0: { michael@0: int rv; michael@0: PLArenaPool *arena; michael@0: CERTSignedData sd; michael@0: void *tmpptr; michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: michael@0: if ( ! arena ) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: PORT_Memset(&sd, 0, sizeof(CERTSignedData)); michael@0: rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memset(derName, 0, sizeof(SECItem)); michael@0: rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: tmpptr = derName->data; michael@0: derName->data = (unsigned char*)PORT_Alloc(derName->len); michael@0: if ( derName->data == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memcpy(derName->data, tmpptr, derName->len); michael@0: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECFailure); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName) michael@0: { michael@0: int rv; michael@0: PLArenaPool *arena; michael@0: CERTSignedData sd; michael@0: void *tmpptr; michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: michael@0: if ( ! arena ) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: PORT_Memset(&sd, 0, sizeof(CERTSignedData)); michael@0: rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memset(derName, 0, sizeof(SECItem)); michael@0: rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: tmpptr = derName->data; michael@0: derName->data = (unsigned char*)PORT_Alloc(derName->len); michael@0: if ( derName->data == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memcpy(derName->data, tmpptr, derName->len); michael@0: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* michael@0: * Generate a database key, based on serial number and issuer, from a michael@0: * DER certificate. michael@0: */ michael@0: SECStatus michael@0: CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, SECItem *key) michael@0: { michael@0: int rv; michael@0: CERTSignedData sd; michael@0: CERTCertKey certkey; michael@0: michael@0: if (!reqArena) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: michael@0: PORT_Memset(&sd, 0, sizeof(CERTSignedData)); michael@0: rv = SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate, michael@0: derCert); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memset(&certkey, 0, sizeof(CERTCertKey)); michael@0: rv = SEC_QuickDERDecodeItem(reqArena, &certkey, CERT_CertKeyTemplate, michael@0: &sd.data); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: return(CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer, michael@0: &certkey.serialNumber, key)); michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* michael@0: * fill in keyUsage field of the cert based on the cert extension michael@0: * if the extension is not critical, then we allow all uses michael@0: */ michael@0: static SECStatus michael@0: GetKeyUsage(CERTCertificate *cert) michael@0: { michael@0: SECStatus rv; michael@0: SECItem tmpitem; michael@0: michael@0: rv = CERT_FindKeyUsageExtension(cert, &tmpitem); michael@0: if ( rv == SECSuccess ) { michael@0: /* remember the actual value of the extension */ michael@0: cert->rawKeyUsage = tmpitem.data[0]; michael@0: cert->keyUsagePresent = PR_TRUE; michael@0: cert->keyUsage = tmpitem.data[0]; michael@0: michael@0: PORT_Free(tmpitem.data); michael@0: tmpitem.data = NULL; michael@0: michael@0: } else { michael@0: /* if the extension is not present, then we allow all uses */ michael@0: cert->keyUsage = KU_ALL; michael@0: cert->rawKeyUsage = KU_ALL; michael@0: cert->keyUsagePresent = PR_FALSE; michael@0: } michael@0: michael@0: if ( CERT_GovtApprovedBitSet(cert) ) { michael@0: cert->keyUsage |= KU_NS_GOVT_APPROVED; michael@0: cert->rawKeyUsage |= KU_NS_GOVT_APPROVED; michael@0: } michael@0: michael@0: return(SECSuccess); michael@0: } michael@0: michael@0: michael@0: static SECStatus michael@0: findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum) michael@0: { michael@0: SECItem **oids; michael@0: SECItem *oid; michael@0: SECStatus rv = SECFailure; michael@0: michael@0: if (seq != NULL) { michael@0: oids = seq->oids; michael@0: while (oids != NULL && *oids != NULL) { michael@0: oid = *oids; michael@0: if (SECOID_FindOIDTag(oid) == tagnum) { michael@0: rv = SECSuccess; michael@0: break; michael@0: } michael@0: oids++; michael@0: } michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * fill in nsCertType field of the cert based on the cert extension michael@0: */ michael@0: SECStatus michael@0: cert_GetCertType(CERTCertificate *cert) michael@0: { michael@0: PRUint32 nsCertType; michael@0: michael@0: if (cert->nsCertType) { michael@0: /* once set, no need to recalculate */ michael@0: return SECSuccess; michael@0: } michael@0: nsCertType = cert_ComputeCertType(cert); michael@0: michael@0: /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */ michael@0: PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32)); michael@0: PR_ATOMIC_SET((PRInt32 *)&cert->nsCertType, nsCertType); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: PRUint32 michael@0: cert_ComputeCertType(CERTCertificate *cert) michael@0: { michael@0: SECStatus rv; michael@0: SECItem tmpitem; michael@0: SECItem encodedExtKeyUsage; michael@0: CERTOidSequence *extKeyUsage = NULL; michael@0: PRBool basicConstraintPresent = PR_FALSE; michael@0: CERTBasicConstraints basicConstraint; michael@0: PRUint32 nsCertType = 0; michael@0: michael@0: tmpitem.data = NULL; michael@0: CERT_FindNSCertTypeExtension(cert, &tmpitem); michael@0: encodedExtKeyUsage.data = NULL; michael@0: rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, michael@0: &encodedExtKeyUsage); michael@0: if (rv == SECSuccess) { michael@0: extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage); michael@0: } michael@0: rv = CERT_FindBasicConstraintExten(cert, &basicConstraint); michael@0: if (rv == SECSuccess) { michael@0: basicConstraintPresent = PR_TRUE; michael@0: } michael@0: if (tmpitem.data != NULL || extKeyUsage != NULL) { michael@0: if (tmpitem.data == NULL) { michael@0: nsCertType = 0; michael@0: } else { michael@0: nsCertType = tmpitem.data[0]; michael@0: } michael@0: michael@0: /* free tmpitem data pointer to avoid memory leak */ michael@0: PORT_Free(tmpitem.data); michael@0: tmpitem.data = NULL; michael@0: michael@0: /* michael@0: * for this release, we will allow SSL certs with an email address michael@0: * to be used for email michael@0: */ michael@0: if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) && michael@0: cert->emailAddr && cert->emailAddr[0]) { michael@0: nsCertType |= NS_CERT_TYPE_EMAIL; michael@0: } michael@0: /* michael@0: * for this release, we will allow SSL intermediate CAs to be michael@0: * email intermediate CAs too. michael@0: */ michael@0: if ( nsCertType & NS_CERT_TYPE_SSL_CA ) { michael@0: nsCertType |= NS_CERT_TYPE_EMAIL_CA; michael@0: } michael@0: /* michael@0: * allow a cert with the extended key usage of EMail Protect michael@0: * to be used for email or as an email CA, if basic constraints michael@0: * indicates that it is a CA. michael@0: */ michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) == michael@0: SECSuccess) { michael@0: if (basicConstraintPresent == PR_TRUE && michael@0: (basicConstraint.isCA)) { michael@0: nsCertType |= NS_CERT_TYPE_EMAIL_CA; michael@0: } else { michael@0: nsCertType |= NS_CERT_TYPE_EMAIL; michael@0: } michael@0: } michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == michael@0: SECSuccess){ michael@0: if (basicConstraintPresent == PR_TRUE && michael@0: (basicConstraint.isCA)) { michael@0: nsCertType |= NS_CERT_TYPE_SSL_CA; michael@0: } else { michael@0: nsCertType |= NS_CERT_TYPE_SSL_SERVER; michael@0: } michael@0: } michael@0: /* michael@0: * Treat certs with step-up OID as also having SSL server type. michael@0: * COMODO needs this behaviour until June 2020. See Bug 737802. michael@0: */ michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) == michael@0: SECSuccess){ michael@0: if (basicConstraintPresent == PR_TRUE && michael@0: (basicConstraint.isCA)) { michael@0: nsCertType |= NS_CERT_TYPE_SSL_CA; michael@0: } else { michael@0: nsCertType |= NS_CERT_TYPE_SSL_SERVER; michael@0: } michael@0: } michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == michael@0: SECSuccess){ michael@0: if (basicConstraintPresent == PR_TRUE && michael@0: (basicConstraint.isCA)) { michael@0: nsCertType |= NS_CERT_TYPE_SSL_CA; michael@0: } else { michael@0: nsCertType |= NS_CERT_TYPE_SSL_CLIENT; michael@0: } michael@0: } michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == michael@0: SECSuccess) { michael@0: if (basicConstraintPresent == PR_TRUE && michael@0: (basicConstraint.isCA)) { michael@0: nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; michael@0: } else { michael@0: nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING; michael@0: } michael@0: } michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == michael@0: SECSuccess) { michael@0: nsCertType |= EXT_KEY_USAGE_TIME_STAMP; michael@0: } michael@0: if (findOIDinOIDSeqByTagNum(extKeyUsage, michael@0: SEC_OID_OCSP_RESPONDER) == michael@0: SECSuccess) { michael@0: nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; michael@0: } michael@0: } else { michael@0: /* If no NS Cert Type extension and no EKU extension, then */ michael@0: nsCertType = 0; michael@0: if (CERT_IsCACert(cert, &nsCertType)) michael@0: nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; michael@0: /* if the basic constraint extension says the cert is a CA, then michael@0: allow SSL CA and EMAIL CA and Status Responder */ michael@0: if (basicConstraintPresent && basicConstraint.isCA ) { michael@0: nsCertType |= (NS_CERT_TYPE_SSL_CA | michael@0: NS_CERT_TYPE_EMAIL_CA | michael@0: EXT_KEY_USAGE_STATUS_RESPONDER); michael@0: } michael@0: /* allow any ssl or email (no ca or object signing. */ michael@0: nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | michael@0: NS_CERT_TYPE_EMAIL; michael@0: } michael@0: michael@0: if (encodedExtKeyUsage.data != NULL) { michael@0: PORT_Free(encodedExtKeyUsage.data); michael@0: } michael@0: if (extKeyUsage != NULL) { michael@0: CERT_DestroyOidSequence(extKeyUsage); michael@0: } michael@0: return nsCertType; michael@0: } michael@0: michael@0: /* michael@0: * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate michael@0: */ michael@0: SECStatus michael@0: cert_GetKeyID(CERTCertificate *cert) michael@0: { michael@0: SECItem tmpitem; michael@0: SECStatus rv; michael@0: michael@0: cert->subjectKeyID.len = 0; michael@0: michael@0: /* see of the cert has a key identifier extension */ michael@0: rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem); michael@0: if ( rv == SECSuccess ) { michael@0: cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len); michael@0: if ( cert->subjectKeyID.data != NULL ) { michael@0: PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len); michael@0: cert->subjectKeyID.len = tmpitem.len; michael@0: cert->keyIDGenerated = PR_FALSE; michael@0: } michael@0: michael@0: PORT_Free(tmpitem.data); michael@0: } michael@0: michael@0: /* if the cert doesn't have a key identifier extension, then generate one*/ michael@0: if ( cert->subjectKeyID.len == 0 ) { michael@0: /* michael@0: * pkix says that if the subjectKeyID is not present, then we should michael@0: * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert michael@0: */ michael@0: cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH); michael@0: if ( cert->subjectKeyID.data != NULL ) { michael@0: rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data, michael@0: cert->derPublicKey.data, michael@0: cert->derPublicKey.len); michael@0: if ( rv == SECSuccess ) { michael@0: cert->subjectKeyID.len = SHA1_LENGTH; michael@0: } michael@0: } michael@0: } michael@0: michael@0: if ( cert->subjectKeyID.len == 0 ) { michael@0: return(SECFailure); michael@0: } michael@0: return(SECSuccess); michael@0: michael@0: } michael@0: michael@0: static PRBool michael@0: cert_IsRootCert(CERTCertificate *cert) michael@0: { michael@0: SECStatus rv; michael@0: SECItem tmpitem; michael@0: michael@0: /* cache the authKeyID extension, if present */ michael@0: cert->authKeyID = CERT_FindAuthKeyIDExten(cert->arena, cert); michael@0: michael@0: /* it MUST be self-issued to be a root */ michael@0: if (cert->derIssuer.len == 0 || michael@0: !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject)) michael@0: { michael@0: return PR_FALSE; michael@0: } michael@0: michael@0: /* check the authKeyID extension */ michael@0: if (cert->authKeyID) { michael@0: /* authority key identifier is present */ michael@0: if (cert->authKeyID->keyID.len > 0) { michael@0: /* the keyIdentifier field is set, look for subjectKeyID */ michael@0: rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem); michael@0: if (rv == SECSuccess) { michael@0: PRBool match; michael@0: /* also present, they MUST match for it to be a root */ michael@0: match = SECITEM_ItemsAreEqual(&cert->authKeyID->keyID, michael@0: &tmpitem); michael@0: PORT_Free(tmpitem.data); michael@0: if (!match) return PR_FALSE; /* else fall through */ michael@0: } else { michael@0: /* the subject key ID is required when AKI is present */ michael@0: return PR_FALSE; michael@0: } michael@0: } michael@0: if (cert->authKeyID->authCertIssuer) { michael@0: SECItem *caName; michael@0: caName = (SECItem *)CERT_GetGeneralNameByType( michael@0: cert->authKeyID->authCertIssuer, michael@0: certDirectoryName, PR_TRUE); michael@0: if (caName) { michael@0: if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) { michael@0: return PR_FALSE; michael@0: } /* else fall through */ michael@0: } /* else ??? could not get general name as directory name? */ michael@0: } michael@0: if (cert->authKeyID->authCertSerialNumber.len > 0) { michael@0: if (!SECITEM_ItemsAreEqual(&cert->serialNumber, michael@0: &cert->authKeyID->authCertSerialNumber)) { michael@0: return PR_FALSE; michael@0: } /* else fall through */ michael@0: } michael@0: /* all of the AKI fields that were present passed the test */ michael@0: return PR_TRUE; michael@0: } michael@0: /* else the AKI was not present, so this is a root */ michael@0: return PR_TRUE; michael@0: } michael@0: michael@0: /* michael@0: * take a DER certificate and decode it into a certificate structure michael@0: */ michael@0: CERTCertificate * michael@0: CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, michael@0: char *nickname) michael@0: { michael@0: CERTCertificate *cert; michael@0: PLArenaPool *arena; michael@0: void *data; michael@0: int rv; michael@0: int len; michael@0: char *tmpname; michael@0: michael@0: /* make a new arena */ michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: michael@0: if ( !arena ) { michael@0: return 0; michael@0: } michael@0: michael@0: /* allocate the certificate structure */ michael@0: cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate)); michael@0: michael@0: if ( !cert ) { michael@0: goto loser; michael@0: } michael@0: michael@0: cert->arena = arena; michael@0: michael@0: if ( copyDER ) { michael@0: /* copy the DER data for the cert into this arena */ michael@0: data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len); michael@0: if ( !data ) { michael@0: goto loser; michael@0: } michael@0: cert->derCert.data = (unsigned char *)data; michael@0: cert->derCert.len = derSignedCert->len; michael@0: PORT_Memcpy(data, derSignedCert->data, derSignedCert->len); michael@0: } else { michael@0: /* point to passed in DER data */ michael@0: cert->derCert = *derSignedCert; michael@0: } michael@0: michael@0: /* decode the certificate info */ michael@0: rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate, michael@0: &cert->derCert); michael@0: michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) { michael@0: cert->options.bits.hasUnsupportedCriticalExt = PR_TRUE; michael@0: } michael@0: michael@0: /* generate and save the database key for the cert */ michael@0: rv = CERT_KeyFromIssuerAndSN(arena, &cert->derIssuer, &cert->serialNumber, michael@0: &cert->certKey); michael@0: if ( rv ) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* set the nickname */ michael@0: if ( nickname == NULL ) { michael@0: cert->nickname = NULL; michael@0: } else { michael@0: /* copy and install the nickname */ michael@0: len = PORT_Strlen(nickname) + 1; michael@0: cert->nickname = (char*)PORT_ArenaAlloc(arena, len); michael@0: if ( cert->nickname == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memcpy(cert->nickname, nickname, len); michael@0: } michael@0: michael@0: /* set the email address */ michael@0: cert->emailAddr = cert_GetCertificateEmailAddresses(cert); michael@0: michael@0: /* initialize the subjectKeyID */ michael@0: rv = cert_GetKeyID(cert); michael@0: if ( rv != SECSuccess ) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* initialize keyUsage */ michael@0: rv = GetKeyUsage(cert); michael@0: if ( rv != SECSuccess ) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* determine if this is a root cert */ michael@0: cert->isRoot = cert_IsRootCert(cert); michael@0: michael@0: /* initialize the certType */ michael@0: rv = cert_GetCertType(cert); michael@0: if ( rv != SECSuccess ) { michael@0: goto loser; michael@0: } michael@0: michael@0: tmpname = CERT_NameToAscii(&cert->subject); michael@0: if ( tmpname != NULL ) { michael@0: cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname); michael@0: PORT_Free(tmpname); michael@0: } michael@0: michael@0: tmpname = CERT_NameToAscii(&cert->issuer); michael@0: if ( tmpname != NULL ) { michael@0: cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname); michael@0: PORT_Free(tmpname); michael@0: } michael@0: michael@0: cert->referenceCount = 1; michael@0: cert->slot = NULL; michael@0: cert->pkcs11ID = CK_INVALID_HANDLE; michael@0: cert->dbnickname = NULL; michael@0: michael@0: return(cert); michael@0: michael@0: loser: michael@0: michael@0: if ( arena ) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: } michael@0: michael@0: return(0); michael@0: } michael@0: michael@0: CERTCertificate * michael@0: __CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, michael@0: char *nickname) michael@0: { michael@0: return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname); michael@0: } michael@0: michael@0: michael@0: CERTValidity * michael@0: CERT_CreateValidity(PRTime notBefore, PRTime notAfter) michael@0: { michael@0: CERTValidity *v; michael@0: int rv; michael@0: PLArenaPool *arena; michael@0: michael@0: if (notBefore > notAfter) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return NULL; michael@0: } michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: michael@0: if ( !arena ) { michael@0: return(0); michael@0: } michael@0: michael@0: v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity)); michael@0: if (v) { michael@0: v->arena = arena; michael@0: rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore); michael@0: if (rv) goto loser; michael@0: rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter); michael@0: if (rv) goto loser; michael@0: } michael@0: return v; michael@0: michael@0: loser: michael@0: CERT_DestroyValidity(v); michael@0: return 0; michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_CopyValidity(PLArenaPool *arena, CERTValidity *to, CERTValidity *from) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: CERT_DestroyValidity(to); michael@0: to->arena = arena; michael@0: michael@0: rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore); michael@0: if (rv) return rv; michael@0: rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter); michael@0: return rv; michael@0: } michael@0: michael@0: void michael@0: CERT_DestroyValidity(CERTValidity *v) michael@0: { michael@0: if (v && v->arena) { michael@0: PORT_FreeArena(v->arena, PR_FALSE); michael@0: } michael@0: return; michael@0: } michael@0: michael@0: /* michael@0: ** Amount of time that a certifiate is allowed good before it is actually michael@0: ** good. This is used for pending certificates, ones that are about to be michael@0: ** valid. The slop is designed to allow for some variance in the clocks michael@0: ** of the machine checking the certificate. michael@0: */ michael@0: #define PENDING_SLOP (24L*60L*60L) /* seconds per day */ michael@0: static PRInt32 pendingSlop = PENDING_SLOP; /* seconds */ michael@0: michael@0: PRInt32 michael@0: CERT_GetSlopTime(void) michael@0: { michael@0: return pendingSlop; /* seconds */ michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_SetSlopTime(PRInt32 slop) /* seconds */ michael@0: { michael@0: if (slop < 0) michael@0: return SECFailure; michael@0: pendingSlop = slop; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore, PRTime *notAfter) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: if (!c || !notBefore || !notAfter) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* convert DER not-before time */ michael@0: rv = DER_DecodeTimeChoice(notBefore, &c->validity.notBefore); michael@0: if (rv) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* convert DER not-after time */ michael@0: rv = DER_DecodeTimeChoice(notAfter, &c->validity.notAfter); michael@0: if (rv) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: return(SECSuccess); michael@0: } michael@0: michael@0: /* michael@0: * Check the validity times of a certificate michael@0: */ michael@0: SECCertTimeValidity michael@0: CERT_CheckCertValidTimes(const CERTCertificate *c, PRTime t, michael@0: PRBool allowOverride) michael@0: { michael@0: PRTime notBefore, notAfter, llPendingSlop, tmp1; michael@0: SECStatus rv; michael@0: michael@0: if (!c) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return(secCertTimeUndetermined); michael@0: } michael@0: /* if cert is already marked OK, then don't bother to check */ michael@0: if ( allowOverride && c->timeOK ) { michael@0: return(secCertTimeValid); michael@0: } michael@0: michael@0: rv = CERT_GetCertTimes(c, ¬Before, ¬After); michael@0: michael@0: if (rv) { michael@0: return(secCertTimeExpired); /*XXX is this the right thing to do here?*/ michael@0: } michael@0: michael@0: LL_I2L(llPendingSlop, pendingSlop); michael@0: /* convert to micro seconds */ michael@0: LL_UI2L(tmp1, PR_USEC_PER_SEC); michael@0: LL_MUL(llPendingSlop, llPendingSlop, tmp1); michael@0: LL_SUB(notBefore, notBefore, llPendingSlop); michael@0: if ( LL_CMP( t, <, notBefore ) ) { michael@0: PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); michael@0: return(secCertTimeNotValidYet); michael@0: } michael@0: if ( LL_CMP( t, >, notAfter) ) { michael@0: PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); michael@0: return(secCertTimeExpired); michael@0: } michael@0: michael@0: return(secCertTimeValid); michael@0: } michael@0: michael@0: SECStatus michael@0: SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter) michael@0: { michael@0: int rv; michael@0: michael@0: /* convert DER not-before time */ michael@0: rv = DER_DecodeTimeChoice(notBefore, &date->lastUpdate); michael@0: if (rv) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* convert DER not-after time */ michael@0: if (date->nextUpdate.data) { michael@0: rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate); michael@0: if (rv) { michael@0: return(SECFailure); michael@0: } michael@0: } michael@0: else { michael@0: LL_I2L(*notAfter, 0L); michael@0: } michael@0: return(SECSuccess); michael@0: } michael@0: michael@0: /* These routines should probably be combined with the cert michael@0: * routines using an common extraction routine. michael@0: */ michael@0: SECCertTimeValidity michael@0: SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) { michael@0: PRTime notBefore, notAfter, llPendingSlop, tmp1; michael@0: SECStatus rv; michael@0: michael@0: rv = SEC_GetCrlTimes(crl, ¬Before, ¬After); michael@0: michael@0: if (rv) { michael@0: return(secCertTimeExpired); michael@0: } michael@0: michael@0: LL_I2L(llPendingSlop, pendingSlop); michael@0: /* convert to micro seconds */ michael@0: LL_I2L(tmp1, PR_USEC_PER_SEC); michael@0: LL_MUL(llPendingSlop, llPendingSlop, tmp1); michael@0: LL_SUB(notBefore, notBefore, llPendingSlop); michael@0: if ( LL_CMP( t, <, notBefore ) ) { michael@0: return(secCertTimeNotValidYet); michael@0: } michael@0: michael@0: /* If next update is omitted and the test for notBefore passes, then michael@0: we assume that the crl is up to date. michael@0: */ michael@0: if ( LL_IS_ZERO(notAfter) ) { michael@0: return(secCertTimeValid); michael@0: } michael@0: michael@0: if ( LL_CMP( t, >, notAfter) ) { michael@0: return(secCertTimeExpired); michael@0: } michael@0: michael@0: return(secCertTimeValid); michael@0: } michael@0: michael@0: PRBool michael@0: SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) { michael@0: PRTime newNotBefore, newNotAfter; michael@0: PRTime oldNotBefore, oldNotAfter; michael@0: SECStatus rv; michael@0: michael@0: /* problems with the new CRL? reject it */ michael@0: rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter); michael@0: if (rv) return PR_FALSE; michael@0: michael@0: /* problems with the old CRL? replace it */ michael@0: rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter); michael@0: if (rv) return PR_TRUE; michael@0: michael@0: /* Question: what about the notAfter's? */ michael@0: return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore)); michael@0: } michael@0: michael@0: /* michael@0: * return required key usage and cert type based on cert usage michael@0: */ michael@0: SECStatus michael@0: CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, michael@0: PRBool ca, michael@0: unsigned int *retKeyUsage, michael@0: unsigned int *retCertType) michael@0: { michael@0: unsigned int requiredKeyUsage = 0; michael@0: unsigned int requiredCertType = 0; michael@0: michael@0: if ( ca ) { michael@0: switch ( usage ) { michael@0: case certUsageSSLServerWithStepUp: michael@0: requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: case certUsageSSLClient: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: case certUsageSSLServer: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: case certUsageSSLCA: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: case certUsageEmailSigner: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_EMAIL_CA; michael@0: break; michael@0: case certUsageEmailRecipient: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_EMAIL_CA; michael@0: break; michael@0: case certUsageObjectSigner: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA; michael@0: break; michael@0: case certUsageAnyCA: michael@0: case certUsageVerifyCA: michael@0: case certUsageStatusResponder: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA | michael@0: NS_CERT_TYPE_EMAIL_CA | michael@0: NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: default: michael@0: PORT_Assert(0); michael@0: goto loser; michael@0: } michael@0: } else { michael@0: switch ( usage ) { michael@0: case certUsageSSLClient: michael@0: /* michael@0: * RFC 5280 lists digitalSignature and keyAgreement for michael@0: * id-kp-clientAuth. NSS does not support the *_fixed_dh and michael@0: * *_fixed_ecdh client certificate types. michael@0: */ michael@0: requiredKeyUsage = KU_DIGITAL_SIGNATURE; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CLIENT; michael@0: break; michael@0: case certUsageSSLServer: michael@0: requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; michael@0: requiredCertType = NS_CERT_TYPE_SSL_SERVER; michael@0: break; michael@0: case certUsageSSLServerWithStepUp: michael@0: requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT | michael@0: KU_NS_GOVT_APPROVED; michael@0: requiredCertType = NS_CERT_TYPE_SSL_SERVER; michael@0: break; michael@0: case certUsageSSLCA: michael@0: requiredKeyUsage = KU_KEY_CERT_SIGN; michael@0: requiredCertType = NS_CERT_TYPE_SSL_CA; michael@0: break; michael@0: case certUsageEmailSigner: michael@0: requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; michael@0: requiredCertType = NS_CERT_TYPE_EMAIL; michael@0: break; michael@0: case certUsageEmailRecipient: michael@0: requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; michael@0: requiredCertType = NS_CERT_TYPE_EMAIL; michael@0: break; michael@0: case certUsageObjectSigner: michael@0: /* RFC 5280 lists only digitalSignature for id-kp-codeSigning. */ michael@0: requiredKeyUsage = KU_DIGITAL_SIGNATURE; michael@0: requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING; michael@0: break; michael@0: case certUsageStatusResponder: michael@0: requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; michael@0: requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER; michael@0: break; michael@0: default: michael@0: PORT_Assert(0); michael@0: goto loser; michael@0: } michael@0: } michael@0: michael@0: if ( retKeyUsage != NULL ) { michael@0: *retKeyUsage = requiredKeyUsage; michael@0: } michael@0: if ( retCertType != NULL ) { michael@0: *retCertType = requiredCertType; michael@0: } michael@0: michael@0: return(SECSuccess); michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* michael@0: * check the key usage of a cert against a set of required values michael@0: */ michael@0: SECStatus michael@0: CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage) michael@0: { michael@0: if (!cert) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: /* choose between key agreement or key encipherment based on key michael@0: * type in cert michael@0: */ michael@0: if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) { michael@0: KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo); michael@0: /* turn off the special bit */ michael@0: requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT); michael@0: michael@0: switch (keyType) { michael@0: case rsaKey: michael@0: requiredUsage |= KU_KEY_ENCIPHERMENT; michael@0: break; michael@0: case dsaKey: michael@0: requiredUsage |= KU_DIGITAL_SIGNATURE; michael@0: break; michael@0: case dhKey: michael@0: requiredUsage |= KU_KEY_AGREEMENT; michael@0: break; michael@0: case ecKey: michael@0: /* Accept either signature or agreement. */ michael@0: if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))) michael@0: goto loser; michael@0: break; michael@0: default: michael@0: goto loser; michael@0: } michael@0: } michael@0: michael@0: /* Allow either digital signature or non-repudiation */ michael@0: if ( requiredUsage & KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION ) { michael@0: /* turn off the special bit */ michael@0: requiredUsage &= (~KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION); michael@0: michael@0: if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))) michael@0: goto loser; michael@0: } michael@0: michael@0: if ( (cert->keyUsage & requiredUsage) == requiredUsage ) michael@0: return SECSuccess; michael@0: michael@0: loser: michael@0: PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); michael@0: return SECFailure; michael@0: } michael@0: michael@0: michael@0: CERTCertificate * michael@0: CERT_DupCertificate(CERTCertificate *c) michael@0: { michael@0: if (c) { michael@0: NSSCertificate *tmp = STAN_GetNSSCertificate(c); michael@0: nssCertificate_AddRef(tmp); michael@0: } michael@0: return c; michael@0: } michael@0: michael@0: /* michael@0: * Allow use of default cert database, so that apps(such as mozilla) don't michael@0: * have to pass the handle all over the place. michael@0: */ michael@0: static CERTCertDBHandle *default_cert_db_handle = 0; michael@0: michael@0: void michael@0: CERT_SetDefaultCertDB(CERTCertDBHandle *handle) michael@0: { michael@0: default_cert_db_handle = handle; michael@0: michael@0: return; michael@0: } michael@0: michael@0: CERTCertDBHandle * michael@0: CERT_GetDefaultCertDB(void) michael@0: { michael@0: return(default_cert_db_handle); michael@0: } michael@0: michael@0: /* XXX this would probably be okay/better as an xp routine? */ michael@0: static void michael@0: sec_lower_string(char *s) michael@0: { michael@0: if ( s == NULL ) { michael@0: return; michael@0: } michael@0: michael@0: while ( *s ) { michael@0: *s = PORT_Tolower(*s); michael@0: s++; michael@0: } michael@0: michael@0: return; michael@0: } michael@0: michael@0: static PRBool michael@0: cert_IsIPAddr(const char *hn) michael@0: { michael@0: PRBool isIPaddr = PR_FALSE; michael@0: PRNetAddr netAddr; michael@0: isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); michael@0: return isIPaddr; michael@0: } michael@0: michael@0: /* michael@0: ** Add a domain name to the list of names that the user has explicitly michael@0: ** allowed (despite cert name mismatches) for use with a server cert. michael@0: */ michael@0: SECStatus michael@0: CERT_AddOKDomainName(CERTCertificate *cert, const char *hn) michael@0: { michael@0: CERTOKDomainName *domainOK; michael@0: int newNameLen; michael@0: michael@0: if (!hn || !(newNameLen = strlen(hn))) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, michael@0: (sizeof *domainOK) + newNameLen); michael@0: if (!domainOK) michael@0: return SECFailure; /* error code is already set. */ michael@0: michael@0: PORT_Strcpy(domainOK->name, hn); michael@0: sec_lower_string(domainOK->name); michael@0: michael@0: /* put at head of list. */ michael@0: domainOK->next = cert->domainOK; michael@0: cert->domainOK = domainOK; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* returns SECSuccess if hn matches pattern cn, michael@0: ** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match, michael@0: ** returns SECFailure with some other error code if another error occurs. michael@0: ** michael@0: ** This function may modify string cn, so caller must pass a modifiable copy. michael@0: */ michael@0: static SECStatus michael@0: cert_TestHostName(char * cn, const char * hn) michael@0: { michael@0: static int useShellExp = -1; michael@0: michael@0: if (useShellExp < 0) { michael@0: useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME")); michael@0: } michael@0: if (useShellExp) { michael@0: /* Backward compatible code, uses Shell Expressions (SHEXP). */ michael@0: int regvalid = PORT_RegExpValid(cn); michael@0: if (regvalid != NON_SXP) { michael@0: SECStatus rv; michael@0: /* cn is a regular expression, try to match the shexp */ michael@0: int match = PORT_RegExpCaseSearch(hn, cn); michael@0: michael@0: if ( match == 0 ) { michael@0: rv = SECSuccess; michael@0: } else { michael@0: PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); michael@0: rv = SECFailure; michael@0: } michael@0: return rv; michael@0: } michael@0: } else { michael@0: /* New approach conforms to RFC 6125. */ michael@0: char *wildcard = PORT_Strchr(cn, '*'); michael@0: char *firstcndot = PORT_Strchr(cn, '.'); michael@0: char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; michael@0: char *firsthndot = PORT_Strchr(hn, '.'); michael@0: michael@0: /* For a cn pattern to be considered valid, the wildcard character... michael@0: * - may occur only in a DNS name with at least 3 components, and michael@0: * - may occur only as last character in the first component, and michael@0: * - may be preceded by additional characters, and michael@0: * - must not be preceded by an IDNA ACE prefix (xn--) michael@0: */ michael@0: if (wildcard && secondcndot && secondcndot[1] && firsthndot michael@0: && firstcndot - wildcard == 1 /* wildcard is last char in first component */ michael@0: && secondcndot - firstcndot > 1 /* second component is non-empty */ michael@0: && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ michael@0: && !PORT_Strncasecmp(cn, hn, wildcard - cn) michael@0: && !PORT_Strcasecmp(firstcndot, firsthndot) michael@0: /* If hn starts with xn--, then cn must start with wildcard */ michael@0: && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { michael@0: /* valid wildcard pattern match */ michael@0: return SECSuccess; michael@0: } michael@0: } michael@0: /* String cn has no wildcard or shell expression. michael@0: * Compare entire string hn with cert name. michael@0: */ michael@0: if (PORT_Strcasecmp(hn, cn) == 0) { michael@0: return SECSuccess; michael@0: } michael@0: michael@0: PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); michael@0: return SECFailure; michael@0: } michael@0: michael@0: michael@0: SECStatus michael@0: cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn) michael@0: { michael@0: PLArenaPool * arena = NULL; michael@0: CERTGeneralName * nameList = NULL; michael@0: CERTGeneralName * current; michael@0: char * cn; michael@0: int cnBufLen; michael@0: unsigned int hnLen; michael@0: int DNSextCount = 0; michael@0: int IPextCount = 0; michael@0: PRBool isIPaddr = PR_FALSE; michael@0: SECStatus rv = SECFailure; michael@0: SECItem subAltName; michael@0: PRNetAddr netAddr; michael@0: char cnbuf[128]; michael@0: michael@0: subAltName.data = NULL; michael@0: hnLen = strlen(hn); michael@0: cn = cnbuf; michael@0: cnBufLen = sizeof cnbuf; michael@0: michael@0: rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, michael@0: &subAltName); michael@0: if (rv != SECSuccess) { michael@0: goto fail; michael@0: } michael@0: isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); michael@0: rv = SECFailure; michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if (!arena) michael@0: goto fail; michael@0: michael@0: nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); michael@0: if (!current) michael@0: goto fail; michael@0: michael@0: do { michael@0: switch (current->type) { michael@0: case certDNSName: michael@0: if (!isIPaddr) { michael@0: /* DNS name current->name.other.data is not null terminated. michael@0: ** so must copy it. michael@0: */ michael@0: int cnLen = current->name.other.len; michael@0: rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, michael@0: (char *)current->name.other.data, michael@0: cnLen); michael@0: if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) { michael@0: cnBufLen = cnLen * 3 + 3; /* big enough for worst case */ michael@0: cn = (char *)PORT_ArenaAlloc(arena, cnBufLen); michael@0: if (!cn) michael@0: goto fail; michael@0: rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, michael@0: (char *)current->name.other.data, michael@0: cnLen); michael@0: } michael@0: if (rv == SECSuccess) michael@0: rv = cert_TestHostName(cn ,hn); michael@0: if (rv == SECSuccess) michael@0: goto finish; michael@0: } michael@0: DNSextCount++; michael@0: break; michael@0: case certIPAddress: michael@0: if (isIPaddr) { michael@0: int match = 0; michael@0: PRIPv6Addr v6Addr; michael@0: if (current->name.other.len == 4 && /* IP v4 address */ michael@0: netAddr.inet.family == PR_AF_INET) { michael@0: match = !memcmp(&netAddr.inet.ip, michael@0: current->name.other.data, 4); michael@0: } else if (current->name.other.len == 16 && /* IP v6 address */ michael@0: netAddr.ipv6.family == PR_AF_INET6) { michael@0: match = !memcmp(&netAddr.ipv6.ip, michael@0: current->name.other.data, 16); michael@0: } else if (current->name.other.len == 16 && /* IP v6 address */ michael@0: netAddr.inet.family == PR_AF_INET) { michael@0: /* convert netAddr to ipv6, then compare. */ michael@0: /* ipv4 must be in Network Byte Order on input. */ michael@0: PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr); michael@0: match = !memcmp(&v6Addr, current->name.other.data, 16); michael@0: } else if (current->name.other.len == 4 && /* IP v4 address */ michael@0: netAddr.inet.family == PR_AF_INET6) { michael@0: /* convert netAddr to ipv6, then compare. */ michael@0: PRUint32 ipv4 = (current->name.other.data[0] << 24) | michael@0: (current->name.other.data[1] << 16) | michael@0: (current->name.other.data[2] << 8) | michael@0: current->name.other.data[3]; michael@0: /* ipv4 must be in Network Byte Order on input. */ michael@0: PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr); michael@0: match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16); michael@0: } michael@0: if (match) { michael@0: rv = SECSuccess; michael@0: goto finish; michael@0: } michael@0: } michael@0: IPextCount++; michael@0: break; michael@0: default: michael@0: break; michael@0: } michael@0: current = CERT_GetNextGeneralName(current); michael@0: } while (current != nameList); michael@0: michael@0: fail: michael@0: michael@0: if (!(isIPaddr ? IPextCount : DNSextCount)) { michael@0: /* no relevant value in the extension was found. */ michael@0: PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); michael@0: } else { michael@0: PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); michael@0: } michael@0: rv = SECFailure; michael@0: michael@0: finish: michael@0: michael@0: /* Don't free nameList, it's part of the arena. */ michael@0: if (arena) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: } michael@0: michael@0: if (subAltName.data) { michael@0: SECITEM_FreeItem(&subAltName, PR_FALSE); michael@0: } michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * If found: michael@0: * - subAltName contains the extension (caller must free) michael@0: * - return value is the decoded namelist (allocated off arena) michael@0: * if not found, or if failure to decode: michael@0: * - return value is NULL michael@0: */ michael@0: CERTGeneralName * michael@0: cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena) michael@0: { michael@0: CERTGeneralName * nameList = NULL; michael@0: SECStatus rv = SECFailure; michael@0: SECItem subAltName; michael@0: michael@0: if (!cert || !arena) michael@0: return NULL; michael@0: michael@0: subAltName.data = NULL; michael@0: michael@0: rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, michael@0: &subAltName); michael@0: if (rv != SECSuccess) michael@0: return NULL; michael@0: michael@0: nameList = CERT_DecodeAltNameExtension(arena, &subAltName); michael@0: SECITEM_FreeItem(&subAltName, PR_FALSE); michael@0: return nameList; michael@0: } michael@0: michael@0: PRUint32 michael@0: cert_CountDNSPatterns(CERTGeneralName *firstName) michael@0: { michael@0: CERTGeneralName * current; michael@0: PRUint32 count = 0; michael@0: michael@0: if (!firstName) michael@0: return 0; michael@0: michael@0: current = firstName; michael@0: do { michael@0: switch (current->type) { michael@0: case certDNSName: michael@0: case certIPAddress: michael@0: ++count; michael@0: break; michael@0: default: michael@0: break; michael@0: } michael@0: current = CERT_GetNextGeneralName(current); michael@0: } while (current != firstName); michael@0: michael@0: return count; michael@0: } michael@0: michael@0: #ifndef INET6_ADDRSTRLEN michael@0: #define INET6_ADDRSTRLEN 46 michael@0: #endif michael@0: michael@0: /* will fill nickNames, michael@0: * will allocate all data from nickNames->arena, michael@0: * numberOfGeneralNames should have been obtained from cert_CountDNSPatterns, michael@0: * will ensure the numberOfGeneralNames matches the number of output entries. michael@0: */ michael@0: SECStatus michael@0: cert_GetDNSPatternsFromGeneralNames(CERTGeneralName *firstName, michael@0: PRUint32 numberOfGeneralNames, michael@0: CERTCertNicknames *nickNames) michael@0: { michael@0: CERTGeneralName *currentInput; michael@0: char **currentOutput; michael@0: michael@0: if (!firstName || !nickNames || !numberOfGeneralNames) michael@0: return SECFailure; michael@0: michael@0: nickNames->numnicknames = numberOfGeneralNames; michael@0: nickNames->nicknames = PORT_ArenaAlloc(nickNames->arena, michael@0: sizeof(char *) * numberOfGeneralNames); michael@0: if (!nickNames->nicknames) michael@0: return SECFailure; michael@0: michael@0: currentInput = firstName; michael@0: currentOutput = nickNames->nicknames; michael@0: do { michael@0: char *cn = NULL; michael@0: char ipbuf[INET6_ADDRSTRLEN]; michael@0: PRNetAddr addr; michael@0: michael@0: if (numberOfGeneralNames < 1) { michael@0: /* internal consistency error */ michael@0: return SECFailure; michael@0: } michael@0: michael@0: switch (currentInput->type) { michael@0: case certDNSName: michael@0: /* DNS name currentInput->name.other.data is not null terminated. michael@0: ** so must copy it. michael@0: */ michael@0: cn = (char *)PORT_ArenaAlloc(nickNames->arena, michael@0: currentInput->name.other.len + 1); michael@0: if (!cn) michael@0: return SECFailure; michael@0: PORT_Memcpy(cn, currentInput->name.other.data, michael@0: currentInput->name.other.len); michael@0: cn[currentInput->name.other.len] = 0; michael@0: break; michael@0: case certIPAddress: michael@0: if (currentInput->name.other.len == 4) { michael@0: addr.inet.family = PR_AF_INET; michael@0: memcpy(&addr.inet.ip, currentInput->name.other.data, michael@0: currentInput->name.other.len); michael@0: } else if (currentInput->name.other.len == 16) { michael@0: addr.ipv6.family = PR_AF_INET6; michael@0: memcpy(&addr.ipv6.ip, currentInput->name.other.data, michael@0: currentInput->name.other.len); michael@0: } michael@0: if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == PR_FAILURE) michael@0: return SECFailure; michael@0: cn = PORT_ArenaStrdup(nickNames->arena, ipbuf); michael@0: if (!cn) michael@0: return SECFailure; michael@0: break; michael@0: default: michael@0: break; michael@0: } michael@0: if (cn) { michael@0: *currentOutput = cn; michael@0: nickNames->totallen += PORT_Strlen(cn); michael@0: ++currentOutput; michael@0: --numberOfGeneralNames; michael@0: } michael@0: currentInput = CERT_GetNextGeneralName(currentInput); michael@0: } while (currentInput != firstName); michael@0: michael@0: return (numberOfGeneralNames == 0) ? SECSuccess : SECFailure; michael@0: } michael@0: michael@0: /* michael@0: * Collect all valid DNS names from the given cert. michael@0: * The output arena will reference some temporaray data, michael@0: * but this saves us from dealing with two arenas. michael@0: * The caller may free all data by freeing CERTCertNicknames->arena. michael@0: */ michael@0: CERTCertNicknames * michael@0: CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert) michael@0: { michael@0: CERTGeneralName *generalNames; michael@0: CERTCertNicknames *nickNames; michael@0: PLArenaPool *arena; michael@0: char *singleName; michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if (!arena) { michael@0: return NULL; michael@0: } michael@0: michael@0: nickNames = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames)); michael@0: if (!nickNames) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return NULL; michael@0: } michael@0: michael@0: /* init the structure */ michael@0: nickNames->arena = arena; michael@0: nickNames->head = NULL; michael@0: nickNames->numnicknames = 0; michael@0: nickNames->nicknames = NULL; michael@0: nickNames->totallen = 0; michael@0: michael@0: generalNames = cert_GetSubjectAltNameList(cert, arena); michael@0: if (generalNames) { michael@0: SECStatus rv_getnames = SECFailure; michael@0: PRUint32 numNames = cert_CountDNSPatterns(generalNames); michael@0: michael@0: if (numNames) { michael@0: rv_getnames = cert_GetDNSPatternsFromGeneralNames(generalNames, michael@0: numNames, nickNames); michael@0: } michael@0: michael@0: /* if there were names, we'll exit now, either with success or failure */ michael@0: if (numNames) { michael@0: if (rv_getnames == SECSuccess) { michael@0: return nickNames; michael@0: } michael@0: michael@0: /* failure to produce output */ michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return NULL; michael@0: } michael@0: } michael@0: michael@0: /* no SAN extension or no names found in extension */ michael@0: singleName = CERT_GetCommonName(&cert->subject); michael@0: if (singleName) { michael@0: nickNames->numnicknames = 1; michael@0: nickNames->nicknames = PORT_ArenaAlloc(arena, sizeof(char *)); michael@0: if (nickNames->nicknames) { michael@0: *nickNames->nicknames = PORT_ArenaStrdup(arena, singleName); michael@0: } michael@0: PORT_Free(singleName); michael@0: michael@0: /* Did we allocate both the buffer of pointers and the string? */ michael@0: if (nickNames->nicknames && *nickNames->nicknames) { michael@0: return nickNames; michael@0: } michael@0: } michael@0: michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: return NULL; michael@0: } michael@0: michael@0: /* Make sure that the name of the host we are connecting to matches the michael@0: * name that is incoded in the common-name component of the certificate michael@0: * that they are using. michael@0: */ michael@0: SECStatus michael@0: CERT_VerifyCertName(const CERTCertificate *cert, const char *hn) michael@0: { michael@0: char * cn; michael@0: SECStatus rv; michael@0: CERTOKDomainName *domainOK; michael@0: michael@0: if (!hn || !strlen(hn)) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* if the name is one that the user has already approved, it's OK. */ michael@0: for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) { michael@0: if (0 == PORT_Strcasecmp(hn, domainOK->name)) { michael@0: return SECSuccess; michael@0: } michael@0: } michael@0: michael@0: /* Per RFC 2818, if the SubjectAltName extension is present, it must michael@0: ** be used as the cert's identity. michael@0: */ michael@0: rv = cert_VerifySubjectAltName(cert, hn); michael@0: if (rv == SECSuccess || PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) michael@0: return rv; michael@0: michael@0: cn = CERT_GetCommonName(&cert->subject); michael@0: if ( cn ) { michael@0: PRBool isIPaddr = cert_IsIPAddr(hn); michael@0: if (isIPaddr) { michael@0: if (PORT_Strcasecmp(hn, cn) == 0) { michael@0: rv = SECSuccess; michael@0: } else { michael@0: PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); michael@0: rv = SECFailure; michael@0: } michael@0: } else { michael@0: rv = cert_TestHostName(cn, hn); michael@0: } michael@0: PORT_Free(cn); michael@0: } else michael@0: PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); michael@0: return rv; michael@0: } michael@0: michael@0: PRBool michael@0: CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2) michael@0: { michael@0: SECComparison comp; michael@0: michael@0: comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert); michael@0: if ( comp == SECEqual ) { /* certs are the same */ michael@0: return(PR_TRUE); michael@0: } else { michael@0: return(PR_FALSE); michael@0: } michael@0: } michael@0: michael@0: static SECStatus michael@0: StringsEqual(char *s1, char *s2) { michael@0: if ( ( s1 == NULL ) || ( s2 == NULL ) ) { michael@0: if ( s1 != s2 ) { /* only one is null */ michael@0: return(SECFailure); michael@0: } michael@0: return(SECSuccess); /* both are null */ michael@0: } michael@0: michael@0: if ( PORT_Strcmp( s1, s2 ) != 0 ) { michael@0: return(SECFailure); /* not equal */ michael@0: } michael@0: michael@0: return(SECSuccess); /* strings are equal */ michael@0: } michael@0: michael@0: michael@0: PRBool michael@0: CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) michael@0: { michael@0: SECComparison comp; michael@0: char *c1str, *c2str; michael@0: SECStatus eq; michael@0: michael@0: comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert); michael@0: if ( comp == SECEqual ) { /* certs are the same */ michael@0: return(PR_TRUE); michael@0: } michael@0: michael@0: /* check if they are issued by the same CA */ michael@0: comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer); michael@0: if ( comp != SECEqual ) { /* different issuer */ michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* check country name */ michael@0: c1str = CERT_GetCountryName(&c1->subject); michael@0: c2str = CERT_GetCountryName(&c2->subject); michael@0: eq = StringsEqual(c1str, c2str); michael@0: PORT_Free(c1str); michael@0: PORT_Free(c2str); michael@0: if ( eq != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* check locality name */ michael@0: c1str = CERT_GetLocalityName(&c1->subject); michael@0: c2str = CERT_GetLocalityName(&c2->subject); michael@0: eq = StringsEqual(c1str, c2str); michael@0: PORT_Free(c1str); michael@0: PORT_Free(c2str); michael@0: if ( eq != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* check state name */ michael@0: c1str = CERT_GetStateName(&c1->subject); michael@0: c2str = CERT_GetStateName(&c2->subject); michael@0: eq = StringsEqual(c1str, c2str); michael@0: PORT_Free(c1str); michael@0: PORT_Free(c2str); michael@0: if ( eq != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* check org name */ michael@0: c1str = CERT_GetOrgName(&c1->subject); michael@0: c2str = CERT_GetOrgName(&c2->subject); michael@0: eq = StringsEqual(c1str, c2str); michael@0: PORT_Free(c1str); michael@0: PORT_Free(c2str); michael@0: if ( eq != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: #ifdef NOTDEF michael@0: /* check orgUnit name */ michael@0: /* michael@0: * We need to revisit this and decide which fields should be allowed to be michael@0: * different michael@0: */ michael@0: c1str = CERT_GetOrgUnitName(&c1->subject); michael@0: c2str = CERT_GetOrgUnitName(&c2->subject); michael@0: eq = StringsEqual(c1str, c2str); michael@0: PORT_Free(c1str); michael@0: PORT_Free(c2str); michael@0: if ( eq != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: #endif michael@0: michael@0: return(PR_TRUE); /* all fields but common name are the same */ michael@0: } michael@0: michael@0: michael@0: /* CERT_CertChainFromCert and CERT_DestroyCertificateList moved michael@0: to certhigh.c */ michael@0: michael@0: michael@0: CERTIssuerAndSN * michael@0: CERT_GetCertIssuerAndSN(PLArenaPool *arena, CERTCertificate *cert) michael@0: { michael@0: CERTIssuerAndSN *result; michael@0: SECStatus rv; michael@0: michael@0: if ( arena == NULL ) { michael@0: arena = cert->arena; michael@0: } michael@0: michael@0: result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result)); michael@0: if (result == NULL) { michael@0: PORT_SetError (SEC_ERROR_NO_MEMORY); michael@0: return NULL; michael@0: } michael@0: michael@0: rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer); michael@0: if (rv != SECSuccess) michael@0: return NULL; michael@0: michael@0: rv = CERT_CopyName(arena, &result->issuer, &cert->issuer); michael@0: if (rv != SECSuccess) michael@0: return NULL; michael@0: michael@0: rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber); michael@0: if (rv != SECSuccess) michael@0: return NULL; michael@0: michael@0: return result; michael@0: } michael@0: michael@0: char * michael@0: CERT_MakeCANickname(CERTCertificate *cert) michael@0: { michael@0: char *firstname = NULL; michael@0: char *org = NULL; michael@0: char *nickname = NULL; michael@0: int count; michael@0: CERTCertificate *dummycert; michael@0: michael@0: firstname = CERT_GetCommonName(&cert->subject); michael@0: if ( firstname == NULL ) { michael@0: firstname = CERT_GetOrgUnitName(&cert->subject); michael@0: } michael@0: michael@0: org = CERT_GetOrgName(&cert->issuer); michael@0: if (org == NULL) { michael@0: org = CERT_GetDomainComponentName(&cert->issuer); michael@0: if (org == NULL) { michael@0: if (firstname) { michael@0: org = firstname; michael@0: firstname = NULL; michael@0: } else { michael@0: org = PORT_Strdup("Unknown CA"); michael@0: } michael@0: } michael@0: } michael@0: michael@0: /* can only fail if PORT_Strdup fails, in which case michael@0: * we're having memory problems. */ michael@0: if (org == NULL) { michael@0: goto done; michael@0: } michael@0: michael@0: michael@0: count = 1; michael@0: while ( 1 ) { michael@0: michael@0: if ( firstname ) { michael@0: if ( count == 1 ) { michael@0: nickname = PR_smprintf("%s - %s", firstname, org); michael@0: } else { michael@0: nickname = PR_smprintf("%s - %s #%d", firstname, org, count); michael@0: } michael@0: } else { michael@0: if ( count == 1 ) { michael@0: nickname = PR_smprintf("%s", org); michael@0: } else { michael@0: nickname = PR_smprintf("%s #%d", org, count); michael@0: } michael@0: } michael@0: if ( nickname == NULL ) { michael@0: goto done; michael@0: } michael@0: michael@0: /* look up the nickname to make sure it isn't in use already */ michael@0: dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname); michael@0: michael@0: if ( dummycert == NULL ) { michael@0: goto done; michael@0: } michael@0: michael@0: /* found a cert, destroy it and loop */ michael@0: CERT_DestroyCertificate(dummycert); michael@0: michael@0: /* free the nickname */ michael@0: PORT_Free(nickname); michael@0: michael@0: count++; michael@0: } michael@0: michael@0: done: michael@0: if ( firstname ) { michael@0: PORT_Free(firstname); michael@0: } michael@0: if ( org ) { michael@0: PORT_Free(org); michael@0: } michael@0: michael@0: return(nickname); michael@0: } michael@0: michael@0: /* CERT_Import_CAChain moved to certhigh.c */ michael@0: michael@0: void michael@0: CERT_DestroyCrl (CERTSignedCrl *crl) michael@0: { michael@0: SEC_DestroyCrl (crl); michael@0: } michael@0: michael@0: static int michael@0: cert_Version(CERTCertificate *cert) michael@0: { michael@0: int version = 0; michael@0: if (cert && cert->version.data && cert->version.len) { michael@0: version = DER_GetInteger(&cert->version); michael@0: if (version < 0) michael@0: version = 0; michael@0: } michael@0: return version; michael@0: } michael@0: michael@0: static unsigned int michael@0: cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) michael@0: { michael@0: CERTCertTrust trust; michael@0: SECStatus rv = SECFailure; michael@0: michael@0: rv = CERT_GetCertTrust(cert, &trust); michael@0: michael@0: if (rv == SECSuccess && (trust.sslFlags | michael@0: trust.emailFlags | michael@0: trust.objectSigningFlags)) { michael@0: michael@0: if (trust.sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) michael@0: cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT; michael@0: if (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) michael@0: cType |= NS_CERT_TYPE_SSL_CA; michael@0: #if defined(CERTDB_NOT_TRUSTED) michael@0: if (trust.sslFlags & CERTDB_NOT_TRUSTED) michael@0: cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT| michael@0: NS_CERT_TYPE_SSL_CA); michael@0: #endif michael@0: if (trust.emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) michael@0: cType |= NS_CERT_TYPE_EMAIL; michael@0: if (trust.emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) michael@0: cType |= NS_CERT_TYPE_EMAIL_CA; michael@0: #if defined(CERTDB_NOT_TRUSTED) michael@0: if (trust.emailFlags & CERTDB_NOT_TRUSTED) michael@0: cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA); michael@0: #endif michael@0: if (trust.objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) michael@0: cType |= NS_CERT_TYPE_OBJECT_SIGNING; michael@0: if (trust.objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) michael@0: cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; michael@0: #if defined(CERTDB_NOT_TRUSTED) michael@0: if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED) michael@0: cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING| michael@0: NS_CERT_TYPE_OBJECT_SIGNING_CA); michael@0: #endif michael@0: } michael@0: return cType; michael@0: } michael@0: michael@0: /* michael@0: * Does a cert belong to a CA? We decide based on perm database trust michael@0: * flags, Netscape Cert Type Extension, and KeyUsage Extension. michael@0: */ michael@0: PRBool michael@0: CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype) michael@0: { michael@0: unsigned int cType = cert->nsCertType; michael@0: PRBool ret = PR_FALSE; michael@0: michael@0: if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | michael@0: NS_CERT_TYPE_OBJECT_SIGNING_CA)) { michael@0: ret = PR_TRUE; michael@0: } else { michael@0: SECStatus rv; michael@0: CERTBasicConstraints constraints; michael@0: michael@0: rv = CERT_FindBasicConstraintExten(cert, &constraints); michael@0: if (rv == SECSuccess && constraints.isCA) { michael@0: ret = PR_TRUE; michael@0: cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); michael@0: } michael@0: } michael@0: michael@0: /* finally check if it's an X.509 v1 root CA */ michael@0: if (!ret && michael@0: (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) { michael@0: ret = PR_TRUE; michael@0: cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); michael@0: } michael@0: /* Now apply trust overrides, if any */ michael@0: cType = cert_ComputeTrustOverrides(cert, cType); michael@0: ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | michael@0: NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE; michael@0: michael@0: if (rettype != NULL) { michael@0: *rettype = cType; michael@0: } michael@0: return ret; michael@0: } michael@0: michael@0: PRBool michael@0: CERT_IsCADERCert(SECItem *derCert, unsigned int *type) { michael@0: CERTCertificate *cert; michael@0: PRBool isCA; michael@0: michael@0: /* This is okay -- only looks at extensions */ michael@0: cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); michael@0: if (cert == NULL) return PR_FALSE; michael@0: michael@0: isCA = CERT_IsCACert(cert,type); michael@0: CERT_DestroyCertificate (cert); michael@0: return isCA; michael@0: } michael@0: michael@0: PRBool michael@0: CERT_IsRootDERCert(SECItem *derCert) michael@0: { michael@0: CERTCertificate *cert; michael@0: PRBool isRoot; michael@0: michael@0: /* This is okay -- only looks at extensions */ michael@0: cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); michael@0: if (cert == NULL) return PR_FALSE; michael@0: michael@0: isRoot = cert->isRoot; michael@0: CERT_DestroyCertificate (cert); michael@0: return isRoot; michael@0: } michael@0: michael@0: CERTCompareValidityStatus michael@0: CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b) michael@0: { michael@0: PRTime notBeforeA, notBeforeB, notAfterA, notAfterB; michael@0: michael@0: if (!val_a || !val_b) michael@0: { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return certValidityUndetermined; michael@0: } michael@0: michael@0: if ( SECSuccess != DER_DecodeTimeChoice(¬BeforeA, &val_a->notBefore) || michael@0: SECSuccess != DER_DecodeTimeChoice(¬BeforeB, &val_b->notBefore) || michael@0: SECSuccess != DER_DecodeTimeChoice(¬AfterA, &val_a->notAfter) || michael@0: SECSuccess != DER_DecodeTimeChoice(¬AfterB, &val_b->notAfter) ) { michael@0: return certValidityUndetermined; michael@0: } michael@0: michael@0: /* sanity check */ michael@0: if (LL_CMP(notBeforeA,>,notAfterA) || LL_CMP(notBeforeB,>,notAfterB)) { michael@0: PORT_SetError(SEC_ERROR_INVALID_TIME); michael@0: return certValidityUndetermined; michael@0: } michael@0: michael@0: if (LL_CMP(notAfterA,!=,notAfterB)) { michael@0: /* one cert validity goes farther into the future, select it */ michael@0: return LL_CMP(notAfterA,<,notAfterB) ? michael@0: certValidityChooseB : certValidityChooseA; michael@0: } michael@0: /* the two certs have the same expiration date */ michael@0: PORT_Assert(LL_CMP(notAfterA, == , notAfterB)); michael@0: /* do they also have the same start date ? */ michael@0: if (LL_CMP(notBeforeA,==,notBeforeB)) { michael@0: return certValidityEqual; michael@0: } michael@0: /* choose cert with the later start date */ michael@0: return LL_CMP(notBeforeA,<,notBeforeB) ? michael@0: certValidityChooseB : certValidityChooseA; michael@0: } michael@0: michael@0: /* michael@0: * is certa newer than certb? If one is expired, pick the other one. michael@0: */ michael@0: PRBool michael@0: CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb) michael@0: { michael@0: PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now; michael@0: SECStatus rv; michael@0: PRBool newerbefore, newerafter; michael@0: michael@0: rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA); michael@0: if ( rv != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB); michael@0: if ( rv != SECSuccess ) { michael@0: return(PR_TRUE); michael@0: } michael@0: michael@0: newerbefore = PR_FALSE; michael@0: if ( LL_CMP(notBeforeA, >, notBeforeB) ) { michael@0: newerbefore = PR_TRUE; michael@0: } michael@0: michael@0: newerafter = PR_FALSE; michael@0: if ( LL_CMP(notAfterA, >, notAfterB) ) { michael@0: newerafter = PR_TRUE; michael@0: } michael@0: michael@0: if ( newerbefore && newerafter ) { michael@0: return(PR_TRUE); michael@0: } michael@0: michael@0: if ( ( !newerbefore ) && ( !newerafter ) ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* get current time */ michael@0: now = PR_Now(); michael@0: michael@0: if ( newerbefore ) { michael@0: /* cert A was issued after cert B, but expires sooner */ michael@0: /* if A is expired, then pick B */ michael@0: if ( LL_CMP(notAfterA, <, now ) ) { michael@0: return(PR_FALSE); michael@0: } michael@0: return(PR_TRUE); michael@0: } else { michael@0: /* cert B was issued after cert A, but expires sooner */ michael@0: /* if B is expired, then pick A */ michael@0: if ( LL_CMP(notAfterB, <, now ) ) { michael@0: return(PR_TRUE); michael@0: } michael@0: return(PR_FALSE); michael@0: } michael@0: } michael@0: michael@0: void michael@0: CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts) michael@0: { michael@0: unsigned int i; michael@0: michael@0: if ( certs ) { michael@0: for ( i = 0; i < ncerts; i++ ) { michael@0: if ( certs[i] ) { michael@0: CERT_DestroyCertificate(certs[i]); michael@0: } michael@0: } michael@0: michael@0: PORT_Free(certs); michael@0: } michael@0: michael@0: return; michael@0: } michael@0: michael@0: char * michael@0: CERT_FixupEmailAddr(const char *emailAddr) michael@0: { michael@0: char *retaddr; michael@0: char *str; michael@0: michael@0: if ( emailAddr == NULL ) { michael@0: return(NULL); michael@0: } michael@0: michael@0: /* copy the string */ michael@0: str = retaddr = PORT_Strdup(emailAddr); michael@0: if ( str == NULL ) { michael@0: return(NULL); michael@0: } michael@0: michael@0: /* make it lower case */ michael@0: while ( *str ) { michael@0: *str = tolower( *str ); michael@0: str++; michael@0: } michael@0: michael@0: return(retaddr); michael@0: } michael@0: michael@0: /* michael@0: * NOTE - don't allow encode of govt-approved or invisible bits michael@0: */ michael@0: SECStatus michael@0: CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) michael@0: { michael@0: unsigned int i; michael@0: unsigned int *pflags; michael@0: michael@0: if (!trust) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: trust->sslFlags = 0; michael@0: trust->emailFlags = 0; michael@0: trust->objectSigningFlags = 0; michael@0: if (!trusts) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: michael@0: pflags = &trust->sslFlags; michael@0: michael@0: for (i=0; i < PORT_Strlen(trusts); i++) { michael@0: switch (trusts[i]) { michael@0: case 'p': michael@0: *pflags = *pflags | CERTDB_TERMINAL_RECORD; michael@0: break; michael@0: michael@0: case 'P': michael@0: *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; michael@0: break; michael@0: michael@0: case 'w': michael@0: *pflags = *pflags | CERTDB_SEND_WARN; michael@0: break; michael@0: michael@0: case 'c': michael@0: *pflags = *pflags | CERTDB_VALID_CA; michael@0: break; michael@0: michael@0: case 'T': michael@0: *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA; michael@0: break; michael@0: michael@0: case 'C' : michael@0: *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA; michael@0: break; michael@0: michael@0: case 'u': michael@0: *pflags = *pflags | CERTDB_USER; michael@0: break; michael@0: michael@0: case 'i': michael@0: *pflags = *pflags | CERTDB_INVISIBLE_CA; michael@0: break; michael@0: case 'g': michael@0: *pflags = *pflags | CERTDB_GOVT_APPROVED_CA; michael@0: break; michael@0: michael@0: case ',': michael@0: if ( pflags == &trust->sslFlags ) { michael@0: pflags = &trust->emailFlags; michael@0: } else { michael@0: pflags = &trust->objectSigningFlags; michael@0: } michael@0: break; michael@0: default: michael@0: return SECFailure; michael@0: } michael@0: } michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static void michael@0: EncodeFlags(char *trusts, unsigned int flags) michael@0: { michael@0: if (flags & CERTDB_VALID_CA) michael@0: if (!(flags & CERTDB_TRUSTED_CA) && michael@0: !(flags & CERTDB_TRUSTED_CLIENT_CA)) michael@0: PORT_Strcat(trusts, "c"); michael@0: if (flags & CERTDB_TERMINAL_RECORD) michael@0: if (!(flags & CERTDB_TRUSTED)) michael@0: PORT_Strcat(trusts, "p"); michael@0: if (flags & CERTDB_TRUSTED_CA) michael@0: PORT_Strcat(trusts, "C"); michael@0: if (flags & CERTDB_TRUSTED_CLIENT_CA) michael@0: PORT_Strcat(trusts, "T"); michael@0: if (flags & CERTDB_TRUSTED) michael@0: PORT_Strcat(trusts, "P"); michael@0: if (flags & CERTDB_USER) michael@0: PORT_Strcat(trusts, "u"); michael@0: if (flags & CERTDB_SEND_WARN) michael@0: PORT_Strcat(trusts, "w"); michael@0: if (flags & CERTDB_INVISIBLE_CA) michael@0: PORT_Strcat(trusts, "I"); michael@0: if (flags & CERTDB_GOVT_APPROVED_CA) michael@0: PORT_Strcat(trusts, "G"); michael@0: return; michael@0: } michael@0: michael@0: char * michael@0: CERT_EncodeTrustString(CERTCertTrust *trust) michael@0: { michael@0: char tmpTrustSSL[32]; michael@0: char tmpTrustEmail[32]; michael@0: char tmpTrustSigning[32]; michael@0: char *retstr = NULL; michael@0: michael@0: if ( trust ) { michael@0: tmpTrustSSL[0] = '\0'; michael@0: tmpTrustEmail[0] = '\0'; michael@0: tmpTrustSigning[0] = '\0'; michael@0: michael@0: EncodeFlags(tmpTrustSSL, trust->sslFlags); michael@0: EncodeFlags(tmpTrustEmail, trust->emailFlags); michael@0: EncodeFlags(tmpTrustSigning, trust->objectSigningFlags); michael@0: michael@0: retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail, michael@0: tmpTrustSigning); michael@0: } michael@0: michael@0: return(retstr); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, michael@0: unsigned int ncerts, SECItem **derCerts, michael@0: CERTCertificate ***retCerts, PRBool keepCerts, michael@0: PRBool caOnly, char *nickname) michael@0: { michael@0: unsigned int i; michael@0: CERTCertificate **certs = NULL; michael@0: SECStatus rv; michael@0: unsigned int fcerts = 0; michael@0: michael@0: if ( ncerts ) { michael@0: certs = PORT_ZNewArray(CERTCertificate*, ncerts); michael@0: if ( certs == NULL ) { michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* decode all of the certs into the temporary DB */ michael@0: for ( i = 0, fcerts= 0; i < ncerts; i++) { michael@0: certs[fcerts] = CERT_NewTempCertificate(certdb, michael@0: derCerts[i], michael@0: NULL, michael@0: PR_FALSE, michael@0: PR_TRUE); michael@0: if (certs[fcerts]) { michael@0: SECItem subjKeyID = {siBuffer, NULL, 0}; michael@0: if (CERT_FindSubjectKeyIDExtension(certs[fcerts], michael@0: &subjKeyID) == SECSuccess) { michael@0: if (subjKeyID.data) { michael@0: cert_AddSubjectKeyIDMapping(&subjKeyID, certs[fcerts]); michael@0: } michael@0: SECITEM_FreeItem(&subjKeyID, PR_FALSE); michael@0: } michael@0: fcerts++; michael@0: } michael@0: } michael@0: michael@0: if ( keepCerts ) { michael@0: for ( i = 0; i < fcerts; i++ ) { michael@0: char* canickname = NULL; michael@0: PRBool isCA; michael@0: michael@0: SECKEY_UpdateCertPQG(certs[i]); michael@0: michael@0: isCA = CERT_IsCACert(certs[i], NULL); michael@0: if ( isCA ) { michael@0: canickname = CERT_MakeCANickname(certs[i]); michael@0: } michael@0: michael@0: if(isCA && (fcerts > 1)) { michael@0: /* if we are importing only a single cert and specifying michael@0: * a nickname, we want to use that nickname if it a CA, michael@0: * otherwise if there are more than one cert, we don't michael@0: * know which cert it belongs to. But we still may try michael@0: * the individual canickname from the cert itself. michael@0: */ michael@0: rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL); michael@0: } else { michael@0: rv = CERT_AddTempCertToPerm(certs[i], michael@0: nickname?nickname:canickname, NULL); michael@0: } michael@0: michael@0: PORT_Free(canickname); michael@0: /* don't care if it fails - keep going */ michael@0: } michael@0: } michael@0: } michael@0: michael@0: if ( retCerts ) { michael@0: *retCerts = certs; michael@0: } else { michael@0: if (certs) { michael@0: CERT_DestroyCertArray(certs, fcerts); michael@0: } michael@0: } michael@0: michael@0: return ((fcerts || !ncerts) ? SECSuccess : SECFailure); michael@0: } michael@0: michael@0: /* michael@0: * a real list of certificates - need to convert CERTCertificateList michael@0: * stuff and ASN 1 encoder/decoder over to using this... michael@0: */ michael@0: CERTCertList * michael@0: CERT_NewCertList(void) michael@0: { michael@0: PLArenaPool *arena = NULL; michael@0: CERTCertList *ret = NULL; michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if ( arena == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); michael@0: if ( ret == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: ret->arena = arena; michael@0: michael@0: PR_INIT_CLIST(&ret->list); michael@0: michael@0: return(ret); michael@0: michael@0: loser: michael@0: if ( arena != NULL ) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: } michael@0: michael@0: return(NULL); michael@0: } michael@0: michael@0: void michael@0: CERT_DestroyCertList(CERTCertList *certs) michael@0: { michael@0: PRCList *node; michael@0: michael@0: while( !PR_CLIST_IS_EMPTY(&certs->list) ) { michael@0: node = PR_LIST_HEAD(&certs->list); michael@0: CERT_DestroyCertificate(((CERTCertListNode *)node)->cert); michael@0: PR_REMOVE_LINK(node); michael@0: } michael@0: michael@0: PORT_FreeArena(certs->arena, PR_FALSE); michael@0: michael@0: return; michael@0: } michael@0: michael@0: void michael@0: CERT_RemoveCertListNode(CERTCertListNode *node) michael@0: { michael@0: CERT_DestroyCertificate(node->cert); michael@0: PR_REMOVE_LINK(&node->links); michael@0: return; michael@0: } michael@0: michael@0: michael@0: SECStatus michael@0: CERT_AddCertToListTailWithData(CERTCertList *certs, michael@0: CERTCertificate *cert, void *appData) michael@0: { michael@0: CERTCertListNode *node; michael@0: michael@0: node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, michael@0: sizeof(CERTCertListNode)); michael@0: if ( node == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PR_INSERT_BEFORE(&node->links, &certs->list); michael@0: /* certs->count++; */ michael@0: node->cert = cert; michael@0: node->appData = appData; michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert) michael@0: { michael@0: return CERT_AddCertToListTailWithData(certs, cert, NULL); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_AddCertToListHeadWithData(CERTCertList *certs, michael@0: CERTCertificate *cert, void *appData) michael@0: { michael@0: CERTCertListNode *node; michael@0: CERTCertListNode *head; michael@0: michael@0: head = CERT_LIST_HEAD(certs); michael@0: michael@0: if (head == NULL) return CERT_AddCertToListTail(certs,cert); michael@0: michael@0: node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, michael@0: sizeof(CERTCertListNode)); michael@0: if ( node == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: PR_INSERT_BEFORE(&node->links, &head->links); michael@0: /* certs->count++; */ michael@0: node->cert = cert; michael@0: node->appData = appData; michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert) michael@0: { michael@0: return CERT_AddCertToListHeadWithData(certs, cert, NULL); michael@0: } michael@0: michael@0: /* michael@0: * Sort callback function to determine if cert a is newer than cert b. michael@0: * Not valid certs are considered older than valid certs. michael@0: */ michael@0: PRBool michael@0: CERT_SortCBValidity(CERTCertificate *certa, michael@0: CERTCertificate *certb, michael@0: void *arg) michael@0: { michael@0: PRTime sorttime; michael@0: PRTime notBeforeA, notAfterA, notBeforeB, notAfterB; michael@0: SECStatus rv; michael@0: PRBool newerbefore, newerafter; michael@0: PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE; michael@0: michael@0: sorttime = *(PRTime *)arg; michael@0: michael@0: rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA); michael@0: if ( rv != SECSuccess ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB); michael@0: if ( rv != SECSuccess ) { michael@0: return(PR_TRUE); michael@0: } michael@0: newerbefore = PR_FALSE; michael@0: if ( LL_CMP(notBeforeA, >, notBeforeB) ) { michael@0: newerbefore = PR_TRUE; michael@0: } michael@0: newerafter = PR_FALSE; michael@0: if ( LL_CMP(notAfterA, >, notAfterB) ) { michael@0: newerafter = PR_TRUE; michael@0: } michael@0: michael@0: /* check if A is valid at sorttime */ michael@0: if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE) michael@0: != secCertTimeValid ) { michael@0: aNotValid = PR_TRUE; michael@0: } michael@0: michael@0: /* check if B is valid at sorttime */ michael@0: if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE) michael@0: != secCertTimeValid ) { michael@0: bNotValid = PR_TRUE; michael@0: } michael@0: michael@0: /* a is valid, b is not */ michael@0: if ( bNotValid && ( ! aNotValid ) ) { michael@0: return(PR_TRUE); michael@0: } michael@0: michael@0: /* b is valid, a is not */ michael@0: if ( aNotValid && ( ! bNotValid ) ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: /* a and b are either valid or not valid */ michael@0: if ( newerbefore && newerafter ) { michael@0: return(PR_TRUE); michael@0: } michael@0: michael@0: if ( ( !newerbefore ) && ( !newerafter ) ) { michael@0: return(PR_FALSE); michael@0: } michael@0: michael@0: if ( newerbefore ) { michael@0: /* cert A was issued after cert B, but expires sooner */ michael@0: return(PR_TRUE); michael@0: } else { michael@0: /* cert B was issued after cert A, but expires sooner */ michael@0: return(PR_FALSE); michael@0: } michael@0: } michael@0: michael@0: michael@0: SECStatus michael@0: CERT_AddCertToListSorted(CERTCertList *certs, michael@0: CERTCertificate *cert, michael@0: CERTSortCallback f, michael@0: void *arg) michael@0: { michael@0: CERTCertListNode *node; michael@0: CERTCertListNode *head; michael@0: PRBool ret; michael@0: michael@0: node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, michael@0: sizeof(CERTCertListNode)); michael@0: if ( node == NULL ) { michael@0: goto loser; michael@0: } michael@0: michael@0: head = CERT_LIST_HEAD(certs); michael@0: michael@0: while ( !CERT_LIST_END(head, certs) ) { michael@0: michael@0: /* if cert is already in the list, then don't add it again */ michael@0: if ( cert == head->cert ) { michael@0: /*XXX*/ michael@0: /* don't keep a reference */ michael@0: CERT_DestroyCertificate(cert); michael@0: goto done; michael@0: } michael@0: michael@0: ret = (* f)(cert, head->cert, arg); michael@0: /* if sort function succeeds, then insert before current node */ michael@0: if ( ret ) { michael@0: PR_INSERT_BEFORE(&node->links, &head->links); michael@0: goto done; michael@0: } michael@0: michael@0: head = CERT_LIST_NEXT(head); michael@0: } michael@0: /* if we get to the end, then just insert it at the tail */ michael@0: PR_INSERT_BEFORE(&node->links, &certs->list); michael@0: michael@0: done: michael@0: /* certs->count++; */ michael@0: node->cert = cert; michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: /* This routine is here because pcertdb.c still has a call to it. michael@0: * The SMIME profile code in pcertdb.c should be split into high (find michael@0: * the email cert) and low (store the profile) code. At that point, we michael@0: * can move this to certhigh.c where it belongs. michael@0: * michael@0: * remove certs from a list that don't have keyUsage and certType michael@0: * that match the given usage. michael@0: */ michael@0: SECStatus michael@0: CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, michael@0: PRBool ca) michael@0: { michael@0: unsigned int requiredKeyUsage; michael@0: unsigned int requiredCertType; michael@0: CERTCertListNode *node, *savenode; michael@0: SECStatus rv; michael@0: michael@0: if (certList == NULL) goto loser; michael@0: michael@0: rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage, michael@0: &requiredCertType); michael@0: if ( rv != SECSuccess ) { michael@0: goto loser; michael@0: } michael@0: michael@0: node = CERT_LIST_HEAD(certList); michael@0: michael@0: while ( !CERT_LIST_END(node, certList) ) { michael@0: michael@0: PRBool bad = (PRBool)(!node->cert); michael@0: michael@0: /* bad key usage ? */ michael@0: if ( !bad && michael@0: CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess ) { michael@0: bad = PR_TRUE; michael@0: } michael@0: /* bad cert type ? */ michael@0: if ( !bad ) { michael@0: unsigned int certType = 0; michael@0: if ( ca ) { michael@0: /* This function returns a more comprehensive cert type that michael@0: * takes trust flags into consideration. Should probably michael@0: * fix the cert decoding code to do this. michael@0: */ michael@0: (void)CERT_IsCACert(node->cert, &certType); michael@0: } else { michael@0: certType = node->cert->nsCertType; michael@0: } michael@0: if ( !( certType & requiredCertType ) ) { michael@0: bad = PR_TRUE; michael@0: } michael@0: } michael@0: michael@0: if ( bad ) { michael@0: /* remove the node if it is bad */ michael@0: savenode = CERT_LIST_NEXT(node); michael@0: CERT_RemoveCertListNode(node); michael@0: node = savenode; michael@0: } else { michael@0: node = CERT_LIST_NEXT(node); michael@0: } michael@0: } michael@0: return(SECSuccess); michael@0: michael@0: loser: michael@0: return(SECFailure); michael@0: } michael@0: michael@0: PRBool CERT_IsUserCert(CERTCertificate* cert) michael@0: { michael@0: CERTCertTrust trust; michael@0: SECStatus rv = SECFailure; michael@0: michael@0: rv = CERT_GetCertTrust(cert, &trust); michael@0: if (rv == SECSuccess && michael@0: ((trust.sslFlags & CERTDB_USER ) || michael@0: (trust.emailFlags & CERTDB_USER ) || michael@0: (trust.objectSigningFlags & CERTDB_USER )) ) { michael@0: return PR_TRUE; michael@0: } else { michael@0: return PR_FALSE; michael@0: } michael@0: } michael@0: michael@0: SECStatus michael@0: CERT_FilterCertListForUserCerts(CERTCertList *certList) michael@0: { michael@0: CERTCertListNode *node, *freenode; michael@0: CERTCertificate *cert; michael@0: michael@0: if (!certList) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: node = CERT_LIST_HEAD(certList); michael@0: michael@0: while ( ! CERT_LIST_END(node, certList) ) { michael@0: cert = node->cert; michael@0: if ( PR_TRUE != CERT_IsUserCert(cert) ) { michael@0: /* Not a User Cert, so remove this cert from the list */ michael@0: freenode = node; michael@0: node = CERT_LIST_NEXT(node); michael@0: CERT_RemoveCertListNode(freenode); michael@0: } else { michael@0: /* Is a User cert, so leave it in the list */ michael@0: node = CERT_LIST_NEXT(node); michael@0: } michael@0: } michael@0: michael@0: return(SECSuccess); michael@0: } michael@0: michael@0: static PZLock *certRefCountLock = NULL; michael@0: michael@0: /* michael@0: * Acquire the cert reference count lock michael@0: * There is currently one global lock for all certs, but I'm putting a cert michael@0: * arg here so that it will be easy to make it per-cert in the future if michael@0: * that turns out to be necessary. michael@0: */ michael@0: void michael@0: CERT_LockCertRefCount(CERTCertificate *cert) michael@0: { michael@0: PORT_Assert(certRefCountLock != NULL); michael@0: PZ_Lock(certRefCountLock); michael@0: return; michael@0: } michael@0: michael@0: /* michael@0: * Free the cert reference count lock michael@0: */ michael@0: void michael@0: CERT_UnlockCertRefCount(CERTCertificate *cert) michael@0: { michael@0: PRStatus prstat; michael@0: michael@0: PORT_Assert(certRefCountLock != NULL); michael@0: michael@0: prstat = PZ_Unlock(certRefCountLock); michael@0: michael@0: PORT_Assert(prstat == PR_SUCCESS); michael@0: michael@0: return; michael@0: } michael@0: michael@0: static PZLock *certTrustLock = NULL; michael@0: michael@0: /* michael@0: * Acquire the cert trust lock michael@0: * There is currently one global lock for all certs, but I'm putting a cert michael@0: * arg here so that it will be easy to make it per-cert in the future if michael@0: * that turns out to be necessary. michael@0: */ michael@0: void michael@0: CERT_LockCertTrust(const CERTCertificate *cert) michael@0: { michael@0: PORT_Assert(certTrustLock != NULL); michael@0: PZ_Lock(certTrustLock); michael@0: return; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_InitLocks(void) michael@0: { michael@0: if ( certRefCountLock == NULL ) { michael@0: certRefCountLock = PZ_NewLock(nssILockRefLock); michael@0: PORT_Assert(certRefCountLock != NULL); michael@0: if (!certRefCountLock) { michael@0: return SECFailure; michael@0: } michael@0: } michael@0: michael@0: if ( certTrustLock == NULL ) { michael@0: certTrustLock = PZ_NewLock(nssILockCertDB); michael@0: PORT_Assert(certTrustLock != NULL); michael@0: if (!certTrustLock) { michael@0: PZ_DestroyLock(certRefCountLock); michael@0: certRefCountLock = NULL; michael@0: return SECFailure; michael@0: } michael@0: } michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_DestroyLocks(void) michael@0: { michael@0: SECStatus rv = SECSuccess; michael@0: michael@0: PORT_Assert(certRefCountLock != NULL); michael@0: if (certRefCountLock) { michael@0: PZ_DestroyLock(certRefCountLock); michael@0: certRefCountLock = NULL; michael@0: } else { michael@0: rv = SECFailure; michael@0: } michael@0: michael@0: PORT_Assert(certTrustLock != NULL); michael@0: if (certTrustLock) { michael@0: PZ_DestroyLock(certTrustLock); michael@0: certTrustLock = NULL; michael@0: } else { michael@0: rv = SECFailure; michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * Free the cert trust lock michael@0: */ michael@0: void michael@0: CERT_UnlockCertTrust(const CERTCertificate *cert) michael@0: { michael@0: PRStatus prstat; michael@0: michael@0: PORT_Assert(certTrustLock != NULL); michael@0: michael@0: prstat = PZ_Unlock(certTrustLock); michael@0: michael@0: PORT_Assert(prstat == PR_SUCCESS); michael@0: michael@0: return; michael@0: } michael@0: michael@0: michael@0: /* michael@0: * Get the StatusConfig data for this handle michael@0: */ michael@0: CERTStatusConfig * michael@0: CERT_GetStatusConfig(CERTCertDBHandle *handle) michael@0: { michael@0: return handle->statusConfig; michael@0: } michael@0: michael@0: /* michael@0: * Set the StatusConfig data for this handle. There michael@0: * should not be another configuration set. michael@0: */ michael@0: void michael@0: CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig) michael@0: { michael@0: PORT_Assert(handle->statusConfig == NULL); michael@0: handle->statusConfig = statusConfig; michael@0: } michael@0: michael@0: /* michael@0: * Code for dealing with subjKeyID to cert mappings. michael@0: */ michael@0: michael@0: static PLHashTable *gSubjKeyIDHash = NULL; michael@0: static PRLock *gSubjKeyIDLock = NULL; michael@0: static PLHashTable *gSubjKeyIDSlotCheckHash = NULL; michael@0: static PRLock *gSubjKeyIDSlotCheckLock = NULL; michael@0: michael@0: static void *cert_AllocTable(void *pool, PRSize size) michael@0: { michael@0: return PORT_Alloc(size); michael@0: } michael@0: michael@0: static void cert_FreeTable(void *pool, void *item) michael@0: { michael@0: PORT_Free(item); michael@0: } michael@0: michael@0: static PLHashEntry* cert_AllocEntry(void *pool, const void *key) michael@0: { michael@0: return PORT_New(PLHashEntry); michael@0: } michael@0: michael@0: static void cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag) michael@0: { michael@0: SECITEM_FreeItem((SECItem*)(he->value), PR_TRUE); michael@0: if (flag == HT_FREE_ENTRY) { michael@0: SECITEM_FreeItem((SECItem*)(he->key), PR_TRUE); michael@0: PORT_Free(he); michael@0: } michael@0: } michael@0: michael@0: static PLHashAllocOps cert_AllocOps = { michael@0: cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry michael@0: }; michael@0: michael@0: SECStatus michael@0: cert_CreateSubjectKeyIDSlotCheckHash(void) michael@0: { michael@0: /* michael@0: * This hash is used to remember the series of a slot michael@0: * when we last checked for user certs michael@0: */ michael@0: gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash, michael@0: SECITEM_HashCompare, michael@0: SECITEM_HashCompare, michael@0: &cert_AllocOps, NULL); michael@0: if (!gSubjKeyIDSlotCheckHash) { michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return SECFailure; michael@0: } michael@0: gSubjKeyIDSlotCheckLock = PR_NewLock(); michael@0: if (!gSubjKeyIDSlotCheckLock) { michael@0: PL_HashTableDestroy(gSubjKeyIDSlotCheckHash); michael@0: gSubjKeyIDSlotCheckHash = NULL; michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return SECFailure; michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_CreateSubjectKeyIDHashTable(void) michael@0: { michael@0: gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, michael@0: SECITEM_HashCompare, michael@0: &cert_AllocOps, NULL); michael@0: if (!gSubjKeyIDHash) { michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return SECFailure; michael@0: } michael@0: gSubjKeyIDLock = PR_NewLock(); michael@0: if (!gSubjKeyIDLock) { michael@0: PL_HashTableDestroy(gSubjKeyIDHash); michael@0: gSubjKeyIDHash = NULL; michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: return SECFailure; michael@0: } michael@0: /* initialize the companion hash (for remembering slot series) */ michael@0: if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) { michael@0: cert_DestroySubjectKeyIDHashTable(); michael@0: return SECFailure; michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert) michael@0: { michael@0: SECItem *newKeyID, *oldVal, *newVal; michael@0: SECStatus rv = SECFailure; michael@0: michael@0: if (!gSubjKeyIDLock) { michael@0: /* If one is created, then both are there. So only check for one. */ michael@0: return SECFailure; michael@0: } michael@0: michael@0: newVal = SECITEM_DupItem(&cert->derCert); michael@0: if (!newVal) { michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: goto done; michael@0: } michael@0: newKeyID = SECITEM_DupItem(subjKeyID); michael@0: if (!newKeyID) { michael@0: SECITEM_FreeItem(newVal, PR_TRUE); michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: goto done; michael@0: } michael@0: michael@0: PR_Lock(gSubjKeyIDLock); michael@0: /* The hash table implementation does not free up the memory michael@0: * associated with the key of an already existing entry if we add a michael@0: * duplicate, so we would wind up leaking the previously allocated michael@0: * key if we don't remove before adding. michael@0: */ michael@0: oldVal = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); michael@0: if (oldVal) { michael@0: PL_HashTableRemove(gSubjKeyIDHash, subjKeyID); michael@0: } michael@0: michael@0: rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess : michael@0: SECFailure; michael@0: PR_Unlock(gSubjKeyIDLock); michael@0: done: michael@0: return rv; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID) michael@0: { michael@0: SECStatus rv; michael@0: if (!gSubjKeyIDLock) michael@0: return SECFailure; michael@0: michael@0: PR_Lock(gSubjKeyIDLock); michael@0: rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess : michael@0: SECFailure; michael@0: PR_Unlock(gSubjKeyIDLock); michael@0: return rv; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series) michael@0: { michael@0: SECItem *oldSeries, *newSlotid, *newSeries; michael@0: SECStatus rv = SECFailure; michael@0: michael@0: if (!gSubjKeyIDSlotCheckLock) { michael@0: return rv; michael@0: } michael@0: michael@0: newSlotid = SECITEM_DupItem(slotid); michael@0: newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int)); michael@0: if (!newSlotid || !newSeries ) { michael@0: PORT_SetError(SEC_ERROR_NO_MEMORY); michael@0: goto loser; michael@0: } michael@0: PORT_Memcpy(newSeries->data, &series, sizeof(int)); michael@0: michael@0: PR_Lock(gSubjKeyIDSlotCheckLock); michael@0: oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); michael@0: if (oldSeries) { michael@0: /* michael@0: * make sure we don't leak the key of an existing entry michael@0: * (similar to cert_AddSubjectKeyIDMapping, see comment there) michael@0: */ michael@0: PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid); michael@0: } michael@0: rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ? michael@0: SECSuccess : SECFailure; michael@0: PR_Unlock(gSubjKeyIDSlotCheckLock); michael@0: if (rv == SECSuccess) { michael@0: return rv; michael@0: } michael@0: michael@0: loser: michael@0: if (newSlotid) { michael@0: SECITEM_FreeItem(newSlotid, PR_TRUE); michael@0: } michael@0: if (newSeries) { michael@0: SECITEM_FreeItem(newSeries, PR_TRUE); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: int michael@0: cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid) michael@0: { michael@0: SECItem *seriesItem = NULL; michael@0: int series; michael@0: michael@0: if (!gSubjKeyIDSlotCheckLock) { michael@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); michael@0: return -1; michael@0: } michael@0: michael@0: PR_Lock(gSubjKeyIDSlotCheckLock); michael@0: seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); michael@0: PR_Unlock(gSubjKeyIDSlotCheckLock); michael@0: /* getting a null series just means we haven't registered one yet, michael@0: * just return 0 */ michael@0: if (seriesItem == NULL) { michael@0: return 0; michael@0: } michael@0: /* if we got a series back, assert if it's not the proper length. */ michael@0: PORT_Assert(seriesItem->len == sizeof(int)); michael@0: if (seriesItem->len != sizeof(int)) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return -1; michael@0: } michael@0: PORT_Memcpy(&series, seriesItem->data, sizeof(int)); michael@0: return series; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_DestroySubjectKeyIDSlotCheckHash(void) michael@0: { michael@0: if (gSubjKeyIDSlotCheckHash) { michael@0: PR_Lock(gSubjKeyIDSlotCheckLock); michael@0: PL_HashTableDestroy(gSubjKeyIDSlotCheckHash); michael@0: gSubjKeyIDSlotCheckHash = NULL; michael@0: PR_Unlock(gSubjKeyIDSlotCheckLock); michael@0: PR_DestroyLock(gSubjKeyIDSlotCheckLock); michael@0: gSubjKeyIDSlotCheckLock = NULL; michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: cert_DestroySubjectKeyIDHashTable(void) michael@0: { michael@0: if (gSubjKeyIDHash) { michael@0: PR_Lock(gSubjKeyIDLock); michael@0: PL_HashTableDestroy(gSubjKeyIDHash); michael@0: gSubjKeyIDHash = NULL; michael@0: PR_Unlock(gSubjKeyIDLock); michael@0: PR_DestroyLock(gSubjKeyIDLock); michael@0: gSubjKeyIDLock = NULL; michael@0: } michael@0: cert_DestroySubjectKeyIDSlotCheckHash(); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECItem* michael@0: cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID) michael@0: { michael@0: SECItem *val; michael@0: michael@0: if (!gSubjKeyIDLock) michael@0: return NULL; michael@0: michael@0: PR_Lock(gSubjKeyIDLock); michael@0: val = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); michael@0: if (val) { michael@0: val = SECITEM_DupItem(val); michael@0: } michael@0: PR_Unlock(gSubjKeyIDLock); michael@0: return val; michael@0: } michael@0: michael@0: CERTCertificate* michael@0: CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, SECItem *subjKeyID) michael@0: { michael@0: CERTCertificate *cert = NULL; michael@0: SECItem *derCert; michael@0: michael@0: derCert = cert_FindDERCertBySubjectKeyID(subjKeyID); michael@0: if (derCert) { michael@0: cert = CERT_FindCertByDERCert(handle, derCert); michael@0: SECITEM_FreeItem(derCert, PR_TRUE); michael@0: } michael@0: return cert; michael@0: }