/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * pkix_namechainingchecker.c
 *
 * Functions for name chaining validation
 *
 */

#include "pkix_namechainingchecker.h"

/* --Private-Functions-------------------------------------------- */

/*
 * FUNCTION: pkix_NameChainingChecker_Check
 * DESCRIPTION:
 *
 *  Verifies that the issuer name of "cert" matches the X500Name held as
 *  the checker's state -- the trusted CA name on the first call (see
 *  pkix_NameChainingChecker_Initialize), then the subject of the
 *  previously checked certificate -- and, when it does, stores the
 *  subject of "cert" as the new state for the next call.
 *
 *  A missing state is reported as PKIX_NAMECHAININGCHECKFAILED rather
 *  than skipped, so the check fails closed. The comparison itself is
 *  delegated to PKIX_PL_X500Name_Match; this function only checks names
 *  and performs no signature verification. The checker never blocks on
 *  I/O, so *pNBIOContext is always set to NULL.
 *  "unresolvedCriticalExtensions" is not consulted: name chaining does
 *  not correspond to any certificate extension.
 *
 *  (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
 */
PKIX_Error *
pkix_NameChainingChecker_Check(
        PKIX_CertChainChecker *checker,
        PKIX_PL_Cert *cert,
        PKIX_List *unresolvedCriticalExtensions,
        void **pNBIOContext,
        void *plContext)
{
        PKIX_PL_X500Name *expectedIssuer = NULL; /* checker state */
        PKIX_PL_X500Name *issuerName = NULL;
        PKIX_PL_X500Name *subjectName = NULL;
        PKIX_Boolean namesMatch = PKIX_FALSE;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);

        /* This checker performs no I/O, so there is never pending I/O. */
        *pNBIOContext = NULL;

        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                (checker, (PKIX_PL_Object **)&expectedIssuer, plContext),
                PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);

        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext),
                PKIX_CERTGETISSUERFAILED);

        /* No recorded name to chain from: fail closed. */
        if (expectedIssuer == NULL) {
                PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
        }

        PKIX_CHECK(PKIX_PL_X500Name_Match
                (expectedIssuer, issuerName, &namesMatch, plContext),
                PKIX_X500NAMEMATCHFAILED);

        if (!namesMatch) {
                PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
        }

        /* Chaining holds: the next certificate must name this subject as
         * its issuer, so it becomes the new state. */
        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &subjectName, plContext),
                PKIX_CERTGETSUBJECTFAILED);

        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
                (checker, (PKIX_PL_Object *)subjectName, plContext),
                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);

cleanup:

        PKIX_DECREF(expectedIssuer);
        PKIX_DECREF(issuerName);
        PKIX_DECREF(subjectName);

        PKIX_RETURN(CERTCHAINCHECKER);

}

/*
 * FUNCTION: pkix_NameChainingChecker_Initialize
 * DESCRIPTION:
 *
 *  Creates a new CertChainChecker and stores it at "pChecker", where it will
 *  be used by pkix_NameChainingChecker_Check to check that the issuer name
 *  of the certificate matches the subject name in the checker's state. The
 *  X500Name pointed to by "trustedCAName" is used to initialize the checker's
 *  state, i.e. it is the name the first certificate's issuer must match.
 *
 * PARAMETERS:
 *  "trustedCAName"
 *      Address of X500Name representing the trusted CA Name used to
 *      initialize the state of this checker. Must be non-NULL.
 *  "pChecker"
 *      Address where object pointer will be stored. Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
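 */
PKIX_Error *
pkix_NameChainingChecker_Initialize(
        PKIX_PL_X500Name *trustedCAName,
        PKIX_CertChainChecker **pChecker,
        void *plContext)
{
        /* The trace label is the real function name (lower-case "pkix_"),
         * consistent with the label pkix_NameChainingChecker_Check uses in
         * this file; the previous label named a function not defined here,
         * which made trace output misleading. */
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Initialize");
        PKIX_NULLCHECK_TWO(pChecker, trustedCAName);

        /*
         * The two PKIX_FALSE flags and the NULL list are passed straight
         * through to PKIX_CertChainChecker_Create; per its declaration in
         * pkix_checker.h they presumably select "no forward checking" and
         * "no supported extensions" -- confirm there. trustedCAName becomes
         * the initial checker state that pkix_NameChainingChecker_Check
         * compares the first certificate's issuer name against.
         * NOTE(review): whether Create takes its own reference on
         * trustedCAName (caller keeps ownership) is not visible here --
         * verify against pkix_checker.c before changing lifetimes.
         */
        PKIX_CHECK(PKIX_CertChainChecker_Create
                (pkix_NameChainingChecker_Check,
                PKIX_FALSE,
                PKIX_FALSE,
                NULL,
                (PKIX_PL_Object *)trustedCAName,
                pChecker,
                plContext),
                PKIX_CERTCHAINCHECKERCREATEFAILED);

cleanup:

        PKIX_RETURN(CERTCHAINCHECKER);

}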