/*
* FUNCTION: pkix_SingleVerifyNode_ToString
* DESCRIPTION:
*
* Creates a String representation of the attributes of the VerifyNode pointed
* to by "node", other than its children, and stores the result at "pString".
*
* PARAMETERS:
* "node"
* Address of VerifyNode to be described by the string. Must be non-NULL.
* "pString"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if function succeeds
* Returns a VerifyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in a fatal way
*/
PKIX_Error *
pkix_SingleVerifyNode_ToString(
PKIX_VerifyNode *node,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_String *fmtString = NULL;
PKIX_PL_String *errorString = NULL;
PKIX_PL_String *outString = NULL;
PKIX_PL_X500Name *issuerName = NULL;
PKIX_PL_X500Name *subjectName = NULL;
PKIX_PL_String *issuerString = NULL;
PKIX_PL_String *subjectString = NULL;
PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString");
PKIX_NULLCHECK_THREE(node, pString, node->verifyCert);
PKIX_TOSTRING(node->error, &errorString, plContext,
PKIX_ERRORTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetIssuer
(node->verifyCert, &issuerName, plContext),
PKIX_CERTGETISSUERFAILED);
PKIX_TOSTRING(issuerName, &issuerString, plContext,
PKIX_X500NAMETOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetSubject
(node->verifyCert, &subjectName, plContext),
PKIX_CERTGETSUBJECTFAILED);
PKIX_TOSTRING(subjectName, &subjectString, plContext,
PKIX_X500NAMETOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"CERT[Issuer:%s, Subject:%s], depth=%d, error=%s",
0,
&fmtString,
plContext),
PKIX_CANTCREATESTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&outString,
plContext,
fmtString,
issuerString,
subjectString,
node->depth,
errorString),
PKIX_SPRINTFFAILED);
*pString = outString;
cleanup:
PKIX_DECREF(fmtString);
PKIX_DECREF(errorString);
PKIX_DECREF(issuerName);
PKIX_DECREF(subjectName);
PKIX_DECREF(issuerString);
PKIX_DECREF(subjectString);
PKIX_RETURN(VERIFYNODE);
}
/*
* FUNCTION: pkix_CrlChecker_CheckRemote
*
* DESCRIPTION:
* Check if the Cert has been revoked based the CRLs data. This function
* maintains the checker state to be current.
*
* PARAMETERS
* "checker"
* Address of CertChainChecker which has the state data.
* Must be non-NULL.
* "cert"
* Address of Certificate that is to be validated. Must be non-NULL.
* "unreslvdCrtExts"
* A List OIDs. Not **yet** used in this checker function.
* "plContext"
* Platform-specific context pointer.
*
* THREAD SAFETY:
* Not Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
*
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
* Returns a Fatal Error
*/
PKIX_Error *
pkix_CrlChecker_CheckExternal(
PKIX_PL_Cert *cert,
PKIX_PL_Cert *issuer,
PKIX_PL_Date *date,
pkix_RevocationMethod *checkerObject,
PKIX_ProcessingParams *procParams,
PKIX_UInt32 methodFlags,
PKIX_RevocationStatus *pRevStatus,
PKIX_UInt32 *pReasonCode,
void **pNBIOContext,
void *plContext)
{
PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL;
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
PKIX_CertStore *certStore = NULL;
PKIX_CertStore *localStore = NULL;
PKIX_CRLSelector *crlSelector = NULL;
PKIX_PL_X500Name *issuerName = NULL;
pkix_CrlChecker *state = NULL;
PKIX_UInt32 reasonCode = 0;
PKIX_UInt32 crlStoreIndex = 0;
PKIX_UInt32 numCrlStores = 0;
PKIX_Boolean storeIsLocal = PKIX_FALSE;
PKIX_List *crlList = NULL;
PKIX_List *dpList = NULL;
void *nbioContext = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal");
PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext);
nbioContext = *pNBIOContext;
*pNBIOContext = NULL; /* prepare for Error exit */
state = (pkix_CrlChecker*)checkerObject;
PKIX_CHECK(
PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
PKIX_LISTGETLENGTHFAILED);
/* Find a cert store that is capable of storing crls */
for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
PKIX_CHECK(
PKIX_List_GetItem(state->certStores, crlStoreIndex,
(PKIX_PL_Object **)&certStore,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(
PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
plContext),
PKIX_CERTSTOREGETLOCALFLAGFAILED);
if (storeIsLocal) {
PKIX_CHECK(
PKIX_CertStore_GetImportCrlCallback(certStore,
&storeImportCrlFn,
plContext),
PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
PKIX_CHECK(
PKIX_CertStore_GetCrlCheckerFn(certStore,
&storeCheckRevocationFn,
plContext),
PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
if (storeImportCrlFn && storeCheckRevocationFn) {
localStore = certStore;
certStore = NULL;
break;
}
}
PKIX_DECREF(certStore);
} /* while */
/* Report unknown status if we can not check crl in one of the
* local stores. */
if (!localStore) {
PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
}
PKIX_CHECK(
PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext),
PKIX_CERTCHECKKEYUSAGEFAILED);
PKIX_CHECK(
PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext),
PKIX_CERTGETCRLDPFAILED);
if (!(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) &&
(!dpList || !dpList->length)) {
goto cleanup;
}
PKIX_CHECK(
PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext),
PKIX_CERTGETISSUERFAILED);
PKIX_CHECK(
PKIX_CRLSelector_Create(issuer, dpList, date, &crlSelector, plContext),
PKIX_CRLCHECKERSETSELECTORFAILED);
/* Fetch crl and store in a local cert store */
for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) {
PKIX_CertStore_CRLCallback getCrlsFn;
PKIX_CHECK(
PKIX_List_GetItem(state->certStores, crlStoreIndex,
(PKIX_PL_Object **)&certStore,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(
PKIX_CertStore_GetCRLCallback(certStore, &getCrlsFn,
plContext),
PKIX_CERTSTOREGETCRLCALLBACKFAILED);
PKIX_CHECK(
(*getCrlsFn)(certStore, crlSelector, &nbioContext,
&crlList, plContext),
PKIX_GETCRLSFAILED);
PKIX_CHECK(
(*storeImportCrlFn)(localStore, issuerName, crlList, plContext),
PKIX_CERTSTOREFAILTOIMPORTCRLLIST);
PKIX_CHECK(
(*storeCheckRevocationFn)(certStore, cert, issuer, date,
/* done with crl downloading */
PKIX_TRUE,
&reasonCode, &revStatus, plContext),
PKIX_CERTSTORECRLCHECKFAILED);
if (revStatus != PKIX_RevStatus_NoInfo) {
break;
}
PKIX_DECREF(crlList);
PKIX_DECREF(certStore);
} /* while */
cleanup:
/* Update return flags */
if (revStatus == PKIX_RevStatus_NoInfo &&
((dpList && dpList->length > 0) ||
(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE)) &&
methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
revStatus = PKIX_RevStatus_Revoked;
}
*pRevStatus = revStatus;
PKIX_DECREF(dpList);
PKIX_DECREF(crlList);
PKIX_DECREF(certStore);
PKIX_DECREF(issuerName);
PKIX_DECREF(localStore);
PKIX_DECREF(crlSelector);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
*
* DESCRIPTION:
* This function creates a CRLSelector suitable for finding a CRL for
* the Cert pointed to by "cert", setting the result in the
* defaultCRLCheckerState pointed to by "state".
*
* PARAMETERS
* "cert"
* Address of Cert for which a CRLSelector is to be constructed. Must be
* non-NULL.
* "state"
* Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
* be non-NULL.
* "plContext"
* Platform-specific context pointer.
*
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
*
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a DefaultCrlCheckerState Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error
*/
PKIX_Error *
pkix_DefaultCRLChecker_Check_SetSelector(
PKIX_PL_Cert *cert,
pkix_DefaultCRLCheckerState *state,
void *plContext)
{
PKIX_PL_X500Name *certIssuer = NULL;
PKIX_PL_BigInt *certSerialNumber = NULL;
PKIX_PL_Date *nowDate = NULL;
PKIX_ComCRLSelParams *comCrlSelParams = NULL;
PKIX_CRLSelector *crlSelector = NULL;
PKIX_ENTER
(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
PKIX_NULLCHECK_TWO(cert, state);
PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
PKIX_CERTGETISSUERFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
(cert, &certSerialNumber, plContext),
PKIX_CERTGETSERIALNUMBERFAILED);
if (state->testDate != NULL) {
PKIX_INCREF(state->testDate);
nowDate = state->testDate;
} else {
PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
(NULL, &nowDate, plContext),
PKIX_DATECREATEUTCTIMEFAILED);
}
PKIX_CHECK(PKIX_ComCRLSelParams_Create
(&comCrlSelParams, plContext),
PKIX_COMCRLSELPARAMSCREATEFAILED);
PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
(comCrlSelParams, certIssuer, plContext),
PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
(comCrlSelParams, nowDate, plContext),
PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
(comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
PKIX_CHECK(PKIX_CRLSelector_Create
(NULL,
NULL, /* never used? (PKIX_PL_Object *)checker, */
&crlSelector,
plContext),
PKIX_CRLSELECTORCREATEFAILED);
PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
(crlSelector, comCrlSelParams, plContext),
PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
PKIX_DECREF(state->certIssuer);
PKIX_INCREF(certIssuer);
state->certIssuer = certIssuer;
PKIX_DECREF(state->certSerialNumber);
PKIX_INCREF(certSerialNumber);
state->certSerialNumber = certSerialNumber;
PKIX_DECREF(state->crlSelector);
PKIX_INCREF(crlSelector);
state->crlSelector = crlSelector;
state->crlStoreIndex = 0;
PKIX_CHECK(PKIX_List_GetLength
(state->certStores, &(state->numCrlStores), plContext),
PKIX_LISTGETLENGTHFAILED);
state->certHasValidCrl = PKIX_FALSE;
cleanup:
PKIX_DECREF(certIssuer);
PKIX_DECREF(certSerialNumber);
PKIX_DECREF(nowDate);
PKIX_DECREF(comCrlSelParams);
PKIX_DECREF(crlSelector);
PKIX_RETURN(CERTCHAINCHECKER);
}
