static void
test_KeyUsages(void)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_PL_OID *ekuOid = NULL;
PKIX_List *setExtKeyUsage = NULL;
PKIX_List *getExtKeyUsage = NULL;
PKIX_UInt32 getKeyUsage = 0;
PKIX_UInt32 setKeyUsage = 0x1FF;
PKIX_Boolean isEqual = PKIX_FALSE;
PKIX_TEST_STD_VARS();
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
subTest("PKIX_ComCertSelParams_SetKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, setKeyUsage, plContext));
subTest("PKIX_ComCertSelParams_GetKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage(goodParams, &getKeyUsage, plContext));
if (setKeyUsage != getKeyUsage) {
testError("unexpected KeyUsage mismatch <expect equal>");
}
subTest("PKIX_PL_OID List create and append");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.1", &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.8", &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, setExtKeyUsage, plContext));
subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage(goodParams, &getExtKeyUsage, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setExtKeyUsage,
(PKIX_PL_Object *)getExtKeyUsage,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected ExtKeyUsage mismatch <expect equal>");
}
cleanup:
PKIX_TEST_DECREF_AC(ekuOid);
PKIX_TEST_DECREF_AC(setExtKeyUsage);
PKIX_TEST_DECREF_AC(getExtKeyUsage);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_pl_CRL_GetSignatureAlgId
*
* DESCRIPTION:
* Retrieves a pointer to the OID that represents the signature algorithm of
* the CRL pointed to by "crl" and stores it at "pSignatureAlgId".
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
*
* PARAMETERS:
* "crl"
* Address of CRL whose signature algorithm OID is to be stored.
* Must be non-NULL.
* "pSignatureAlgId"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CRL Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_pl_CRL_GetSignatureAlgId(
PKIX_PL_CRL *crl,
PKIX_PL_OID **pSignatureAlgId,
void *plContext)
{
CERTCrl *nssCrl = NULL;
PKIX_PL_OID *signatureAlgId = NULL;
SECAlgorithmID algorithm;
SECItem algBytes;
char *asciiOID = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId");
PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId);
/* if we don't have a cached copy from before, we create one */
if (crl->signatureAlgId == NULL) {
PKIX_OBJECT_LOCK(crl);
if (crl->signatureAlgId == NULL) {
nssCrl = &(crl->nssSignedCrl->crl);
algorithm = nssCrl->signatureAlg;
algBytes = algorithm.algorithm;
PKIX_NULLCHECK_ONE(algBytes.data);
if (algBytes.len == 0) {
PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0);
}
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&algBytes, &asciiOID, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(asciiOID, &signatureAlgId, plContext),
PKIX_OIDCREATEFAILED);
/* save a cached copy in case it is asked for again */
crl->signatureAlgId = signatureAlgId;
}
PKIX_OBJECT_UNLOCK(crl);
}
PKIX_INCREF(crl->signatureAlgId);
*pSignatureAlgId = crl->signatureAlgId;
cleanup:
PKIX_FREE(asciiOID);
PKIX_RETURN(CRL);
}
static
void testGetSetInitialPolicies(
PKIX_ProcessingParams *goodObject,
char *asciiPolicyOID)
{
PKIX_PL_OID *policyOID = NULL;
PKIX_List* setPolicyList = NULL;
PKIX_List* getPolicyList = NULL;
PKIX_TEST_STD_VARS();
subTest("PKIX_ProcessingParams_Get/SetInitialPolicies");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(asciiPolicyOID, &policyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(setPolicyList, (PKIX_PL_Object *)policyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_SetImmutable(setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
(goodObject, setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetInitialPolicies
(goodObject, &getPolicyList, plContext));
testEqualsHelper
((PKIX_PL_Object *)setPolicyList,
(PKIX_PL_Object *)getPolicyList,
PKIX_TRUE,
plContext);
cleanup:
PKIX_TEST_DECREF_AC(policyOID);
PKIX_TEST_DECREF_AC(setPolicyList);
PKIX_TEST_DECREF_AC(getPolicyList);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_NameConstraintsCheckerState_Create
*
* DESCRIPTION:
* Allocate and initialize NameConstraintsChecker state data.
*
* PARAMETERS
* "nameConstraints"
* Address of NameConstraints to be stored in state. May be NULL.
* "numCerts"
* Number of certificates in the validation chain. This data is used
* to identify end-entity.
* "pCheckerState"
* Address of NameConstraintsCheckerState that is returned. Must be
* non-NULL.
* "plContext" - Platform-specific context pointer.
*
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
*
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CERTNAMECONSTRAINTSCHECKERSTATE Error if the function fails in
* a non-fatal way.
* Returns a Fatal Error
*/
static PKIX_Error *
pkix_NameConstraintsCheckerState_Create(
PKIX_PL_CertNameConstraints *nameConstraints,
PKIX_UInt32 numCerts,
pkix_NameConstraintsCheckerState **pCheckerState,
void *plContext)
{
pkix_NameConstraintsCheckerState *state = NULL;
PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
"pkix_NameConstraintsCheckerState_Create");
PKIX_NULLCHECK_ONE(pCheckerState);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE,
sizeof (pkix_NameConstraintsCheckerState),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT);
/* Initialize fields */
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_NAMECONSTRAINTS_OID,
&state->nameConstraintsOID,
plContext),
PKIX_OIDCREATEFAILED);
PKIX_INCREF(nameConstraints);
state->nameConstraints = nameConstraints;
state->certsRemaining = numCerts;
*pCheckerState = state;
state = NULL;
cleanup:
PKIX_DECREF(state);
PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
}
int test_certchainchecker(int argc, char *argv[]) {
PKIX_UInt32 actualMinorVersion;
PKIX_PL_OID *bcOID = NULL;
PKIX_PL_OID *ncOID = NULL;
PKIX_PL_OID *cpOID = NULL;
PKIX_PL_OID *pmOID = NULL;
PKIX_PL_OID *pcOID = NULL;
PKIX_PL_OID *iaOID = NULL;
PKIX_CertChainChecker *dummyChecker = NULL;
PKIX_List *supportedExtensions = NULL;
PKIX_PL_Object *initialState = NULL;
PKIX_UInt32 j = 0;
PKIX_TEST_STD_VARS();
startTests("CertChainChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&supportedExtensions, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_BASICCONSTRAINTS_OID, &bcOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)bcOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_NAMECONSTRAINTS_OID, &ncOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)ncOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_CERTIFICATEPOLICIES_OID, &cpOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)cpOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_POLICYMAPPINGS_OID, &pmOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)pmOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_POLICYCONSTRAINTS_OID, &pcOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)pcOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(PKIX_INHIBITANYPOLICY_OID, &iaOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(supportedExtensions, (PKIX_PL_Object *)iaOID, plContext));
PKIX_TEST_DECREF_BC(bcOID);
PKIX_TEST_DECREF_BC(ncOID);
PKIX_TEST_DECREF_BC(cpOID);
PKIX_TEST_DECREF_BC(pmOID);
PKIX_TEST_DECREF_BC(pcOID);
PKIX_TEST_DECREF_BC(iaOID);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)supportedExtensions, plContext));
initialState = (PKIX_PL_Object *)supportedExtensions;
subTest("CertChainChecker_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(dummyChecker_Check, /* PKIX_CertChainChecker_CheckCallback */
PKIX_FALSE, /* forwardCheckingSupported */
PKIX_FALSE, /* forwardDirectionExpected */
supportedExtensions,
NULL, /* PKIX_PL_Object *initialState */
&dummyChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertChainChecker_SetCertChainCheckerState
(dummyChecker, initialState, plContext));
test_CertChainChecker_Duplicate(dummyChecker);
subTest("CertChainChecker_Destroy");
PKIX_TEST_DECREF_BC(dummyChecker);
cleanup:
PKIX_TEST_DECREF_AC(dummyChecker);
PKIX_TEST_DECREF_AC(initialState);
PKIX_TEST_DECREF_AC(supportedExtensions);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("CertChainChecker");
return (0);
}
static
PKIX_List *policySetParse(char *policyString)
{
char *p = NULL;
char *oid = NULL;
char c = '\0';
PKIX_Boolean validString = PKIX_FALSE;
PKIX_PL_OID *plOID = NULL;
PKIX_List *policySet = NULL;
PKIX_TEST_STD_VARS();
p = policyString;
/*
* There may or may not be quotes around the initial-policy-set
* string. If they are omitted, dbx will strip off the curly braces.
* If they are included, dbx will strip off the quotes, but if you
* are running directly from a script, without dbx, the quotes will
* not be stripped. We need to be able to handle both cases.
*/
if (*p == '"') {
p++;
}
if ('{' != *p++) {
return (NULL);
}
oid = p;
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));
/* scan to the end of policyString */
while (!validString) {
/* scan to the end of the current OID string */
c = *oid;
while ((c != '\0') && (c != ':') && (c != '}')) {
c = *++oid;
}
if ((c != ':') || (c != '}')) {
*oid = '\0'; /* store a null terminator */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(p, &plOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(policySet,
(PKIX_PL_Object *)plOID,
plContext));
PKIX_TEST_DECREF_BC(plOID);
plOID = NULL;
if (c == '}') {
/*
* Any exit but this one means
* we were given a badly-formed string.
*/
validString = PKIX_TRUE;
}
p = ++oid;
}
}
cleanup:
if (!validString) {
PKIX_TEST_DECREF_AC(plOID);
PKIX_TEST_DECREF_AC(policySet);
policySet = NULL;
}
PKIX_TEST_RETURN();
return (policySet);
}
static
void testNistTest2(char *dirName)
{
#define PKIX_TEST_NUM_CERTS 2
char *trustAnchor =
"TrustAnchorRootCertificate.crt";
char *intermediateCert =
"GoodCACert.crt";
char *endEntityCert =
"ValidCertificatePathTest1EE.crt";
char *certNames[PKIX_TEST_NUM_CERTS];
char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_List *chain = NULL;
PKIX_PL_OID *Nist1PolicyOID = NULL;
PKIX_List *initialPolicies = NULL;
char *anchorName = NULL;
PKIX_TEST_STD_VARS();
subTest("testNistTest2: Creating the cert chain");
/*
* Create a chain, but don't include the first certName.
* That's the anchor, and is supplied separately from
* the chain.
*/
certNames[0] = intermediateCert;
certNames[1] = endEntityCert;
chain = createCertChainPlus
(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
subTest("testNistTest2: Creating the Validate Parameters");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(asciiNist1Policy, &Nist1PolicyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&initialPolicies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
(initialPolicies, plContext));
valParams = createValidateParams
(dirName,
trustAnchor,
NULL,
NULL,
initialPolicies,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chain,
plContext);
subTest("testNistTest2: Validating the chain");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, NULL, plContext));
cleanup:
PKIX_PL_Free(anchorName, plContext);
PKIX_TEST_DECREF_AC(Nist1PolicyOID);
PKIX_TEST_DECREF_AC(initialPolicies);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_RETURN();
}
int test_buildchain_uchecker(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
char * asciiResult = NULL;
PKIX_Boolean result;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_Boolean supportForward = PKIX_FALSE;
PKIX_List *expectedCerts = NULL;
PKIX_List *userOIDs = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
char *oidString = NULL;
void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
PKIX_TEST_STD_VARS();
if (argc < 5){
printUsage();
return (0);
}
startTests("BuildChain_UserChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
/* OID specified at argv[3+j] */
if (*argv[3+j] != '-') {
if (*argv[3+j] == 'F') {
supportForward = PKIX_TRUE;
oidString = argv[3+j]+1;
} else {
oidString = argv[3+j];
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&userOIDs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(oidString, &oid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(userOIDs, (PKIX_PL_Object *)oid, plContext));
PKIX_TEST_DECREF_BC(oid);
}
subTest(argv[1+j]);
dirName = argv[4+j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
chainLength = argc - j - 5;
for (k = 0; k < chainLength; k++){
dirCert = createCert(dirName, argv[5+k+j], plContext);
if (k == (chainLength - 1)){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == 0){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert,
plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_SetCertificate
(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_Create
(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(testUserChecker,
supportForward,
PKIX_FALSE,
userOIDs,
NULL,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
(procParams, checker, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
(procParams, certStores, plContext));
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain
(procParams,
&nbioContext,
&buildState,
&buildResult,
NULL,
plContext);
if (testValid == PKIX_TRUE) { /* ENE */
if (pkixTestErrorResult){
(void) printf("UNEXPECTED RESULT RECEIVED!\n");
} else {
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
}
} else { /* EE */
if (pkixTestErrorResult){
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
} else {
testError("UNEXPECTED RESULT RECEIVED");
}
}
if (buildResult){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_BuildResult_GetCertChain
(buildResult, &certs, NULL));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetItem
(certs,
i,
(PKIX_PL_Object**)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Free(asciiResult, plContext));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_Equals
((PKIX_PL_Object*)certs,
(PKIX_PL_Object*)expectedCerts,
&result,
plContext));
if (!result){
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII
(actualCertsString, plContext);
if (actualCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII
(expectedCertsString, plContext);
if (expectedCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void) printf("Actual value:\t%s\n", actualCertsAscii);
(void) printf("Expected value:\t%s\n",
expectedCertsAscii);
if (chainLength - 1 != numUserCheckerCalled) {
pkixTestErrorMsg =
"PKIX user defined checker not called";
}
goto cleanup;
}
}
cleanup:
PKIX_PL_Free(asciiResult, plContext);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(userOIDs);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
static void
test_SubjAlgId_SubjPublicKey(char *dirName)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_PL_OID *setAlgId = NULL;
PKIX_PL_OID *getAlgId = NULL;
PKIX_PL_Cert *goodCert = NULL;
PKIX_PL_PublicKey *setPublicKey = NULL;
PKIX_PL_PublicKey *getPublicKey = NULL;
PKIX_Boolean isEqual = PKIX_FALSE;
PKIX_TEST_STD_VARS();
/* Subject Algorithm Identifier */
subTest("PKIX_PL_OID_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.1.2.3", &setAlgId, plContext));
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
subTest("PKIX_ComCertSelParams_SetSubjPKAlgId");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(goodParams, setAlgId, plContext));
subTest("PKIX_ComCertSelParams_GetSubjPKAlgId");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId(goodParams, &getAlgId, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setAlgId,
(PKIX_PL_Object *)getAlgId,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Subject Public Key Alg mismatch "
"<expect equal>");
}
/* Subject Public Key */
subTest("Getting Cert for Subject Public Key");
goodCert = createCert(dirName, "nameConstraintsDN2CACert.crt", plContext);
subTest("PKIX_PL_Cert_GetSubjectPublicKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodCert, &setPublicKey, plContext));
subTest("PKIX_ComCertSelParams_SetSubjPubKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(goodParams, setPublicKey, plContext));
subTest("PKIX_ComCertSelParams_GetSubjPubKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey(goodParams, &getPublicKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setPublicKey,
(PKIX_PL_Object *)getPublicKey,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Subject Public Key mismatch "
"<expect equal>");
}
cleanup:
PKIX_TEST_DECREF_AC(setAlgId);
PKIX_TEST_DECREF_AC(getAlgId);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_DECREF_AC(goodCert);
PKIX_TEST_DECREF_AC(setPublicKey);
PKIX_TEST_DECREF_AC(getPublicKey);
PKIX_TEST_RETURN();
}
int
test_list2(int argc, char *argv[])
{
PKIX_List *list;
char *temp;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_Int32 cmpResult;
PKIX_PL_OID *testOID;
PKIX_PL_String *testString;
PKIX_PL_Object *obj, *obj2;
PKIX_UInt32 size = 10;
char *testOIDString[10] = {
"2.9.999.1.20",
"1.2.3.4.5.6.7",
"0.1",
"1.2.3.5",
"0.39",
"1.2.3.4.7",
"1.2.3.4.6",
"0.39.1",
"1.2.3.4.5",
"0.39.1.300"
};
PKIX_UInt32 actualMinorVersion;
PKIX_TEST_STD_VARS();
startTests("List Sorting");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
subTest("Creating Unsorted Lists");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
for (i = 0; i < size; i++) {
/* Create a new OID object */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(
testOIDString[i],
&testOID,
plContext));
/* Insert it into the list */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list, (PKIX_PL_Object *)testOID, plContext));
/* Decref the string object */
PKIX_TEST_DECREF_BC(testOID);
}
subTest("Outputting Unsorted List");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)list,
&testString,
plContext));
temp = PKIX_String2ASCII(testString, plContext);
if (temp) {
(void)printf("%s \n", temp);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
}
PKIX_TEST_DECREF_BC(testString);
subTest("Performing Bubble Sort");
for (i = 0; i < size; i++)
for (j = 9; j > i; j--) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j, &obj, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j -
1,
&obj2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare(obj, obj2, &cmpResult, plContext));
if (cmpResult < 0) {
/* Exchange the items */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j, obj2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j -
1,
obj, plContext));
}
/* DecRef objects */
PKIX_TEST_DECREF_BC(obj);
PKIX_TEST_DECREF_BC(obj2);
}
subTest("Outputting Sorted List");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)list,
&testString,
plContext));
temp = PKIX_String2ASCII(testString, plContext);
if (temp) {
(void)printf("%s \n", temp);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
}
cleanup:
PKIX_TEST_DECREF_AC(testString);
PKIX_TEST_DECREF_AC(list);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("List Sorting");
return (0);
}
static PKIX_Error *
testEkuSetup(
PKIX_ValidateParams *valParams,
char *ekuOidString,
PKIX_Boolean *only4EE)
{
PKIX_ProcessingParams *procParams = NULL;
PKIX_List *ekuList = NULL;
PKIX_PL_OID *ekuOid = NULL;
PKIX_ComCertSelParams *selParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_Boolean last_token = PKIX_FALSE;
PKIX_UInt32 i, tokeni;
PKIX_TEST_STD_VARS();
subTest("PKIX_ValidateParams_GetProcessingParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
(valParams, &procParams, plContext));
/* Get extended key usage OID(s) from command line, separated by "," */
if (ekuOidString[0] == '"') {
/* erase doble quotes, if any */
i = 1;
while (ekuOidString[i] != '"' && ekuOidString[i] != '\0') {
ekuOidString[i-1] = ekuOidString[i];
i++;
}
ekuOidString[i-1] = '\0';
}
if (ekuOidString[0] == '\0') {
ekuList = NULL;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&ekuList, plContext));
/* if OID string start with E, only check for last cert */
if (ekuOidString[0] == 'E') {
*only4EE = PKIX_TRUE;
tokeni = 2;
i = 1;
} else {
*only4EE = PKIX_FALSE;
tokeni = 1;
i = 0;
}
while (last_token != PKIX_TRUE) {
while (ekuOidString[tokeni] != ',' &&
ekuOidString[tokeni] != '\0') {
tokeni++;
}
if (ekuOidString[tokeni] == '\0') {
last_token = PKIX_TRUE;
} else {
ekuOidString[tokeni] = '\0';
tokeni++;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(&ekuOidString[i], &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(ekuList, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
i = tokeni;
}
}
/* Set extended key usage link to processing params */
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
(&selParams, plContext));
subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
(selParams, ekuList, plContext));
subTest("PKIX_CertSelector_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
(testCertSelectorMatchCallback,
NULL,
&certSelector,
plContext));
subTest("PKIX_CertSelector_SetCommonCertSelectorParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, selParams, plContext));
subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
cleanup:
PKIX_TEST_DECREF_AC(selParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(ekuOid);
PKIX_TEST_DECREF_AC(ekuList);
PKIX_TEST_RETURN();
return (0);
}
/*
* FUNCTION: pkix_EkuChecker_Create
* DESCRIPTION:
*
* Creates a new Extend Key Usage CheckerState using "params" to retrieve
* application specified EKU for verification and stores it at "pState".
*
* PARAMETERS:
* "params"
* a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of
* Extended Key Usage OIDs specified by application can be retrieved for
* verification.
* "pState"
* Address where state pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a UserDefinedModules Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_EkuChecker_Create(
PKIX_ProcessingParams *params,
pkix_EkuChecker **pState,
void *plContext)
{
pkix_EkuChecker *state = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_ComCertSelParams *comCertSelParams = NULL;
PKIX_List *requiredOids = NULL;
PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Create");
PKIX_NULLCHECK_TWO(params, pState);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_EKUCHECKER_TYPE,
sizeof (pkix_EkuChecker),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATEEKUCHECKERSTATEOBJECT);
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
(params, &certSelector, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
if (certSelector != NULL) {
/* Get initial EKU OIDs from ComCertSelParams, if set */
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
(certSelector, &comCertSelParams, plContext),
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
if (comCertSelParams != NULL) {
PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
(comCertSelParams, &requiredOids, plContext),
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
}
}
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_EXTENDEDKEYUSAGE_OID,
&state->ekuOID,
plContext),
PKIX_OIDCREATEFAILED);
state->requiredExtKeyUsageOids = requiredOids;
requiredOids = NULL;
*pState = state;
state = NULL;
cleanup:
PKIX_DECREF(certSelector);
PKIX_DECREF(comCertSelParams);
PKIX_DECREF(requiredOids);
PKIX_DECREF(state);
PKIX_RETURN(EKUCHECKER);
}
/*
* FUNCTION: pkix_pl_GeneralName_Create
* DESCRIPTION:
*
* Creates new GeneralName which represents the CERTGeneralName pointed to by
* "nssAltName" and stores it at "pGenName".
*
* PARAMETERS:
* "nssAltName"
* Address of CERTGeneralName. Must be non-NULL.
* "pGenName"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext" - Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a GeneralName Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_GeneralName_Create(
CERTGeneralName *nssAltName,
PKIX_PL_GeneralName **pGenName,
void *plContext)
{
PKIX_PL_GeneralName *genName = NULL;
PKIX_PL_X500Name *pkixDN = NULL;
PKIX_PL_OID *pkixOID = NULL;
OtherName *otherName = NULL;
CERTGeneralNameList *nssGenNameList = NULL;
CERTGeneralNameType nameType;
SECItem *secItem = NULL;
char *asciiName = NULL;
SECStatus rv;
PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create");
PKIX_NULLCHECK_TWO(nssAltName, pGenName);
/* create a PKIX_PL_GeneralName object */
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_GENERALNAME_TYPE,
sizeof (PKIX_PL_GeneralName),
(PKIX_PL_Object **)&genName,
plContext),
PKIX_COULDNOTCREATEOBJECT);
nameType = nssAltName->type;
/*
* We use CERT_CreateGeneralNameList to create just one CERTGeneralName
* item for memory allocation reason. If we want to just create one
* item, we have to use the calling path CERT_NewGeneralName, then
* CERT_CopyOneGeneralName. With this calling path, if we pass
* the arena argument as NULL, in CERT_CopyOneGeneralName's subsequent
* call to CERT_CopyName, it assumes arena should be valid, hence
* segmentation error (not sure this is a NSS bug, certainly it is
* not consistent). But on the other hand, we don't want to keep an
* arena record here explicitely for every PKIX_PL_GeneralName.
* So I concluded it is better to use CERT_CreateGeneralNameList,
* which keeps an arena pointer in its data structure and also masks
* out details calls from this libpkix level.
*/
PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_CreateGeneralNameList).\n");
nssGenNameList = CERT_CreateGeneralNameList(nssAltName);
if (nssGenNameList == NULL) {
PKIX_ERROR(PKIX_CERTCREATEGENERALNAMELISTFAILED);
}
genName->nssGeneralNameList = nssGenNameList;
/* initialize fields */
genName->type = nameType;
genName->directoryName = NULL;
genName->OthName = NULL;
genName->other = NULL;
genName->oid = NULL;
switch (nameType){
case certOtherName:
PKIX_CHECK(pkix_pl_OtherName_Create
(nssAltName, &otherName, plContext),
PKIX_OTHERNAMECREATEFAILED);
genName->OthName = otherName;
break;
case certDirectoryName:
PKIX_CHECK(pkix_pl_DirectoryName_Create
(nssAltName, &pkixDN, plContext),
PKIX_DIRECTORYNAMECREATEFAILED);
genName->directoryName = pkixDN;
break;
case certRegisterID:
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&nssAltName->name.other, &asciiName, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
genName->oid = pkixOID;
break;
case certDNSName:
case certEDIPartyName:
case certIPAddress:
case certRFC822Name:
case certX400Address:
case certURI:
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
secItem = SECITEM_AllocItem(NULL, NULL, 0);
if (secItem == NULL){
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other);
if (rv != SECSuccess) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
genName->other = secItem;
break;
default:
PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED);
}
*pGenName = genName;
cleanup:
PKIX_FREE(asciiName);
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(genName);
if (secItem){
PKIX_GENERALNAME_DEBUG
("\t\tCalling SECITEM_FreeItem).\n");
SECITEM_FreeItem(secItem, PR_TRUE);
secItem = NULL;
}
}
PKIX_RETURN(GENERALNAME);
}
/*
* FUNCTION: pkix_TargetCertCheckerState_Create
* DESCRIPTION:
*
* Creates a new TargetCertCheckerState using the CertSelector pointed to
* by "certSelector" and the number of certs represented by "certsRemaining"
* and stores it at "pState".
*
* PARAMETERS:
* "certSelector"
* Address of CertSelector representing the criteria against which the
* final certificate in a chain is to be matched. Must be non-NULL.
* "certsRemaining"
* Number of certificates remaining in the chain.
* "pState"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a TargetCertCheckerState Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_TargetCertCheckerState_Create(
PKIX_CertSelector *certSelector,
PKIX_UInt32 certsRemaining,
pkix_TargetCertCheckerState **pState,
void *plContext)
{
pkix_TargetCertCheckerState *state = NULL;
PKIX_ComCertSelParams *certSelectorParams = NULL;
PKIX_List *pathToNameList = NULL;
PKIX_List *extKeyUsageList = NULL;
PKIX_List *subjAltNameList = NULL;
PKIX_PL_OID *extKeyUsageOID = NULL;
PKIX_PL_OID *subjAltNameOID = NULL;
PKIX_Boolean subjAltNameMatchAll = PKIX_TRUE;
PKIX_ENTER(TARGETCERTCHECKERSTATE,
"pkix_TargetCertCheckerState_Create");
PKIX_NULLCHECK_ONE(pState);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_EXTENDEDKEYUSAGE_OID,
&extKeyUsageOID,
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_CERTSUBJALTNAME_OID,
&subjAltNameOID,
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_TARGETCERTCHECKERSTATE_TYPE,
sizeof (pkix_TargetCertCheckerState),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT);
/* initialize fields */
if (certSelector != NULL) {
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
(certSelector, &certSelectorParams, plContext),
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED);
if (certSelectorParams != NULL) {
PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
(certSelectorParams,
&pathToNameList,
plContext),
PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
(certSelectorParams,
&extKeyUsageList,
plContext),
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
(certSelectorParams,
&subjAltNameList,
plContext),
PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
(certSelectorParams,
&subjAltNameMatchAll,
plContext),
PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
}
}
state->certsRemaining = certsRemaining;
state->subjAltNameMatchAll = subjAltNameMatchAll;
PKIX_INCREF(certSelector);
state->certSelector = certSelector;
state->pathToNameList = pathToNameList;
pathToNameList = NULL;
state->extKeyUsageList = extKeyUsageList;
extKeyUsageList = NULL;
state->subjAltNameList = subjAltNameList;
subjAltNameList = NULL;
state->extKeyUsageOID = extKeyUsageOID;
extKeyUsageOID = NULL;
state->subjAltNameOID = subjAltNameOID;
subjAltNameOID = NULL;
*pState = state;
state = NULL;
cleanup:
PKIX_DECREF(extKeyUsageOID);
PKIX_DECREF(subjAltNameOID);
PKIX_DECREF(pathToNameList);
PKIX_DECREF(extKeyUsageList);
PKIX_DECREF(subjAltNameList);
PKIX_DECREF(state);
PKIX_DECREF(certSelectorParams);
PKIX_RETURN(TARGETCERTCHECKERSTATE);
}
int test_policynode(int argc, char *argv[]) {
/*
* Create a tree with parent = anyPolicy,
* child1 with Nist1+Nist2, child2 with Nist1.
* Give each child another child, with policies Nist2
* and Nist1, respectively. Pruning with a depth of two
* should have no effect. Give one of the children
* another child. Then pruning with a depth of three
* should reduce the tree to a single strand, as child1
* and child3 are removed.
*
* parent (anyPolicy)
* / \
* child1(Nist1+Nist2) child2(Nist1)
* | |
* child3(Nist2) child4(Nist1)
* |
* child5(Nist1)
*
*/
char *asciiAnyPolicy = "2.5.29.32.0";
PKIX_PL_Cert *cert = NULL;
PKIX_PL_CertPolicyInfo *nist1Policy = NULL;
PKIX_PL_CertPolicyInfo *nist2Policy = NULL;
PKIX_List *policyQualifierList = NULL;
PKIX_PL_OID *oidAnyPolicy = NULL;
PKIX_PL_OID *oidNist1Policy = NULL;
PKIX_PL_OID *oidNist2Policy = NULL;
PKIX_List *expectedAnyList = NULL;
PKIX_List *expectedNist1List = NULL;
PKIX_List *expectedNist2List = NULL;
PKIX_List *expectedNist1Nist2List = NULL;
PKIX_List *emptyList = NULL;
PKIX_PolicyNode *parentNode = NULL;
PKIX_PolicyNode *childNode1 = NULL;
PKIX_PolicyNode *childNode2 = NULL;
PKIX_PolicyNode *childNode3 = NULL;
PKIX_PolicyNode *childNode4 = NULL;
PKIX_PolicyNode *childNode5 = NULL;
PKIX_PL_String *parentString = NULL;
PKIX_Boolean pDelete = PKIX_FALSE;
char *expectedParentAscii =
"{2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5C "
"1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 65"
" 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D 2"
"0 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 69 "
"73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 66"
" 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20 6"
"F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1.3"
".6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69 7"
"3 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 69 "
"63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 20"
" 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63 6"
"1 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 75 "
"72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101.3"
".2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A 20"
" 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72 2"
"0 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 "
"66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 72"
" 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F 7"
"4 20 62 65 20 64 69 73 70 6C 61 79 65 64])]),1}\n"
". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
"C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
"65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
" 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
"9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
"66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
" 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2),2}";
char *expectedValidAscii =
"2.16.840.1.101.3.2.1.48.2";
char *expectedQualifiersAscii =
/* "(1.3.6.1.5.5.7.2.2)"; */
"(1.3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 "
"69 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74"
" 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 7"
"2 20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 "
"63 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70"
" 75 72 70 6F 73 65 73 20 6F 6E 6C 79])";
char *expectedPoliciesAscii =
"(2.16.840.1.101.3.2.1.48.1)";
char *expectedTree =
"{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
"C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
"65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
" 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
"9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
"66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
" 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1"
".3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69"
" 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 6"
"9 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 "
"20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63"
" 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 7"
"5 72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101"
".3.2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A "
"20 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72"
" 20 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 6"
"9 66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 "
"72 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F"
" 74 20 62 65 20 64 69 73 70 6C 61 79 65 64])]"
"),1}\n"
". . {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30"
" 5C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 6"
"8 65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F "
"6D 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68"
" 69 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 2"
"0 66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 "
"20 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2)"
",2}\n"
". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
"C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
"65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
" 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
"9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
"66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
" 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
"(2.16.840.1.101.3.2.1.48.1),2}\n"
". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
"0.1.101.3.2.1.48.1),3}";
char *expectedPrunedTree =
"{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
"C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
"65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
" 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
"9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
"66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
" 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
"(2.16.840.1.101.3.2.1.48.1),2}\n"
". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
"0.1.101.3.2.1.48.1),3}";
PKIX_UInt32 actualMinorVersion;
PKIX_UInt32 j = 0;
char *dirName = NULL;
PKIX_TEST_STD_VARS();
if (argc < 2) {
printUsage();
return (0);
}
startTests("PolicyNode");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
dirName = argv[j+1];
subTest("Creating OID objects");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(asciiAnyPolicy, &oidAnyPolicy, plContext));
/* Read certificates to get real policies, qualifiers */
cert = createCert
(dirName, "UserNoticeQualifierTest16EE.crt", plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
(cert, &expectedNist1Nist2List, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
(expectedNist1Nist2List,
0,
(PKIX_PL_Object **)&nist1Policy,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
(expectedNist1Nist2List,
1,
(PKIX_PL_Object **)&nist2Policy,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
(nist1Policy, &policyQualifierList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
(nist1Policy, &oidNist1Policy, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
(nist2Policy, &oidNist2Policy, plContext));
subTest("Creating expectedPolicy List objects");
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&expectedAnyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&expectedNist1List, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&expectedNist2List, plContext));
subTest("Populating expectedPolicy List objects");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(expectedAnyList, (PKIX_PL_Object *)oidAnyPolicy, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(expectedNist1List,
(PKIX_PL_Object *)oidNist1Policy,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(expectedNist2List,
(PKIX_PL_Object *)oidNist2Policy,
plContext));
subTest("Creating PolicyNode objects");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidAnyPolicy,
NULL,
PKIX_TRUE,
expectedAnyList,
&parentNode,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidNist2Policy,
policyQualifierList,
PKIX_TRUE,
expectedNist1Nist2List,
&childNode1,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidNist1Policy,
policyQualifierList,
PKIX_TRUE,
expectedNist1List,
&childNode2,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidNist2Policy,
policyQualifierList,
PKIX_TRUE,
expectedNist2List,
&childNode3,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidNist1Policy,
emptyList,
PKIX_FALSE,
expectedNist1List,
&childNode4,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
(oidNist1Policy,
NULL,
PKIX_TRUE,
expectedNist1List,
&childNode5,
plContext));
subTest("Creating the PolicyNode tree");
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
(parentNode, childNode1, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
(parentNode, childNode2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
(childNode1, childNode3, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
(childNode2, childNode4, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
(childNode4, childNode5, plContext));
subTest("Displaying PolicyNode objects");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)parentNode, &parentString, plContext));
(void) printf("parentNode is\n\t%s\n", parentString->escAsciiString);
testToStringHelper
((PKIX_PL_Object*)parentNode, expectedTree, plContext);
test_DuplicateHelper(parentNode, plContext);
test_GetParent(childNode3, childNode3, childNode4, expectedParentAscii);
test_GetValidPolicy
(childNode1, childNode3, parentNode, expectedValidAscii);
test_GetPolicyQualifiers
(childNode1, childNode3, childNode4, expectedQualifiersAscii);
test_GetExpectedPolicies
(childNode2, childNode4, childNode3, expectedPoliciesAscii);
test_IsCritical(childNode1, childNode2, childNode4);
test_GetDepth(childNode2, childNode4, childNode5);
subTest("pkix_PolicyNode_Prune");
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
(parentNode, 2, &pDelete, plContext));
testToStringHelper
((PKIX_PL_Object*)parentNode, expectedTree, plContext);
PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
(parentNode, 3, &pDelete, plContext));
testToStringHelper
((PKIX_PL_Object*)parentNode, expectedPrunedTree, plContext);
test_GetChildren(parentNode, parentNode, childNode2);
cleanup:
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(nist1Policy);
PKIX_TEST_DECREF_AC(nist2Policy);
PKIX_TEST_DECREF_AC(policyQualifierList);
PKIX_TEST_DECREF_AC(oidAnyPolicy);
PKIX_TEST_DECREF_AC(oidNist1Policy);
PKIX_TEST_DECREF_AC(oidNist2Policy);
PKIX_TEST_DECREF_AC(expectedAnyList);
PKIX_TEST_DECREF_AC(expectedNist1List);
PKIX_TEST_DECREF_AC(expectedNist2List);
PKIX_TEST_DECREF_AC(expectedNist1Nist2List);
PKIX_TEST_DECREF_AC(emptyList);
PKIX_TEST_DECREF_AC(parentNode);
PKIX_TEST_DECREF_AC(childNode1);
PKIX_TEST_DECREF_AC(childNode2);
PKIX_TEST_DECREF_AC(childNode3);
PKIX_TEST_DECREF_AC(childNode4);
PKIX_TEST_DECREF_AC(childNode5);
PKIX_TEST_DECREF_AC(parentString);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("PolicyNode");
return (0);
}
/*
* FUNCTION: pkix_DefaultCRLCheckerState_Create
*
* DESCRIPTION:
* Allocate and initialize DefaultCRLChecker state data.
*
* PARAMETERS
* "certStores"
* Address of CertStore List to be stored in state. Must be non-NULL.
* "testDate"
* Address of PKIX_PL_Date to be checked. May be NULL.
* "trustedPubKey"
* Trusted Anchor Public Key for verifying first Cert in the chain.
* Must be non-NULL.
* "certsRemaining"
* Number of certificates remaining in the chain.
* "nistCRLPolicyEnabled"
* If enabled, enforce nist crl policy.
* "pCheckerState"
* Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
*
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
*
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a DefaultCrlCheckerState Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error
*/
static PKIX_Error *
pkix_DefaultCRLCheckerState_Create(
PKIX_List *certStores,
PKIX_PL_Date *testDate,
PKIX_PL_PublicKey *trustedPubKey,
PKIX_UInt32 certsRemaining,
PKIX_Boolean nistCRLPolicyEnabled,
pkix_DefaultCRLCheckerState **pCheckerState,
void *plContext)
{
pkix_DefaultCRLCheckerState *state = NULL;
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
"pkix_DefaultCRLCheckerState_Create");
PKIX_NULLCHECK_TWO(certStores, pCheckerState);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
sizeof (pkix_DefaultCRLCheckerState),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
/* Initialize fields */
PKIX_INCREF(certStores);
state->certStores = certStores;
PKIX_INCREF(testDate);
state->testDate = testDate;
PKIX_INCREF(trustedPubKey);
state->prevPublicKey = trustedPubKey;
state->certHasValidCrl = PKIX_FALSE;
state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
state->prevCertCrlSign = PKIX_TRUE;
state->prevPublicKeyList = NULL;
state->reasonCodeMask = 0;
state->certsRemaining = certsRemaining;
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_CRLREASONCODE_OID,
&state->crlReasonCodeOID,
plContext),
PKIX_OIDCREATEFAILED);
state->certIssuer = NULL;
state->certSerialNumber = NULL;
state->crlSelector = NULL;
state->crlStoreIndex = 0;
state->numCrlStores = 0;
*pCheckerState = state;
state = NULL;
cleanup:
PKIX_DECREF(state);
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
}
/*
* FUNCTION: PKIX_PL_GeneralName_Create (see comments in pkix_pl_pki.h)
*/
PKIX_Error *
PKIX_PL_GeneralName_Create(
PKIX_UInt32 nameType,
PKIX_PL_String *stringRep,
PKIX_PL_GeneralName **pGName,
void *plContext)
{
PKIX_PL_X500Name *pkixDN = NULL;
PKIX_PL_OID *pkixOID = NULL;
SECItem *secItem = NULL;
char *asciiString = NULL;
PKIX_UInt32 length = 0;
PKIX_PL_GeneralName *genName = NULL;
CERTGeneralName *nssGenName = NULL;
CERTGeneralNameList *nssGenNameList = NULL;
CERTName *nssCertName = NULL;
PLArenaPool *arena = NULL;
PKIX_ENTER(GENERALNAME, "PKIX_PL_GeneralName_Create");
PKIX_NULLCHECK_TWO(pGName, stringRep);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stringRep,
PKIX_ESCASCII,
(void **)&asciiString,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
/* Create a temporary CERTGeneralName */
PKIX_GENERALNAME_DEBUG("\t\tCalling PL_strlen).\n");
length = PL_strlen(asciiString);
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
secItem = SECITEM_AllocItem(NULL, NULL, length);
PKIX_GENERALNAME_DEBUG("\t\tCalling PORT_Memcpy).\n");
(void) PORT_Memcpy(secItem->data, asciiString, length);
PKIX_CERT_DEBUG("\t\tCalling PORT_NewArena).\n");
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_NewGeneralName).\n");
nssGenName = CERT_NewGeneralName(arena, nameType);
if (nssGenName == NULL) {
PKIX_ERROR(PKIX_ALLOCATENEWCERTGENERALNAMEFAILED);
}
switch (nameType) {
case certRFC822Name:
case certDNSName:
case certURI:
nssGenName->name.other = *secItem;
break;
case certDirectoryName:
PKIX_CHECK(PKIX_PL_X500Name_Create
(stringRep, &pkixDN, plContext),
PKIX_X500NAMECREATEFAILED);
PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_AsciiToName).\n");
nssCertName = CERT_AsciiToName(asciiString);
nssGenName->name.directoryName = *nssCertName;
break;
case certRegisterID:
PKIX_CHECK(PKIX_PL_OID_Create
(asciiString, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
nssGenName->name.other = *secItem;
break;
default:
/* including IPAddress, EDIPartyName, OtherName, X400Address */
PKIX_ERROR(PKIX_UNABLETOCREATEGENERALNAMEOFTHISTYPE);
}
/* create a PKIX_PL_GeneralName object */
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_GENERALNAME_TYPE,
sizeof (PKIX_PL_GeneralName),
(PKIX_PL_Object **)&genName,
plContext),
PKIX_COULDNOTCREATEOBJECT);
/* create a CERTGeneralNameList */
nssGenName->type = nameType;
PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_CreateGeneralNameList).\n");
nssGenNameList = CERT_CreateGeneralNameList(nssGenName);
if (nssGenNameList == NULL) {
PKIX_ERROR(PKIX_CERTCREATEGENERALNAMELISTFAILED);
}
genName->nssGeneralNameList = nssGenNameList;
/* initialize fields */
genName->type = nameType;
genName->directoryName = pkixDN;
genName->OthName = NULL;
genName->other = secItem;
genName->oid = pkixOID;
*pGName = genName;
cleanup:
PKIX_FREE(asciiString);
if (nssCertName != NULL) {
PKIX_CERT_DEBUG("\t\tCalling CERT_DestroyName).\n");
CERT_DestroyName(nssCertName);
}
if (arena){ /* will free nssGenName */
PKIX_CERT_DEBUG("\t\tCalling PORT_FreeArena).\n");
PORT_FreeArena(arena, PR_FALSE);
}
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(pkixDN);
PKIX_DECREF(pkixOID);
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
if (secItem){
SECITEM_FreeItem(secItem, PR_TRUE);
secItem = NULL;
}
}
PKIX_RETURN(GENERALNAME);
}
