Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing) { Input derCert; Result rv = derCert.Init(certDER.data(), certDER.length()); if (rv != Success) { return rv; } return checker.Check(derCert, nullptr/*additionalNameConstraints*/, keepGoing); }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { Input issuerInput; EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length())); bool keepGoing; EXPECT_EQ(Success, checker.Check(issuerInput, nullptr /*additionalNameConstraints*/, keepGoing)); EXPECT_EQ(expectedKeepGoing, keepGoing); return Success; }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { // keepGoing is an out parameter from IssuerChecker.Check. It would tell us // whether or not to continue attempting other potential issuers. We only // know of one potential issuer, however, so we ignore it. bool keepGoing; Input rootCert; Result rv = rootCert.Init(rootDER.data(), rootDER.length()); if (rv != Success) { return rv; } return checker.Check(rootCert, nullptr, keepGoing); }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { EXPECT_FALSE(ENCODING_FAILED(issuer)); Input issuerInput; EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length())); bool keepGoing; EXPECT_EQ(Success, checker.Check(issuerInput, nullptr, keepGoing)); EXPECT_FALSE(keepGoing); return Success; }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { bool keepGoing; for (auto& cert: certs) { Input certInput; Result rv = certInput.Init(cert.data(), cert.length()); if (rv != Success) { return rv; } rv = checker.Check(certInput, nullptr, keepGoing); if (rv != Success || !keepGoing) { return rv; } } return Success; }
Result AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time) { MOZ_ASSERT(mTrustedRoot); if (!mTrustedRoot) { return Result::FATAL_ERROR_INVALID_STATE; } // TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that // FindIssuer must only pass certificates with a matching subject name to // checker.Check, we can stop using CERT_CreateSubjectCertList and instead // use logic like this: // // 1. First, try the trusted trust anchor. // 2. Secondly, iterate through the certificates that were stored in the CMS // message, passing each one to checker.Check. SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName); UniqueCERTCertList candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameSECItem, 0, false)); if (candidates) { for (CERTCertListNode* n = CERT_LIST_HEAD(candidates); !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) { Input certDER; Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len); if (rv != Success) { continue; // probably too big } bool keepGoing; rv = checker.Check(certDER, nullptr/*additionalNameConstraints*/, keepGoing); if (rv != Success) { return rv; } if (!keepGoing) { break; } } } return Success; }
Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time) override { ByteString subjectDER(InputToByteString(encodedIssuerName)); ByteString certDER(subjectDERToCertDER[subjectDER]); Input derCert; Result rv = derCert.Init(certDER.data(), certDER.length()); if (rv != Success) { return rv; } bool keepGoing; rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/, keepGoing); if (rv != Success) { return rv; } return Success; }
virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time) { ByteString* issuerDER = nullptr; if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) { issuerDER = &rootDER; } else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) { issuerDER = &intDER; } else { // FindIssuer just returns success if it can't find a potential issuer. return Success; } Input issuerCert; Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length()); if (rv != Success) { return rv; } bool keepGoing; return checker.Check(issuerCert, nullptr, keepGoing); }