Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing)
{
Input derCert;
Result rv = derCert.Init(certDER.data(), certDER.length());
if (rv != Success) {
return rv;
}
return checker.Check(derCert, nullptr/*additionalNameConstraints*/,
keepGoing);
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
Input issuerInput;
EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
bool keepGoing;
EXPECT_EQ(Success,
checker.Check(issuerInput, nullptr /*additionalNameConstraints*/,
keepGoing));
EXPECT_EQ(expectedKeepGoing, keepGoing);
return Success;
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
// keepGoing is an out parameter from IssuerChecker.Check. It would tell us
// whether or not to continue attempting other potential issuers. We only
// know of one potential issuer, however, so we ignore it.
bool keepGoing;
Input rootCert;
Result rv = rootCert.Init(rootDER.data(), rootDER.length());
if (rv != Success) {
return rv;
}
return checker.Check(rootCert, nullptr, keepGoing);
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
EXPECT_FALSE(ENCODING_FAILED(issuer));
Input issuerInput;
EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
bool keepGoing;
EXPECT_EQ(Success, checker.Check(issuerInput, nullptr, keepGoing));
EXPECT_FALSE(keepGoing);
return Success;
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
bool keepGoing;
for (auto& cert: certs) {
Input certInput;
Result rv = certInput.Init(cert.data(), cert.length());
if (rv != Success) {
return rv;
}
rv = checker.Check(certInput, nullptr, keepGoing);
if (rv != Success || !keepGoing) {
return rv;
}
}
return Success;
}
Result
AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
Time)
{
MOZ_ASSERT(mTrustedRoot);
if (!mTrustedRoot) {
return Result::FATAL_ERROR_INVALID_STATE;
}
// TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
// FindIssuer must only pass certificates with a matching subject name to
// checker.Check, we can stop using CERT_CreateSubjectCertList and instead
// use logic like this:
//
// 1. First, try the trusted trust anchor.
// 2. Secondly, iterate through the certificates that were stored in the CMS
// message, passing each one to checker.Check.
SECItem encodedIssuerNameSECItem =
UnsafeMapInputToSECItem(encodedIssuerName);
UniqueCERTCertList
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
&encodedIssuerNameSECItem, 0,
false));
if (candidates) {
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
Input certDER;
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
continue; // probably too big
}
bool keepGoing;
rv = checker.Check(certDER, nullptr/*additionalNameConstraints*/,
keepGoing);
if (rv != Success) {
return rv;
}
if (!keepGoing) {
break;
}
}
}
return Success;
}
Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
override
{
ByteString subjectDER(InputToByteString(encodedIssuerName));
ByteString certDER(subjectDERToCertDER[subjectDER]);
Input derCert;
Result rv = derCert.Init(certDER.data(), certDER.length());
if (rv != Success) {
return rv;
}
bool keepGoing;
rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/,
keepGoing);
if (rv != Success) {
return rv;
}
return Success;
}
virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
Time)
{
ByteString* issuerDER = nullptr;
if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) {
issuerDER = &rootDER;
} else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) {
issuerDER = &intDER;
} else {
// FindIssuer just returns success if it can't find a potential issuer.
return Success;
}
Input issuerCert;
Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length());
if (rv != Success) {
return rv;
}
bool keepGoing;
return checker.Check(issuerCert, nullptr, keepGoing);
}
