PKIX_ProcessingParams * createProcessingParams( char *dirName, char *firstAnchorFileName, char *secondAnchorFileName, char *dateAscii, PKIX_List *initialPolicies, /* List of PKIX_PL_OID */ PKIX_Boolean isCrlEnabled, void *plContext) { PKIX_TrustAnchor *firstAnchor = NULL; PKIX_TrustAnchor *secondAnchor = NULL; PKIX_List *anchorsList = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_PL_String *dateString = NULL; PKIX_PL_Date *testDate = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchorsList, plContext)); firstAnchor = createTrustAnchor (dirName, firstAnchorFileName, PKIX_FALSE, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (anchorsList, (PKIX_PL_Object *)firstAnchor, plContext)); if (secondAnchorFileName){ secondAnchor = createTrustAnchor (dirName, secondAnchorFileName, PKIX_FALSE, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (anchorsList, (PKIX_PL_Object *)secondAnchor, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create (anchorsList, &procParams, plContext)); if (dateAscii){ PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_String_Create (PKIX_ESCASCII, dateAscii, 0, &dateString, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Date_Create_UTCTime (dateString, &testDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ProcessingParams_SetDate (procParams, testDate, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies (procParams, initialPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, isCrlEnabled, plContext)); cleanup: if (PKIX_TEST_ERROR_RECEIVED){ PKIX_TEST_DECREF_AC(procParams); } PKIX_TEST_DECREF_AC(dateString); PKIX_TEST_DECREF_AC(testDate); PKIX_TEST_DECREF_AC(anchorsList); PKIX_TEST_DECREF_AC(firstAnchor); PKIX_TEST_DECREF_AC(secondAnchor); PKIX_TEST_RETURN(); return (procParams); }
static PKIX_Error * testDefaultMultipleCertStores(PKIX_ValidateParams *valParams, char *crlDir1, char *crlDir2) { PKIX_PL_String *dirString1 = NULL; PKIX_PL_String *dirString2 = NULL; PKIX_CertStore *certStore1 = NULL; PKIX_CertStore *certStore2 = NULL; PKIX_List *certStoreList = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CollectionCertStore_Create"); /* Create CollectionCertStore */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, crlDir1, 0, &dirString1, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString1, &certStore1, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, crlDir2, 0, &dirString2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString2, &certStore2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams (valParams, &procParams, plContext)); /* Add multiple CollectionCertStores */ subTest("PKIX_ProcessingParams_SetCertStores"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStoreList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (certStoreList, (PKIX_PL_Object *)certStore1, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores (procParams, certStoreList, plContext)); subTest("PKIX_ProcessingParams_AddCertStore"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore (procParams, certStore2, plContext)); subTest("PKIX_ProcessingParams_SetRevocationEnabled"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, PKIX_TRUE, plContext)); cleanup: PKIX_TEST_DECREF_AC(dirString1); PKIX_TEST_DECREF_AC(dirString2); PKIX_TEST_DECREF_AC(certStore1); PKIX_TEST_DECREF_AC(certStore2); PKIX_TEST_DECREF_AC(certStoreList); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_RETURN(); return (0); }
/* * FUNCTION: pkix_pl_CollectionCertStoreContext_GetSelectedCert * DESCRIPTION: * * Finds the Certs that match the criterion of the CertSelector pointed * to by "selector" using the List of Certs pointed to by "certList" and * stores the matching Certs at "pSelectedCertList". * * Not recursive to sub-directory. * * PARAMETERS * "certList" - Address of List of Certs to be searched. Must be non-NULL. * "colCertStoreContext" - Address of CollectionCertStoreContext * where the cached Certs are stored. * "selector" - CertSelector for chosing Cert based on Params set * "pSelectedCertList" - Certs that qualified by selector. * "plContext" - Platform-specific context pointer. * * THREAD SAFETY: * Not Thread Safe - A lock at top level is required. * * RETURNS: * Returns NULL if the function succeeds. * Returns a CollectionCertStoreContext Error if the function fails in * a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ static PKIX_Error * pkix_pl_CollectionCertStoreContext_GetSelectedCert( PKIX_List *certList, PKIX_CertSelector *selector, PKIX_List **pSelectedCertList, void *plContext) { PKIX_List *selectCertList = NULL; PKIX_PL_Cert *certItem = NULL; PKIX_CertSelector_MatchCallback certSelectorMatch = NULL; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; PKIX_ENTER(COLLECTIONCERTSTORECONTEXT, "pkix_pl_CollectionCertStoreContext_GetSelectedCert"); PKIX_NULLCHECK_THREE(certList, selector, pSelectedCertList); PKIX_CHECK(PKIX_CertSelector_GetMatchCallback (selector, &certSelectorMatch, plContext), PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); PKIX_CHECK(PKIX_List_GetLength(certList, &numCerts, plContext), PKIX_LISTGETLENGTHFAILED); if (certSelectorMatch) { PKIX_CHECK(PKIX_List_Create(&selectCertList, plContext), PKIX_LISTCREATEFAILED); for (i = 0; i < numCerts; i++) { PKIX_CHECK_ONLY_FATAL (PKIX_List_GetItem (certList, i, (PKIX_PL_Object **) &certItem, plContext), PKIX_LISTGETITEMFAILED); if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (certSelectorMatch (selector, certItem, plContext), PKIX_CERTSELECTORMATCHFAILED); if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (PKIX_List_AppendItem (selectCertList, (PKIX_PL_Object *)certItem, plContext), PKIX_LISTAPPENDITEMFAILED); } } PKIX_DECREF(certItem); } } else { PKIX_INCREF(certList); selectCertList = certList; } *pSelectedCertList = selectCertList; cleanup: PKIX_RETURN(COLLECTIONCERTSTORECONTEXT); }
/* * FUNCTION: pkix_pl_LdapCertStore_BuildCertList * DESCRIPTION: * * This function takes a List of LdapResponse objects pointed to by * "responseList" and extracts and decodes the Certificates in those responses, * storing the List of those Certificates at "pCerts". If none of the objects * can be decoded into a Cert, the returned List is empty. * * PARAMETERS: * "responseList" * The address of the List of LdapResponses. Must be non-NULL. * "pCerts" * The address at which the result is stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_LdapCertStore_BuildCertList( PKIX_List *responseList, PKIX_List **pCerts, void *plContext) { PKIX_UInt32 numResponses = 0; PKIX_UInt32 respIx = 0; LdapAttrMask attrBits = 0; PKIX_PL_LdapResponse *response = NULL; PKIX_List *certList = NULL; LDAPMessage *message = NULL; LDAPSearchResponseEntry *sre = NULL; LDAPSearchResponseAttr **sreAttrArray = NULL; LDAPSearchResponseAttr *sreAttr = NULL; SECItem *attrType = NULL; SECItem **attrVal = NULL; SECItem *derCertItem = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCertList"); PKIX_NULLCHECK_TWO(responseList, pCerts); PKIX_CHECK(PKIX_List_Create(&certList, plContext), PKIX_LISTCREATEFAILED); /* extract certs from response */ PKIX_CHECK(PKIX_List_GetLength (responseList, &numResponses, plContext), PKIX_LISTGETLENGTHFAILED); for (respIx = 0; respIx < numResponses; respIx++) { PKIX_CHECK(PKIX_List_GetItem (responseList, respIx, (PKIX_PL_Object **)&response, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_pl_LdapResponse_GetMessage (response, &message, plContext), PKIX_LDAPRESPONSEGETMESSAGEFAILED); sre = &(message->protocolOp.op.searchResponseEntryMsg); sreAttrArray = sre->attributes; /* Get next element of null-terminated array */ sreAttr = *sreAttrArray++; while (sreAttr != NULL) { attrType = &(sreAttr->attrType); PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit (attrType, &attrBits, plContext), PKIX_LDAPREQUESTATTRTYPETOBITFAILED); /* Is this attrVal a Certificate? */ if (((LDAPATTR_CACERT | LDAPATTR_USERCERT) & attrBits) == attrBits) { attrVal = sreAttr->val; derCertItem = *attrVal++; while (derCertItem != 0) { /* create a PKIX_PL_Cert from derCert */ PKIX_CHECK(pkix_pl_Cert_CreateToList (derCertItem, certList, plContext), PKIX_CERTCREATETOLISTFAILED); derCertItem = *attrVal++; } } else if ((LDAPATTR_CROSSPAIRCERT & attrBits) == attrBits){ /* Is this attrVal a CrossPairCertificate? */ attrVal = sreAttr->val; derCertItem = *attrVal++; while (derCertItem != 0) { /* create PKIX_PL_Certs from derCert */ PKIX_CHECK(pkix_pl_LdapCertStore_DecodeCrossCertPair (derCertItem, certList, plContext), PKIX_LDAPCERTSTOREDECODECROSSCERTPAIRFAILED); derCertItem = *attrVal++; } } sreAttr = *sreAttrArray++; } PKIX_DECREF(response); } *pCerts = certList; cleanup: if (PKIX_ERROR_RECEIVED) { PKIX_DECREF(certList); } PKIX_DECREF(response); PKIX_RETURN(CERTSTORE); }
/* * FUNCTION: pkix_pl_LdapCertStore_GetCert * (see description of PKIX_CertStore_CertCallback in pkix_certstore.h) */ PKIX_Error * pkix_pl_LdapCertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) { PLArenaPool *requestArena = NULL; LDAPRequestParams requestParams; void *pollDesc = NULL; PKIX_Int32 minPathLen = 0; PKIX_Boolean cacheFlag = PKIX_FALSE; PKIX_ComCertSelParams *params = NULL; PKIX_PL_LdapCertStoreContext *lcs = NULL; PKIX_List *responses = NULL; PKIX_List *unfilteredCerts = NULL; PKIX_List *filteredCerts = NULL; PKIX_PL_X500Name *subjectName = 0; PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCert"); PKIX_NULLCHECK_THREE(store, selector, pCertList); requestParams.baseObject = "c=US"; requestParams.scope = WHOLE_SUBTREE; requestParams.derefAliases = NEVER_DEREF; requestParams.sizeLimit = 0; requestParams.timeLimit = 0; /* Prepare elements for request filter */ /* * Get a short-lived arena. We'll be done with this space once * the request is encoded. */ requestArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!requestArena) { PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY); } PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams (selector, ¶ms, plContext), PKIX_CERTSELECTORGETCOMCERTSELPARAMSFAILED); /* * If we have the subject name for the desired subject, * ask the server for Certs with that subject. */ PKIX_CHECK(PKIX_ComCertSelParams_GetSubject (params, &subjectName, plContext), PKIX_COMCERTSELPARAMSGETSUBJECTFAILED); PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints (params, &minPathLen, plContext), PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED); if (subjectName) { PKIX_CHECK(pkix_pl_LdapCertStore_MakeNameAVAList (requestArena, subjectName, &(requestParams.nc), plContext), PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED); if (*requestParams.nc == NULL) { /* * The subjectName may not include any components * that we know how to encode. We do not return * an error, because the caller did not necessarily * do anything wrong, but we return an empty List. */ PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, (requestArena, PR_FALSE)); PKIX_CHECK(PKIX_List_Create(&filteredCerts, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_SetImmutable (filteredCerts, plContext), PKIX_LISTSETIMMUTABLEFAILED); *pNBIOContext = NULL; *pCertList = filteredCerts; filteredCerts = NULL; goto cleanup; } } else { PKIX_ERROR(PKIX_INSUFFICIENTCRITERIAFORCERTQUERY); } /* Prepare attribute field of request */ requestParams.attributes = 0; if (minPathLen < 0) { requestParams.attributes |= LDAPATTR_USERCERT; } if (minPathLen > -2) { requestParams.attributes |= LDAPATTR_CACERT | LDAPATTR_CROSSPAIRCERT; } /* All request fields are done */ PKIX_CHECK(PKIX_CertStore_GetCertStoreContext (store, (PKIX_PL_Object **)&lcs, plContext), PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest ((PKIX_PL_LdapClient *)lcs, &requestParams, &pollDesc, &responses, plContext), PKIX_LDAPCLIENTINITIATEREQUESTFAILED); PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList (requestParams.nc, plContext), PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED); if (requestArena) { PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, (requestArena, PR_FALSE)); requestArena = NULL; } if (pollDesc != NULL) { /* client is waiting for non-blocking I/O to complete */ *pNBIOContext = (void *)pollDesc; *pCertList = NULL; goto cleanup; } /* LdapClient has given us a response! */ if (responses) { PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag (store, &cacheFlag, plContext), PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED); PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList (responses, &unfilteredCerts, plContext), PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED); PKIX_CHECK(pkix_CertSelector_Select (selector, unfilteredCerts, &filteredCerts, plContext), PKIX_CERTSELECTORSELECTFAILED); } *pNBIOContext = NULL; *pCertList = filteredCerts; filteredCerts = NULL; cleanup: PKIX_DECREF(params); PKIX_DECREF(subjectName); PKIX_DECREF(responses); PKIX_DECREF(unfilteredCerts); PKIX_DECREF(filteredCerts); PKIX_DECREF(lcs); PKIX_RETURN(CERTSTORE); }
/* * FUNCTION: pkix_List_QuickSort * DESCRIPTION: * * Sorts List of Objects "fromList" using "comparatorCallback"'s result as * comasrison key and returns the sorted List at "pSortedList". The sorting * algorithm used is quick sort (n*logn). * * PARAMETERS: * "fromList" * Address of a List of Objects to be sorted. Must be non-NULL, but may be * empty. * "comparatorCallback" * Address of callback function that will compare two Objects on the List. * It should return -1 for less, 0 for equal and 1 for greater. The * callback implementation chooses what in Objects to be compared. Must be * non-NULL. * "pSortedList" * Address of a List of Objects that shall be sorted and returned. Must be * non-NULL, but may be empty. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe - assumes exclusive access to "toList" * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds * Returns a Fatal Error if the function fails in an unrecoverable way */ PKIX_Error * pkix_List_QuickSort( PKIX_List *fromList, PKIX_List_SortComparatorCallback comparator, PKIX_List **pSortedList, void *plContext) { PKIX_List *sortedList = NULL; PKIX_List *lessList = NULL; PKIX_List *greaterList = NULL; PKIX_List *sortedLessList = NULL; PKIX_List *sortedGreaterList = NULL; PKIX_PL_Object *object = NULL; PKIX_PL_Object *cmpObj = NULL; PKIX_Int32 cmpResult = 0; PKIX_UInt32 size = 0; PKIX_UInt32 i; PKIX_ENTER(BUILD, "pkix_List_QuickSort"); PKIX_NULLCHECK_THREE(fromList, comparator, pSortedList); PKIX_CHECK(PKIX_List_GetLength(fromList, &size, plContext), PKIX_LISTGETLENGTHFAILED); PKIX_CHECK(PKIX_List_Create(&lessList, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_Create(&greaterList, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_GetItem (fromList, 0, &object, plContext), PKIX_LISTGETITEMFAILED); /* * Pick the first item on the list as the one to be compared. * Separate rest of the itmes into two lists: less-than or greater- * than lists. Sort those two lists recursively. Insert sorted * less-than list before the picked item and append the greater- * than list after the picked item. */ for (i = 1; i < size; i++) { PKIX_CHECK(PKIX_List_GetItem (fromList, i, &cmpObj, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(comparator(object, cmpObj, &cmpResult, plContext), PKIX_COMPARATORCALLBACKFAILED); if (cmpResult >= 0) { PKIX_CHECK(PKIX_List_AppendItem (lessList, cmpObj, plContext), PKIX_LISTAPPENDITEMFAILED); } else { PKIX_CHECK(PKIX_List_AppendItem (greaterList, cmpObj, plContext), PKIX_LISTAPPENDITEMFAILED); } PKIX_DECREF(cmpObj); } PKIX_CHECK(PKIX_List_Create(&sortedList, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_GetLength(lessList, &size, plContext), PKIX_LISTGETLENGTHFAILED); if (size > 1) { PKIX_CHECK(pkix_List_QuickSort (lessList, comparator, &sortedLessList, plContext), PKIX_LISTQUICKSORTFAILED); PKIX_CHECK(pkix_List_AppendList (sortedList, sortedLessList, plContext), PKIX_LISTAPPENDLISTFAILED); } else { PKIX_CHECK(pkix_List_AppendList (sortedList, lessList, plContext), PKIX_LISTAPPENDLISTFAILED); } PKIX_CHECK(PKIX_List_AppendItem(sortedList, object, plContext), PKIX_LISTAPPENDFAILED); PKIX_CHECK(PKIX_List_GetLength(greaterList, &size, plContext), PKIX_LISTGETLENGTHFAILED); if (size > 1) { PKIX_CHECK(pkix_List_QuickSort (greaterList, comparator, &sortedGreaterList, plContext), PKIX_LISTQUICKSORTFAILED); PKIX_CHECK(pkix_List_AppendList (sortedList, sortedGreaterList, plContext), PKIX_LISTAPPENDLISTFAILED); } else { PKIX_CHECK(pkix_List_AppendList (sortedList, greaterList, plContext), PKIX_LISTAPPENDLISTFAILED); } *pSortedList = sortedList; cleanup: PKIX_DECREF(cmpObj); PKIX_DECREF(object); PKIX_DECREF(sortedGreaterList); PKIX_DECREF(sortedLessList); PKIX_DECREF(greaterList); PKIX_DECREF(lessList); PKIX_RETURN(LIST); }
int test_certchainchecker(int argc, char *argv[]) { PKIX_UInt32 actualMinorVersion; PKIX_PL_OID *bcOID = NULL; PKIX_PL_OID *ncOID = NULL; PKIX_PL_OID *cpOID = NULL; PKIX_PL_OID *pmOID = NULL; PKIX_PL_OID *pcOID = NULL; PKIX_PL_OID *iaOID = NULL; PKIX_CertChainChecker *dummyChecker = NULL; PKIX_List *supportedExtensions = NULL; PKIX_PL_Object *initialState = NULL; PKIX_UInt32 j = 0; PKIX_TEST_STD_VARS(); startTests("CertChainChecker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create (&supportedExtensions, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_BASICCONSTRAINTS_OID, &bcOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)bcOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_NAMECONSTRAINTS_OID, &ncOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)ncOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_CERTIFICATEPOLICIES_OID, &cpOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)cpOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_POLICYMAPPINGS_OID, &pmOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)pmOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_POLICYCONSTRAINTS_OID, &pcOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)pcOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (PKIX_INHIBITANYPOLICY_OID, &iaOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (supportedExtensions, (PKIX_PL_Object *)iaOID, plContext)); PKIX_TEST_DECREF_BC(bcOID); PKIX_TEST_DECREF_BC(ncOID); PKIX_TEST_DECREF_BC(cpOID); PKIX_TEST_DECREF_BC(pmOID); PKIX_TEST_DECREF_BC(pcOID); PKIX_TEST_DECREF_BC(iaOID); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef ((PKIX_PL_Object *)supportedExtensions, plContext)); initialState = (PKIX_PL_Object *)supportedExtensions; subTest("CertChainChecker_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create (dummyChecker_Check, /* PKIX_CertChainChecker_CheckCallback */ PKIX_FALSE, /* forwardCheckingSupported */ PKIX_FALSE, /* forwardDirectionExpected */ supportedExtensions, NULL, /* PKIX_PL_Object *initialState */ &dummyChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertChainChecker_SetCertChainCheckerState (dummyChecker, initialState, plContext)); test_CertChainChecker_Duplicate(dummyChecker); subTest("CertChainChecker_Destroy"); PKIX_TEST_DECREF_BC(dummyChecker); cleanup: PKIX_TEST_DECREF_AC(dummyChecker); PKIX_TEST_DECREF_AC(initialState); PKIX_TEST_DECREF_AC(supportedExtensions); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("CertChainChecker"); return (0); }
/* * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs * * DESCRIPTION: * Check validity of "cert" based on CRLs at "crlList" that has correct * signature verification with "publicKey". * * PARAMETERS * "cert" * Address of Cert which has the certificate data. Must be non-NULL. * "certIssuer" * Address of Issuer that associates with the Cert. Must be non-NULL. * "certSerialNumber" * Address of Serial Number that associates with the Cert. Must be * non-NULL. * "publicKey" * Address of Public Key that associates with the Cert Issuer. * Must be non-NULL. * "crlList" * A List CRLs that the certificate is verified upon. Must be non-NULL. * "state" * Address of DefaultCRLCheckerState which keeps dynamic state data. * Must be non-NULL. * "pCrlEntryList" * Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for * this Cert. May be NULL. * "plContext" * Platform-specific context pointer. * * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * * RETURNS: * Returns NULL if the function succeeds. * Returns a CertChainChecker Error if the function fails in a non-fatal way. * Returns a Fatal Error */ static PKIX_Error * pkix_DefaultCRLChecker_CheckCRLs( PKIX_PL_Cert *cert, PKIX_PL_X500Name *certIssuer, PKIX_PL_BigInt *certSerialNumber, PKIX_PL_PublicKey *publicKey, PKIX_List *crlList, pkix_DefaultCRLCheckerState *state, PKIX_List **pCrlEntryList, void *plContext) { PKIX_PL_CRL *crl = NULL; PKIX_PL_CRLEntry *crlEntry = NULL; PKIX_PL_PublicKey *pKey = NULL; PKIX_List *unresCrlCritExtOIDs = NULL; PKIX_List *unresCrlEntryCritExtOIDs = NULL; PKIX_List *crlEntryList = NULL; PKIX_Error *verifyFail = NULL; PKIX_UInt32 numCrls = 0; PKIX_UInt32 numKeys = 0; PKIX_UInt32 numCritExtOIDs = 0; PKIX_Boolean crlVerified = PKIX_FALSE; PKIX_Boolean crlRevoking = PKIX_FALSE; PKIX_Int32 reasonCode = 0; PKIX_UInt32 i; PKIX_Int32 j; PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_CheckCRLs"); PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state); PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext), PKIX_LISTGETLENGTHFAILED); if (state->prevPublicKeyList != NULL) { PKIX_CHECK(PKIX_List_GetLength (state->prevPublicKeyList, &numKeys, plContext), PKIX_LISTGETLENGTHFAILED); } /* Check if Cert is not revoked by any the the CRLs */ for (i = 0; i < numCrls; i++){ PKIX_CHECK(PKIX_List_GetItem (crlList, i, (PKIX_PL_Object **)&crl, plContext), PKIX_LISTGETITEMFAILED); /* * Checking serial number (issuer done in selector) then * verify signature. If matches, get the CRL reason(s). */ if (state->prevCertCrlSign == PKIX_TRUE) { verifyFail = PKIX_PL_CRL_VerifySignature (crl, publicKey, plContext); if (verifyFail == NULL) { crlVerified = PKIX_TRUE; } else { crlVerified = PKIX_FALSE; PKIX_DECREF(verifyFail); } } if (crlVerified == PKIX_FALSE) { /* Verify from old key(s) on the list */ for (j = numKeys - 1; j >= 0; j--) { PKIX_CHECK(PKIX_List_GetItem (state->prevPublicKeyList, j, (PKIX_PL_Object **) &pKey, plContext), PKIX_LISTGETITEMFAILED); verifyFail = PKIX_PL_CRL_VerifySignature (crl, pKey, plContext); if (verifyFail == NULL) { crlVerified = PKIX_TRUE; break; } else { crlVerified = PKIX_FALSE; PKIX_DECREF(verifyFail); } PKIX_DECREF(pKey); } } if (crlVerified == PKIX_FALSE) { /* try next one ... */ goto cleanup_loop; } state->certHasValidCrl = PKIX_TRUE; PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs (crl, &unresCrlCritExtOIDs, plContext), PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED); /* * XXX Advanced CRL work - should put a * Loop here to process and remove critical * extension oids. */ if (unresCrlCritExtOIDs) { PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs, &numCritExtOIDs, plContext), PKIX_LISTGETLENGTHFAILED); if (numCritExtOIDs != 0) { PKIX_DEFAULTCRLCHECKERSTATE_DEBUG (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED); /* * Uncomment this after we have implemented * checkers for all the critical extensions. * * PKIX_ERROR * ("Unrecognized CRL Critical Extension"); */ } } PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber (crl, certSerialNumber, &crlEntry, plContext), PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED); if (crlEntry == NULL) { goto cleanup_loop; } crlRevoking = PKIX_TRUE; PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode (crlEntry, &reasonCode, plContext), PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED); /* This is a valid CRLEntry, return it for caching */ if (crlEntryList == NULL) { PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext), PKIX_LISTAPPENDITEMFAILED); /* Set reason code in state for advance CRL reviewing */ if (reasonCode >= 0) { if (reasonCode >= numReasonCodes) reasonCode = 0; state->reasonCodeMask |= 1 << reasonCode; PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG ("CRL revocation Reason: %s\n ", reasonCodeMsgString[reasonCode]); } else { PKIX_DEFAULTCRLCHECKERSTATE_DEBUG ("Revoked by Unknown CRL ReasonCode"); } PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs (crlEntry, &unresCrlEntryCritExtOIDs, plContext), PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED); if (unresCrlEntryCritExtOIDs) { PKIX_CHECK(pkix_List_Remove (unresCrlEntryCritExtOIDs, (PKIX_PL_Object *) state->crlReasonCodeOID, plContext), PKIX_LISTREMOVEFAILED); PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs, &numCritExtOIDs, plContext), PKIX_LISTGETLENGTHFAILED); if (numCritExtOIDs != 0) { PKIX_DEFAULTCRLCHECKERSTATE_DEBUG (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED); PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION); } } cleanup_loop: PKIX_DECREF(pKey); PKIX_DECREF(verifyFail); PKIX_DECREF(pKey); PKIX_DECREF(crlEntry); PKIX_DECREF(crl); PKIX_DECREF(unresCrlCritExtOIDs); PKIX_DECREF(unresCrlEntryCritExtOIDs); } *pCrlEntryList = crlEntryList; if (crlRevoking == PKIX_TRUE) { PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL); } cleanup: PKIX_DECREF(pKey); PKIX_DECREF(verifyFail); PKIX_DECREF(crlEntry); PKIX_DECREF(crl); PKIX_DECREF(unresCrlCritExtOIDs); PKIX_DECREF(unresCrlEntryCritExtOIDs); PKIX_RETURN(CERTCHAINCHECKER); }
/* * FUNCTION: pkix_DefaultCRLChecker_Check * * DESCRIPTION: * Check if the Cert has been revoked based the CRLs data. This function * maintains the checker state to be current. * * PARAMETERS * "checker" * Address of CertChainChecker which has the state data. * Must be non-NULL. * "cert" * Address of Certificate that is to be validated. Must be non-NULL. * "unresolvedCriticalExtensions" * A List OIDs. Not **yet** used in this checker function. * "plContext" * Platform-specific context pointer. * * THREAD SAFETY: * Not Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * * RETURNS: * Returns NULL if the function succeeds. * Returns a CertChainChecker Error if the function fails in a non-fatal way. * Returns a Fatal Error */ static PKIX_Error * pkix_DefaultCRLChecker_Check( PKIX_CertChainChecker *checker, PKIX_PL_Cert *cert, PKIX_List *unresolvedCriticalExtensions, void **pNBIOContext, void *plContext) { pkix_DefaultCRLCheckerState *state = NULL; PKIX_PL_PublicKey *publicKey = NULL; PKIX_PL_PublicKey *newPublicKey = NULL; PKIX_Error *checkKeyUsageFail = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; void *nbioContext = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); nbioContext = *pNBIOContext; *pNBIOContext = NULL; /* prepare for Error exit */ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState (checker, (PKIX_PL_Object **)&state, plContext), PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey (cert, &publicKey, plContext), PKIX_CERTGETSUBJECTPUBLICKEYFAILED); /* * If we already have a selector, we were in the middle of checking * when a certStore returned with non-blocking I/O pendning. */ if ((state->crlSelector) == NULL) { state->certsRemaining--; PKIX_NULLCHECK_ONE(state->prevPublicKey); if (state->prevCertCrlSign == PKIX_FALSE) { PKIX_ERROR (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON); } /* Set up CRLSelector */ PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector (cert, state, plContext), PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED); } PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper (checker, cert, state->prevPublicKey, state, unresolvedCriticalExtensions, PKIX_FALSE, &nbioContext, plContext), PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED); if (nbioContext != NULL) { *pNBIOContext = nbioContext; goto cleanup; } PKIX_DECREF(state->crlSelector); /* * Some NIST test case in 4.5.* use different publicKeys for * Cert and its CRL on the chain. Self-issued Certs are used * to speciy multiple keys for those cases. That is why we apply * the following algorithm: * * Check if Cert is self-issued. If so, the public key of the Cert * that issues this Cert (old key) can be used together with this * current key (new key) for key verification. If there are multiple * self-issued certs, keys of those Certs (old keys) can also be used * for key verification. Old key(s) is saved in a list (PrevPublickKey- * List) and cleared when a Cert is no longer self-issued. * PrevPublicKey keep key of the previous Cert. * PrevPublicKeyList keep key(s) of Cert before the previous one. */ PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), PKIX_ISCERTSELFISSUEFAILED); if (selfIssued == PKIX_TRUE) { if (state->prevPublicKeyList == NULL) { PKIX_CHECK(PKIX_List_Create (&state->prevPublicKeyList, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (state->prevPublicKeyList, (PKIX_PL_Object *) state->prevPublicKey, plContext), PKIX_LISTAPPENDITEMFAILED); } else { /* Not self-issued Cert any more, clear old key(s) saved */ PKIX_DECREF(state->prevPublicKeyList); } /* Make inheritance and save current Public Key */ PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey (publicKey, state->prevPublicKey, &newPublicKey, plContext), PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED); if (newPublicKey == NULL){ PKIX_INCREF(publicKey); newPublicKey = publicKey; } PKIX_DECREF(state->prevPublicKey); PKIX_INCREF(newPublicKey); state->prevPublicKey = newPublicKey; /* Save current Cert's crlSign bit for CRL checking later */ if (state->certsRemaining != 0) { checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage (cert, PKIX_CRL_SIGN, plContext); state->prevCertCrlSign = (checkKeyUsageFail == NULL)? PKIX_TRUE : PKIX_FALSE; PKIX_DECREF(checkKeyUsageFail); } /* PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState (checker, (PKIX_PL_Object *)state, plContext), PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED); */ cleanup: PKIX_DECREF(state); PKIX_DECREF(publicKey); PKIX_DECREF(newPublicKey); PKIX_DECREF(checkKeyUsageFail); PKIX_RETURN(CERTCHAINCHECKER); }
int test_buildchain_uchecker(int argc, char *argv[]) { PKIX_BuildResult *buildResult = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_PL_Cert *cert = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_CertChainChecker *checker = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; char *asciiResult = NULL; PKIX_Boolean result; PKIX_Boolean testValid = PKIX_TRUE; PKIX_Boolean supportForward = PKIX_FALSE; PKIX_List *expectedCerts = NULL; PKIX_List *userOIDs = NULL; PKIX_PL_OID *oid = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_PL_String *actualCertsString = NULL; PKIX_PL_String *expectedCertsString = NULL; char *actualCertsAscii = NULL; char *expectedCertsAscii = NULL; char *oidString = NULL; void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */ void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */ PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("BuildChain_UserChecker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } /* OID specified at argv[3+j] */ if (*argv[3 + j] != '-') { if (*argv[3 + j] == 'F') { supportForward = PKIX_TRUE; oidString = argv[3 + j] + 1; } else { oidString = argv[3 + j]; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&userOIDs, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(oidString, &oid, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(userOIDs, (PKIX_PL_Object *)oid, plContext)); PKIX_TEST_DECREF_BC(oid); } subTest(argv[1 + j]); dirName = argv[4 + j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); chainLength = argc - j - 5; for (k = 0; k < chainLength; k++) { dirCert = createCert(dirName, argv[5 + k + j], plContext); if (k == (chainLength - 1)) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == 0) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create(testUserChecker, supportForward, PKIX_FALSE, userOIDs, NULL, &checker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker(procParams, checker, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); #if 0 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create (&certStore, plContext)); #endif PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); /* build cert chain using processing params and return buildResult */ pkixTestErrorResult = PKIX_BuildChain(procParams, &nbioContext, &buildState, &buildResult, NULL, plContext); if (testValid == PKIX_TRUE) { /* ENE */ if (pkixTestErrorResult) { (void)printf("UNEXPECTED RESULT RECEIVED!\n"); } else { (void)printf("EXPECTED RESULT RECEIVED!\n"); PKIX_TEST_DECREF_BC(pkixTestErrorResult); } } else { /* EE */ if (pkixTestErrorResult) { (void)printf("EXPECTED RESULT RECEIVED!\n"); PKIX_TEST_DECREF_BC(pkixTestErrorResult); } else { testError("UNEXPECTED RESULT RECEIVED"); } } if (buildResult) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); printf("\n"); for (i = 0; i < numCerts; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); asciiResult = PKIX_Cert2ASCII(cert); printf("CERT[%d]:\n%s\n", i, asciiResult); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext)); asciiResult = NULL; PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, (PKIX_PL_Object *)expectedCerts, &result, plContext)); if (!result) { testError("BUILT CERTCHAIN IS " "NOT THE ONE THAT WAS EXPECTED"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, &actualCertsString, plContext)); actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); if (actualCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, &expectedCertsString, plContext)); expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); if (expectedCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } (void)printf("Actual value:\t%s\n", actualCertsAscii); (void)printf("Expected value:\t%s\n", expectedCertsAscii); if (chainLength - 1 != numUserCheckerCalled) { pkixTestErrorMsg = "PKIX user defined checker not called"; } goto cleanup; } } cleanup: PKIX_PL_Free(asciiResult, plContext); PKIX_PL_Free(actualCertsAscii, plContext); PKIX_PL_Free(expectedCertsAscii, plContext); PKIX_TEST_DECREF_AC(actualCertsString); PKIX_TEST_DECREF_AC(expectedCertsString); PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(buildResult); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(userOIDs); PKIX_TEST_DECREF_AC(checker); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain_UserChecker"); return (0); }
/* * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod */ PKIX_Error * PKIX_RevocationChecker_CreateAndAddMethod( PKIX_RevocationChecker *revChecker, PKIX_ProcessingParams *params, PKIX_RevocationMethodType methodType, PKIX_UInt32 flags, PKIX_UInt32 priority, PKIX_PL_VerifyCallback verificationFn, PKIX_Boolean isLeafMethod, void *plContext) { PKIX_List **methodList = NULL; PKIX_List *unsortedList = NULL; PKIX_List *certStores = NULL; pkix_RevocationMethod *method = NULL; pkix_LocalRevocationCheckFn *localRevChecker = NULL; pkix_ExternalRevocationCheckFn *externRevChecker = NULL; PKIX_UInt32 miFlags; PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod"); PKIX_NULLCHECK_ONE(revChecker); /* If the caller has said "Either one is sufficient, then don't let the * absence of any one method's info lead to an overall failure. */ miFlags = isLeafMethod ? revChecker->leafMethodListFlags : revChecker->chainMethodListFlags; if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; switch (methodType) { case PKIX_RevocationMethod_CRL: localRevChecker = pkix_CrlChecker_CheckLocal; externRevChecker = pkix_CrlChecker_CheckExternal; PKIX_CHECK( PKIX_ProcessingParams_GetCertStores(params, &certStores, plContext), PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED); PKIX_CHECK( pkix_CrlChecker_Create(methodType, flags, priority, localRevChecker, externRevChecker, certStores, verificationFn, &method, plContext), PKIX_COULDNOTCREATECRLCHECKEROBJECT); break; case PKIX_RevocationMethod_OCSP: localRevChecker = pkix_OcspChecker_CheckLocal; externRevChecker = pkix_OcspChecker_CheckExternal; PKIX_CHECK( pkix_OcspChecker_Create(methodType, flags, priority, localRevChecker, externRevChecker, verificationFn, &method, plContext), PKIX_COULDNOTCREATEOCSPCHECKEROBJECT); break; default: PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD); } if (isLeafMethod) { methodList = &revChecker->leafMethodList; } else { methodList = &revChecker->chainMethodList; } if (*methodList == NULL) { PKIX_CHECK( PKIX_List_Create(methodList, plContext), PKIX_LISTCREATEFAILED); } unsortedList = *methodList; PKIX_CHECK( PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_CHECK( pkix_List_BubbleSort(unsortedList, pkix_RevocationChecker_SortComparator, methodList, plContext), PKIX_LISTBUBBLESORTFAILED); cleanup: PKIX_DECREF(method); PKIX_DECREF(unsortedList); PKIX_DECREF(certStores); PKIX_RETURN(REVOCATIONCHECKER); }
int test_list2(int argc, char *argv[]) { PKIX_List *list; char *temp; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_Int32 cmpResult; PKIX_PL_OID *testOID; PKIX_PL_String *testString; PKIX_PL_Object *obj, *obj2; PKIX_UInt32 size = 10; char *testOIDString[10] = { "2.9.999.1.20", "1.2.3.4.5.6.7", "0.1", "1.2.3.5", "0.39", "1.2.3.4.7", "1.2.3.4.6", "0.39.1", "1.2.3.4.5", "0.39.1.300" }; PKIX_UInt32 actualMinorVersion; PKIX_TEST_STD_VARS(); startTests("List Sorting"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); subTest("Creating Unsorted Lists"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext)); for (i = 0; i < size; i++) { /* Create a new OID object */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create( testOIDString[i], &testOID, plContext)); /* Insert it into the list */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list, (PKIX_PL_Object *)testOID, plContext)); /* Decref the string object */ PKIX_TEST_DECREF_BC(testOID); } subTest("Outputting Unsorted List"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)list, &testString, plContext)); temp = PKIX_String2ASCII(testString, plContext); if (temp) { (void)printf("%s \n", temp); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext)); } PKIX_TEST_DECREF_BC(testString); subTest("Performing Bubble Sort"); for (i = 0; i < size; i++) for (j = 9; j > i; j--) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j, &obj, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j - 1, &obj2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare(obj, obj2, &cmpResult, plContext)); if (cmpResult < 0) { /* Exchange the items */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j, obj2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j - 1, obj, plContext)); } /* DecRef objects */ PKIX_TEST_DECREF_BC(obj); PKIX_TEST_DECREF_BC(obj2); } subTest("Outputting Sorted List"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)list, &testString, plContext)); temp = PKIX_String2ASCII(testString, plContext); if (temp) { (void)printf("%s \n", temp); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext)); } cleanup: PKIX_TEST_DECREF_AC(testString); PKIX_TEST_DECREF_AC(list); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("List Sorting"); return (0); }
static PKIX_Error * testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) { PKIX_PL_String *dirString = NULL; PKIX_CertStore *certStore = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_PL_Date *validity = NULL; PKIX_List *revCheckers = NULL; PKIX_RevocationChecker *ocspChecker = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CollectionCertStoreContext_Create"); /* Create CollectionCertStore */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, crlDir, 0, &dirString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); /* Create CertStore */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams (valParams, &procParams, plContext)); subTest("PKIX_ProcessingParams_AddCertStore"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore (procParams, certStore, plContext)); subTest("PKIX_ProcessingParams_SetRevocationEnabled"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, PKIX_TRUE, plContext)); /* create current Date */ PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime (PR_Now(), &validity, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); /* create revChecker */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize (validity, NULL, /* pwArg */ NULL, /* Use default responder */ &ocspChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (revCheckers, (PKIX_PL_Object *)ocspChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers (procParams, revCheckers, plContext)); cleanup: PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(revCheckers); PKIX_TEST_DECREF_AC(ocspChecker); PKIX_TEST_RETURN(); return (0); }
int test_validatechain(int argc, char *argv[]){ PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *chainCerts = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; char *dirCertName = NULL; char *anchorCertName = NULL; char *dirName = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("ValidateChain"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } subTest(argv[1+j]); dirName = argv[3+j]; chainLength = argc - j - 5; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); for (k = 0; k < chainLength; k++) { dirCert = createCert(dirName, argv[5+k+j], plContext); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (chainCerts, (PKIX_PL_Object *)dirCert, plContext)); PKIX_TEST_DECREF_BC(dirCert); } valParams = createValidateParams (dirName, argv[4+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chainCerts, plContext); testDefaultCertStore(valParams, dirName); if (testValid == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } else { PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } subTest("Displaying VerifyNode objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); cleanup: PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(chainCerts); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ValidateChain"); return (0); }
/* * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts (see description in pkix_pl_pki.h) */ PKIX_Error * PKIX_PL_AIAMgr_GetAIACerts( PKIX_PL_AIAMgr *aiaMgr, PKIX_PL_Cert *prevCert, void **pNBIOContext, PKIX_List **pCerts, void *plContext) { PKIX_UInt32 numAias = 0; PKIX_UInt32 aiaIndex = 0; PKIX_UInt32 iaType = PKIX_INFOACCESS_LOCATION_UNKNOWN; PKIX_List *certs = NULL; PKIX_PL_InfoAccess *ia = NULL; void *nbio = NULL; PKIX_ENTER(AIAMGR, "PKIX_PL_AIAMgr_GetAIACerts"); PKIX_NULLCHECK_FOUR(aiaMgr, prevCert, pNBIOContext, pCerts); nbio = *pNBIOContext; *pCerts = NULL; *pNBIOContext = NULL; if (nbio == NULL) { /* a new request */ /* Does this Cert have an AIA extension? */ PKIX_CHECK(PKIX_PL_Cert_GetAuthorityInfoAccess (prevCert, &aiaMgr->aia, plContext), PKIX_CERTGETAUTHORITYINFOACCESSFAILED); if (aiaMgr->aia != NULL) { PKIX_CHECK(PKIX_List_GetLength (aiaMgr->aia, &numAias, plContext), PKIX_LISTGETLENGTHFAILED); } /* And if so, does it have any entries? */ if ((aiaMgr->aia == NULL) || (numAias == 0)) { *pCerts = NULL; goto cleanup; } aiaMgr->aiaIndex = 0; aiaMgr->numAias = numAias; aiaMgr->results = NULL; } for (aiaIndex = aiaMgr->aiaIndex; aiaIndex < aiaMgr->numAias; aiaIndex ++) { PKIX_UInt32 method = 0; PKIX_CHECK(PKIX_List_GetItem (aiaMgr->aia, aiaIndex, (PKIX_PL_Object **)&ia, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(PKIX_PL_InfoAccess_GetMethod (ia, &method, plContext), PKIX_INFOACCESSGETMETHODFAILED); if (method != PKIX_INFOACCESS_CA_ISSUERS && method != PKIX_INFOACCESS_CA_REPOSITORY) { PKIX_DECREF(ia); continue; } PKIX_CHECK(PKIX_PL_InfoAccess_GetLocationType (ia, &iaType, plContext), PKIX_INFOACCESSGETLOCATIONTYPEFAILED); if (iaType == PKIX_INFOACCESS_LOCATION_HTTP) { PKIX_CHECK(pkix_pl_AIAMgr_GetHTTPCerts (aiaMgr, ia, &nbio, &certs, plContext), PKIX_AIAMGRGETHTTPCERTSFAILED); } else if (iaType == PKIX_INFOACCESS_LOCATION_LDAP) { PKIX_CHECK(pkix_pl_AIAMgr_GetLDAPCerts (aiaMgr, ia, &nbio, &certs, plContext), PKIX_AIAMGRGETLDAPCERTSFAILED); } else { /* We only support http and ldap requests. */ PKIX_DECREF(ia); continue; } if (nbio != NULL) { /* WOULDBLOCK */ aiaMgr->aiaIndex = aiaIndex; *pNBIOContext = nbio; *pCerts = NULL; goto cleanup; } /* * We can't just use and modify the List we received. * Because it's cached, it's set immutable. */ if (aiaMgr->results == NULL) { PKIX_CHECK(PKIX_List_Create (&(aiaMgr->results), plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(pkix_List_AppendList (aiaMgr->results, certs, plContext), PKIX_APPENDLISTFAILED); PKIX_DECREF(certs); PKIX_DECREF(ia); } PKIX_DECREF(aiaMgr->aia); *pNBIOContext = NULL; *pCerts = aiaMgr->results; aiaMgr->results = NULL; cleanup: if (PKIX_ERROR_RECEIVED) { PKIX_DECREF(aiaMgr->aia); PKIX_DECREF(aiaMgr->results); PKIX_DECREF(aiaMgr->client.ldapClient); } PKIX_DECREF(certs); PKIX_DECREF(ia); PKIX_RETURN(AIAMGR); }
/* * FUNCTION: pkix_VerifyNode_AddToChain * DESCRIPTION: * * Adds the VerifyNode pointed to by "child", at the appropriate depth, to the * List of children of the VerifyNode pointed to by "parentNode". The chain of * VerifyNodes is traversed until a VerifyNode is found at a depth one less * than that specified in "child". An Error is returned if there is no parent * at a suitable depth. * * If "parentNode" has a NULL pointer for the List of children, a new List is * created containing "child". Otherwise "child" is appended to the existing * List. * * Depth, in this context, means distance from the root node, which * is at depth zero. * * PARAMETERS: * "parentNode" * Address of VerifyNode whose List of child VerifyNodes is to be * created or appended to. Must be non-NULL. * "child" * Address of VerifyNode to be added to parentNode's List. Must be * non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a VerifyNode Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_VerifyNode_AddToChain( PKIX_VerifyNode *parentNode, PKIX_VerifyNode *child, void *plContext) { PKIX_VerifyNode *successor = NULL; PKIX_List *listOfChildren = NULL; PKIX_UInt32 numChildren = 0; PKIX_UInt32 parentDepth = 0; PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToChain"); PKIX_NULLCHECK_TWO(parentNode, child); parentDepth = parentNode->depth; listOfChildren = parentNode->children; if (listOfChildren == NULL) { if (parentDepth != (child->depth - 1)) { PKIX_ERROR(PKIX_NODESMISSINGFROMCHAIN); } PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_AppendItem (listOfChildren, (PKIX_PL_Object *)child, plContext), PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST); parentNode->children = listOfChildren; } else { /* get number of children */ PKIX_CHECK(PKIX_List_GetLength (listOfChildren, &numChildren, plContext), PKIX_LISTGETLENGTHFAILED); if (numChildren != 1) { PKIX_ERROR(PKIX_AMBIGUOUSPARENTAGEOFVERIFYNODE); } /* successor = listOfChildren[0] */ PKIX_CHECK(PKIX_List_GetItem (listOfChildren, 0, (PKIX_PL_Object **)&successor, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_VerifyNode_AddToChain (successor, child, plContext), PKIX_VERIFYNODEADDTOCHAINFAILED); } PKIX_CHECK(PKIX_PL_Object_InvalidateCache ((PKIX_PL_Object *)parentNode, plContext), PKIX_OBJECTINVALIDATECACHEFAILED); cleanup: PKIX_DECREF(successor); PKIX_RETURN(VERIFYNODE); }
int test_validatechain_NB(int argc, char *argv[]){ PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *chainCerts = NULL; PKIX_PL_Cert *dirCert = NULL; char *dirCertName = NULL; char *anchorCertName = NULL; char *dirName = NULL; PKIX_UInt32 certIndex = 0; PKIX_UInt32 anchorIndex = 0; PKIX_UInt32 checkerIndex = 0; PKIX_Boolean revChecking = PKIX_FALSE; PKIX_List *checkers = NULL; PRPollDesc *pollDesc = NULL; PRErrorCode errorCode = 0; PKIX_PL_Socket *socket = NULL; char *ldapName = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_List *loggers = NULL; PKIX_Logger *logger = NULL; char *logging = NULL; PKIX_PL_String *component = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("ValidateChain_NB"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } subTest(argv[1+j]); dirName = argv[3+j]; chainLength = argc - j - 5; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); for (k = 0; k < chainLength; k++){ dirCert = createCert(dirName, argv[5+k+j], plContext); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (chainCerts, (PKIX_PL_Object *)dirCert, plContext)); PKIX_TEST_DECREF_BC(dirCert); } valParams = createValidateParams (dirName, argv[4+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chainCerts, plContext); ldapName = PR_GetEnv("LDAP"); /* Is LDAP set in the environment? */ if ((ldapName == NULL) || (*ldapName == '\0')) { testError("LDAP not set in environment"); goto cleanup; } pkixTestErrorResult = pkix_pl_Socket_CreateByName (PKIX_FALSE, /* isServer */ PR_SecondsToInterval(30), /* try 30 secs for connect */ ldapName, &errorCode, &socket, plContext); if (pkixTestErrorResult != NULL) { PKIX_PL_Object_DecRef ((PKIX_PL_Object *)pkixTestErrorResult, plContext); pkixTestErrorResult = NULL; testError("Unable to connect to LDAP Server"); goto cleanup; } PKIX_TEST_DECREF_BC(socket); testSetupCertStore(valParams, ldapName); logging = PR_GetEnv("LOGGING"); /* Is LOGGING set in the environment? */ if ((logging != NULL) && (*logging != '\0')) { PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_Create(&loggers, plContext)); testLogErrors (PKIX_VALIDATE_ERROR, 2, loggers, plContext); testLogErrors (PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext); testLogErrors (PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext); testLogErrors (PKIX_CERTSTORE_ERROR, 2, loggers, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext)); } pkixTestErrorResult = PKIX_ValidateChain_NB (valParams, &certIndex, &anchorIndex, &checkerIndex, &revChecking, &checkers, (void **)&pollDesc, &valResult, &verifyTree, plContext); while (pollDesc != NULL) { if (PR_Poll(pollDesc, 1, 0) < 0) { testError("PR_Poll failed"); } pkixTestErrorResult = PKIX_ValidateChain_NB (valParams, &certIndex, &anchorIndex, &checkerIndex, &revChecking, &checkers, (void **)&pollDesc, &valResult, &verifyTree, plContext); } if (pkixTestErrorResult) { if (testValid == PKIX_FALSE) { /* EE */ (void) printf("EXPECTED ERROR RECEIVED!\n"); } else { /* ENE */ testError("UNEXPECTED ERROR RECEIVED"); } PKIX_TEST_DECREF_BC(pkixTestErrorResult); } else { if (testValid == PKIX_TRUE) { /* ENE */ (void) printf("EXPECTED NON-ERROR RECEIVED!\n"); } else { /* EE */ (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n"); } } cleanup: if (verifyTree) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); } PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(checkers); PKIX_TEST_DECREF_AC(chainCerts); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ValidateChain_NB"); return (0); }
int validate_chain(int argc, char *argv[]) { PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_PL_X500Name *subject = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; char *trustedCertFile = NULL; char *chainCertFile = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *chainCert = NULL; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_TEST_STD_VARS(); if (argc < 3) { printUsage(); return (0); } PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); chainLength = (argc - j) - 2; /* create processing params with list of trust anchors */ trustedCertFile = argv[1 + j]; trustedCert = createCert(trustedCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); #if 0 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject (certSelParams, subject, plContext)); #endif PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_DECREF_BC(subject); PKIX_TEST_DECREF_BC(certSelParams); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); PKIX_TEST_DECREF_BC(certSelector); /* create cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); for (i = 0; i < chainLength; i++) { chainCertFile = argv[(i + j) + 2]; chainCert = createCert(chainCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)chainCert, plContext)); PKIX_TEST_DECREF_BC(chainCert); chainCert = NULL; } /* create validate params with processing params and cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext)); PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL; PKIX_TEST_DECREF_BC(anchor); anchor = NULL; PKIX_TEST_DECREF_BC(anchors); anchors = NULL; PKIX_TEST_DECREF_BC(certs); certs = NULL; PKIX_TEST_DECREF_BC(procParams); procParams = NULL; /* validate cert chain using processing params and return valResult */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); if (valResult != NULL) { (void)printf("SUCCESSFULLY VALIDATED\n"); } cleanup: if (PKIX_TEST_ERROR_RECEIVED) { (void)printf("FAILED TO VALIDATE\n"); (void)PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext); (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); PKIX_TEST_DECREF_AC(verifyString); } PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); return (0); }
/* * FUNCTION: pkix_List_MergeLists * DESCRIPTION: * * Creates a new list consisting of the items from "firstList", followed by * the items on "secondList", returns the new list at "pMergedList". If * both input lists are NULL or empty, the result is an empty list. If an error * occurs, the result is NULL. * * PARAMETERS: * "firstList" * Address of list to be merged from. May be NULL or empty. * "secondList" * Address of list to be merged from. May be NULL or empty. * "pMergedList" * Address where returned object is stored. * "plContext" * platform-specific context pointer * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds * Returns a List Error if the functions fails in a non-fatal way * Returns a Fatal Error if the function fails in an unrecoverable way */ PKIX_Error * pkix_List_MergeLists( PKIX_List *firstList, PKIX_List *secondList, PKIX_List **pMergedList, void *plContext) { PKIX_List *list = NULL; PKIX_PL_Object *item = NULL; PKIX_UInt32 numItems = 0; PKIX_UInt32 i; PKIX_ENTER(LIST, "pkix_List_MergeLists"); PKIX_NULLCHECK_ONE(pMergedList); *pMergedList = NULL; PKIX_CHECK(PKIX_List_Create(&list, plContext), PKIX_LISTCREATEFAILED); if (firstList != NULL) { PKIX_CHECK(PKIX_List_GetLength(firstList, &numItems, plContext), PKIX_LISTGETLENGTHFAILED); } for (i = 0; i < numItems; i++) { PKIX_CHECK(PKIX_List_GetItem(firstList, i, &item, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(PKIX_List_AppendItem(list, item, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_DECREF(item); } numItems = 0; if (secondList != NULL) { PKIX_CHECK(PKIX_List_GetLength (secondList, &numItems, plContext), PKIX_LISTGETLENGTHFAILED); } for (i = 0; i < numItems; i++) { PKIX_CHECK(PKIX_List_GetItem (secondList, i, &item, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(PKIX_List_AppendItem (list, item, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_DECREF(item); } *pMergedList = list; list = NULL; cleanup: PKIX_DECREF(list); PKIX_DECREF(item); PKIX_RETURN(LIST); }
int test_policynode(int argc, char *argv[]) { /* * Create a tree with parent = anyPolicy, * child1 with Nist1+Nist2, child2 with Nist1. * Give each child another child, with policies Nist2 * and Nist1, respectively. Pruning with a depth of two * should have no effect. Give one of the children * another child. Then pruning with a depth of three * should reduce the tree to a single strand, as child1 * and child3 are removed. * * parent (anyPolicy) * / \ * child1(Nist1+Nist2) child2(Nist1) * | | * child3(Nist2) child4(Nist1) * | * child5(Nist1) * */ char *asciiAnyPolicy = "2.5.29.32.0"; PKIX_PL_Cert *cert = NULL; PKIX_PL_CertPolicyInfo *nist1Policy = NULL; PKIX_PL_CertPolicyInfo *nist2Policy = NULL; PKIX_List *policyQualifierList = NULL; PKIX_PL_OID *oidAnyPolicy = NULL; PKIX_PL_OID *oidNist1Policy = NULL; PKIX_PL_OID *oidNist2Policy = NULL; PKIX_List *expectedAnyList = NULL; PKIX_List *expectedNist1List = NULL; PKIX_List *expectedNist2List = NULL; PKIX_List *expectedNist1Nist2List = NULL; PKIX_List *emptyList = NULL; PKIX_PolicyNode *parentNode = NULL; PKIX_PolicyNode *childNode1 = NULL; PKIX_PolicyNode *childNode2 = NULL; PKIX_PolicyNode *childNode3 = NULL; PKIX_PolicyNode *childNode4 = NULL; PKIX_PolicyNode *childNode5 = NULL; PKIX_PL_String *parentString = NULL; PKIX_Boolean pDelete = PKIX_FALSE; char *expectedParentAscii = "{2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5C " "1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 65" " 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D 2" "0 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 69 " "73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 66" " 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20 6" "F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1.3" ".6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69 7" "3 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 69 " "63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 20" " 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63 6" "1 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 75 " "72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101.3" ".2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A 20" " 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72 2" "0 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 " "66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 72" " 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F 7" "4 20 62 65 20 64 69 73 70 6C 61 79 65 64])]),1}\n" ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5" "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 " "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D" " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6" "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 " "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20" " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2),2}"; char *expectedValidAscii = "2.16.840.1.101.3.2.1.48.2"; char *expectedQualifiersAscii = /* "(1.3.6.1.5.5.7.2.2)"; */ "(1.3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 " "69 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74" " 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 7" "2 20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 " "63 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70" " 75 72 70 6F 73 65 73 20 6F 6E 6C 79])"; char *expectedPoliciesAscii = "(2.16.840.1.101.3.2.1.48.1)"; char *expectedTree = "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n" ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5" "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 " "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D" " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6" "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 " "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20" " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1" ".3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69" " 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 6" "9 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 " "20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63" " 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 7" "5 72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101" ".3.2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A " "20 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72" " 20 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 6" "9 66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 " "72 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F" " 74 20 62 65 20 64 69 73 70 6C 61 79 65 64])]" "),1}\n" ". . {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30" " 5C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 6" "8 65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F " "6D 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68" " 69 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 2" "0 66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 " "20 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2)" ",2}\n" ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5" "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 " "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D" " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6" "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 " "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20" " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n" ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical," "(2.16.840.1.101.3.2.1.48.1),2}\n" ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84" "0.1.101.3.2.1.48.1),3}"; char *expectedPrunedTree = "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n" ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5" "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 " "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D" " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6" "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 " "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20" " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n" ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical," "(2.16.840.1.101.3.2.1.48.1),2}\n" ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84" "0.1.101.3.2.1.48.1),3}"; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; char *dirName = NULL; PKIX_TEST_STD_VARS(); if (argc < 2) { printUsage(); return (0); } startTests("PolicyNode"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); dirName = argv[j+1]; subTest("Creating OID objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (asciiAnyPolicy, &oidAnyPolicy, plContext)); /* Read certificates to get real policies, qualifiers */ cert = createCert (dirName, "UserNoticeQualifierTest16EE.crt", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation (cert, &expectedNist1Nist2List, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (expectedNist1Nist2List, 0, (PKIX_PL_Object **)&nist1Policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (expectedNist1Nist2List, 1, (PKIX_PL_Object **)&nist2Policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers (nist1Policy, &policyQualifierList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId (nist1Policy, &oidNist1Policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId (nist2Policy, &oidNist2Policy, plContext)); subTest("Creating expectedPolicy List objects"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_Create(&expectedAnyList, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_Create(&expectedNist1List, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_Create(&expectedNist2List, plContext)); subTest("Populating expectedPolicy List objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (expectedAnyList, (PKIX_PL_Object *)oidAnyPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (expectedNist1List, (PKIX_PL_Object *)oidNist1Policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (expectedNist2List, (PKIX_PL_Object *)oidNist2Policy, plContext)); subTest("Creating PolicyNode objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidAnyPolicy, NULL, PKIX_TRUE, expectedAnyList, &parentNode, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidNist2Policy, policyQualifierList, PKIX_TRUE, expectedNist1Nist2List, &childNode1, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidNist1Policy, policyQualifierList, PKIX_TRUE, expectedNist1List, &childNode2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidNist2Policy, policyQualifierList, PKIX_TRUE, expectedNist2List, &childNode3, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidNist1Policy, emptyList, PKIX_FALSE, expectedNist1List, &childNode4, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create (oidNist1Policy, NULL, PKIX_TRUE, expectedNist1List, &childNode5, plContext)); subTest("Creating the PolicyNode tree"); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent (parentNode, childNode1, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent (parentNode, childNode2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent (childNode1, childNode3, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent (childNode2, childNode4, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent (childNode4, childNode5, plContext)); subTest("Displaying PolicyNode objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)parentNode, &parentString, plContext)); (void) printf("parentNode is\n\t%s\n", parentString->escAsciiString); testToStringHelper ((PKIX_PL_Object*)parentNode, expectedTree, plContext); test_DuplicateHelper(parentNode, plContext); test_GetParent(childNode3, childNode3, childNode4, expectedParentAscii); test_GetValidPolicy (childNode1, childNode3, parentNode, expectedValidAscii); test_GetPolicyQualifiers (childNode1, childNode3, childNode4, expectedQualifiersAscii); test_GetExpectedPolicies (childNode2, childNode4, childNode3, expectedPoliciesAscii); test_IsCritical(childNode1, childNode2, childNode4); test_GetDepth(childNode2, childNode4, childNode5); subTest("pkix_PolicyNode_Prune"); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune (parentNode, 2, &pDelete, plContext)); testToStringHelper ((PKIX_PL_Object*)parentNode, expectedTree, plContext); PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune (parentNode, 3, &pDelete, plContext)); testToStringHelper ((PKIX_PL_Object*)parentNode, expectedPrunedTree, plContext); test_GetChildren(parentNode, parentNode, childNode2); cleanup: PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(nist1Policy); PKIX_TEST_DECREF_AC(nist2Policy); PKIX_TEST_DECREF_AC(policyQualifierList); PKIX_TEST_DECREF_AC(oidAnyPolicy); PKIX_TEST_DECREF_AC(oidNist1Policy); PKIX_TEST_DECREF_AC(oidNist2Policy); PKIX_TEST_DECREF_AC(expectedAnyList); PKIX_TEST_DECREF_AC(expectedNist1List); PKIX_TEST_DECREF_AC(expectedNist2List); PKIX_TEST_DECREF_AC(expectedNist1Nist2List); PKIX_TEST_DECREF_AC(emptyList); PKIX_TEST_DECREF_AC(parentNode); PKIX_TEST_DECREF_AC(childNode1); PKIX_TEST_DECREF_AC(childNode2); PKIX_TEST_DECREF_AC(childNode3); PKIX_TEST_DECREF_AC(childNode4); PKIX_TEST_DECREF_AC(childNode5); PKIX_TEST_DECREF_AC(parentString); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("PolicyNode"); return (0); }
int test_buildchain_resourcelimits(int argc, char *argv[]) { PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_CertChainChecker *checker = NULL; PKIX_ResourceLimits *resourceLimits = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_UInt32 actualMinorVersion = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_CertStore *ldapCertStore = NULL; PRIntervalTime timeout = 0; /* 0 for non-blocking */ PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; PKIX_List *expectedCerts = NULL; PKIX_Boolean testValid = PKIX_FALSE; PKIX_Boolean usebind = PKIX_FALSE; PKIX_Boolean useLDAP = PKIX_FALSE; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("BuildChain_ResourceLimits"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* * arguments: * [optional] -arenas * [optional] usebind * servername or servername:port ( - for no server) * testname * EE or ENE * cert directory * target cert (end entity) * intermediate certs * trust anchor */ /* optional argument "usebind" for Ldap CertStore */ if (argv[j + 1]) { if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { usebind = PKIX_TRUE; j++; } } if (PORT_Strcmp(argv[++j], "-") == 0) { useLDAP = PKIX_FALSE; } else { serverName = argv[j]; } subTest(argv[++j]); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[++j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } dirName = argv[++j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); for (k = ++j; k < argc; k++) { dirCert = createCert(dirName, argv[k], plContext); if (k == (argc - 1)) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == j) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); #if 0 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create (&certStore, plContext)); #endif PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); if (useLDAP == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)ldapCertStore, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); /* set resource limits */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create(&resourceLimits, plContext)); /* need longer time when running dbx for memory leak checking */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 60, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits(procParams, resourceLimits, plContext)); /* build cert chain using processing params and return buildResult */ subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>"); Test_BuildResult(procParams, testValid, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 1, plContext)); subTest("Testing ResourceLimits MaxFanout - <fail>"); Test_BuildResult(procParams, PKIX_FALSE, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 1, plContext)); subTest("Testing ResourceLimits MaxDepth - <fail>"); Test_BuildResult(procParams, PKIX_FALSE, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 0, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 0, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 0, plContext)); subTest("Testing ResourceLimits No checking - <pass>"); Test_BuildResult(procParams, testValid, expectedCerts, plContext); cleanup: PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(ldapCertStore); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(checker); PKIX_TEST_DECREF_AC(resourceLimits); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain_UserChecker"); return (0); }
int build_chain(int argc, char *argv[]) { PKIX_BuildResult *buildResult = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_PL_Cert *cert = NULL; PKIX_ProcessingParams *procParams = NULL; char *trustedCertFile = NULL; char *targetCertFile = NULL; char *storeDirAscii = NULL; PKIX_PL_String *storeDirString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_UInt32 actualMinorVersion, numCerts, i; PKIX_UInt32 j = 0; PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; char *asciiResult = NULL; PKIX_Boolean useArenas = PKIX_FALSE; void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */ void *nbioContext = NULL; PKIX_TEST_STD_VARS(); if (argc < 4) { printUsage(); return (0); } useArenas = PKIX_TEST_ARENAS_ARG(argv[1]); PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */ useArenas, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext)); /* create processing params with list of trust anchors */ trustedCertFile = argv[j + 1]; trustedCert = createCert(trustedCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); targetCertFile = argv[j + 2]; targetCert = createCert(targetCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); /* create CertStores */ storeDirAscii = argv[j + 3]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(storeDirString, &certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); /* build cert chain using processing params and return buildResult */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain(procParams, &nbioContext, &buildState, &buildResult, NULL, plContext)); /* * As long as we use only CertStores with blocking I/O, we can omit * checking for completion with nbioContext. */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); printf("\n"); for (i = 0; i < numCerts; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); asciiResult = PKIX_Cert2ASCII(cert); printf("CERT[%d]:\n%s\n", i, asciiResult); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext)); asciiResult = NULL; PKIX_TEST_DECREF_BC(cert); } cleanup: if (PKIX_TEST_ERROR_RECEIVED) { (void)printf("FAILED TO BUILD CHAIN\n"); } else { (void)printf("SUCCESSFULLY BUILT CHAIN\n"); } PKIX_PL_Free(asciiResult, plContext); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(storeDirString); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(buildResult); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); return (0); }
/* * FUNCTION: pkix_pl_LdapCertStore_BuildCrlList * DESCRIPTION: * * This function takes a List of LdapResponse objects pointed to by * "responseList" and extracts and decodes the CRLs in those responses, storing * the List of those CRLs at "pCrls". If none of the objects can be decoded * into a CRL, the returned List is empty. * * PARAMETERS: * "responseList" * The address of the List of LdapResponses. Must be non-NULL. * "pCrls" * The address at which the result is stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_LdapCertStore_BuildCrlList( PKIX_List *responseList, PKIX_List **pCrls, void *plContext) { PKIX_UInt32 numResponses = 0; PKIX_UInt32 respIx = 0; LdapAttrMask attrBits = 0; CERTSignedCrl *nssCrl = NULL; PKIX_PL_LdapResponse *response = NULL; PKIX_List *crlList = NULL; PKIX_PL_CRL *crl = NULL; LDAPMessage *message = NULL; LDAPSearchResponseEntry *sre = NULL; LDAPSearchResponseAttr **sreAttrArray = NULL; LDAPSearchResponseAttr *sreAttr = NULL; SECItem *attrType = NULL; SECItem **attrVal = NULL; SECItem *derCrlCopy = NULL; SECItem *derCrlItem = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList"); PKIX_NULLCHECK_TWO(responseList, pCrls); PKIX_CHECK(PKIX_List_Create(&crlList, plContext), PKIX_LISTCREATEFAILED); /* extract crls from response */ PKIX_CHECK(PKIX_List_GetLength (responseList, &numResponses, plContext), PKIX_LISTGETLENGTHFAILED); for (respIx = 0; respIx < numResponses; respIx++) { PKIX_CHECK(PKIX_List_GetItem (responseList, respIx, (PKIX_PL_Object **)&response, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_pl_LdapResponse_GetMessage (response, &message, plContext), PKIX_LDAPRESPONSEGETMESSAGEFAILED); sre = &(message->protocolOp.op.searchResponseEntryMsg); sreAttrArray = sre->attributes; /* Get next element of null-terminated array */ sreAttr = *sreAttrArray++; while (sreAttr != NULL) { attrType = &(sreAttr->attrType); PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit (attrType, &attrBits, plContext), PKIX_LDAPREQUESTATTRTYPETOBITFAILED); /* Is this attrVal a Revocation List? */ if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) & attrBits) == attrBits) { attrVal = sreAttr->val; derCrlItem = *attrVal++; while (derCrlItem != 0) { /* create a PKIX_PL_Crl from derCrl */ derCrlCopy = SECITEM_DupItem(derCrlItem); if (!derCrlCopy) { PKIX_ERROR(PKIX_ALLOCERROR); } /* crl will be based on derCrlCopy, but wont * own the der. */ nssCrl = CERT_DecodeDERCrlWithFlags(NULL, derCrlCopy, SEC_CRL_TYPE, CRL_DECODE_DONT_COPY_DER | CRL_DECODE_SKIP_ENTRIES); if (!nssCrl) { SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); continue; } /* pkix crl own the der. */ PKIX_CHECK( pkix_pl_CRL_CreateWithSignedCRL(nssCrl, derCrlCopy, NULL, &crl, plContext), PKIX_CRLCREATEWITHSIGNEDCRLFAILED); /* Left control over memory pointed by derCrlCopy and * nssCrl to pkix crl. */ derCrlCopy = NULL; nssCrl = NULL; PKIX_CHECK(PKIX_List_AppendItem (crlList, (PKIX_PL_Object *) crl, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_DECREF(crl); derCrlItem = *attrVal++; } /* Clean up after PKIX_CHECK_ONLY_FATAL */ pkixTempErrorReceived = PKIX_FALSE; } sreAttr = *sreAttrArray++; } PKIX_DECREF(response); } *pCrls = crlList; crlList = NULL; cleanup: if (derCrlCopy) { SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); } if (nssCrl) { SEC_DestroyCrl(nssCrl); } PKIX_DECREF(crl); PKIX_DECREF(crlList); PKIX_DECREF(response); PKIX_RETURN(CERTSTORE); }
/* * FUNCTION: PKIX_Logger_GetLoggers (see comments in pkix_util.h) */ PKIX_Error * PKIX_GetLoggers( PKIX_List **pLoggers, /* list of PKIX_Logger */ void *plContext) { PKIX_List *list = NULL; PKIX_List *savedPkixLoggersDebugTrace = NULL; PKIX_List *savedPkixLoggersErrors = NULL; PKIX_Logger *logger = NULL; PKIX_Logger *dupLogger = NULL; PKIX_UInt32 i, length; PKIX_Boolean locked = PKIX_FALSE; PKIX_ENTER(LOGGER, "PKIX_Logger_GetLoggers"); PKIX_NULLCHECK_ONE(pLoggers); PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext), PKIX_MONITORLOCKENTERFAILED); locked = PKIX_TRUE; /* * Temporarily disable DEBUG/TRACE Logging to avoid possible * deadlock: * When the Logger List is being accessed, e.g. by PKIX_ENTER or * PKIX_DECREF, pkix_Logger_Check may check whether logging * is requested, creating a deadlock situation. */ savedPkixLoggersDebugTrace = pkixLoggersDebugTrace; pkixLoggersDebugTrace = NULL; savedPkixLoggersErrors = pkixLoggersErrors; pkixLoggersErrors = NULL; if (pkixLoggers == NULL) { length = 0; } else { PKIX_CHECK(PKIX_List_GetLength (pkixLoggers, &length, plContext), PKIX_LISTGETLENGTHFAILED); } /* Create a list and copy the pkixLoggers item to the list */ PKIX_CHECK(PKIX_List_Create(&list, plContext), PKIX_LISTCREATEFAILED); for (i = 0; i < length; i++) { PKIX_CHECK(PKIX_List_GetItem (pkixLoggers, i, (PKIX_PL_Object **) &logger, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_Logger_Duplicate ((PKIX_PL_Object *)logger, (PKIX_PL_Object **)&dupLogger, plContext), PKIX_LOGGERDUPLICATEFAILED); PKIX_CHECK(PKIX_List_AppendItem (list, (PKIX_PL_Object *) dupLogger, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_DECREF(logger); PKIX_DECREF(dupLogger); } /* Set the list to be immutable */ PKIX_CHECK(PKIX_List_SetImmutable(list, plContext), PKIX_LISTSETIMMUTABLEFAILED); *pLoggers = list; cleanup: PKIX_DECREF(logger); /* Restore logging capability */ pkixLoggersDebugTrace = savedPkixLoggersDebugTrace; pkixLoggersErrors = savedPkixLoggersErrors; if (locked) { PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext), PKIX_MONITORLOCKEXITFAILED); } PKIX_RETURN(LOGGER); }
/* * FUNCTION: pkix_pl_LdapCertStore_GetCRL * (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h) */ PKIX_Error * pkix_pl_LdapCertStore_GetCRL( PKIX_CertStore *store, PKIX_CRLSelector *selector, void **pNBIOContext, PKIX_List **pCrlList, void *plContext) { LDAPRequestParams requestParams; void *pollDesc = NULL; PLArenaPool *requestArena = NULL; PKIX_UInt32 numNames = 0; PKIX_UInt32 thisName = 0; PKIX_PL_CRL *candidate = NULL; PKIX_List *responses = NULL; PKIX_List *issuerNames = NULL; PKIX_List *filteredCRLs = NULL; PKIX_List *unfilteredCRLs = NULL; PKIX_PL_X500Name *issuer = NULL; PKIX_PL_LdapCertStoreContext *lcs = NULL; PKIX_ComCRLSelParams *params = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCRL"); PKIX_NULLCHECK_THREE(store, selector, pCrlList); requestParams.baseObject = "c=US"; requestParams.scope = WHOLE_SUBTREE; requestParams.derefAliases = NEVER_DEREF; requestParams.sizeLimit = 0; requestParams.timeLimit = 0; requestParams.attributes = LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST; /* Prepare elements for request filter */ /* XXX Place CRLDP code here. Handle the case when */ /* RFC 5280. Paragraph: 4.2.1.13: */ /* If the distributionPoint field contains a directoryName, the entry */ /* for that directoryName contains the current CRL for the associated */ /* reasons and the CRL is issued by the associated cRLIssuer. The CRL */ /* may be stored in either the certificateRevocationList or */ /* authorityRevocationList attribute. The CRL is to be obtained by the */ /* application from whatever directory server is locally configured. */ /* The protocol the application uses to access the directory (e.g., DAP */ /* or LDAP) is a local matter. */ /* * Get a short-lived arena. We'll be done with this space once * the request is encoded. */ PKIX_PL_NSSCALLRV (CERTSTORE, requestArena, PORT_NewArena, (DER_DEFAULT_CHUNKSIZE)); if (!requestArena) { PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY); } PKIX_CHECK(PKIX_CRLSelector_GetCommonCRLSelectorParams (selector, ¶ms, plContext), PKIX_CRLSELECTORGETCOMCERTSELPARAMSFAILED); PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames (params, &issuerNames, plContext), PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED); /* * The specification for PKIX_ComCRLSelParams_GetIssuerNames in * pkix_crlsel.h says that if the criterion is not set we get a null * pointer. If we get an empty List the criterion is impossible to * meet ("must match at least one of the names in the List"). */ if (issuerNames) { PKIX_CHECK(PKIX_List_GetLength (issuerNames, &numNames, plContext), PKIX_LISTGETLENGTHFAILED); if (numNames > 0) { for (thisName = 0; thisName < numNames; thisName++) { PKIX_CHECK(PKIX_List_GetItem (issuerNames, thisName, (PKIX_PL_Object **)&issuer, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK (pkix_pl_LdapCertStore_MakeNameAVAList (requestArena, issuer, &(requestParams.nc), plContext), PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED); PKIX_DECREF(issuer); if (*requestParams.nc == NULL) { /* * The issuer may not include any * components that we know how to * encode. We do not return an error, * because the caller did not * necessarily do anything wrong, but * we return an empty List. */ PKIX_PL_NSSCALL (CERTSTORE, PORT_FreeArena, (requestArena, PR_FALSE)); PKIX_CHECK(PKIX_List_Create (&filteredCRLs, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_SetImmutable (filteredCRLs, plContext), PKIX_LISTSETIMMUTABLEFAILED); *pNBIOContext = NULL; *pCrlList = filteredCRLs; goto cleanup; } /* * LDAP Servers don't seem to be able to handle * requests with more than more than one name. */ break; } } else { PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY); } } else { PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY); } /* All request fields are done */ PKIX_CHECK(PKIX_CertStore_GetCertStoreContext (store, (PKIX_PL_Object **)&lcs, plContext), PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest ((PKIX_PL_LdapClient *)lcs, &requestParams, &pollDesc, &responses, plContext), PKIX_LDAPCLIENTINITIATEREQUESTFAILED); PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList (requestParams.nc, plContext), PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED); if (requestArena) { PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, (requestArena, PR_FALSE)); } if (pollDesc != NULL) { /* client is waiting for non-blocking I/O to complete */ *pNBIOContext = (void *)pollDesc; *pCrlList = NULL; goto cleanup; } /* client has finished! */ if (responses) { /* * We have a List of LdapResponse objects that still have to be * turned into Crls. */ PKIX_CHECK(pkix_pl_LdapCertStore_BuildCrlList (responses, &unfilteredCRLs, plContext), PKIX_LDAPCERTSTOREBUILDCRLLISTFAILED); PKIX_CHECK(pkix_CRLSelector_Select (selector, unfilteredCRLs, &filteredCRLs, plContext), PKIX_CRLSELECTORSELECTFAILED); } /* Don't throw away the list if one CRL was bad! */ pkixTempErrorReceived = PKIX_FALSE; *pNBIOContext = NULL; *pCrlList = filteredCRLs; cleanup: if (PKIX_ERROR_RECEIVED) { PKIX_DECREF(filteredCRLs); } PKIX_DECREF(params); PKIX_DECREF(issuerNames); PKIX_DECREF(issuer); PKIX_DECREF(candidate); PKIX_DECREF(responses); PKIX_DECREF(unfilteredCRLs); PKIX_DECREF(lcs); PKIX_RETURN(CERTSTORE); }
/* * FUNCTION: PKIX_Logger_SetLoggers (see comments in pkix_util.h) */ PKIX_Error * PKIX_SetLoggers( PKIX_List *loggers, /* list of PKIX_Logger */ void *plContext) { PKIX_List *list = NULL; PKIX_List *savedPkixLoggersErrors = NULL; PKIX_List *savedPkixLoggersDebugTrace = NULL; PKIX_Logger *logger = NULL; PKIX_Logger *dupLogger = NULL; PKIX_Boolean locked = PKIX_FALSE; PKIX_UInt32 i, length; PKIX_ENTER(LOGGER, "PKIX_SetLoggers"); PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext), PKIX_MONITORLOCKENTERFAILED); locked = PKIX_TRUE; /* Disable tracing, etc. to avoid recursion and deadlock */ savedPkixLoggersDebugTrace = pkixLoggersDebugTrace; pkixLoggersDebugTrace = NULL; savedPkixLoggersErrors = pkixLoggersErrors; pkixLoggersErrors = NULL; /* discard any prior loggers */ PKIX_DECREF(pkixLoggers); PKIX_DECREF(savedPkixLoggersErrors); PKIX_DECREF(savedPkixLoggersDebugTrace); if (loggers != NULL) { PKIX_CHECK(PKIX_List_Create(&list, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(PKIX_List_GetLength(loggers, &length, plContext), PKIX_LISTGETLENGTHFAILED); for (i = 0; i < length; i++) { PKIX_CHECK(PKIX_List_GetItem (loggers, i, (PKIX_PL_Object **) &logger, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_Logger_Duplicate ((PKIX_PL_Object *)logger, (PKIX_PL_Object **)&dupLogger, plContext), PKIX_LOGGERDUPLICATEFAILED); PKIX_CHECK(PKIX_List_AppendItem (list, (PKIX_PL_Object *) dupLogger, plContext), PKIX_LISTAPPENDITEMFAILED); /* Make two lists */ /* Put in pkixLoggersErrors in any case*/ if (savedPkixLoggersErrors == NULL) { PKIX_CHECK(PKIX_List_Create (&savedPkixLoggersErrors, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (savedPkixLoggersErrors, (PKIX_PL_Object *) dupLogger, plContext), PKIX_LISTAPPENDITEMFAILED); if (logger->maxLevel > PKIX_LOGGER_LEVEL_WARNING) { /* Put in pkixLoggersDebugTrace */ if (savedPkixLoggersDebugTrace == NULL) { PKIX_CHECK(PKIX_List_Create (&savedPkixLoggersDebugTrace, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (savedPkixLoggersDebugTrace, (PKIX_PL_Object *) dupLogger, plContext), PKIX_LISTAPPENDITEMFAILED); } PKIX_DECREF(logger); PKIX_DECREF(dupLogger); } pkixLoggers = list; } cleanup: if (PKIX_ERROR_RECEIVED){ PKIX_DECREF(list); PKIX_DECREF(savedPkixLoggersErrors); PKIX_DECREF(savedPkixLoggersDebugTrace); pkixLoggers = NULL; } PKIX_DECREF(logger); /* Reenable logging capability with new lists */ pkixLoggersErrors = savedPkixLoggersErrors; pkixLoggersDebugTrace = savedPkixLoggersDebugTrace; if (locked) { PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext), PKIX_MONITORLOCKEXITFAILED); } PKIX_RETURN(LOGGER); }
/* * FUNCTION: pkix_pl_CollectionCertStoreContext_PopulateCRL * DESCRIPTION: * * Create list of CRLs from *.crl files at directory specified in dirName, * Not recursive to sub-dirctory. Also assume the directory contents are * not changed dynamically. * * PARAMETERS * "colCertStoreContext" - Address of CollectionCertStoreContext * where the dirName is specified and where the return * CRLs are stored as a list. Must be non-NULL. * "plContext" - Platform-specific context pointer. * * THREAD SAFETY: * Not Thread Safe - A lock at top level is required. * * RETURNS: * Returns NULL if the function succeeds. * Returns a CollectionCertStoreContext Error if the function fails in * a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ static PKIX_Error * pkix_pl_CollectionCertStoreContext_PopulateCRL( PKIX_PL_CollectionCertStoreContext *colCertStoreContext, void *plContext) { PKIX_List *crlList = NULL; PKIX_PL_CRL *crlItem = NULL; char *dirName = NULL; char *pathName = NULL; PKIX_UInt32 dirNameLen = 0; PRErrorCode prError = 0; PRDir *dir = NULL; PRDirEntry *dirEntry = NULL; PKIX_ENTER(COLLECTIONCERTSTORECONTEXT, "pkix_pl_CollectionCertStoreContext_PopulateCRL"); PKIX_NULLCHECK_ONE(colCertStoreContext); /* convert directory to ascii */ PKIX_CHECK(PKIX_PL_String_GetEncoded (colCertStoreContext->storeDir, PKIX_ESCASCII, (void **)&dirName, &dirNameLen, plContext), PKIX_STRINGGETENCODEDFAILED); /* create CRL list, if no CRL file, should return an empty list */ PKIX_CHECK(PKIX_List_Create(&crlList, plContext), PKIX_LISTCREATEFAILED); /* open directory and read in .crl files */ PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_OpenDir.\n"); dir = PR_OpenDir(dirName); if (!dir) { PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG_ARG ("\t\t Directory Name:%s\n", dirName); PKIX_ERROR(PKIX_CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY); } PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_ReadDir.\n"); dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH); if (!dirEntry) { PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Empty directory.\n"); PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PR_GetError.\n"); prError = PR_GetError(); } PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_SetError.\n"); PR_SetError(0, 0); while (dirEntry != NULL && prError == 0) { if (PL_strrstr(dirEntry->name, ".crl") == dirEntry->name + PL_strlen(dirEntry->name) - 4) { PKIX_CHECK_ONLY_FATAL (PKIX_PL_Malloc (dirNameLen + PL_strlen(dirEntry->name) + 2, (void **)&pathName, plContext), PKIX_MALLOCFAILED); if ((!PKIX_ERROR_RECEIVED) && (pathName != NULL)){ PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PL_strcpy for dirName.\n"); PL_strcpy(pathName, dirName); PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PL_strcat for dirName.\n"); PL_strcat(pathName, "/"); PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PL_strcat for /.\n"); PL_strcat(pathName, dirEntry->name); PKIX_CHECK_ONLY_FATAL (pkix_pl_CollectionCertStoreContext_CreateCRL (pathName, &crlItem, plContext), PKIX_COLLECTIONCERTSTORECONTEXTCREATECRLFAILED); if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (PKIX_List_AppendItem (crlList, (PKIX_PL_Object *)crlItem, plContext), PKIX_LISTAPPENDITEMFAILED); } } PKIX_DECREF(crlItem); PKIX_FREE(pathName); } PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PR_SetError.\n"); PR_SetError(0, 0); PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PR_ReadDir.\n"); dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH); if (!dirEntry) { PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PR_GetError.\n"); prError = PR_GetError(); } } if ((prError != 0) && (prError != PR_NO_MORE_FILES_ERROR)) { PKIX_ERROR(PKIX_COLLECTIONCERTSTORECONTEXTGETSELECTCRLFAILED); } PKIX_CHECK(PKIX_List_SetImmutable(crlList, plContext), PKIX_LISTSETIMMUTABLEFAILED); PKIX_INCREF(crlList); colCertStoreContext->crlList = crlList; cleanup: if (dir) { PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG ("\t\t Calling PR_CloseDir.\n"); PR_CloseDir(dir); } PKIX_FREE(pathName); PKIX_FREE(dirName); if (PKIX_ERROR_RECEIVED){ PKIX_DECREF(crlList); } PKIX_DECREF(crlItem); PKIX_DECREF(crlList); PKIX_RETURN(COLLECTIONCERTSTORECONTEXT); }
/* * FUNCTION: PKIX_Logger_AddLogger (see comments in pkix_util.h) */ PKIX_Error * PKIX_AddLogger( PKIX_Logger *logger, void *plContext) { PKIX_Logger *dupLogger = NULL; PKIX_Logger *addLogger = NULL; PKIX_List *savedPkixLoggersErrors = NULL; PKIX_List *savedPkixLoggersDebugTrace = NULL; PKIX_Boolean locked = PKIX_FALSE; PKIX_UInt32 i, length; PKIX_ENTER(LOGGER, "PKIX_Logger_AddLogger"); PKIX_NULLCHECK_ONE(logger); PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext), PKIX_MONITORLOCKENTERFAILED); locked = PKIX_TRUE; savedPkixLoggersDebugTrace = pkixLoggersDebugTrace; pkixLoggersDebugTrace = NULL; savedPkixLoggersErrors = pkixLoggersErrors; pkixLoggersErrors = NULL; PKIX_DECREF(savedPkixLoggersErrors); PKIX_DECREF(savedPkixLoggersDebugTrace); if (pkixLoggers == NULL) { PKIX_CHECK(PKIX_List_Create(&pkixLoggers, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(pkix_Logger_Duplicate ((PKIX_PL_Object *)logger, (PKIX_PL_Object **)&dupLogger, plContext), PKIX_LOGGERDUPLICATEFAILED); PKIX_CHECK(PKIX_List_AppendItem (pkixLoggers, (PKIX_PL_Object *) dupLogger, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_CHECK(PKIX_List_GetLength(pkixLoggers, &length, plContext), PKIX_LISTGETLENGTHFAILED); /* Reconstruct pkixLoggersErrors and pkixLoggersDebugTrace */ for (i = 0; i < length; i++) { PKIX_CHECK(PKIX_List_GetItem (pkixLoggers, i, (PKIX_PL_Object **) &addLogger, plContext), PKIX_LISTGETITEMFAILED); /* Put in pkixLoggersErrors */ if (savedPkixLoggersErrors == NULL) { PKIX_CHECK(PKIX_List_Create (&savedPkixLoggersErrors, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (savedPkixLoggersErrors, (PKIX_PL_Object *) addLogger, plContext), PKIX_LISTAPPENDITEMFAILED); if (addLogger->maxLevel > PKIX_LOGGER_LEVEL_WARNING) { /* Put in pkixLoggersDebugTrace */ if (savedPkixLoggersDebugTrace == NULL) { PKIX_CHECK(PKIX_List_Create (&savedPkixLoggersDebugTrace, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (savedPkixLoggersDebugTrace, (PKIX_PL_Object *) addLogger, plContext), PKIX_LISTAPPENDITEMFAILED); } PKIX_DECREF(addLogger); } cleanup: PKIX_DECREF(dupLogger); PKIX_DECREF(addLogger); /* Restore logging capability */ pkixLoggersErrors = savedPkixLoggersErrors; pkixLoggersDebugTrace = savedPkixLoggersDebugTrace; if (locked) { PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext), PKIX_MONITORLOCKEXITFAILED); } PKIX_RETURN(LOGGER); }
/* * FUNCTION: pkix_pl_CollectionCertStoreContext_GetSelectedCRL * DESCRIPTION: * * Finds the CRLs that match the criterion of the CRLSelector pointed * to by "selector" using the List of CRLs pointed to by "crlList" and * stores the matching CRLs at "pSelectedCrlList". * * Not recursive to sub-directory. * * PARAMETERS * "crlList" - Address of List of CRLs to be searched. Must be non-NULL * "selector" - CRLSelector for chosing CRL based on Params set * "pSelectedCrlList" - CRLs that qualified by selector. * "plContext" - Platform-specific context pointer. * * THREAD SAFETY: * Not Thread Safe - A lock at top level is required. * * RETURNS: * Returns NULL if the function succeeds. * Returns a CollectionCertStoreContext Error if the function fails in * a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ static PKIX_Error * pkix_pl_CollectionCertStoreContext_GetSelectedCRL( PKIX_List *crlList, PKIX_CRLSelector *selector, PKIX_List **pSelectedCrlList, void *plContext) { PKIX_List *selectCrlList = NULL; PKIX_PL_CRL *crlItem = NULL; PKIX_CRLSelector_MatchCallback crlSelectorMatch = NULL; PKIX_UInt32 numCrls = 0; PKIX_UInt32 i = 0; PKIX_Boolean match = PKIX_FALSE; PKIX_ENTER(COLLECTIONCERTSTORECONTEXT, "pkix_pl_CollectionCertStoreContext_GetSelectedCRL"); PKIX_NULLCHECK_THREE(crlList, selector, pSelectedCrlList); PKIX_CHECK(PKIX_CRLSelector_GetMatchCallback (selector, &crlSelectorMatch, plContext), PKIX_CRLSELECTORGETMATCHCALLBACKFAILED); PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext), PKIX_LISTGETLENGTHFAILED); if (crlSelectorMatch) { PKIX_CHECK(PKIX_List_Create(&selectCrlList, plContext), PKIX_LISTCREATEFAILED); for (i = 0; i < numCrls; i++) { PKIX_CHECK_ONLY_FATAL(PKIX_List_GetItem (crlList, i, (PKIX_PL_Object **) &crlItem, plContext), PKIX_LISTGETITEMFAILED); if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (crlSelectorMatch (selector, crlItem, &match, plContext), PKIX_CRLSELECTORMATCHFAILED); if (!(PKIX_ERROR_RECEIVED) && match) { PKIX_CHECK_ONLY_FATAL (PKIX_List_AppendItem (selectCrlList, (PKIX_PL_Object *)crlItem, plContext), PKIX_LISTAPPENDITEMFAILED); } } PKIX_DECREF(crlItem); } } else { PKIX_INCREF(crlList); selectCrlList = crlList; } /* Don't throw away the list if one CRL was bad! */ pkixTempErrorReceived = PKIX_FALSE; *pSelectedCrlList = selectCrlList; cleanup: PKIX_RETURN(COLLECTIONCERTSTORECONTEXT); }
/* * FUNCTION: pkix_pl_HttpCertStore_ProcessCrlResponse * DESCRIPTION: * * This function verifies that the response code pointed to by "responseCode" * and the content type pointed to by "responseContentType" are as expected, * and then decodes the data pointed to by "responseData", of length * "responseDataLen", into a List of Crls, possibly empty, which is returned * at "pCrlList". * * PARAMETERS: * "responseCode" * The value of the HTTP response code. * "responseContentType" * The address of the Content-type string. Must be non-NULL. * "responseData" * The address of the message data. Must be non-NULL. * "responseDataLen" * The length of the message data. * "pCrlList" * The address of the List that is created. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a HttpCertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_HttpCertStore_ProcessCrlResponse( PRUint16 responseCode, const char *responseContentType, const char *responseData, PRUint32 responseDataLen, PKIX_List **pCrlList, void *plContext) { PRArenaPool *arena = NULL; SECItem *encodedResponse = NULL; PRInt16 compareVal = 0; PKIX_List *crls = NULL; PKIX_ENTER (HTTPCERTSTORECONTEXT, "pkix_pl_HttpCertStore_ProcessCrlResponse"); PKIX_NULLCHECK_ONE(pCrlList); if (responseCode != 200) { PKIX_ERROR(PKIX_BADHTTPRESPONSE); } /* check that response type is application/pkix-crl */ if (responseContentType == NULL) { PKIX_ERROR(PKIX_NOCONTENTTYPEINHTTPRESPONSE); } compareVal = PORT_Strcasecmp(responseContentType, "application/pkix-crl"); if (compareVal != 0) { PKIX_ERROR(PKIX_CONTENTTYPENOTPKIXCRL); } /* Make a SECItem of the response data */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { PKIX_ERROR(PKIX_OUTOFMEMORY); } if (responseData == NULL) { PKIX_ERROR(PKIX_NORESPONSEDATAINHTTPRESPONSE); } encodedResponse = SECITEM_AllocItem(arena, NULL, responseDataLen); if (encodedResponse == NULL) { PKIX_ERROR(PKIX_OUTOFMEMORY); } PORT_Memcpy(encodedResponse->data, responseData, responseDataLen); PKIX_CHECK(PKIX_List_Create(&crls, plContext), PKIX_LISTCREATEFAILED); PKIX_CHECK(pkix_pl_CRL_CreateToList (encodedResponse, crls, plContext), PKIX_CRLCREATETOLISTFAILED); *pCrlList = crls; cleanup: if (PKIX_ERROR_RECEIVED) { PKIX_DECREF(crls); } if (arena != NULL) { PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, (arena, PR_FALSE)); } PKIX_RETURN(HTTPCERTSTORECONTEXT); }