/*
 * FUNCTION: pkix_SingleVerifyNode_ToString
 * DESCRIPTION:
 *
 *  Creates a String representation of the attributes of the VerifyNode pointed
 *  to by "node", other than its children, and stores the result at "pString".
 *  The string has the form
 *  "CERT[Issuer:<issuer>, Subject:<subject>], depth=<depth>, error=<error>".
 *
 * PARAMETERS:
 *  "node"
 *      Address of VerifyNode to be described by the string. Must be non-NULL,
 *      and its "verifyCert" member must be non-NULL as well.
 *  "pString"
 *      Address where object pointer will be stored. Must be non-NULL. Written
 *      only after every step has succeeded.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Conditionally Thread Safe
 *  (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if function succeeds
 *  Returns a VerifyNode Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in a fatal way
 *
 * NOTE(review): the issuer and subject text is read from node->verifyCert.
 * If that certificate is peer-supplied, the returned string carries
 * peer-controlled text; whether the ToString helpers escape control
 * characters is not visible here, so consumers that log or display the
 * result should treat it as untrusted.
 */
PKIX_Error *
pkix_SingleVerifyNode_ToString(
        PKIX_VerifyNode *node,
        PKIX_PL_String **pString,
        void *plContext)
{
        PKIX_PL_String *fmtString = NULL;
        PKIX_PL_String *errorString = NULL;
        PKIX_PL_String *outString = NULL;

        PKIX_PL_X500Name *issuerName = NULL;
        PKIX_PL_X500Name *subjectName = NULL;
        PKIX_PL_String *issuerString = NULL;
        PKIX_PL_String *subjectString = NULL;

        PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString");
        /*
         * NOTE(review): node->verifyCert is passed as the third argument, so
         * this relies on the macro testing "node" before it dereferences it.
         * The macro body is not shown here; confirm.
         */
        PKIX_NULLCHECK_THREE(node, pString, node->verifyCert);

        /* Each piece is converted to a string object before formatting. */
        PKIX_TOSTRING(node->error, &errorString, plContext,
                PKIX_ERRORTOSTRINGFAILED);

        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
                (node->verifyCert, &issuerName, plContext),
                PKIX_CERTGETISSUERFAILED);

        PKIX_TOSTRING(issuerName, &issuerString, plContext,
                PKIX_X500NAMETOSTRINGFAILED);

        PKIX_CHECK(PKIX_PL_Cert_GetSubject
                (node->verifyCert, &subjectName, plContext),
                PKIX_CERTGETSUBJECTFAILED);

        PKIX_TOSTRING(subjectName, &subjectString, plContext,
                PKIX_X500NAMETOSTRINGFAILED);

        /*
         * The format is a fixed literal. Certificate-derived text is passed
         * only as %s arguments and never becomes part of the format itself.
         */
        PKIX_CHECK(PKIX_PL_String_Create
                (PKIX_ESCASCII,
                "CERT[Issuer:%s, Subject:%s], depth=%d, error=%s",
                0,
                &fmtString,
                plContext),
                PKIX_CANTCREATESTRING);

        PKIX_CHECK(PKIX_PL_Sprintf
                (&outString,
                plContext,
                fmtString,
                issuerString,
                subjectString,
                node->depth,
                errorString),
                PKIX_SPRINTFFAILED);

        /*
         * The reference held in outString is handed to the caller, which is
         * why outString is not released under cleanup.
         */
        *pString = outString;

cleanup:
        /* Release every intermediate object, on success and failure alike. */
        PKIX_DECREF(fmtString);
        PKIX_DECREF(errorString);
        PKIX_DECREF(issuerName);
        PKIX_DECREF(subjectName);
        PKIX_DECREF(issuerString);
        PKIX_DECREF(subjectString);

        PKIX_RETURN(VERIFYNODE);
}
/*
 * FUNCTION: pkix_CrlChecker_CheckExternal
 *  (the previous header named this function pkix_CrlChecker_CheckRemote and
 *  described parameters that the signature below does not have)
 *
 * DESCRIPTION:
 *  Checks whether "cert" has been revoked according to CRL data. The function
 *  looks for a local cert store that offers both a CRL-import callback and a
 *  CRL-check callback. It then asks each configured cert store for CRLs
 *  matching a selector built from "issuer", the cert's CRL distribution
 *  points and "date", imports the result into the local store, and runs the
 *  revocation-check callback until a status other than
 *  PKIX_RevStatus_NoInfo is obtained.
 *
 *  If the status is still PKIX_RevStatus_NoInfo at exit, it is reported as
 *  PKIX_RevStatus_Revoked when PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO is set
 *  and either the cert lists at least one distribution point or
 *  PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE is set. Otherwise the caller
 *  receives PKIX_RevStatus_NoInfo.
 *
 * PARAMETERS
 *  "cert"
 *      Address of Certificate that is to be validated. Must be non-NULL.
 *  "issuer"
 *      Address of the issuer Certificate. Must be non-NULL. Its key usage is
 *      verified against PKIX_CRL_SIGN before any CRL is fetched.
 *  "date"
 *      Date passed to the CRL selector and to the revocation-check callback.
 *  "checkerObject"
 *      Address of the revocation method object; it is cast to
 *      pkix_CrlChecker to reach the list of cert stores. Must be non-NULL.
 *  "procParams"
 *      Not referenced in this function body.
 *  "methodFlags"
 *      Bit flags; PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE and
 *      PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO are tested here.
 *  "pRevStatus"
 *      Address where the resulting revocation status is stored. It is
 *      dereferenced under cleanup but is not among the NULL-checked
 *      arguments.
 *  "pReasonCode"
 *      Never written by this function (see NOTE(review) in the body).
 *  "pNBIOContext"
 *      Address of the non-blocking I/O context. Must be non-NULL. The value
 *      is read on entry and the location is then set to NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Not Thread Safe
 *  (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error
 */
PKIX_Error *
pkix_CrlChecker_CheckExternal(
        PKIX_PL_Cert *cert,
        PKIX_PL_Cert *issuer,
        PKIX_PL_Date *date,
        pkix_RevocationMethod *checkerObject,
        PKIX_ProcessingParams *procParams,
        PKIX_UInt32 methodFlags,
        PKIX_RevocationStatus *pRevStatus,
        PKIX_UInt32 *pReasonCode,
        void **pNBIOContext,
        void *plContext)
{
    PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
    PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL;
    /* Default result: nothing is known until a CRL check says otherwise. */
    PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
    PKIX_CertStore *certStore = NULL;
    PKIX_CertStore *localStore = NULL;
    PKIX_CRLSelector *crlSelector = NULL;
    PKIX_PL_X500Name *issuerName = NULL;
    pkix_CrlChecker *state = NULL;
    PKIX_UInt32 reasonCode = 0;
    PKIX_UInt32 crlStoreIndex = 0;
    PKIX_UInt32 numCrlStores = 0;
    PKIX_Boolean storeIsLocal = PKIX_FALSE;
    PKIX_List *crlList = NULL;
    PKIX_List *dpList = NULL;
    void *nbioContext = NULL;

    PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal");
    /*
     * NOTE(review): pRevStatus and pReasonCode are not covered by this
     * check, yet *pRevStatus is written unconditionally under cleanup.
     */
    PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext);

    /*
     * NOTE(review): after this point *pNBIOContext is never assigned again,
     * so a context updated by a store's CRL callback is not handed back to
     * the caller. Confirm that pending non-blocking I/O is not expected here.
     */
    nbioContext = *pNBIOContext;
    *pNBIOContext = NULL; /* prepare for Error exit */

    state = (pkix_CrlChecker*)checkerObject;

    PKIX_CHECK(
        PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
        PKIX_LISTGETLENGTHFAILED);

    /* Find a cert store that is capable of storing crls */
    for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
        PKIX_CHECK(
            PKIX_List_GetItem(state->certStores, crlStoreIndex,
                              (PKIX_PL_Object **)&certStore,
                              plContext),
            PKIX_LISTGETITEMFAILED);

        PKIX_CHECK(
            PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
                                        plContext),
            PKIX_CERTSTOREGETLOCALFLAGFAILED);
        if (storeIsLocal) {
            /*
             * NOTE(review): both getters report the same error code, so a
             * failure to obtain the import callback is reported as a
             * check-by-CRL failure.
             */
            PKIX_CHECK(
                PKIX_CertStore_GetImportCrlCallback(certStore,
                                                    &storeImportCrlFn,
                                                    plContext),
                PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);

            PKIX_CHECK(
                PKIX_CertStore_GetCrlCheckerFn(certStore,
                                               &storeCheckRevocationFn,
                                               plContext),
                PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);

            if (storeImportCrlFn && storeCheckRevocationFn) {
                /*
                 * Move the reference from certStore to localStore; certStore
                 * is cleared so the release below does not drop it.
                 */
                localStore = certStore;
                certStore = NULL;
                break;
            }
        }
        PKIX_DECREF(certStore);
    } /* end of local-store search loop */

    /* Report unknown status if we can not check crl in one of the
     * local stores. */
    if (!localStore) {
        PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
    }

    /* The issuer must be permitted to sign CRLs before any CRL is fetched. */
    PKIX_CHECK(
        PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext),
        PKIX_CERTCHECKKEYUSAGEFAILED);

    PKIX_CHECK(
        PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext),
        PKIX_CERTGETCRLDPFAILED);

    /*
     * No distribution points and no requirement for information on a missing
     * source: skip fetching. revStatus is still PKIX_RevStatus_NoInfo and the
     * cleanup condition cannot turn it into Revoked in this case.
     */
    if (!(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) &&
        (!dpList || !dpList->length)) {
        goto cleanup;
    }

    PKIX_CHECK(
        PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext),
        PKIX_CERTGETISSUERFAILED);

    PKIX_CHECK(
        PKIX_CRLSelector_Create(issuer, dpList, date, &crlSelector, plContext),
        PKIX_CRLCHECKERSETSELECTORFAILED);

    /* Fetch crl and store in a local cert store */
    for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) {
        PKIX_CertStore_CRLCallback getCrlsFn;

        PKIX_CHECK(
            PKIX_List_GetItem(state->certStores, crlStoreIndex,
                              (PKIX_PL_Object **)&certStore,
                              plContext),
            PKIX_LISTGETITEMFAILED);

        PKIX_CHECK(
            PKIX_CertStore_GetCRLCallback(certStore, &getCrlsFn,
                                          plContext),
            PKIX_CERTSTOREGETCRLCALLBACKFAILED);

        /*
         * A failure in any PKIX_CHECK inside this loop ends the whole
         * function (presumably via the cleanup label; the macro is not shown
         * here), so one store failing to return CRLs stops the remaining
         * stores from being consulted.
         */
        PKIX_CHECK(
            (*getCrlsFn)(certStore, crlSelector, &nbioContext,
                         &crlList, plContext),
            PKIX_GETCRLSFAILED);

        PKIX_CHECK(
            (*storeImportCrlFn)(localStore, issuerName, crlList, plContext),
            PKIX_CERTSTOREFAILTOIMPORTCRLLIST);

        /*
         * NOTE(review): the check callback was obtained from localStore and
         * the CRLs were imported into localStore, but the callback is invoked
         * with certStore, the store the CRLs were fetched from. Confirm this
         * is intended.
         */
        PKIX_CHECK(
            (*storeCheckRevocationFn)(certStore, cert, issuer, date,
                                      /* done with crl downloading */
                                      PKIX_TRUE,
                                      &reasonCode, &revStatus, plContext),
            PKIX_CERTSTORECRLCHECKFAILED);
        if (revStatus != PKIX_RevStatus_NoInfo) {
            /* crlList and certStore are released under cleanup. */
            break;
        }
        PKIX_DECREF(crlList);
        PKIX_DECREF(certStore);
    } /* end of fetch-and-check loop */

cleanup:
    /* Update return flags */
    /*
     * Fail closed: with PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO set, a missing
     * answer is reported as Revoked. '&' binds tighter than '&&', so the last
     * operand is (methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO).
     */
    if (revStatus == PKIX_RevStatus_NoInfo &&
        ((dpList && dpList->length > 0) ||
         (methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE)) &&
        methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
        revStatus = PKIX_RevStatus_Revoked;
    }
    /*
     * NOTE(review): reasonCode is filled in by the check callback but is
     * never copied to *pReasonCode, so the caller does not receive a
     * revocation reason from this function.
     */
    *pRevStatus = revStatus;

    PKIX_DECREF(dpList);
    PKIX_DECREF(crlList);
    PKIX_DECREF(certStore);
    PKIX_DECREF(issuerName);
    PKIX_DECREF(localStore);
    PKIX_DECREF(crlSelector);

    PKIX_RETURN(CERTCHAINCHECKER);
}
/*
 * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
 *
 * DESCRIPTION:
 *  This function creates a CRLSelector suitable for finding a CRL for
 *  the Cert pointed to by "cert", setting the result in the
 *  defaultCRLCheckerState pointed to by "state". The selector parameters
 *  carry the cert's issuer name, a date and the state's NIST CRL policy
 *  flag. The date is state->testDate when that is set, otherwise a date
 *  created by PKIX_PL_Date_Create_UTCTime with a NULL first argument. The
 *  cert's issuer and serial number are also stored in "state", and the
 *  state's store index, store count and certHasValidCrl flag are reset.
 *
 * PARAMETERS
 *  "cert"
 *      Address of Cert for which a CRLSelector is to be constructed. Must be
 *      non-NULL.
 *  "state"
 *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
 *      be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 *  NOTE(review): the function writes several fields of "state" without any
 *  locking visible here, so this presumably holds only when callers do not
 *  share "state" across threads. Confirm.
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
 *  non-fatal way.
 *  Returns a Fatal Error
 */
PKIX_Error *
pkix_DefaultCRLChecker_Check_SetSelector(
        PKIX_PL_Cert *cert,
        pkix_DefaultCRLCheckerState *state,
        void *plContext)
{
        PKIX_PL_X500Name *certIssuer = NULL;
        PKIX_PL_BigInt *certSerialNumber = NULL;
        PKIX_PL_Date *nowDate = NULL;
        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
        PKIX_CRLSelector *crlSelector = NULL;

        PKIX_ENTER
            (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
        PKIX_NULLCHECK_TWO(cert, state);

        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
                PKIX_CERTGETISSUERFAILED);

        /*
         * The serial number is only stored in state below; it is not added
         * to the selector parameters in this function.
         */
        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
                (cert, &certSerialNumber, plContext),
                PKIX_CERTGETSERIALNUMBERFAILED);

        /*
         * A configured testDate overrides the freshly created date, so the
         * selector is built for that date instead. The extra reference taken
         * here is balanced by the PKIX_DECREF(nowDate) under cleanup.
         */
        if (state->testDate != NULL) {

                PKIX_INCREF(state->testDate);
                nowDate = state->testDate;

        } else {

                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
                        (NULL, &nowDate, plContext),
                        PKIX_DATECREATEUTCTIMEFAILED);
        }

        PKIX_CHECK(PKIX_ComCRLSelParams_Create
                (&comCrlSelParams, plContext),
                PKIX_COMCRLSELPARAMSCREATEFAILED);

        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
                (comCrlSelParams, certIssuer, plContext),
                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);

        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
                (comCrlSelParams, nowDate, plContext),
                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);

        /*
         * NOTE(review): the error code says COMCERTSELPARAMS although the
         * call operates on ComCRLSelParams; it looks like a borrowed
         * constant.
         */
        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);

        /*
         * NOTE(review): PKIX_CRLSelector_Create takes four arguments here,
         * while pkix_CrlChecker_CheckExternal calls it with five (issuer,
         * distribution points, date, ...). The two functions may come from
         * different revisions of the library; confirm against the prototype.
         */
        PKIX_CHECK(PKIX_CRLSelector_Create
                (NULL,
                NULL, /* never used? (PKIX_PL_Object *)checker, */
                &crlSelector,
                plContext),
                PKIX_CRLSELECTORCREATEFAILED);

        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
                (crlSelector, comCrlSelParams, plContext),
                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);

        /*
         * Replace each state field: release the old object, take a new
         * reference for the state, then store. The local references are
         * dropped under cleanup, leaving the state holding one of its own.
         */
        PKIX_DECREF(state->certIssuer);
        PKIX_INCREF(certIssuer);
        state->certIssuer = certIssuer;

        PKIX_DECREF(state->certSerialNumber);
        PKIX_INCREF(certSerialNumber);
        state->certSerialNumber = certSerialNumber;

        PKIX_DECREF(state->crlSelector);
        PKIX_INCREF(crlSelector);
        state->crlSelector = crlSelector;

        state->crlStoreIndex = 0;

        /*
         * NOTE(review): if this call fails, the three fields above and
         * crlStoreIndex have already been replaced, while certHasValidCrl
         * keeps its previous value.
         */
        PKIX_CHECK(PKIX_List_GetLength
                (state->certStores, &(state->numCrlStores), plContext),
                PKIX_LISTGETLENGTHFAILED);

        state->certHasValidCrl = PKIX_FALSE;

cleanup:
        /* Drop the local references, on success and failure alike. */
        PKIX_DECREF(certIssuer);
        PKIX_DECREF(certSerialNumber);
        PKIX_DECREF(nowDate);
        PKIX_DECREF(comCrlSelParams);
        PKIX_DECREF(crlSelector);

        PKIX_RETURN(CERTCHAINCHECKER);
}