static void testGetCAName( PKIX_PL_Cert *diffCert, PKIX_TrustAnchor *equalObject) { PKIX_PL_X500Name *diffCAName = NULL; PKIX_PL_X500Name *equalCAName = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_TrustAnchor_GetCAName"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffCert, &diffCAName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAName(equalObject, &equalCAName, plContext)); testEqualsHelper((PKIX_PL_Object *)diffCAName, (PKIX_PL_Object *)equalCAName, PKIX_TRUE, plContext); cleanup: PKIX_TEST_DECREF_AC(diffCAName); PKIX_TEST_DECREF_AC(equalCAName); PKIX_TEST_RETURN(); }
/* * This function creates a certSelector with ComCertSelParams set up to * select entries whose Subject Name matches that in the given Cert and * whose validity window includes the Date specified by "validityDate". */ static void test_makeSubjectCertSelector( PKIX_PL_Cert *certNameToMatch, PKIX_PL_Date *validityDate, PKIX_CertSelector **pSelector, void *plContext) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *subjParams = NULL; PKIX_PL_X500Name *subjectName = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(subjParams, validityDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(subjParams); PKIX_TEST_DECREF_AC(subjectName); PKIX_TEST_RETURN(); }
PKIX_TrustAnchor * createTrustAnchor( char *dirName, char *certFileName, PKIX_Boolean useCert, void *plContext) { PKIX_TrustAnchor *anchor = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_X500Name *name = NULL; PKIX_PL_PublicKey *pubKey = NULL; PKIX_PL_CertNameConstraints *nameConstraints = NULL; PKIX_TEST_STD_VARS(); cert = createCert(dirName, certFileName, plContext); if (useCert){ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert (cert, &anchor, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject (cert, &name, plContext)); if (name == NULL){ goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey (cert, &pubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &nameConstraints, NULL)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_TrustAnchor_CreateWithNameKeyPair (name, pubKey, nameConstraints, &anchor, plContext)); } cleanup: if (PKIX_TEST_ERROR_RECEIVED){ PKIX_TEST_DECREF_AC(anchor); } PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(name); PKIX_TEST_DECREF_AC(pubKey); PKIX_TEST_DECREF_AC(nameConstraints); PKIX_TEST_RETURN(); return (anchor); }
int test_validatechain_bc(int argc, char *argv[]) { PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_PL_X500Name *subject = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; char *trustedCertFile = NULL; char *chainCertFile = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *chainCert = NULL; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_TEST_STD_VARS(); if (argc < 3){ printUsage(); return (0); } startTests("ValidateChainBasicConstraints"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); chainLength = (argc - j) - 2; /* create processing params with list of trust anchors */ trustedCertFile = argv[1+j]; trustedCert = createCert(trustedCertFile); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints (certSelParams, -1, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, certSelParams, plContext)); PKIX_TEST_DECREF_BC(subject); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert (trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create (anchors, &procParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, PKIX_FALSE, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ProcessingParams_SetTargetCertConstraints (procParams, certSelector, plContext)); PKIX_TEST_DECREF_BC(certSelector); /* create cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); for (i = 0; i < chainLength; i++){ chainCertFile = argv[i + (2+j)]; chainCert = createCert(chainCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (certs, (PKIX_PL_Object *)chainCert, plContext)); PKIX_TEST_DECREF_BC(chainCert); } /* create validate params with processing params and cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create (procParams, certs, &valParams, plContext)); /* validate cert chain using processing params and return valResult */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); if (valResult != NULL){ printf("SUCCESSFULLY VALIDATED with Basic Constraint "); printf("Cert Selector minimum path length to be -1\n"); PKIX_TEST_DECREF_BC(valResult); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); PKIX_TEST_DECREF_BC(verifyString); PKIX_TEST_DECREF_BC(verifyTree); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints (certSelParams, 6, plContext)); /* validate cert chain using processing params and return valResult */ PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); if (valResult != NULL){ printf("SUCCESSFULLY VALIDATED with Basic Constraint "); printf("Cert Selector minimum path length to be 6\n"); } PKIX_TEST_DECREF_BC(trustedCert); PKIX_TEST_DECREF_BC(anchor); PKIX_TEST_DECREF_BC(anchors); PKIX_TEST_DECREF_BC(certs); PKIX_TEST_DECREF_BC(procParams); cleanup: if (PKIX_TEST_ERROR_RECEIVED){ printf("FAILED TO VALIDATE\n"); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("ValidateChainBasicConstraints"); return (0); }
/* * FUNCTION: pkix_SingleVerifyNode_ToString * DESCRIPTION: * * Creates a String representation of the attributes of the VerifyNode pointed * to by "node", other than its children, and stores the result at "pString". * * PARAMETERS: * "node" * Address of VerifyNode to be described by the string. Must be non-NULL. * "pString" * Address where object pointer will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Conditionally Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if function succeeds * Returns a VerifyNode Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in a fatal way */ PKIX_Error * pkix_SingleVerifyNode_ToString( PKIX_VerifyNode *node, PKIX_PL_String **pString, void *plContext) { PKIX_PL_String *fmtString = NULL; PKIX_PL_String *errorString = NULL; PKIX_PL_String *outString = NULL; PKIX_PL_X500Name *issuerName = NULL; PKIX_PL_X500Name *subjectName = NULL; PKIX_PL_String *issuerString = NULL; PKIX_PL_String *subjectString = NULL; PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString"); PKIX_NULLCHECK_THREE(node, pString, node->verifyCert); PKIX_TOSTRING(node->error, &errorString, plContext, PKIX_ERRORTOSTRINGFAILED); PKIX_CHECK(PKIX_PL_Cert_GetIssuer (node->verifyCert, &issuerName, plContext), PKIX_CERTGETISSUERFAILED); PKIX_TOSTRING(issuerName, &issuerString, plContext, PKIX_X500NAMETOSTRINGFAILED); PKIX_CHECK(PKIX_PL_Cert_GetSubject (node->verifyCert, &subjectName, plContext), PKIX_CERTGETSUBJECTFAILED); PKIX_TOSTRING(subjectName, &subjectString, plContext, PKIX_X500NAMETOSTRINGFAILED); PKIX_CHECK(PKIX_PL_String_Create (PKIX_ESCASCII, "CERT[Issuer:%s, Subject:%s], depth=%d, error=%s", 0, &fmtString, plContext), PKIX_CANTCREATESTRING); PKIX_CHECK(PKIX_PL_Sprintf (&outString, plContext, fmtString, issuerString, subjectString, node->depth, errorString), PKIX_SPRINTFFAILED); *pString = outString; cleanup: PKIX_DECREF(fmtString); PKIX_DECREF(errorString); PKIX_DECREF(issuerName); PKIX_DECREF(subjectName); PKIX_DECREF(issuerString); PKIX_DECREF(subjectString); PKIX_RETURN(VERIFYNODE); }
int test_comcertselparams(int argc, char *argv[]) { PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_PL_Cert *testCert = NULL; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */ PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */ PKIX_ComCertSelParams *goodParams = NULL; PKIX_ComCertSelParams *equalParams = NULL; PKIX_PL_X500Name *goodSubject = NULL; PKIX_PL_X500Name *equalSubject = NULL; PKIX_PL_X500Name *diffSubject = NULL; PKIX_PL_X500Name *testSubject = NULL; PKIX_Int32 goodMinPathLength = 0; PKIX_Int32 equalMinPathLength = 0; PKIX_Int32 diffMinPathLength = 0; PKIX_Int32 testMinPathLength = 0; PKIX_List *goodPolicies = NULL; /* OIDs */ PKIX_List *equalPolicies = NULL; /* OIDs */ PKIX_List *testPolicies = NULL; /* OIDs */ PKIX_List *cert2Policies = NULL; /* OIDs */ PKIX_PL_Date *testDate = NULL; PKIX_PL_Date *goodDate = NULL; PKIX_PL_Date *equalDate = NULL; PKIX_PL_String *stringRep = NULL; char *asciiRep = NULL; char *dirName = NULL; PKIX_TEST_STD_VARS(); if (argc < 2) { printUsage(); return (0); } startTests("ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); dirName = argv[j + 1]; asciiRep = "050501000000Z"; PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); testCert = createCert(dirName, "PoliciesP1234CACert.crt", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(testCert, &testSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(testCert, &goodBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &testMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(testCert, &testPolicyInfos, plContext)); /* Convert from List of CertPolicyInfos to List of OIDs */ test_CreateOIDList(testPolicyInfos, &testPolicies); subTest("Create goodParams and set its fields"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(goodParams, testSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(goodParams, testMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, testDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(goodParams, testPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(goodParams, testCert, plContext)); subTest("Duplicate goodParams and verify copy"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)goodParams, (PKIX_PL_Object **)&equalParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); testEqualsHelper((PKIX_PL_Object *)goodSubject, (PKIX_PL_Object *)equalSubject, PKIX_TRUE, plContext); if (goodMinPathLength != equalMinPathLength) { testError("unexpected mismatch"); (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); } testEqualsHelper((PKIX_PL_Object *)goodPolicies, (PKIX_PL_Object *)equalPolicies, PKIX_TRUE, plContext); testEqualsHelper((PKIX_PL_Object *)goodCert, (PKIX_PL_Object *)equalCert, PKIX_TRUE, plContext); testEqualsHelper((PKIX_PL_Object *)goodDate, (PKIX_PL_Object *)equalDate, PKIX_TRUE, plContext); PKIX_TEST_DECREF_BC(equalSubject); PKIX_TEST_DECREF_BC(equalPolicies); PKIX_TEST_DECREF_BC(equalCert); PKIX_TEST_DECREF_AC(equalDate); subTest("Set different values and verify differences"); diffCert = createCert(dirName, "pathLenConstraint6CACert.crt", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffCert, &diffSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, &diffBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &cert2PolicyInfos, plContext)); test_CreateOIDList(cert2PolicyInfos, &cert2Policies); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject( equalParams, diffSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(equalParams, diffMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(equalParams, cert2Policies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); testEqualsHelper((PKIX_PL_Object *)goodSubject, (PKIX_PL_Object *)equalSubject, PKIX_FALSE, plContext); if (goodMinPathLength == equalMinPathLength) { testError("unexpected match"); (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); } testEqualsHelper((PKIX_PL_Object *)goodPolicies, (PKIX_PL_Object *)equalPolicies, PKIX_FALSE, plContext); test_NameConstraints(dirName); test_PathToNames(); test_SubjAltNames(); test_KeyUsages(); test_Version_Issuer_SerialNumber(); test_SubjKeyId_AuthKeyId(); test_SubjAlgId_SubjPublicKey(dirName); cleanup: PKIX_TEST_DECREF_AC(testSubject); PKIX_TEST_DECREF_AC(goodSubject); PKIX_TEST_DECREF_AC(equalSubject); PKIX_TEST_DECREF_AC(diffSubject); PKIX_TEST_DECREF_AC(testSubject); PKIX_TEST_DECREF_AC(goodPolicies); PKIX_TEST_DECREF_AC(equalPolicies); PKIX_TEST_DECREF_AC(testPolicies); PKIX_TEST_DECREF_AC(cert2Policies); PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(equalParams); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_DECREF_AC(testCert); PKIX_TEST_DECREF_AC(goodBasicConstraints); PKIX_TEST_DECREF_AC(diffBasicConstraints); PKIX_TEST_DECREF_AC(testPolicyInfos); PKIX_TEST_DECREF_AC(cert2PolicyInfos); PKIX_TEST_DECREF_AC(stringRep); PKIX_TEST_DECREF_AC(testDate); PKIX_TEST_DECREF_AC(goodDate); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ComCertSelParams"); return (0); }
/* * FUNCTION: pkix_TargetCertChecker_Check * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h) */ PKIX_Error * pkix_TargetCertChecker_Check( PKIX_CertChainChecker *checker, PKIX_PL_Cert *cert, PKIX_List *unresolvedCriticalExtensions, void **pNBIOContext, void *plContext) { pkix_TargetCertCheckerState *state = NULL; PKIX_CertSelector_MatchCallback certSelectorMatch = NULL; PKIX_PL_CertNameConstraints *nameConstraints = NULL; PKIX_List *certSubjAltNames = NULL; PKIX_List *certExtKeyUsageList = NULL; PKIX_PL_GeneralName *name = NULL; PKIX_PL_X500Name *certSubjectName = NULL; PKIX_Boolean checkPassed = PKIX_FALSE; PKIX_UInt32 numItems, i; PKIX_UInt32 matchCount = 0; PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); *pNBIOContext = NULL; /* we never block on pending I/O */ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState (checker, (PKIX_PL_Object **)&state, plContext), PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); (state->certsRemaining)--; if (state->pathToNameList != NULL) { PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints (cert, &nameConstraints, plContext), PKIX_CERTGETNAMECONSTRAINTSFAILED); /* * XXX We should either make the following call a public one * so it is legal to call from the portability layer or we * should try to create pathToNameList as CertNameConstraints * then call the existing check function. */ PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace (state->pathToNameList, nameConstraints, &checkPassed, plContext), PKIX_CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED); if (checkPassed != PKIX_TRUE) { PKIX_ERROR(PKIX_VALIDATIONFAILEDPATHTONAMECHECKFAILED); } } PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames (cert, &certSubjAltNames, plContext), PKIX_CERTGETSUBJALTNAMESFAILED); if (state->subjAltNameList != NULL && certSubjAltNames != NULL) { PKIX_CHECK(PKIX_List_GetLength (state->subjAltNameList, &numItems, plContext), PKIX_LISTGETLENGTHFAILED); for (i = 0; i < numItems; i++) { PKIX_CHECK(PKIX_List_GetItem (state->subjAltNameList, i, (PKIX_PL_Object **) &name, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_List_Contains (certSubjAltNames, (PKIX_PL_Object *) name, &checkPassed, plContext), PKIX_LISTCONTAINSFAILED); PKIX_DECREF(name); if (checkPassed == PKIX_TRUE) { if (state->subjAltNameMatchAll == PKIX_FALSE) { matchCount = numItems; break; } else { /* else continue checking next */ matchCount++; } } } if (matchCount != numItems) { PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED); } } if (state->certsRemaining == 0) { if (state->certSelector != NULL) { PKIX_CHECK(PKIX_CertSelector_GetMatchCallback (state->certSelector, &certSelectorMatch, plContext), PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); PKIX_CHECK(certSelectorMatch (state->certSelector, cert, plContext), PKIX_CERTSELECTORMATCHFAILED); } else { /* Check at least cert/key usages if target cert selector * is not set. */ PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_FALSE /* is chain cert*/, plContext), PKIX_CERTVERIFYCERTTYPEFAILED); } /* * There are two Extended Key Usage Checkings * available : * 1) here at the targetcertchecker where we * verify the Extended Key Usage OIDs application * specifies via ComCertSelParams are included * in Cert's Extended Key Usage OID's. Note, * this is an OID to OID comparison and only last * Cert is checked. * 2) at user defined ekuchecker where checking * is applied to all Certs on the chain and * the NSS Extended Key Usage algorithm is * used. In order to invoke this checking, not * only does the ComCertSelparams needs to be * set, the EKU initialize call is required to * activate the checking. * * XXX We use the same ComCertSelParams Set/Get * functions to set the parameters for both cases. * We may want to separate them in the future. */ PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage (cert, &certExtKeyUsageList, plContext), PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); if (state->extKeyUsageList != NULL && certExtKeyUsageList != NULL) { PKIX_CHECK(PKIX_List_GetLength (state->extKeyUsageList, &numItems, plContext), PKIX_LISTGETLENGTHFAILED); for (i = 0; i < numItems; i++) { PKIX_CHECK(PKIX_List_GetItem (state->extKeyUsageList, i, (PKIX_PL_Object **) &name, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_List_Contains (certExtKeyUsageList, (PKIX_PL_Object *) name, &checkPassed, plContext), PKIX_LISTCONTAINSFAILED); PKIX_DECREF(name); if (checkPassed != PKIX_TRUE) { PKIX_ERROR (PKIX_EXTENDEDKEYUSAGECHECKINGFAILED); } } } } else { /* Check key usage and cert type based on certificate usage. */ PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_TRUE, plContext), PKIX_CERTVERIFYCERTTYPEFAILED); } /* Remove Critical Extension OID from list */ if (unresolvedCriticalExtensions != NULL) { PKIX_CHECK(pkix_List_Remove (unresolvedCriticalExtensions, (PKIX_PL_Object *) state->extKeyUsageOID, plContext), PKIX_LISTREMOVEFAILED); PKIX_CHECK(PKIX_PL_Cert_GetSubject (cert, &certSubjectName, plContext), PKIX_CERTGETSUBJECTFAILED); if (certSubjAltNames != NULL) { PKIX_CHECK(pkix_List_Remove (unresolvedCriticalExtensions, (PKIX_PL_Object *) state->subjAltNameOID, plContext), PKIX_LISTREMOVEFAILED); } } cleanup: PKIX_DECREF(name); PKIX_DECREF(nameConstraints); PKIX_DECREF(certSubjAltNames); PKIX_DECREF(certExtKeyUsageList); PKIX_DECREF(certSubjectName); PKIX_DECREF(state); PKIX_RETURN(CERTCHAINCHECKER); }