// Decode one certificatePolicies extension value and look for the first
// policy OID that isEVPolicy() accepts. Returns true and fills the out
// parameters when that OID's encoded form fits in a CertPolicyId; otherwise
// returns false and leaves the out parameters untouched. The decoded
// extension is released on every path.
static bool
CopyFirstEVPolicyFromExtension(SECItem* encodedPolicies,
                               /*out*/ mozilla::pkix::CertPolicyId& policy,
                               /*out*/ SECOidTag& policyOidTag)
{
  CERTCertificatePolicies* policies =
    CERT_DecodeCertificatePoliciesExtension(encodedPolicies);
  if (!policies) {
    return false;
  }

  bool copied = false;
  for (CERTPolicyInfo** infos = policies->policyInfos; *infos; ++infos) {
    const SECOidTag tag = (*infos)->oid;
    if (tag == SEC_OID_UNKNOWN || !isEVPolicy(tag)) {
      continue;
    }

    // Only the first EV OID in this extension is considered, even when its
    // encoded form turns out to be unusable.
    const SECOidData* oidData = SECOID_FindOIDByTag(tag);
    PR_ASSERT(oidData);
    PR_ASSERT(oidData->oid.data);
    PR_ASSERT(oidData->oid.len > 0);
    PR_ASSERT(oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES);
    const bool usable =
      oidData && oidData->oid.data && oidData->oid.len > 0 &&
      oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES;
    if (usable) {
      policy.numBytes = static_cast<uint16_t>(oidData->oid.len);
      memcpy(policy.bytes, oidData->oid.data, policy.numBytes);
      policyOidTag = tag;
      copied = true;
    }
    break;
  }

  CERT_DestroyCertificatePoliciesExtension(policies);
  return copied;
}

// Find the first policy OID that is known to be an EV policy OID.
//
// Scans |cert|'s extensions in order. For every certificatePolicies extension
// that decodes, the first policy OID accepted by isEVPolicy() wins: its
// DER-encoded value is copied into |policy|, its tag into |policyOidTag|, and
// SECSuccess is returned. Fails with SEC_ERROR_INVALID_ARGS when |cert| is
// null and with SEC_ERROR_POLICY_VALIDATION_FAILED when no extension yields a
// usable EV policy.
SECStatus
GetFirstEVPolicy(CERTCertificate* cert,
                 /*out*/ mozilla::pkix::CertPolicyId& policy,
                 /*out*/ SECOidTag& policyOidTag)
{
  if (!cert) {
    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
    return SECFailure;
  }

  if (cert->extensions) {
    for (size_t i = 0; cert->extensions[i]; ++i) {
      const SECOidTag extensionTag =
        SECOID_FindOIDTag(&cert->extensions[i]->id);
      if (extensionTag != SEC_OID_X509_CERTIFICATE_POLICIES) {
        continue;
      }
      if (CopyFirstEVPolicyFromExtension(&cert->extensions[i]->value,
                                         policy, policyOidTag)) {
        return SECSuccess;
      }
    }
  }

  PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
  return SECFailure;
}
// RFC 5280 4.2.1.4. Certificate Policies
//
// "The user-initial-policy-set contains the special value any-policy if the
// user is not concerned about certificate policy."
//
// Checks that |cert| asserts |requiredPolicy|. Returns Success when the caller
// asked for anyPolicy, when |cert| is a trust anchor CA (its policies are
// decided by the TrustDomain instead), or when the decoded certificatePolicies
// extension lists |requiredPolicy| (or anyPolicy, for CA certificates only).
// Returns FatalError with SEC_ERROR_INVALID_ARGS if |requiredPolicy| is
// SEC_OID_UNKNOWN, and RecoverableError with SEC_ERROR_POLICY_VALIDATION_FAILED
// when inhibitAnyPolicy is present, the extension is absent, or no policy
// matches. A decoding failure is reported through MapSECStatus.
Result
CheckCertificatePolicies(BackCert& cert, EndEntityOrCA endEntityOrCA,
                         bool isTrustAnchor, SECOidTag requiredPolicy)
{
  if (requiredPolicy == SEC_OID_X509_ANY_POLICY) {
    return Success;
  }

  // SEC_OID_UNKNOWN is almost certainly a caller that meant "don't care";
  // refuse it loudly rather than let it silently match nothing.
  if (requiredPolicy == SEC_OID_UNKNOWN) {
    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
    return FatalError;
  }

  // Bug 989051. inhibitAnyPolicy is not handled yet, so its presence makes
  // policy evaluation fail closed.
  if (cert.encodedInhibitAnyPolicy) {
    PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
    return RecoverableError;
  }

  // Root certificates may omit the policies they are trusted for; which roots
  // are trusted for which policies is decided by the TrustDomain's
  // GetCertTrust method, not here.
  const bool isTrustedRoot = isTrustAnchor && endEntityOrCA == MustBeCA;
  if (isTrustedRoot) {
    return Success;
  }

  if (!cert.encodedCertificatePolicies) {
    PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
    return RecoverableError;
  }

  ScopedPtr<CERTCertificatePolicies, CERT_DestroyCertificatePoliciesExtension>
    policies(CERT_DecodeCertificatePoliciesExtension(
                cert.encodedCertificatePolicies));
  if (!policies) {
    return MapSECStatus(SECFailure);
  }

  // Intermediate (CA) certificates may satisfy the requirement with anyPolicy;
  // end-entity certificates must name the policy explicitly.
  const bool anyPolicySuffices = (endEntityOrCA == MustBeCA);
  const CERTPolicyInfo* const* policyInfos = policies->policyInfos;
  while (*policyInfos) {
    const SECOidTag asserted = (*policyInfos)->oid;
    if (asserted == requiredPolicy ||
        (anyPolicySuffices && asserted == SEC_OID_X509_ANY_POLICY)) {
      return Success;
    }
    ++policyInfos;
  }

  PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
  return RecoverableError;
}
// Decode one certificatePolicies extension value and return, via |outOidTag|,
// the first policy OID that isEVPolicy() accepts. Returns false (leaving
// |outOidTag| untouched) when the value does not decode or lists no EV
// policy. The decoded extension is released on every path.
static bool
FindEVPolicyTagInExtension(SECItem* encodedPolicies, SECOidTag& outOidTag)
{
  CERTCertificatePolicies* policies =
    CERT_DecodeCertificatePoliciesExtension(encodedPolicies);
  if (!policies) {
    return false;
  }

  bool found = false;
  for (CERTPolicyInfo** infos = policies->policyInfos; *infos; ++infos) {
    const SECOidTag tag = (*infos)->oid;
    if (tag != SEC_OID_UNKNOWN && isEVPolicy(tag)) {
      // First OID in our list of OIDs accepted for EV wins.
      outOidTag = tag;
      found = true;
      break;
    }
  }

  CERT_DestroyCertificatePoliciesExtension(policies);
  return found;
}

// Find the first policy OID that is known to be an EV policy OID.
//
// Walks |cert|'s extensions in order and, for each certificatePolicies
// extension that decodes, takes the first policy OID accepted by isEVPolicy().
// On success stores that tag in |outOidTag| and returns SECSuccess. Returns
// SECFailure (no error code is set) when |cert| is null, has no extensions,
// or lists no EV policy.
SECStatus
GetFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag)
{
  if (!cert) {
    return SECFailure;
  }
  if (!cert->extensions) {
    return SECFailure;
  }

  for (int i = 0; cert->extensions[i]; ++i) {
    const SECOidTag extensionTag =
      SECOID_FindOIDTag(&cert->extensions[i]->id);
    if (extensionTag != SEC_OID_X509_CERTIFICATE_POLICIES) {
      continue;
    }
    if (FindEVPolicyTagInExtension(&cert->extensions[i]->value, outOidTag)) {
      return SECSuccess;
    }
  }

  return SECFailure;
}
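// Find the first policy OID that is known to be an EV policy OID.
//
// Walks |cert|'s extensions in order; for each certificatePolicies extension
// that decodes, the first policy OID accepted by isEVPolicy() is stored in
// |outOidTag| and SECSuccess is returned. Returns SECFailure (no error code
// is set) when |cert| is null, has no extensions, or lists no EV policy.
static SECStatus getFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag)
{
  if (!cert)
    return SECFailure;

  if (!cert->extensions)
    return SECFailure;

  for (int i=0; cert->extensions[i] != nsnull; i++) {
    const SECItem *oid = &cert->extensions[i]->id;

    SECOidTag oidTag = SECOID_FindOIDTag(oid);
    if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES)
      continue;

    SECItem *value = &cert->extensions[i]->value;

    CERTCertificatePolicies *policies =
      CERT_DecodeCertificatePoliciesExtension(value);
    if (!policies)
      continue;

    // Record the match and leave the loop instead of returning from inside
    // it, so the decoded extension is destroyed on every path; the previous
    // early return leaked |policies| whenever an EV policy was found.
    bool found = false;
    for (CERTPolicyInfo **policyInfos = policies->policyInfos;
         *policyInfos != NULL; ++policyInfos) {
      SECOidTag oid_tag = SECOID_FindOIDTag(&(*policyInfos)->policyID);
      if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
        continue;

      if (!isEVPolicy(oid_tag))
        continue;

      outOidTag = oid_tag;
      found = true;
      break;
    }

    CERT_DestroyCertificatePoliciesExtension(policies);
    if (found)
      return SECSuccess;
  }

  return SECFailure;
}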
/*
 * Return the user notice text from the first policyInfo carrying the
 * SEC_OID_VERISIGN_USER_NOTICES OID, or NULL if there is none. Only that
 * first policyInfo is examined, and within it only the first qualifier with
 * SEC_OID_PKIX_USER_NOTICE_QUALIFIER; |policies| is not released here.
 */
static char *
userNoticeFromPolicies(CERTCertificatePolicies *policies)
{
    CERTPolicyInfo **policyInfos;
    CERTPolicyQualifier **policyQualifiers;

    for (policyInfos = policies->policyInfos; *policyInfos != NULL;
         policyInfos++) {
        if ((*policyInfos)->oid != SEC_OID_VERISIGN_USER_NOTICES) {
            continue;
        }
        for (policyQualifiers = (*policyInfos)->policyQualifiers;
             policyQualifiers != NULL && *policyQualifiers != NULL;
             policyQualifiers++) {
            if ((*policyQualifiers)->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER) {
                return stringFromUserNotice(&(*policyQualifiers)->qualifierValue);
            }
        }
        /* only the first matching policyInfo is ever considered */
        return NULL;
    }
    return NULL;
}

/*
 * Return the certificate's comment text, or NULL if it has none.
 *
 * The text comes from the user notice qualifier of the
 * SEC_OID_VERISIGN_USER_NOTICES policy in the certificatePolicies extension;
 * failing that, from the SEC_OID_NS_CERT_EXT_COMMENT extension. breakLines()
 * is applied to whichever string is returned. NOTE(review): the returned
 * string appears to be heap-allocated by stringFromUserNotice /
 * CERT_FindNSStringExtension and owned by the caller -- confirm against those.
 */
char *
CERT_GetCertCommentString(CERTCertificate *cert)
{
    char *retstring = NULL;
    SECItem policyItem;
    CERTCertificatePolicies *policies = NULL;

    policyItem.data = NULL;

    if (CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
                               &policyItem) == SECSuccess) {
        policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
        if (policies != NULL) {
            retstring = userNoticeFromPolicies(policies);
        }
    }

    /* policyItem.data is released whenever it was set, even if the
     * extension lookup reported failure */
    if (policyItem.data != NULL) {
        PORT_Free(policyItem.data);
    }
    if (policies != NULL) {
        CERT_DestroyCertificatePoliciesExtension(policies);
    }

    if (retstring == NULL) {
        retstring = CERT_FindNSStringExtension(cert,
                                               SEC_OID_NS_CERT_EXT_COMMENT);
    }
    if (retstring != NULL) {
        breakLines(retstring);
    }

    return retstring;
}