/*
 * Print a certificatePolicies extension value, optionally under a heading.
 *
 * out   - destination stream.
 * value - DER-encoded extension value, decoded with
 *         secu_DecodeCertificatePoliciesExtension().
 * msg   - optional heading; when non-NULL it is printed first and the body
 *         is indented one level deeper.
 * level - indentation level passed to the secu_/SECU_ print helpers.
 *
 * A value that fails to decode is dumped raw via SECU_PrintAny() under the
 * label "Invalid Policy Data" instead of being printed structurally.
 */
void
SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level)
{
    if (msg != NULL) {
        SECU_Indent(out, level);
        fprintf(out, "%s: \n", msg);
        level++;
    }

    CERTCertificatePolicies *decoded = secu_DecodeCertificatePoliciesExtension(value);
    if (!decoded) {
        SECU_PrintAny(out, value, "Invalid Policy Data", level);
        return;
    }

    /* policyInfos is a NULL-terminated array; also tolerate a missing array. */
    for (CERTPolicyInfo **info = decoded->policyInfos; info != NULL && *info != NULL; info++) {
        secu_PrintPolicyInfo(out, *info, "", level);
    }

    CERT_DestroyCertificatePoliciesExtension(decoded);
}
// Find the first policy OID that is known to be an EV policy OID. SECStatus GetFirstEVPolicy(CERTCertificate* cert, /*out*/ mozilla::pkix::CertPolicyId& policy, /*out*/ SECOidTag& policyOidTag) { if (!cert) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; } if (cert->extensions) { for (int i=0; cert->extensions[i]; i++) { const SECItem* oid = &cert->extensions[i]->id; SECOidTag oidTag = SECOID_FindOIDTag(oid); if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES) continue; SECItem* value = &cert->extensions[i]->value; CERTCertificatePolicies* policies; CERTPolicyInfo** policyInfos; policies = CERT_DecodeCertificatePoliciesExtension(value); if (!policies) continue; policyInfos = policies->policyInfos; bool found = false; while (*policyInfos) { const CERTPolicyInfo* policyInfo = *policyInfos++; SECOidTag oid_tag = policyInfo->oid; if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) { const SECOidData* oidData = SECOID_FindOIDByTag(oid_tag); PR_ASSERT(oidData); PR_ASSERT(oidData->oid.data); PR_ASSERT(oidData->oid.len > 0); PR_ASSERT(oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES); if (oidData && oidData->oid.data && oidData->oid.len > 0 && oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES) { policy.numBytes = static_cast<uint16_t>(oidData->oid.len); memcpy(policy.bytes, oidData->oid.data, policy.numBytes); policyOidTag = oid_tag; found = true; } break; } } CERT_DestroyCertificatePoliciesExtension(policies); if (found) { return SECSuccess; } } } PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0); return SECFailure; }
// Find the first policy OID that is known to be an EV policy OID. SECStatus GetFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag) { if (!cert) return SECFailure; if (cert->extensions) { for (int i=0; cert->extensions[i]; i++) { const SECItem* oid = &cert->extensions[i]->id; SECOidTag oidTag = SECOID_FindOIDTag(oid); if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES) continue; SECItem* value = &cert->extensions[i]->value; CERTCertificatePolicies* policies; CERTPolicyInfo** policyInfos; policies = CERT_DecodeCertificatePoliciesExtension(value); if (!policies) continue; policyInfos = policies->policyInfos; bool found = false; while (*policyInfos) { const CERTPolicyInfo* policyInfo = *policyInfos++; SECOidTag oid_tag = policyInfo->oid; if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) { // in our list of OIDs accepted for EV outOidTag = oid_tag; found = true; break; } } CERT_DestroyCertificatePoliciesExtension(policies); if (found) return SECSuccess; } } return SECFailure; }
/*
 * Return a human-readable comment string for a certificate, or NULL if it
 * carries none.
 *
 * The certificatePolicies extension is searched for the Verisign
 * user-notices policy and, within it, a PKIX user-notice qualifier; the
 * qualifier text is returned via stringFromUserNotice(). If that yields
 * nothing (extension absent, undecodable, or no such qualifier), the
 * Netscape comment extension is used instead. A non-NULL result is
 * line-wrapped with breakLines() before being returned.
 *
 * The caller owns the returned string.
 */
char *
CERT_GetCertCommentString(CERTCertificate *cert)
{
    char *comment = NULL;
    SECItem policyItem;
    CERTCertificatePolicies *policies = NULL;

    policyItem.data = NULL;
    if (CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
                               &policyItem) == SECSuccess) {
        policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
    }

    if (policies != NULL) {
        CERTPolicyInfo **info;
        /* Only the Verisign user-notices policy is consulted; the first
         * occurrence ends the search whether or not it has the qualifier. */
        for (info = policies->policyInfos; *info != NULL; info++) {
            CERTPolicyQualifier **qual;
            if ((*info)->oid != SEC_OID_VERISIGN_USER_NOTICES) {
                continue;
            }
            for (qual = (*info)->policyQualifiers; qual != NULL && *qual != NULL; qual++) {
                if ((*qual)->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER) {
                    comment = stringFromUserNotice(&(*qual)->qualifierValue);
                    break;
                }
            }
            break;
        }
    }

    if (policyItem.data != NULL) {
        PORT_Free(policyItem.data);
    }
    if (policies != NULL) {
        CERT_DestroyCertificatePoliciesExtension(policies);
    }

    /* Fallback: the Netscape comment extension. */
    if (comment == NULL) {
        comment = CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_COMMENT);
    }
    if (comment != NULL) {
        breakLines(comment);
    }
    return comment;
}