BERParse * BER_ParseInit(PLArenaPool *arena, PRBool derOnly) { BERParse *h; PLArenaPool *temp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (temp == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } h = PORT_ArenaAlloc(temp, sizeof(BERParse)); if (h == NULL) { PORT_FreeArena(temp, PR_FALSE); PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } h->his = arena; h->mine = temp; h->proc = ParseTag; h->stackDepth = 20; h->stack = PORT_ArenaZAlloc(h->mine, sizeof(ParseStackElem) * h->stackDepth); h->stackPtr = h->stack; h->state = notDone; h->pos = 0; h->keepLeaves = PR_TRUE; h->before = NULL; h->after = NULL; h->filter = NULL; h->derOnly = derOnly; return h; }
NSS_IMPLEMENT PRStatus nssDecodedPKIXCertificate_Destroy ( nssDecodedCert *dc ) { CERTCertificate *cert = (CERTCertificate *)dc->data; /* The decoder may only be half initialized (the case where we find we * could not decode the certificate). In this case, there is not cert to * free, just free the dc structure. */ if (cert) { PRBool freeSlot = cert->ownSlot; PK11SlotInfo *slot = cert->slot; PLArenaPool *arena = cert->arena; /* zero cert before freeing. Any stale references to this cert * after this point will probably cause an exception. */ PORT_Memset(cert, 0, sizeof *cert); /* free the arena that contains the cert. */ PORT_FreeArena(arena, PR_FALSE); if (slot && freeSlot) { PK11_FreeSlot(slot); } } nss_ZFreeIf(dc); return PR_SUCCESS; }
OSStatus sslDecodeRsaBlob( const SSLBuffer *blob, /* PKCS-1 encoded */ SSLBuffer *modulus, /* data mallocd and RETURNED */ SSLBuffer *exponent) /* data mallocd and RETURNED */ { SECStatus rv; OSStatus srtn; NSS_RSAPublicKeyPKCS1 nssPubKey = {}; PLArenaPool *pool; assert(blob != NULL); assert(modulus != NULL); assert(exponent != NULL); /* DER-decode the blob */ pool = PORT_NewArena(CHUNKSIZE_DEF); rv = SEC_ASN1Decode(pool, &nssPubKey, kSecAsn1RSAPublicKeyPKCS1Template, (const char *)blob->data, blob->length); if (rv != SECSuccess) srtn = errSSLBadCert; else { /* malloc & copy components */ srtn = SSLCopyBufferFromData(nssPubKey.modulus.Data, nssPubKey.modulus.Length, modulus); if(!srtn) { srtn = SSLCopyBufferFromData(nssPubKey.publicExponent.Data, nssPubKey.publicExponent.Length, exponent); } } PORT_FreeArena(pool, PR_TRUE); return srtn; }
/* * Given a prime and generator, cook up a BER-encoded DHParameter blob. */ OSStatus sslEncodeDhParams( const SSLBuffer *prime, const SSLBuffer *generator, SSLBuffer *blob) /* data mallocd and RETURNED */ { PLArenaPool *pool; OSStatus srtn; SECItem *encBlob, dest = {}; NSS_DHParameter dhParams; assert((prime != NULL) && (generator != NULL)); /* convert to NSS_DHParameter */ SSLBUF_TO_SECITEM(prime, &dhParams.prime); SSLBUF_TO_SECITEM(generator, &dhParams.base); dhParams.privateValueLength.Data = NULL; dhParams.privateValueLength.Length = 0; /* DER encode */ pool = PORT_NewArena(CHUNKSIZE_DEF); encBlob = SEC_ASN1EncodeItem(pool, &dest, &dhParams, kSecAsn1DHParameterTemplate); if (!encBlob) srtn = memFullErr; else { /* copy out to caller */ srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob); } PORT_FreeArena(pool, PR_TRUE); return srtn; }
/* * Given a raw modulus and exponent, cook up a * BER-encoded RSA public key blob. */ OSStatus sslEncodeRsaBlob( const SSLBuffer *modulus, const SSLBuffer *exponent, SSLBuffer *blob) /* data mallocd and RETURNED */ { PLArenaPool *pool; OSStatus srtn; SECItem *encBlob, dest = {}; NSS_RSAPublicKeyPKCS1 nssPubKey; assert((modulus != NULL) && (exponent != NULL)); /* convert to NSS_RSAPublicKeyPKCS1 */ SSLBUF_TO_SECITEM(modulus, &nssPubKey.modulus); SSLBUF_TO_SECITEM(exponent, &nssPubKey.publicExponent); /* DER encode */ pool = PORT_NewArena(CHUNKSIZE_DEF); encBlob = SEC_ASN1EncodeItem(pool, &dest, &nssPubKey, kSecAsn1RSAPublicKeyPKCS1Template); if (!encBlob) srtn = memFullErr; else { /* copy out to caller */ srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob); } PORT_FreeArena(pool, PR_TRUE); return srtn; }
/* free pfx structure and associated items in the arena */ void SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx) { if (pfx != NULL && pfx->poolp != NULL) { PORT_FreeArena(pfx->poolp, PR_TRUE); } }
SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, SECItem *nickname, SECItem *publicValue, PRBool isPerm, PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk, void *wincx) { SECKEYPrivateKeyInfo *pki = NULL; PLArenaPool *temparena = NULL; SECStatus rv = SECFailure; temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!temparena) return rv; pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo); if (!pki) { PORT_FreeArena(temparena, PR_FALSE); return rv; } pki->arena = temparena; rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate, derPKI); if (rv != SECSuccess) { /* If SEC_ASN1DecodeItem fails, we cannot assume anything about the * validity of the data in pki. The best we can do is free the arena * and return. */ PORT_FreeArena(temparena, PR_TRUE); return rv; } if (pki->privateKey.data == NULL) { /* If SEC_ASN1DecodeItems succeeds but SECKEYPrivateKeyInfo.privateKey * is a zero-length octet string, free the arena and return a failure * to avoid trying to zero the corresponding SECItem in * SECKEY_DestroyPrivateKeyInfo(). */ PORT_FreeArena(temparena, PR_TRUE); PORT_SetError(SEC_ERROR_BAD_KEY); return SECFailure; } rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname, publicValue, isPerm, isPrivate, keyUsage, privk, wincx); /* this zeroes the key and frees the arena */ SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/); return rv; }
CERTUserNotice * CERT_DecodeUserNotice(SECItem *noticeItem) { PLArenaPool *arena = NULL; SECStatus rv; CERTUserNotice *userNotice; SECItem newNoticeItem; /* make a new arena */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if ( !arena ) { goto loser; } /* allocate the userNotice structure */ userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena, sizeof(CERTUserNotice)); if ( userNotice == NULL ) { goto loser; } userNotice->arena = arena; /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem); if ( rv != SECSuccess ) { goto loser; } /* decode the user notice */ rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, &newNoticeItem); if ( rv != SECSuccess ) { goto loser; } if (userNotice->derNoticeReference.data != NULL) { rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference, CERT_NoticeReferenceTemplate, &userNotice->derNoticeReference); if (rv == SECFailure) { goto loser; } } return(userNotice); loser: if ( arena != NULL ) { PORT_FreeArena(arena, PR_FALSE); } return(NULL); }
CERTCertNicknames * CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx) { PLArenaPool *arena; CERTCertNicknames *names; int i; stringNode *node; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return (NULL); } names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames)); if (names == NULL) { goto loser; } names->arena = arena; names->head = NULL; names->numnicknames = 0; names->nicknames = NULL; names->what = what; names->totallen = 0; /* make sure we are logged in */ (void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx); NSSTrustDomain_TraverseCertificates(handle, CollectNicknames, (void *)names); if (names->numnicknames) { names->nicknames = (char **)PORT_ArenaAlloc(arena, names->numnicknames * sizeof(char *)); if (names->nicknames == NULL) { goto loser; } node = (stringNode *)names->head; for (i = 0; i < names->numnicknames; i++) { PORT_Assert(node != NULL); names->nicknames[i] = node->string; names->totallen += PORT_Strlen(node->string); node = node->next; } PORT_Assert(node == NULL); } return (names); loser: PORT_FreeArena(arena, PR_FALSE); return (NULL); }
void CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies) { if ( policies != NULL ) { PORT_FreeArena(policies->arena, PR_FALSE); } return; }
SECStatus CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings) { if ( mappings != NULL ) { PORT_FreeArena(mappings->arena, PR_FALSE); } return SECSuccess; }
void CERT_DestroyUserNotice(CERTUserNotice *userNotice) { if ( userNotice != NULL ) { PORT_FreeArena(userNotice->arena, PR_FALSE); } return; }
void CERT_DestroyOidSequence(CERTOidSequence *oidSeq) { if ( oidSeq != NULL ) { PORT_FreeArena(oidSeq->arena, PR_FALSE); } return; }
SECStatus CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont) { PORT_Assert(inDecKeyCont != NULL); if (inDecKeyCont != NULL && inDecKeyCont->poolp) { PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE); } return SECSuccess; }
/* * FUNCTION: pkix_pl_OcspResponse_Destroy * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) */ static PKIX_Error * pkix_pl_OcspResponse_Destroy( PKIX_PL_Object *object, void *plContext) { PKIX_PL_OcspResponse *ocspRsp = NULL; const SEC_HttpClientFcn *httpClient = NULL; const SEC_HttpClientFcnV1 *hcv1 = NULL; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy"); PKIX_NULLCHECK_ONE(object); PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext), PKIX_OBJECTNOTANOCSPRESPONSE); ocspRsp = (PKIX_PL_OcspResponse *)object; if (ocspRsp->nssOCSPResponse != NULL) { CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse); ocspRsp->nssOCSPResponse = NULL; } if (ocspRsp->signerCert != NULL) { CERT_DestroyCertificate(ocspRsp->signerCert); ocspRsp->signerCert = NULL; } httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient); if (httpClient && (httpClient->version == 1)) { hcv1 = &(httpClient->fcnTable.ftable1); if (ocspRsp->sessionRequest != NULL) { (*hcv1->freeFcn)(ocspRsp->sessionRequest); ocspRsp->sessionRequest = NULL; } if (ocspRsp->serverSession != NULL) { (*hcv1->freeSessionFcn)(ocspRsp->serverSession); ocspRsp->serverSession = NULL; } } if (ocspRsp->arena != NULL) { PORT_FreeArena(ocspRsp->arena, PR_FALSE); ocspRsp->arena = NULL; } PKIX_DECREF(ocspRsp->producedAtDate); PKIX_DECREF(ocspRsp->pkixSignerCert); PKIX_DECREF(ocspRsp->request); cleanup: PKIX_RETURN(OCSPRESPONSE); }
void SGN_DestroyDigestInfo(SGNDigestInfo *di) { if (di && di->arena) { PORT_FreeArena(di->arena, PR_FALSE); } return; }
SECStatus CERT_DecodePolicyConstraintsExtension (CERTCertificatePolicyConstraints *decodedValue, const SECItem *encodedValue) { CERTCertificatePolicyConstraints decodeContext; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; /* initialize so we can tell when an optional component is omitted */ PORT_Memset(&decodeContext, 0, sizeof(decodeContext)); /* make a new arena */ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (!arena) { return SECFailure; } do { /* decode the policy constraints */ rv = SEC_QuickDERDecodeItem(arena, &decodeContext, CERT_PolicyConstraintsTemplate, encodedValue); if ( rv != SECSuccess ) { break; } if (decodeContext.explicitPolicySkipCerts.len == 0) { *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1; } else { *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = DER_GetInteger(&decodeContext.explicitPolicySkipCerts); } if (decodeContext.inhibitMappingSkipCerts.len == 0) { *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1; } else { *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = DER_GetInteger(&decodeContext.inhibitMappingSkipCerts); } if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data == PR_INT32_MIN) || (*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data == PR_INT32_MAX) || (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data == PR_INT32_MIN) || (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data == PR_INT32_MAX)) { rv = SECFailure; } } while (0); PORT_FreeArena(arena, PR_FALSE); return(rv); }
void SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx) { /* * XXX anything else that needs to be finished? */ PORT_FreeArena (cx->our_pool, PR_FALSE); }
SECStatus CERT_DecodeBasicConstraintValue (CERTBasicConstraints *value, SECItem *encodedValue) { EncodedContext decodeContext; PRArenaPool *our_pool; SECStatus rv = SECSuccess; do { PORT_Memset (&decodeContext, 0, sizeof (decodeContext)); /* initialize the value just in case we got "0x30 00", or when the pathLenConstraint is omitted. */ decodeContext.isCA.data =&hexFalse; decodeContext.isCA.len = 1; our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE); if (our_pool == NULL) { PORT_SetError (SEC_ERROR_NO_MEMORY); GEN_BREAK (SECFailure); } rv = SEC_QuickDERDecodeItem (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue); if (rv == SECFailure) break; value->isCA = decodeContext.isCA.data ? (PRBool)(decodeContext.isCA.data[0] != 0) : PR_FALSE; if (decodeContext.pathLenConstraint.data == NULL) { /* if the pathLenConstraint is not encoded, and the current setting is CA, then the pathLenConstraint should be set to a negative number for unlimited certificate path. */ if (value->isCA) value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT; } else if (value->isCA) { long len = DER_GetInteger (&decodeContext.pathLenConstraint); if (len < 0 || len == LONG_MAX) { PORT_SetError (SEC_ERROR_BAD_DER); GEN_BREAK (SECFailure); } value->pathLenConstraint = len; } else { /* here we get an error where the subject is not a CA, but the pathLenConstraint is set */ PORT_SetError (SEC_ERROR_BAD_DER); GEN_BREAK (SECFailure); break; } } while (0); PORT_FreeArena (our_pool, PR_FALSE); return (rv); }
int sv_PrintSignedData(FILE *out, SECItem *der, char *m, SECU_PPFunc inner) { PLArenaPool *arena = NULL; CERTSignedData *sd; int rv; /* Strip off the signature */ sd = (CERTSignedData *)PORT_ZAlloc(sizeof(CERTSignedData)); if (!sd) return PORT_GetError(); arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) return SEC_ERROR_NO_MEMORY; rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), der); if (rv) { PORT_FreeArena(arena, PR_FALSE); return rv; } /* fprintf(out, "%s:\n", m); */ PORT_Strcat(m, "data."); rv = (*inner)(out, &sd->data, m, 0); if (rv) { PORT_FreeArena(arena, PR_FALSE); return rv; } m[PORT_Strlen(m) - 5] = 0; fprintf(out, "%s", m); sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm="); DER_ConvertBitString(&sd->signature); fprintf(out, "%s", m); sv_PrintAsHex(out, &sd->signature, "signature="); PORT_FreeArena(arena, PR_FALSE); return 0; }
static CERTSignedCrl * FindCRL(CERTCertDBHandle *certHandle, char *name, int type) { CERTSignedCrl *crl = NULL; CERTCertificate *cert = NULL; SECItem derName; derName.data = NULL; derName.len = 0; cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name); if (!cert) { CERTName *certName = NULL; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; certName = CERT_AsciiToName(name); if (certName) { arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena) { SECItem *nameItem = SEC_ASN1EncodeItem(arena, NULL, (void *)certName, SEC_ASN1_GET(CERT_NameTemplate)); if (nameItem) { rv = SECITEM_CopyItem(NULL, &derName, nameItem); } PORT_FreeArena(arena, PR_FALSE); } CERT_DestroyName(certName); } if (rv != SECSuccess) { SECU_PrintError(progName, "SECITEM_CopyItem failed, out of memory"); return ((CERTSignedCrl *)NULL); } if (!derName.len || !derName.data) { SECU_PrintError(progName, "could not find certificate named '%s'", name); return ((CERTSignedCrl *)NULL); } } else { SECITEM_CopyItem(NULL, &derName, &cert->derSubject); CERT_DestroyCertificate(cert); } crl = SEC_FindCrlByName(certHandle, &derName, type); if (crl == NULL) SECU_PrintError(progName, "could not find %s's CRL", name); if (derName.data) { SECITEM_FreeItem(&derName, PR_FALSE); } return (crl); }
/* * Given a DER encoded DHParameterBlock, extract the prime and generator. * modulus and public exponent. * This will work with either PKCS-1 encoded DHParameterBlock or * openssl-style DHParameter. */ OSStatus sslDecodeDhParams( const SSLBuffer *blob, /* PKCS-1 encoded */ SSLBuffer *prime, /* data mallocd and RETURNED */ SSLBuffer *generator) /* data mallocd and RETURNED */ { SECStatus rv; OSStatus srtn; NSS_DHParameterBlock paramBlock = {}; PLArenaPool *pool; assert(blob != NULL); assert(prime != NULL); assert(generator != NULL); pool = PORT_NewArena(CHUNKSIZE_DEF); /* * Since the common case here is to decode a parameter block coming * over the wire, which is in openssl format, let's try that format first. */ rv = SEC_ASN1Decode(pool, ¶mBlock.params, kSecAsn1DHParameterTemplate, (const char *)blob->data, blob->length); if (rv != SECSuccess) { /* * OK, that failed when trying as a CDSA_formatted parameter * block DHParameterBlock). Openssl uses a subset of that, * a DHParameter. Try that instead. */ memset(¶mBlock, 0, sizeof(paramBlock)); rv = SEC_ASN1Decode(pool, ¶mBlock, kSecAsn1DHParameterBlockTemplate, (const char *)blob->data, blob->length); } if (rv != SECSuccess) { /* Ah well, we tried. */ sslErrorLog("sslDecodeDhParams: both CDSA and openssl format" "failed\n"); srtn = errSSLCrypto; } else { /* copy out components */ srtn = SSLCopyBufferFromData(paramBlock.params.prime.Data, paramBlock.params.prime.Length, prime); if(!srtn) { srtn = SSLCopyBufferFromData(paramBlock.params.base.Data, paramBlock.params.base.Length, generator); } } PORT_FreeArena(pool, PR_TRUE); return srtn; }
void check(PLArenaPool *arena, const char b64[], const char s[], const char sName[], bool url) { void *mark = NULL; SECItem *b64Item; mark = PORT_ArenaMark(arena); b64Item = SECITEM_AllocItem(arena, NULL, strlen(b64)); if(b64Item == NULL){ printf(">>> Couldn't allocate memore, SECITEM_AllocItem failed.\n"); } strncpy(b64Item->data, b64, b64Item->len); SECItem b64Decoded; PORT_Memset(&b64Decoded, 0, sizeof(b64Decoded)); if (url) { #ifdef NSS_B64_URL_TEST if (!NSSBase64_URL_DecodeBuffer(arena, &b64Decoded, b64Item->data, b64Item->len)) { PORT_FreeArena(arena, 0); printf(">>> Couldn't b64decode, NSSBase64_DecodeBuffer failed (URL).\n"); return; } #endif } else { if (!NSSBase64_DecodeBuffer(arena, &b64Decoded, b64Item->data, b64Item->len)) { PORT_FreeArena(arena, 0); printf(">>> Couldn't b64decode, NSSBase64_DecodeBuffer failed.\n"); return; } } if (strcmp(s,b64Decoded.data) != 0) { printf(">>> DECODING ERROR (%s):/\n>>> expected:\n%s\ngot:\n", sName, s); printf("%.*s---\n---", b64Decoded.len, b64Decoded.data); } else { printf("Successful decoded %s string\n", sName); } PORT_ArenaUnmark(arena, mark); }
CERTCertificateList* hack_NewCertificateListFromCertList(CERTCertList* list) { CERTCertificateList * chain = NULL; PLArenaPool * arena = NULL; CERTCertListNode * node; int len; if (CERT_LIST_EMPTY(list)) goto loser; arena = PORT_NewArena(4096); if (arena == NULL) goto loser; for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list); len++, node = CERT_LIST_NEXT(node)) { } chain = PORT_ArenaNew(arena, CERTCertificateList); if (chain == NULL) goto loser; chain->certs = PORT_ArenaNewArray(arena, SECItem, len); if (!chain->certs) goto loser; chain->len = len; for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list); len++, node = CERT_LIST_NEXT(node)) { // Check to see if the last cert to be sent is a self-signed cert, // and if so, omit it from the list of certificates. However, if // there is only one cert (len == 0), include the cert, as it means // the EE cert is self-signed. if (len > 0 && (len == chain->len - 1) && node->cert->isRoot) { chain->len = len; break; } SECITEM_CopyItem(arena, &chain->certs[len], &node->cert->derCert); } chain->arena = arena; return chain; loser: if (arena) { PORT_FreeArena(arena, PR_FALSE); } return NULL; }
CERTDistNames * CERT_DistNamesFromCertList(CERTCertList *certList) { CERTDistNames *dnames = NULL; PLArenaPool *arena; CERTCertListNode *node = NULL; SECItem *names = NULL; int listLen = 0, i = 0; if (certList == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } node = CERT_LIST_HEAD(certList); while (!CERT_LIST_END(node, certList)) { listLen += 1; node = CERT_LIST_NEXT(node); } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) goto loser; dnames = PORT_ArenaZNew(arena, CERTDistNames); if (dnames == NULL) goto loser; dnames->arena = arena; dnames->nnames = listLen; dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, listLen); if (names == NULL) goto loser; node = CERT_LIST_HEAD(certList); while (!CERT_LIST_END(node, certList)) { CERTCertificate *cert = node->cert; SECStatus rv = SECITEM_CopyItem(arena, &names[i++], &cert->derSubject); if (rv == SECFailure) { goto loser; } node = CERT_LIST_NEXT(node); } return dnames; loser: if (arena) { PORT_FreeArena(arena, PR_FALSE); } return NULL; }
void cms_context_fini(cms_context *ctx) { if (ctx->cert) { CERT_DestroyCertificate(ctx->cert); ctx->cert = NULL; } if (ctx->privkey) { free(ctx->privkey); ctx->privkey = NULL; } if (ctx->pe_digest) { free_poison(ctx->pe_digest->data, ctx->pe_digest->len); /* XXX sure seems like we should be freeing it here, but * that's segfaulting, and we know it'll get cleaned up with * PORT_FreeArena a couple of lines down. */ ctx->pe_digest = NULL; } if (ctx->ci_digest) { free_poison(ctx->ci_digest->data, ctx->ci_digest->len); /* XXX sure seems like we should be freeing it here, but * that's segfaulting, and we know it'll get cleaned up with * PORT_FreeArena a couple of lines down. */ ctx->ci_digest = NULL; } #if 0 for (int i = 0; i < ctx->num_signatures; i++) { if (ctx->signatures[i]) { if (ctx->signatures[i]->data) free(ctx->signatures[i]->data); free(ctx->signatures[i]); } } free(ctx->signatures); #endif ctx->signatures = NULL; PORT_FreeArena(ctx->arena, PR_TRUE); memset(ctx, '\0', sizeof(*ctx)); NSS_Shutdown(); }
/* * SecCmsArraySortByDER - sort array of objects by objects' DER encoding * * make sure that the order of the objects guarantees valid DER (which must be * in lexigraphically ascending order for a SET OF); if reordering is necessary it * will be done in place (in objs). */ OSStatus SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2) { PRArenaPool *poolp; int num_objs; SecAsn1Item **enc_objs; OSStatus rv = SECFailure; int i; if (objs == NULL) /* already sorted */ return SECSuccess; num_objs = SecCmsArrayCount((void **)objs); if (num_objs == 0 || num_objs == 1) /* already sorted. */ return SECSuccess; poolp = PORT_NewArena (1024); /* arena for temporaries */ if (poolp == NULL) return SECFailure; /* no memory; nothing we can do... */ /* * Allocate arrays to hold the individual encodings which we will use * for comparisons and the reordered attributes as they are sorted. */ // Security check to prevent under-allocation if (num_objs<0 || num_objs>=(int)((INT_MAX/sizeof(SecAsn1Item *))-1)) { goto loser; } enc_objs = (SecAsn1Item **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SecAsn1Item *)); if (enc_objs == NULL) goto loser; /* DER encode each individual object. */ for (i = 0; i < num_objs; i++) { enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate); if (enc_objs[i] == NULL) goto loser; } enc_objs[num_objs] = NULL; /* now compare and sort objs by the order of enc_objs */ SecCmsArraySort((void **)enc_objs, SecCmsUtilDERCompare, objs, objs2); rv = SECSuccess; loser: PORT_FreeArena (poolp, PR_FALSE); return rv; }
/* * get the value of a string type extension */ char * CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag) { SECItem wrapperItem, tmpItem = {siBuffer,0}; SECStatus rv; PLArenaPool *arena = NULL; char *retstring = NULL; wrapperItem.data = NULL; tmpItem.data = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if ( ! arena ) { goto loser; } rv = cert_FindExtension(cert->extensions, oidtag, &wrapperItem); if ( rv != SECSuccess ) { goto loser; } rv = SEC_QuickDERDecodeItem(arena, &tmpItem, SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem); if ( rv != SECSuccess ) { goto loser; } retstring = (char *)PORT_Alloc(tmpItem.len + 1 ); if ( retstring == NULL ) { goto loser; } PORT_Memcpy(retstring, tmpItem.data, tmpItem.len); retstring[tmpItem.len] = '\0'; loser: if ( arena ) { PORT_FreeArena(arena, PR_FALSE); } if ( wrapperItem.data ) { PORT_Free(wrapperItem.data); } return(retstring); }
static bool cert_issuer_has_current_crl(CERTCertDBHandle *handle, CERTCertificate *cert) { bool res = FALSE; CERTSignedCrl *crl = get_issuer_crl(handle, cert); if (crl != NULL) { res = crl_is_current(crl); if (crl->arena != NULL) { PORT_FreeArena(crl->arena, PR_FALSE); } } return res; }
void ssl3_DestroyExtensionData(TLSExtensionData *xtnData) { ssl3_FreeSniNameArray(xtnData); PORT_Free(xtnData->sigSchemes); SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); tls13_DestroyKeyShares(&xtnData->remoteKeyShares); SECITEM_FreeItem(&xtnData->certReqContext, PR_FALSE); SECITEM_FreeItem(&xtnData->applicationToken, PR_FALSE); if (xtnData->certReqAuthorities.arena) { PORT_FreeArena(xtnData->certReqAuthorities.arena, PR_FALSE); xtnData->certReqAuthorities.arena = NULL; } PORT_Free(xtnData->advertised); }