BERParse *
BER_ParseInit(PLArenaPool *arena, PRBool derOnly)
{
BERParse *h;
PLArenaPool *temp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (temp == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
h = PORT_ArenaAlloc(temp, sizeof(BERParse));
if (h == NULL) {
PORT_FreeArena(temp, PR_FALSE);
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
h->his = arena;
h->mine = temp;
h->proc = ParseTag;
h->stackDepth = 20;
h->stack = PORT_ArenaZAlloc(h->mine,
sizeof(ParseStackElem) * h->stackDepth);
h->stackPtr = h->stack;
h->state = notDone;
h->pos = 0;
h->keepLeaves = PR_TRUE;
h->before = NULL;
h->after = NULL;
h->filter = NULL;
h->derOnly = derOnly;
return h;
}
NSS_IMPLEMENT PRStatus
nssDecodedPKIXCertificate_Destroy (
nssDecodedCert *dc
)
{
CERTCertificate *cert = (CERTCertificate *)dc->data;
/* The decoder may only be half initialized (the case where we find we
* could not decode the certificate). In this case, there is not cert to
* free, just free the dc structure. */
if (cert) {
PRBool freeSlot = cert->ownSlot;
PK11SlotInfo *slot = cert->slot;
PLArenaPool *arena = cert->arena;
/* zero cert before freeing. Any stale references to this cert
* after this point will probably cause an exception. */
PORT_Memset(cert, 0, sizeof *cert);
/* free the arena that contains the cert. */
PORT_FreeArena(arena, PR_FALSE);
if (slot && freeSlot) {
PK11_FreeSlot(slot);
}
}
nss_ZFreeIf(dc);
return PR_SUCCESS;
}
OSStatus sslDecodeRsaBlob(
const SSLBuffer *blob, /* PKCS-1 encoded */
SSLBuffer *modulus, /* data mallocd and RETURNED */
SSLBuffer *exponent) /* data mallocd and RETURNED */
{
SECStatus rv;
OSStatus srtn;
NSS_RSAPublicKeyPKCS1 nssPubKey = {};
PLArenaPool *pool;
assert(blob != NULL);
assert(modulus != NULL);
assert(exponent != NULL);
/* DER-decode the blob */
pool = PORT_NewArena(CHUNKSIZE_DEF);
rv = SEC_ASN1Decode(pool, &nssPubKey,
kSecAsn1RSAPublicKeyPKCS1Template, (const char *)blob->data, blob->length);
if (rv != SECSuccess)
srtn = errSSLBadCert;
else {
/* malloc & copy components */
srtn = SSLCopyBufferFromData(nssPubKey.modulus.Data,
nssPubKey.modulus.Length, modulus);
if(!srtn) {
srtn = SSLCopyBufferFromData(nssPubKey.publicExponent.Data,
nssPubKey.publicExponent.Length, exponent);
}
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
/*
* Given a prime and generator, cook up a BER-encoded DHParameter blob.
*/
OSStatus sslEncodeDhParams(
const SSLBuffer *prime,
const SSLBuffer *generator,
SSLBuffer *blob) /* data mallocd and RETURNED */
{
PLArenaPool *pool;
OSStatus srtn;
SECItem *encBlob, dest = {};
NSS_DHParameter dhParams;
assert((prime != NULL) && (generator != NULL));
/* convert to NSS_DHParameter */
SSLBUF_TO_SECITEM(prime, &dhParams.prime);
SSLBUF_TO_SECITEM(generator, &dhParams.base);
dhParams.privateValueLength.Data = NULL;
dhParams.privateValueLength.Length = 0;
/* DER encode */
pool = PORT_NewArena(CHUNKSIZE_DEF);
encBlob = SEC_ASN1EncodeItem(pool, &dest, &dhParams,
kSecAsn1DHParameterTemplate);
if (!encBlob)
srtn = memFullErr;
else {
/* copy out to caller */
srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob);
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
/*
* Given a raw modulus and exponent, cook up a
* BER-encoded RSA public key blob.
*/
OSStatus sslEncodeRsaBlob(
const SSLBuffer *modulus,
const SSLBuffer *exponent,
SSLBuffer *blob) /* data mallocd and RETURNED */
{
PLArenaPool *pool;
OSStatus srtn;
SECItem *encBlob, dest = {};
NSS_RSAPublicKeyPKCS1 nssPubKey;
assert((modulus != NULL) && (exponent != NULL));
/* convert to NSS_RSAPublicKeyPKCS1 */
SSLBUF_TO_SECITEM(modulus, &nssPubKey.modulus);
SSLBUF_TO_SECITEM(exponent, &nssPubKey.publicExponent);
/* DER encode */
pool = PORT_NewArena(CHUNKSIZE_DEF);
encBlob = SEC_ASN1EncodeItem(pool, &dest, &nssPubKey,
kSecAsn1RSAPublicKeyPKCS1Template);
if (!encBlob)
srtn = memFullErr;
else {
/* copy out to caller */
srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob);
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
/* free pfx structure and associated items in the arena */
void
SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx)
{
if (pfx != NULL && pfx->poolp != NULL) {
PORT_FreeArena(pfx->poolp, PR_TRUE);
}
}
SECStatus
PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI,
SECItem *nickname, SECItem *publicValue,
PRBool isPerm, PRBool isPrivate, unsigned int keyUsage,
SECKEYPrivateKey **privk, void *wincx)
{
SECKEYPrivateKeyInfo *pki = NULL;
PLArenaPool *temparena = NULL;
SECStatus rv = SECFailure;
temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!temparena)
return rv;
pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
if (!pki) {
PORT_FreeArena(temparena, PR_FALSE);
return rv;
}
pki->arena = temparena;
rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
derPKI);
if (rv != SECSuccess) {
/* If SEC_ASN1DecodeItem fails, we cannot assume anything about the
* validity of the data in pki. The best we can do is free the arena
* and return. */
PORT_FreeArena(temparena, PR_TRUE);
return rv;
}
if (pki->privateKey.data == NULL) {
/* If SEC_ASN1DecodeItems succeeds but SECKEYPrivateKeyInfo.privateKey
* is a zero-length octet string, free the arena and return a failure
* to avoid trying to zero the corresponding SECItem in
* SECKEY_DestroyPrivateKeyInfo(). */
PORT_FreeArena(temparena, PR_TRUE);
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
publicValue, isPerm, isPrivate,
keyUsage, privk, wincx);
/* this zeroes the key and frees the arena */
SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
return rv;
}
CERTUserNotice *
CERT_DecodeUserNotice(SECItem *noticeItem)
{
PLArenaPool *arena = NULL;
SECStatus rv;
CERTUserNotice *userNotice;
SECItem newNoticeItem;
/* make a new arena */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
goto loser;
}
/* allocate the userNotice structure */
userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
sizeof(CERTUserNotice));
if ( userNotice == NULL ) {
goto loser;
}
userNotice->arena = arena;
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem);
if ( rv != SECSuccess ) {
goto loser;
}
/* decode the user notice */
rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
&newNoticeItem);
if ( rv != SECSuccess ) {
goto loser;
}
if (userNotice->derNoticeReference.data != NULL) {
rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference,
CERT_NoticeReferenceTemplate,
&userNotice->derNoticeReference);
if (rv == SECFailure) {
goto loser;
}
}
return(userNotice);
loser:
if ( arena != NULL ) {
PORT_FreeArena(arena, PR_FALSE);
}
return(NULL);
}
CERTCertNicknames *
CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
{
PLArenaPool *arena;
CERTCertNicknames *names;
int i;
stringNode *node;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return (NULL);
}
names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
if (names == NULL) {
goto loser;
}
names->arena = arena;
names->head = NULL;
names->numnicknames = 0;
names->nicknames = NULL;
names->what = what;
names->totallen = 0;
/* make sure we are logged in */
(void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx);
NSSTrustDomain_TraverseCertificates(handle,
CollectNicknames, (void *)names);
if (names->numnicknames) {
names->nicknames = (char **)PORT_ArenaAlloc(arena,
names->numnicknames *
sizeof(char *));
if (names->nicknames == NULL) {
goto loser;
}
node = (stringNode *)names->head;
for (i = 0; i < names->numnicknames; i++) {
PORT_Assert(node != NULL);
names->nicknames[i] = node->string;
names->totallen += PORT_Strlen(node->string);
node = node->next;
}
PORT_Assert(node == NULL);
}
return (names);
loser:
PORT_FreeArena(arena, PR_FALSE);
return (NULL);
}
void
CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
{
if ( policies != NULL ) {
PORT_FreeArena(policies->arena, PR_FALSE);
}
return;
}
SECStatus
CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings)
{
if ( mappings != NULL ) {
PORT_FreeArena(mappings->arena, PR_FALSE);
}
return SECSuccess;
}
void
CERT_DestroyUserNotice(CERTUserNotice *userNotice)
{
if ( userNotice != NULL ) {
PORT_FreeArena(userNotice->arena, PR_FALSE);
}
return;
}
void
CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
{
if ( oidSeq != NULL ) {
PORT_FreeArena(oidSeq->arena, PR_FALSE);
}
return;
}
SECStatus
CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont)
{
PORT_Assert(inDecKeyCont != NULL);
if (inDecKeyCont != NULL && inDecKeyCont->poolp) {
PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE);
}
return SECSuccess;
}
/*
* FUNCTION: pkix_pl_OcspResponse_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_OcspResponse_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_OcspResponse *ocspRsp = NULL;
const SEC_HttpClientFcn *httpClient = NULL;
const SEC_HttpClientFcnV1 *hcv1 = NULL;
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
PKIX_OBJECTNOTANOCSPRESPONSE);
ocspRsp = (PKIX_PL_OcspResponse *)object;
if (ocspRsp->nssOCSPResponse != NULL) {
CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);
ocspRsp->nssOCSPResponse = NULL;
}
if (ocspRsp->signerCert != NULL) {
CERT_DestroyCertificate(ocspRsp->signerCert);
ocspRsp->signerCert = NULL;
}
httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);
if (httpClient && (httpClient->version == 1)) {
hcv1 = &(httpClient->fcnTable.ftable1);
if (ocspRsp->sessionRequest != NULL) {
(*hcv1->freeFcn)(ocspRsp->sessionRequest);
ocspRsp->sessionRequest = NULL;
}
if (ocspRsp->serverSession != NULL) {
(*hcv1->freeSessionFcn)(ocspRsp->serverSession);
ocspRsp->serverSession = NULL;
}
}
if (ocspRsp->arena != NULL) {
PORT_FreeArena(ocspRsp->arena, PR_FALSE);
ocspRsp->arena = NULL;
}
PKIX_DECREF(ocspRsp->producedAtDate);
PKIX_DECREF(ocspRsp->pkixSignerCert);
PKIX_DECREF(ocspRsp->request);
cleanup:
PKIX_RETURN(OCSPRESPONSE);
}
void
SGN_DestroyDigestInfo(SGNDigestInfo *di)
{
if (di && di->arena) {
PORT_FreeArena(di->arena, PR_FALSE);
}
return;
}
SECStatus
CERT_DecodePolicyConstraintsExtension
(CERTCertificatePolicyConstraints *decodedValue,
const SECItem *encodedValue)
{
CERTCertificatePolicyConstraints decodeContext;
PLArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
/* initialize so we can tell when an optional component is omitted */
PORT_Memset(&decodeContext, 0, sizeof(decodeContext));
/* make a new arena */
arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
if (!arena) {
return SECFailure;
}
do {
/* decode the policy constraints */
rv = SEC_QuickDERDecodeItem(arena,
&decodeContext, CERT_PolicyConstraintsTemplate, encodedValue);
if ( rv != SECSuccess ) {
break;
}
if (decodeContext.explicitPolicySkipCerts.len == 0) {
*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1;
} else {
*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data =
DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
}
if (decodeContext.inhibitMappingSkipCerts.len == 0) {
*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1;
} else {
*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data =
DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
}
if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
PR_INT32_MIN) ||
(*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
PR_INT32_MAX) ||
(*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
PR_INT32_MIN) ||
(*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
PR_INT32_MAX)) {
rv = SECFailure;
}
} while (0);
PORT_FreeArena(arena, PR_FALSE);
return(rv);
}
void
SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
{
/*
* XXX anything else that needs to be finished?
*/
PORT_FreeArena (cx->our_pool, PR_FALSE);
}
SECStatus CERT_DecodeBasicConstraintValue
(CERTBasicConstraints *value, SECItem *encodedValue)
{
EncodedContext decodeContext;
PRArenaPool *our_pool;
SECStatus rv = SECSuccess;
do {
PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
/* initialize the value just in case we got "0x30 00", or when the
pathLenConstraint is omitted.
*/
decodeContext.isCA.data =&hexFalse;
decodeContext.isCA.len = 1;
our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
if (our_pool == NULL) {
PORT_SetError (SEC_ERROR_NO_MEMORY);
GEN_BREAK (SECFailure);
}
rv = SEC_QuickDERDecodeItem
(our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
if (rv == SECFailure)
break;
value->isCA = decodeContext.isCA.data
? (PRBool)(decodeContext.isCA.data[0] != 0)
: PR_FALSE;
if (decodeContext.pathLenConstraint.data == NULL) {
/* if the pathLenConstraint is not encoded, and the current setting
is CA, then the pathLenConstraint should be set to a negative number
for unlimited certificate path.
*/
if (value->isCA)
value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
} else if (value->isCA) {
long len = DER_GetInteger (&decodeContext.pathLenConstraint);
if (len < 0 || len == LONG_MAX) {
PORT_SetError (SEC_ERROR_BAD_DER);
GEN_BREAK (SECFailure);
}
value->pathLenConstraint = len;
} else {
/* here we get an error where the subject is not a CA, but
the pathLenConstraint is set */
PORT_SetError (SEC_ERROR_BAD_DER);
GEN_BREAK (SECFailure);
break;
}
} while (0);
PORT_FreeArena (our_pool, PR_FALSE);
return (rv);
}
int
sv_PrintSignedData(FILE *out, SECItem *der, char *m, SECU_PPFunc inner)
{
PLArenaPool *arena = NULL;
CERTSignedData *sd;
int rv;
/* Strip off the signature */
sd = (CERTSignedData *)PORT_ZAlloc(sizeof(CERTSignedData));
if (!sd)
return PORT_GetError();
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
return SEC_ERROR_NO_MEMORY;
rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
der);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
/* fprintf(out, "%s:\n", m); */
PORT_Strcat(m, "data.");
rv = (*inner)(out, &sd->data, m, 0);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
m[PORT_Strlen(m) - 5] = 0;
fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
DER_ConvertBitString(&sd->signature);
fprintf(out, "%s", m);
sv_PrintAsHex(out, &sd->signature, "signature=");
PORT_FreeArena(arena, PR_FALSE);
return 0;
}
static CERTSignedCrl *
FindCRL(CERTCertDBHandle *certHandle, char *name, int type)
{
CERTSignedCrl *crl = NULL;
CERTCertificate *cert = NULL;
SECItem derName;
derName.data = NULL;
derName.len = 0;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
if (!cert) {
CERTName *certName = NULL;
PLArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
certName = CERT_AsciiToName(name);
if (certName) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena) {
SECItem *nameItem =
SEC_ASN1EncodeItem(arena, NULL, (void *)certName,
SEC_ASN1_GET(CERT_NameTemplate));
if (nameItem) {
rv = SECITEM_CopyItem(NULL, &derName, nameItem);
}
PORT_FreeArena(arena, PR_FALSE);
}
CERT_DestroyName(certName);
}
if (rv != SECSuccess) {
SECU_PrintError(progName, "SECITEM_CopyItem failed, out of memory");
return ((CERTSignedCrl *)NULL);
}
if (!derName.len || !derName.data) {
SECU_PrintError(progName, "could not find certificate named '%s'", name);
return ((CERTSignedCrl *)NULL);
}
} else {
SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
CERT_DestroyCertificate(cert);
}
crl = SEC_FindCrlByName(certHandle, &derName, type);
if (crl == NULL)
SECU_PrintError(progName, "could not find %s's CRL", name);
if (derName.data) {
SECITEM_FreeItem(&derName, PR_FALSE);
}
return (crl);
}
/*
* Given a DER encoded DHParameterBlock, extract the prime and generator.
* modulus and public exponent.
* This will work with either PKCS-1 encoded DHParameterBlock or
* openssl-style DHParameter.
*/
OSStatus sslDecodeDhParams(
const SSLBuffer *blob, /* PKCS-1 encoded */
SSLBuffer *prime, /* data mallocd and RETURNED */
SSLBuffer *generator) /* data mallocd and RETURNED */
{
SECStatus rv;
OSStatus srtn;
NSS_DHParameterBlock paramBlock = {};
PLArenaPool *pool;
assert(blob != NULL);
assert(prime != NULL);
assert(generator != NULL);
pool = PORT_NewArena(CHUNKSIZE_DEF);
/*
* Since the common case here is to decode a parameter block coming
* over the wire, which is in openssl format, let's try that format first.
*/
rv = SEC_ASN1Decode(pool, ¶mBlock.params,
kSecAsn1DHParameterTemplate, (const char *)blob->data, blob->length);
if (rv != SECSuccess) {
/*
* OK, that failed when trying as a CDSA_formatted parameter
* block DHParameterBlock). Openssl uses a subset of that,
* a DHParameter. Try that instead.
*/
memset(¶mBlock, 0, sizeof(paramBlock));
rv = SEC_ASN1Decode(pool, ¶mBlock,
kSecAsn1DHParameterBlockTemplate,
(const char *)blob->data, blob->length);
}
if (rv != SECSuccess) {
/* Ah well, we tried. */
sslErrorLog("sslDecodeDhParams: both CDSA and openssl format"
"failed\n");
srtn = errSSLCrypto;
}
else {
/* copy out components */
srtn = SSLCopyBufferFromData(paramBlock.params.prime.Data,
paramBlock.params.prime.Length, prime);
if(!srtn) {
srtn = SSLCopyBufferFromData(paramBlock.params.base.Data,
paramBlock.params.base.Length, generator);
}
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
void check(PLArenaPool *arena, const char b64[], const char s[], const char sName[], bool url) {
void *mark = NULL;
SECItem *b64Item;
mark = PORT_ArenaMark(arena);
b64Item = SECITEM_AllocItem(arena, NULL, strlen(b64));
if(b64Item == NULL){
printf(">>> Couldn't allocate memore, SECITEM_AllocItem failed.\n");
}
strncpy(b64Item->data, b64, b64Item->len);
SECItem b64Decoded;
PORT_Memset(&b64Decoded, 0, sizeof(b64Decoded));
if (url) {
#ifdef NSS_B64_URL_TEST
if (!NSSBase64_URL_DecodeBuffer(arena, &b64Decoded,
b64Item->data,
b64Item->len)) {
PORT_FreeArena(arena, 0);
printf(">>> Couldn't b64decode, NSSBase64_DecodeBuffer failed (URL).\n");
return;
}
#endif
} else {
if (!NSSBase64_DecodeBuffer(arena, &b64Decoded,
b64Item->data,
b64Item->len)) {
PORT_FreeArena(arena, 0);
printf(">>> Couldn't b64decode, NSSBase64_DecodeBuffer failed.\n");
return;
}
}
if (strcmp(s,b64Decoded.data) != 0) {
printf(">>> DECODING ERROR (%s):/\n>>> expected:\n%s\ngot:\n", sName, s);
printf("%.*s---\n---", b64Decoded.len, b64Decoded.data);
} else {
printf("Successful decoded %s string\n", sName);
}
PORT_ArenaUnmark(arena, mark);
}
CERTCertificateList*
hack_NewCertificateListFromCertList(CERTCertList* list)
{
CERTCertificateList * chain = NULL;
PLArenaPool * arena = NULL;
CERTCertListNode * node;
int len;
if (CERT_LIST_EMPTY(list))
goto loser;
arena = PORT_NewArena(4096);
if (arena == NULL)
goto loser;
for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
len++, node = CERT_LIST_NEXT(node)) {
}
chain = PORT_ArenaNew(arena, CERTCertificateList);
if (chain == NULL)
goto loser;
chain->certs = PORT_ArenaNewArray(arena, SECItem, len);
if (!chain->certs)
goto loser;
chain->len = len;
for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
len++, node = CERT_LIST_NEXT(node)) {
// Check to see if the last cert to be sent is a self-signed cert,
// and if so, omit it from the list of certificates. However, if
// there is only one cert (len == 0), include the cert, as it means
// the EE cert is self-signed.
if (len > 0 && (len == chain->len - 1) && node->cert->isRoot) {
chain->len = len;
break;
}
SECITEM_CopyItem(arena, &chain->certs[len], &node->cert->derCert);
}
chain->arena = arena;
return chain;
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
CERTDistNames *
CERT_DistNamesFromCertList(CERTCertList *certList)
{
CERTDistNames *dnames = NULL;
PLArenaPool *arena;
CERTCertListNode *node = NULL;
SECItem *names = NULL;
int listLen = 0, i = 0;
if (certList == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
node = CERT_LIST_HEAD(certList);
while (!CERT_LIST_END(node, certList)) {
listLen += 1;
node = CERT_LIST_NEXT(node);
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
goto loser;
dnames = PORT_ArenaZNew(arena, CERTDistNames);
if (dnames == NULL)
goto loser;
dnames->arena = arena;
dnames->nnames = listLen;
dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, listLen);
if (names == NULL)
goto loser;
node = CERT_LIST_HEAD(certList);
while (!CERT_LIST_END(node, certList)) {
CERTCertificate *cert = node->cert;
SECStatus rv = SECITEM_CopyItem(arena, &names[i++], &cert->derSubject);
if (rv == SECFailure) {
goto loser;
}
node = CERT_LIST_NEXT(node);
}
return dnames;
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
void
cms_context_fini(cms_context *ctx)
{
if (ctx->cert) {
CERT_DestroyCertificate(ctx->cert);
ctx->cert = NULL;
}
if (ctx->privkey) {
free(ctx->privkey);
ctx->privkey = NULL;
}
if (ctx->pe_digest) {
free_poison(ctx->pe_digest->data, ctx->pe_digest->len);
/* XXX sure seems like we should be freeing it here, but
* that's segfaulting, and we know it'll get cleaned up with
* PORT_FreeArena a couple of lines down.
*/
ctx->pe_digest = NULL;
}
if (ctx->ci_digest) {
free_poison(ctx->ci_digest->data, ctx->ci_digest->len);
/* XXX sure seems like we should be freeing it here, but
* that's segfaulting, and we know it'll get cleaned up with
* PORT_FreeArena a couple of lines down.
*/
ctx->ci_digest = NULL;
}
#if 0
for (int i = 0; i < ctx->num_signatures; i++) {
if (ctx->signatures[i]) {
if (ctx->signatures[i]->data)
free(ctx->signatures[i]->data);
free(ctx->signatures[i]);
}
}
free(ctx->signatures);
#endif
ctx->signatures = NULL;
PORT_FreeArena(ctx->arena, PR_TRUE);
memset(ctx, '\0', sizeof(*ctx));
NSS_Shutdown();
}
/*
* SecCmsArraySortByDER - sort array of objects by objects' DER encoding
*
* make sure that the order of the objects guarantees valid DER (which must be
* in lexigraphically ascending order for a SET OF); if reordering is necessary it
* will be done in place (in objs).
*/
OSStatus
SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2)
{
PRArenaPool *poolp;
int num_objs;
SecAsn1Item **enc_objs;
OSStatus rv = SECFailure;
int i;
if (objs == NULL) /* already sorted */
return SECSuccess;
num_objs = SecCmsArrayCount((void **)objs);
if (num_objs == 0 || num_objs == 1) /* already sorted. */
return SECSuccess;
poolp = PORT_NewArena (1024); /* arena for temporaries */
if (poolp == NULL)
return SECFailure; /* no memory; nothing we can do... */
/*
* Allocate arrays to hold the individual encodings which we will use
* for comparisons and the reordered attributes as they are sorted.
*/
// Security check to prevent under-allocation
if (num_objs<0 || num_objs>=(int)((INT_MAX/sizeof(SecAsn1Item *))-1)) {
goto loser;
}
enc_objs = (SecAsn1Item **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SecAsn1Item *));
if (enc_objs == NULL)
goto loser;
/* DER encode each individual object. */
for (i = 0; i < num_objs; i++) {
enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
if (enc_objs[i] == NULL)
goto loser;
}
enc_objs[num_objs] = NULL;
/* now compare and sort objs by the order of enc_objs */
SecCmsArraySort((void **)enc_objs, SecCmsUtilDERCompare, objs, objs2);
rv = SECSuccess;
loser:
PORT_FreeArena (poolp, PR_FALSE);
return rv;
}
/*
* get the value of a string type extension
*/
char *
CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
{
SECItem wrapperItem, tmpItem = {siBuffer,0};
SECStatus rv;
PLArenaPool *arena = NULL;
char *retstring = NULL;
wrapperItem.data = NULL;
tmpItem.data = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( ! arena ) {
goto loser;
}
rv = cert_FindExtension(cert->extensions, oidtag,
&wrapperItem);
if ( rv != SECSuccess ) {
goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem);
if ( rv != SECSuccess ) {
goto loser;
}
retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
if ( retstring == NULL ) {
goto loser;
}
PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
retstring[tmpItem.len] = '\0';
loser:
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
if ( wrapperItem.data ) {
PORT_Free(wrapperItem.data);
}
return(retstring);
}
static bool cert_issuer_has_current_crl(CERTCertDBHandle *handle,
CERTCertificate *cert)
{
bool res = FALSE;
CERTSignedCrl *crl = get_issuer_crl(handle, cert);
if (crl != NULL) {
res = crl_is_current(crl);
if (crl->arena != NULL) {
PORT_FreeArena(crl->arena, PR_FALSE);
}
}
return res;
}
void
ssl3_DestroyExtensionData(TLSExtensionData *xtnData)
{
ssl3_FreeSniNameArray(xtnData);
PORT_Free(xtnData->sigSchemes);
SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
tls13_DestroyKeyShares(&xtnData->remoteKeyShares);
SECITEM_FreeItem(&xtnData->certReqContext, PR_FALSE);
SECITEM_FreeItem(&xtnData->applicationToken, PR_FALSE);
if (xtnData->certReqAuthorities.arena) {
PORT_FreeArena(xtnData->certReqAuthorities.arena, PR_FALSE);
xtnData->certReqAuthorities.arena = NULL;
}
PORT_Free(xtnData->advertised);
}
