static void testGetCAPublicKey( PKIX_PL_Cert *diffCert, PKIX_TrustAnchor *equalObject) { PKIX_PL_PublicKey *diffPubKey = NULL; PKIX_PL_PublicKey *equalPubKey = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_TrustAnchor_GetCAPublicKey"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(diffCert, &diffPubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAPublicKey(equalObject, &equalPubKey, plContext)); testEqualsHelper((PKIX_PL_Object *)diffPubKey, (PKIX_PL_Object *)equalPubKey, PKIX_TRUE, plContext); cleanup: PKIX_TEST_DECREF_AC(diffPubKey); PKIX_TEST_DECREF_AC(equalPubKey); PKIX_TEST_RETURN(); }
PKIX_TrustAnchor * createTrustAnchor( char *dirName, char *certFileName, PKIX_Boolean useCert, void *plContext) { PKIX_TrustAnchor *anchor = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_X500Name *name = NULL; PKIX_PL_PublicKey *pubKey = NULL; PKIX_PL_CertNameConstraints *nameConstraints = NULL; PKIX_TEST_STD_VARS(); cert = createCert(dirName, certFileName, plContext); if (useCert){ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert (cert, &anchor, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject (cert, &name, plContext)); if (name == NULL){ goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey (cert, &pubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &nameConstraints, NULL)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_TrustAnchor_CreateWithNameKeyPair (name, pubKey, nameConstraints, &anchor, plContext)); } cleanup: if (PKIX_TEST_ERROR_RECEIVED){ PKIX_TEST_DECREF_AC(anchor); } PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(name); PKIX_TEST_DECREF_AC(pubKey); PKIX_TEST_DECREF_AC(nameConstraints); PKIX_TEST_RETURN(); return (anchor); }
PKIX_ValidateResult * createValidateResult( char *dirName, char *anchorFileName, char *pubKeyCertFileName, void *plContext) { PKIX_TrustAnchor *anchor = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_PublicKey *pubKey = NULL; PKIX_TEST_STD_VARS(); anchor = createTrustAnchor (dirName, anchorFileName, PKIX_FALSE, plContext); cert = createCert(dirName, pubKeyCertFileName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey (cert, &pubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR (pkix_ValidateResult_Create (pubKey, anchor, NULL, &valResult, plContext)); cleanup: if (PKIX_TEST_ERROR_RECEIVED){ PKIX_TEST_DECREF_AC(valResult); } PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(pubKey); PKIX_TEST_RETURN(); return (valResult); }
int test_buildchain(int argc, char *argv[]) { PKIX_BuildResult *buildResult = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_PL_PublicKey *trustedPubKey = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_RevocationChecker *revChecker = NULL; PKIX_PL_Cert *cert = NULL; PKIX_ProcessingParams *procParams = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_UInt32 actualMinorVersion = 0; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_CertStore *ldapCertStore = NULL; PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */ /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */ PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; PKIX_List *revCheckers = NULL; char *asciiResult = NULL; PKIX_Boolean result = PKIX_FALSE; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *expectedCerts = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_PL_String *actualCertsString = NULL; PKIX_PL_String *expectedCertsString = NULL; void *state = NULL; char *actualCertsAscii = NULL; char *expectedCertsAscii = NULL; PRPollDesc *pollDesc = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("BuildChain"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* * arguments: * [optional] -arenas * [optional] usebind * servername or servername:port ( - for no server) * testname * EE or ENE * cert directory * target cert (end entity) * intermediate certs * trust anchor */ /* optional argument "usebind" for Ldap CertStore */ if (argv[j + 1]) { if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { usebind = PKIX_TRUE; j++; } } if (PORT_Strcmp(argv[++j], "-") == 0) { useLDAP = PKIX_FALSE; } else { serverName = argv[j]; useLDAP = PKIX_TRUE; } subTest(argv[++j]); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[++j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } dirName = argv[++j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); for (k = ++j; k < (PKIX_UInt32)argc; k++) { dirCert = createCert(dirName, argv[k], plContext); if (k == (PKIX_UInt32)(argc - 1)) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == j) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); if (useLDAP == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)ldapCertStore, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, NULL, /* testDate, may be NULL */ trustedPubKey, numCerts, &revChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); #ifdef debuggingWithoutRevocation PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); #endif /* build cert chain using processing params and return buildResult */ pkixTestErrorResult = PKIX_BuildChain(procParams, (void **)&pollDesc, &state, &buildResult, &verifyTree, plContext); while (pollDesc != NULL) { if (PR_Poll(pollDesc, 1, 0) < 0) { testError("PR_Poll failed"); } pkixTestErrorResult = PKIX_BuildChain(procParams, (void **)&pollDesc, &state, &buildResult, &verifyTree, plContext); } if (pkixTestErrorResult) { if (testValid == PKIX_FALSE) { /* EE */ (void)printf("EXPECTED ERROR RECEIVED!\n"); } else { /* ENE */ testError("UNEXPECTED ERROR RECEIVED"); } } else { if (testValid == PKIX_TRUE) { /* ENE */ (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); } else { /* EE */ (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); } } subTest("Displaying VerifyNode objects"); if (verifyTree == NULL) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); } (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); if (pkixTestErrorResult) { PKIX_TEST_DECREF_BC(pkixTestErrorResult); goto cleanup; } if (buildResult) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); printf("\n"); for (i = 0; i < numCerts; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); asciiResult = PKIX_Cert2ASCII(cert); printf("CERT[%d]:\n%s\n", i, asciiResult); /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); asciiResult = NULL; PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, (PKIX_PL_Object *)expectedCerts, &result, plContext)); if (!result) { testError("BUILT CERTCHAIN IS " "NOT THE ONE THAT WAS EXPECTED"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, &actualCertsString, plContext)); actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); if (actualCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, &expectedCertsString, plContext)); expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); if (expectedCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } (void)printf("Actual value:\t%s\n", actualCertsAscii); (void)printf("Expected value:\t%s\n", expectedCertsAscii); } } cleanup: PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_PL_Free(asciiResult, NULL); PKIX_PL_Free(actualCertsAscii, plContext); PKIX_PL_Free(expectedCertsAscii, plContext); PKIX_TEST_DECREF_AC(state); PKIX_TEST_DECREF_AC(actualCertsString); PKIX_TEST_DECREF_AC(expectedCertsString); PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(buildResult); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(revCheckers); PKIX_TEST_DECREF_AC(revChecker); PKIX_TEST_DECREF_AC(ldapCertStore); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(trustedPubKey); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain"); return (0); }
static void test_SubjAlgId_SubjPublicKey(char *dirName) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_OID *setAlgId = NULL; PKIX_PL_OID *getAlgId = NULL; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_PublicKey *setPublicKey = NULL; PKIX_PL_PublicKey *getPublicKey = NULL; PKIX_Boolean isEqual = PKIX_FALSE; PKIX_TEST_STD_VARS(); /* Subject Algorithm Identifier */ subTest("PKIX_PL_OID_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.1.2.3", &setAlgId, plContext)); subTest("PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); subTest("PKIX_ComCertSelParams_SetSubjPKAlgId"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(goodParams, setAlgId, plContext)); subTest("PKIX_ComCertSelParams_GetSubjPKAlgId"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId(goodParams, &getAlgId, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setAlgId, (PKIX_PL_Object *)getAlgId, &isEqual, plContext)); if (isEqual == PKIX_FALSE) { testError("unexpected Subject Public Key Alg mismatch " "<expect equal>"); } /* Subject Public Key */ subTest("Getting Cert for Subject Public Key"); goodCert = createCert(dirName, "nameConstraintsDN2CACert.crt", plContext); subTest("PKIX_PL_Cert_GetSubjectPublicKey"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodCert, &setPublicKey, plContext)); subTest("PKIX_ComCertSelParams_SetSubjPubKey"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(goodParams, setPublicKey, plContext)); subTest("PKIX_ComCertSelParams_GetSubjPubKey"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey(goodParams, &getPublicKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setPublicKey, (PKIX_PL_Object *)getPublicKey, &isEqual, plContext)); if (isEqual == PKIX_FALSE) { testError("unexpected Subject Public Key mismatch " "<expect equal>"); } cleanup: PKIX_TEST_DECREF_AC(setAlgId); PKIX_TEST_DECREF_AC(getAlgId); PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(setPublicKey); PKIX_TEST_DECREF_AC(getPublicKey); PKIX_TEST_RETURN(); }
/* * FUNCTION: pkix_DefaultCRLChecker_Check * * DESCRIPTION: * Check if the Cert has been revoked based the CRLs data. This function * maintains the checker state to be current. * * PARAMETERS * "checker" * Address of CertChainChecker which has the state data. * Must be non-NULL. * "cert" * Address of Certificate that is to be validated. Must be non-NULL. * "unresolvedCriticalExtensions" * A List OIDs. Not **yet** used in this checker function. * "plContext" * Platform-specific context pointer. * * THREAD SAFETY: * Not Thread Safe * (see Thread Safety Definitions in Programmer's Guide) * * RETURNS: * Returns NULL if the function succeeds. * Returns a CertChainChecker Error if the function fails in a non-fatal way. * Returns a Fatal Error */ static PKIX_Error * pkix_DefaultCRLChecker_Check( PKIX_CertChainChecker *checker, PKIX_PL_Cert *cert, PKIX_List *unresolvedCriticalExtensions, void **pNBIOContext, void *plContext) { pkix_DefaultCRLCheckerState *state = NULL; PKIX_PL_PublicKey *publicKey = NULL; PKIX_PL_PublicKey *newPublicKey = NULL; PKIX_Error *checkKeyUsageFail = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; void *nbioContext = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); nbioContext = *pNBIOContext; *pNBIOContext = NULL; /* prepare for Error exit */ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState (checker, (PKIX_PL_Object **)&state, plContext), PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey (cert, &publicKey, plContext), PKIX_CERTGETSUBJECTPUBLICKEYFAILED); /* * If we already have a selector, we were in the middle of checking * when a certStore returned with non-blocking I/O pendning. */ if ((state->crlSelector) == NULL) { state->certsRemaining--; PKIX_NULLCHECK_ONE(state->prevPublicKey); if (state->prevCertCrlSign == PKIX_FALSE) { PKIX_ERROR (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON); } /* Set up CRLSelector */ PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector (cert, state, plContext), PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED); } PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper (checker, cert, state->prevPublicKey, state, unresolvedCriticalExtensions, PKIX_FALSE, &nbioContext, plContext), PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED); if (nbioContext != NULL) { *pNBIOContext = nbioContext; goto cleanup; } PKIX_DECREF(state->crlSelector); /* * Some NIST test case in 4.5.* use different publicKeys for * Cert and its CRL on the chain. Self-issued Certs are used * to speciy multiple keys for those cases. That is why we apply * the following algorithm: * * Check if Cert is self-issued. If so, the public key of the Cert * that issues this Cert (old key) can be used together with this * current key (new key) for key verification. If there are multiple * self-issued certs, keys of those Certs (old keys) can also be used * for key verification. Old key(s) is saved in a list (PrevPublickKey- * List) and cleared when a Cert is no longer self-issued. * PrevPublicKey keep key of the previous Cert. * PrevPublicKeyList keep key(s) of Cert before the previous one. */ PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), PKIX_ISCERTSELFISSUEFAILED); if (selfIssued == PKIX_TRUE) { if (state->prevPublicKeyList == NULL) { PKIX_CHECK(PKIX_List_Create (&state->prevPublicKeyList, plContext), PKIX_LISTCREATEFAILED); } PKIX_CHECK(PKIX_List_AppendItem (state->prevPublicKeyList, (PKIX_PL_Object *) state->prevPublicKey, plContext), PKIX_LISTAPPENDITEMFAILED); } else { /* Not self-issued Cert any more, clear old key(s) saved */ PKIX_DECREF(state->prevPublicKeyList); } /* Make inheritance and save current Public Key */ PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey (publicKey, state->prevPublicKey, &newPublicKey, plContext), PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED); if (newPublicKey == NULL){ PKIX_INCREF(publicKey); newPublicKey = publicKey; } PKIX_DECREF(state->prevPublicKey); PKIX_INCREF(newPublicKey); state->prevPublicKey = newPublicKey; /* Save current Cert's crlSign bit for CRL checking later */ if (state->certsRemaining != 0) { checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage (cert, PKIX_CRL_SIGN, plContext); state->prevCertCrlSign = (checkKeyUsageFail == NULL)? PKIX_TRUE : PKIX_FALSE; PKIX_DECREF(checkKeyUsageFail); } /* PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState (checker, (PKIX_PL_Object *)state, plContext), PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED); */ cleanup: PKIX_DECREF(state); PKIX_DECREF(publicKey); PKIX_DECREF(newPublicKey); PKIX_DECREF(checkKeyUsageFail); PKIX_RETURN(CERTCHAINCHECKER); }