static void
testGetCAPublicKey(
PKIX_PL_Cert *diffCert,
PKIX_TrustAnchor *equalObject)
{
PKIX_PL_PublicKey *diffPubKey = NULL;
PKIX_PL_PublicKey *equalPubKey = NULL;
PKIX_TEST_STD_VARS();
subTest("PKIX_TrustAnchor_GetCAPublicKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(diffCert, &diffPubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAPublicKey(equalObject, &equalPubKey, plContext));
testEqualsHelper((PKIX_PL_Object *)diffPubKey,
(PKIX_PL_Object *)equalPubKey,
PKIX_TRUE,
plContext);
cleanup:
PKIX_TEST_DECREF_AC(diffPubKey);
PKIX_TEST_DECREF_AC(equalPubKey);
PKIX_TEST_RETURN();
}
PKIX_TrustAnchor *
createTrustAnchor(
char *dirName,
char *certFileName,
PKIX_Boolean useCert,
void *plContext)
{
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_PL_X500Name *name = NULL;
PKIX_PL_PublicKey *pubKey = NULL;
PKIX_PL_CertNameConstraints *nameConstraints = NULL;
PKIX_TEST_STD_VARS();
cert = createCert(dirName, certFileName, plContext);
if (useCert){
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(cert, &anchor, plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
(cert, &name, plContext));
if (name == NULL){
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
(cert, &pubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
(cert, &nameConstraints, NULL));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_TrustAnchor_CreateWithNameKeyPair
(name, pubKey, nameConstraints, &anchor, plContext));
}
cleanup:
if (PKIX_TEST_ERROR_RECEIVED){
PKIX_TEST_DECREF_AC(anchor);
}
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(name);
PKIX_TEST_DECREF_AC(pubKey);
PKIX_TEST_DECREF_AC(nameConstraints);
PKIX_TEST_RETURN();
return (anchor);
}
PKIX_ValidateResult *
createValidateResult(
char *dirName,
char *anchorFileName,
char *pubKeyCertFileName,
void *plContext)
{
PKIX_TrustAnchor *anchor = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_PL_PublicKey *pubKey = NULL;
PKIX_TEST_STD_VARS();
anchor = createTrustAnchor
(dirName, anchorFileName, PKIX_FALSE, plContext);
cert = createCert(dirName, pubKeyCertFileName, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
(cert, &pubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(pkix_ValidateResult_Create
(pubKey, anchor, NULL, &valResult, plContext));
cleanup:
if (PKIX_TEST_ERROR_RECEIVED){
PKIX_TEST_DECREF_AC(valResult);
}
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(pubKey);
PKIX_TEST_RETURN();
return (valResult);
}
int
test_buildchain(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_RevocationChecker *revChecker = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
/* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *revCheckers = NULL;
char *asciiResult = NULL;
PKIX_Boolean result = PKIX_FALSE;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *expectedCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
void *state = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
PRPollDesc *pollDesc = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
useLDAP = PKIX_TRUE;
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < (PKIX_UInt32)argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (PKIX_UInt32)(argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores,
NULL, /* testDate, may be NULL */
trustedPubKey,
numCerts,
&revChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));
#ifdef debuggingWithoutRevocation
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
#endif
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
while (pollDesc != NULL) {
if (PR_Poll(pollDesc, 1, 0) < 0) {
testError("PR_Poll failed");
}
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
}
if (pkixTestErrorResult) {
if (testValid == PKIX_FALSE) { /* EE */
(void)printf("EXPECTED ERROR RECEIVED!\n");
} else { /* ENE */
testError("UNEXPECTED ERROR RECEIVED");
}
} else {
if (testValid == PKIX_TRUE) { /* ENE */
(void)printf("EXPECTED NON-ERROR RECEIVED!\n");
} else { /* EE */
(void)printf("UNEXPECTED NON-ERROR RECEIVED!\n");
}
}
subTest("Displaying VerifyNode objects");
if (verifyTree == NULL) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
}
(void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
if (pkixTestErrorResult) {
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
goto cleanup;
}
if (buildResult) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs,
i,
(PKIX_PL_Object **)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
/* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs,
(PKIX_PL_Object *)expectedCerts,
&result,
plContext));
if (!result) {
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext);
if (actualCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext);
if (expectedCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void)printf("Actual value:\t%s\n", actualCertsAscii);
(void)printf("Expected value:\t%s\n",
expectedCertsAscii);
}
}
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_PL_Free(asciiResult, NULL);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(state);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(revCheckers);
PKIX_TEST_DECREF_AC(revChecker);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(trustedPubKey);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain");
return (0);
}
static void
test_SubjAlgId_SubjPublicKey(char *dirName)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_PL_OID *setAlgId = NULL;
PKIX_PL_OID *getAlgId = NULL;
PKIX_PL_Cert *goodCert = NULL;
PKIX_PL_PublicKey *setPublicKey = NULL;
PKIX_PL_PublicKey *getPublicKey = NULL;
PKIX_Boolean isEqual = PKIX_FALSE;
PKIX_TEST_STD_VARS();
/* Subject Algorithm Identifier */
subTest("PKIX_PL_OID_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.1.2.3", &setAlgId, plContext));
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
subTest("PKIX_ComCertSelParams_SetSubjPKAlgId");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(goodParams, setAlgId, plContext));
subTest("PKIX_ComCertSelParams_GetSubjPKAlgId");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId(goodParams, &getAlgId, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setAlgId,
(PKIX_PL_Object *)getAlgId,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Subject Public Key Alg mismatch "
"<expect equal>");
}
/* Subject Public Key */
subTest("Getting Cert for Subject Public Key");
goodCert = createCert(dirName, "nameConstraintsDN2CACert.crt", plContext);
subTest("PKIX_PL_Cert_GetSubjectPublicKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodCert, &setPublicKey, plContext));
subTest("PKIX_ComCertSelParams_SetSubjPubKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(goodParams, setPublicKey, plContext));
subTest("PKIX_ComCertSelParams_GetSubjPubKey");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey(goodParams, &getPublicKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setPublicKey,
(PKIX_PL_Object *)getPublicKey,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Subject Public Key mismatch "
"<expect equal>");
}
cleanup:
PKIX_TEST_DECREF_AC(setAlgId);
PKIX_TEST_DECREF_AC(getAlgId);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_DECREF_AC(goodCert);
PKIX_TEST_DECREF_AC(setPublicKey);
PKIX_TEST_DECREF_AC(getPublicKey);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_DefaultCRLChecker_Check
*
* DESCRIPTION:
* Check if the Cert has been revoked based the CRLs data. This function
* maintains the checker state to be current.
*
* PARAMETERS
* "checker"
* Address of CertChainChecker which has the state data.
* Must be non-NULL.
* "cert"
* Address of Certificate that is to be validated. Must be non-NULL.
* "unresolvedCriticalExtensions"
* A List OIDs. Not **yet** used in this checker function.
* "plContext"
* Platform-specific context pointer.
*
* THREAD SAFETY:
* Not Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
*
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
* Returns a Fatal Error
*/
static PKIX_Error *
pkix_DefaultCRLChecker_Check(
PKIX_CertChainChecker *checker,
PKIX_PL_Cert *cert,
PKIX_List *unresolvedCriticalExtensions,
void **pNBIOContext,
void *plContext)
{
pkix_DefaultCRLCheckerState *state = NULL;
PKIX_PL_PublicKey *publicKey = NULL;
PKIX_PL_PublicKey *newPublicKey = NULL;
PKIX_Error *checkKeyUsageFail = NULL;
PKIX_Boolean selfIssued = PKIX_FALSE;
void *nbioContext = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
nbioContext = *pNBIOContext;
*pNBIOContext = NULL; /* prepare for Error exit */
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
(checker, (PKIX_PL_Object **)&state, plContext),
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
(cert, &publicKey, plContext),
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
/*
* If we already have a selector, we were in the middle of checking
* when a certStore returned with non-blocking I/O pendning.
*/
if ((state->crlSelector) == NULL) {
state->certsRemaining--;
PKIX_NULLCHECK_ONE(state->prevPublicKey);
if (state->prevCertCrlSign == PKIX_FALSE) {
PKIX_ERROR
(PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
}
/* Set up CRLSelector */
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
(cert, state, plContext),
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
}
PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
(checker,
cert,
state->prevPublicKey,
state,
unresolvedCriticalExtensions,
PKIX_FALSE,
&nbioContext,
plContext),
PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
if (nbioContext != NULL) {
*pNBIOContext = nbioContext;
goto cleanup;
}
PKIX_DECREF(state->crlSelector);
/*
* Some NIST test case in 4.5.* use different publicKeys for
* Cert and its CRL on the chain. Self-issued Certs are used
* to speciy multiple keys for those cases. That is why we apply
* the following algorithm:
*
* Check if Cert is self-issued. If so, the public key of the Cert
* that issues this Cert (old key) can be used together with this
* current key (new key) for key verification. If there are multiple
* self-issued certs, keys of those Certs (old keys) can also be used
* for key verification. Old key(s) is saved in a list (PrevPublickKey-
* List) and cleared when a Cert is no longer self-issued.
* PrevPublicKey keep key of the previous Cert.
* PrevPublicKeyList keep key(s) of Cert before the previous one.
*/
PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
PKIX_ISCERTSELFISSUEFAILED);
if (selfIssued == PKIX_TRUE) {
if (state->prevPublicKeyList == NULL) {
PKIX_CHECK(PKIX_List_Create
(&state->prevPublicKeyList, plContext),
PKIX_LISTCREATEFAILED);
}
PKIX_CHECK(PKIX_List_AppendItem
(state->prevPublicKeyList,
(PKIX_PL_Object *) state->prevPublicKey,
plContext),
PKIX_LISTAPPENDITEMFAILED);
} else {
/* Not self-issued Cert any more, clear old key(s) saved */
PKIX_DECREF(state->prevPublicKeyList);
}
/* Make inheritance and save current Public Key */
PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
(publicKey, state->prevPublicKey, &newPublicKey, plContext),
PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
if (newPublicKey == NULL){
PKIX_INCREF(publicKey);
newPublicKey = publicKey;
}
PKIX_DECREF(state->prevPublicKey);
PKIX_INCREF(newPublicKey);
state->prevPublicKey = newPublicKey;
/* Save current Cert's crlSign bit for CRL checking later */
if (state->certsRemaining != 0) {
checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
(cert, PKIX_CRL_SIGN, plContext);
state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
PKIX_TRUE : PKIX_FALSE;
PKIX_DECREF(checkKeyUsageFail);
}
/*
PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
(checker, (PKIX_PL_Object *)state, plContext),
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
*/
cleanup:
PKIX_DECREF(state);
PKIX_DECREF(publicKey);
PKIX_DECREF(newPublicKey);
PKIX_DECREF(checkKeyUsageFail);
PKIX_RETURN(CERTCHAINCHECKER);
}
