/*
* The OCSPChecker is created in an idle state, and remains in this state until
* either (a) the default Responder has been set and enabled, and a Check
* request is received with no responder specified, or (b) a Check request is
* received with a specified responder. A request message is constructed and
* given to the HttpClient. If non-blocking I/O is used the client may return
* with WOULDBLOCK, in which case the OCSPChecker returns the WOULDBLOCK
* condition to its caller in turn. On a subsequent call the I/O is resumed.
* When a response is received it is decoded and the results provided to the
* caller.
*
*/
PKIX_Error *
pkix_OcspChecker_CheckLocal(
PKIX_PL_Cert *cert,
PKIX_PL_Cert *issuer,
PKIX_PL_Date *date,
pkix_RevocationMethod *checkerObject,
PKIX_ProcessingParams *procParams,
PKIX_UInt32 methodFlags,
PKIX_Boolean chainVerificationState,
PKIX_RevocationStatus *pRevStatus,
CERTCRLEntryReasonCode *pReasonCode,
void *plContext)
{
PKIX_PL_OcspCertID *cid = NULL;
PKIX_Boolean hasFreshStatus = PKIX_FALSE;
PKIX_Boolean statusIsGood = PKIX_FALSE;
SECErrorCodes resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP;
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckLocal");
PKIX_CHECK(
PKIX_PL_OcspCertID_Create(cert, NULL, &cid,
plContext),
PKIX_OCSPCERTIDCREATEFAILED);
if (!cid) {
goto cleanup;
}
PKIX_CHECK(
PKIX_PL_OcspCertID_GetFreshCacheStatus(cid, date,
&hasFreshStatus,
&statusIsGood,
&resultCode,
plContext),
PKIX_OCSPCERTIDGETFRESHCACHESTATUSFAILED);
if (hasFreshStatus) {
if (statusIsGood) {
revStatus = PKIX_RevStatus_Success;
resultCode = 0;
} else {
revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
}
}
cleanup:
*pRevStatus = revStatus;
/* ocsp carries only tree statuses: good, bad, and unknown.
* revStatus is used to pass them. reasonCode is always set
* to be unknown. */
*pReasonCode = crlEntryReasonUnspecified;
PKIX_DECREF(cid);
PKIX_RETURN(OCSPCHECKER);
}
/*
* FUNCTION: pkix_List_Remove
* DESCRIPTION:
*
* Traverses the List pointed to by "list", to find and delete an entry
* that is equal to the Object pointed to by "object". If no such entry
* is found the function does not return an error.
*
* PARAMETERS:
* "list"
* List to be searched; may be empty; must be non-NULL
* "object"
* Object to be checked for and deleted, if found; must be non-NULL
* "plContext"
* platform-specific context pointer
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a Validate Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_List_Remove(
PKIX_List *list,
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_Object *current = NULL;
PKIX_UInt32 numEntries = 0;
PKIX_UInt32 index = 0;
PKIX_Boolean match = PKIX_FALSE;
PKIX_ENTER(LIST, "pkix_List_Remove");
PKIX_NULLCHECK_TWO(list, object);
PKIX_CHECK(PKIX_List_GetLength(list, &numEntries, plContext),
PKIX_LISTGETLENGTHFAILED);
for (index = 0; index < numEntries; index++) {
PKIX_CHECK(PKIX_List_GetItem
(list, index, ¤t, plContext),
PKIX_LISTGETITEMFAILED);
if (current) {
PKIX_CHECK(PKIX_PL_Object_Equals
(object, current, &match, plContext),
PKIX_OBJECTEQUALSFAILED);
PKIX_DECREF(current);
}
if (match) {
PKIX_CHECK(PKIX_List_DeleteItem
(list, index, plContext),
PKIX_LISTDELETEITEMFAILED);
break;
}
}
cleanup:
PKIX_DECREF(current);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_pl_CollectionCertStore_GetCRL
* DESCRIPTION:
*
* Retrieve CRL's in a list of PKIX_PL_CRL object.
*
* PARAMETERS:
* "colCertStoreContext"
* The object CertStore is passed in by checker call.
* "crlSelector"
* CRLSelector specifies criteria for chosing CRL's
* "pNBIOContext"
* Address where platform-dependent information is returned for CertStores
* that use non-blocking I/O. Must be non-NULL.
* "pCrlList"
* Address where object pointer will be returned. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertStore Error if the function fails in
* a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_CollectionCertStore_GetCRL(
PKIX_CertStore *certStore,
PKIX_CRLSelector *selector,
void **pNBIOContext,
PKIX_List **pCrlList,
void *plContext)
{
PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
PKIX_List *selectCrl = NULL;
PKIX_ENTER(CERTSTORE, "pkix_pl_CollectionCertStore_GetCRL");
PKIX_NULLCHECK_FOUR(certStore, selector, pNBIOContext, pCrlList);
*pNBIOContext = NULL; /* We don't use non-blocking I/O */
PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
(certStore,
(PKIX_PL_Object **) &colCertStoreContext,
plContext),
PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
if (colCertStoreContext->crlList == NULL) {
PKIX_OBJECT_LOCK(colCertStoreContext);
/*
* CRLs in the directory are cached based on the
* assumption that the directory contents won't be
* changed dynamically.
*/
if (colCertStoreContext->crlList == NULL){
PKIX_CHECK(pkix_pl_CollectionCertStoreContext_PopulateCRL
(colCertStoreContext, plContext),
PKIX_COLLECTIONCERTSTORECONTEXTPOPULATECRLFAILED);
}
PKIX_OBJECT_UNLOCK(colCertStoreContext);
}
PKIX_CHECK(pkix_pl_CollectionCertStoreContext_GetSelectedCRL
(colCertStoreContext->crlList,
selector,
&selectCrl,
plContext),
PKIX_COLLECTIONCERTSTORECONTEXTGETSELECTCRLFAILED);
*pCrlList = selectCrl;
cleanup:
PKIX_OBJECT_UNLOCK(lockedObject);
PKIX_DECREF(colCertStoreContext);
PKIX_RETURN(CERTSTORE);
}
/*
* FUNCTION: pkix_List_AppendUnique
* DESCRIPTION:
*
* Adds each Object in the List pointed to by "fromList" to the List pointed
* to by "toList", if it is not already a member of that List. In other words,
* "toList" becomes the union of the two sets.
*
* PARAMETERS:
* "toList"
* Address of a List of Objects to be augmented by "fromList". Must be
* non-NULL, but may be empty.
* "fromList"
* Address of a List of Objects to be added, if not already present, to
* "toList". Must be non-NULL, but may be empty.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe - assumes exclusive access to "toList"
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_List_AppendUnique(
PKIX_List *toList,
PKIX_List *fromList,
void *plContext)
{
PKIX_Boolean isContained = PKIX_FALSE;
PKIX_UInt32 listLen = 0;
PKIX_UInt32 listIx = 0;
PKIX_PL_Object *object = NULL;
PKIX_ENTER(BUILD, "pkix_List_AppendUnique");
PKIX_NULLCHECK_TWO(fromList, toList);
PKIX_CHECK(PKIX_List_GetLength(fromList, &listLen, plContext),
PKIX_LISTGETLENGTHFAILED);
for (listIx = 0; listIx < listLen; listIx++) {
PKIX_CHECK(PKIX_List_GetItem
(fromList, listIx, &object, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_List_Contains
(toList, object, &isContained, plContext),
PKIX_LISTCONTAINSFAILED);
if (isContained == PKIX_FALSE) {
PKIX_CHECK(PKIX_List_AppendItem
(toList, object, plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(object);
}
cleanup:
PKIX_DECREF(object);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_List_Duplicate
* (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_List_Duplicate(
PKIX_PL_Object *object,
PKIX_PL_Object **pNewObject,
void *plContext)
{
PKIX_List *list = NULL;
PKIX_List *listDuplicate = NULL;
PKIX_ENTER(LIST, "pkix_List_Duplicate");
PKIX_NULLCHECK_TWO(object, pNewObject);
PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
PKIX_OBJECTNOTLIST);
list = (PKIX_List *)object;
if (list->immutable){
PKIX_CHECK(pkix_duplicateImmutable
(object, pNewObject, plContext),
PKIX_DUPLICATEIMMUTABLEFAILED);
} else {
PKIX_CHECK(pkix_List_Create_Internal
(list->isHeader, &listDuplicate, plContext),
PKIX_LISTCREATEINTERNALFAILED);
listDuplicate->length = list->length;
PKIX_INCREF(list->item);
listDuplicate->item = list->item;
if (list->next == NULL){
listDuplicate->next = NULL;
} else {
/* Recursively Duplicate list */
PKIX_CHECK(pkix_List_Duplicate
((PKIX_PL_Object *)list->next,
(PKIX_PL_Object **)&listDuplicate->next,
plContext),
PKIX_LISTDUPLICATEFAILED);
}
*pNewObject = (PKIX_PL_Object *)listDuplicate;
}
cleanup:
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(listDuplicate);
}
PKIX_RETURN(LIST);
}
/*
* FUNCTION: PKIX_ProcessingParams_SetHintCerts
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_SetHintCerts(
PKIX_ProcessingParams *params,
PKIX_List *hintCerts,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetHintCerts");
PKIX_NULLCHECK_ONE(params);
PKIX_DECREF(params->hintCerts);
PKIX_INCREF(hintCerts);
params->hintCerts = hintCerts;
cleanup:
if (PKIX_ERROR_RECEIVED && params) {
PKIX_DECREF(params->hintCerts);
}
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: pkix_TargetCertCheckerState_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_TargetCertCheckerState_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
pkix_TargetCertCheckerState *state = NULL;
PKIX_ENTER(TARGETCERTCHECKERSTATE,
"pkix_TargetCertCheckerState_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a target cert checker state */
PKIX_CHECK(pkix_CheckType
(object, PKIX_TARGETCERTCHECKERSTATE_TYPE, plContext),
PKIX_OBJECTNOTTARGETCERTCHECKERSTATE);
state = (pkix_TargetCertCheckerState *)object;
PKIX_DECREF(state->certSelector);
PKIX_DECREF(state->extKeyUsageOID);
PKIX_DECREF(state->subjAltNameOID);
PKIX_DECREF(state->pathToNameList);
PKIX_DECREF(state->extKeyUsageList);
PKIX_DECREF(state->subjAltNameList);
cleanup:
PKIX_RETURN(TARGETCERTCHECKERSTATE);
}
/*
* FUNCTION: PKIX_ProcessingParams_Create (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_Create(
PKIX_ProcessingParams **pParams,
void *plContext)
{
PKIX_ProcessingParams *params = NULL;
PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_Create");
PKIX_NULLCHECK_ONE(pParams);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_PROCESSINGPARAMS_TYPE,
sizeof (PKIX_ProcessingParams),
(PKIX_PL_Object **)¶ms,
plContext),
PKIX_COULDNOTCREATEPROCESSINGPARAMSOBJECT);
/* initialize fields */
PKIX_CHECK(PKIX_List_Create(¶ms->trustAnchors, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_SetImmutable(params->trustAnchors, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
params->hintCerts = NULL;
params->constraints = NULL;
params->date = NULL;
params->initialPolicies = NULL;
params->initialPolicyMappingInhibit = PKIX_FALSE;
params->initialAnyPolicyInhibit = PKIX_FALSE;
params->initialExplicitPolicy = PKIX_FALSE;
params->qualifiersRejected = PKIX_FALSE;
params->certChainCheckers = NULL;
params->revCheckers = NULL;
params->certStores = NULL;
params->resourceLimits = NULL;
params->isCrlRevocationCheckingEnabled = PKIX_TRUE;
params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
params->useAIAForCertFetching = PKIX_FALSE;
*pParams = params;
params = NULL;
cleanup:
PKIX_DECREF(params);
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_PL_CRL_GetIssuer (see comments in pkix_pl_pki.h)
*/
PKIX_Error *
PKIX_PL_CRL_GetIssuer(
PKIX_PL_CRL *crl,
PKIX_PL_X500Name **pCRLIssuer,
void *plContext)
{
PKIX_PL_String *crlString = NULL;
PKIX_PL_X500Name *issuer = NULL;
SECItem *derIssuerName = NULL;
CERTName *issuerName = NULL;
PKIX_ENTER(CRL, "PKIX_PL_CRL_GetIssuer");
PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pCRLIssuer);
/* Can call this function only with der been adopted. */
PORT_Assert(crl->adoptedDerCrl);
/* if we don't have a cached copy from before, we create one */
if (crl->issuer == NULL){
PKIX_OBJECT_LOCK(crl);
if (crl->issuer == NULL) {
issuerName = &crl->nssSignedCrl->crl.name;
derIssuerName = &crl->nssSignedCrl->crl.derName;
PKIX_CHECK(
PKIX_PL_X500Name_CreateFromCERTName(derIssuerName,
issuerName,
&issuer,
plContext),
PKIX_X500NAMECREATEFROMCERTNAMEFAILED);
/* save a cached copy in case it is asked for again */
crl->issuer = issuer;
}
PKIX_OBJECT_UNLOCK(crl);
}
PKIX_INCREF(crl->issuer);
*pCRLIssuer = crl->issuer;
cleanup:
PKIX_DECREF(crlString);
PKIX_RETURN(CRL);
}
/*
* FUNCTION: pkix_ResourceLimits_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ResourceLimits_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_ResourceLimits *rLimits = NULL;
char *asciiFormat = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *rLimitsString = NULL;
PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_RESOURCELIMITS_TYPE, plContext),
PKIX_OBJECTNOTRESOURCELIMITS);
/* maxCertsNumber and maxCrlsNumber are not supported */
asciiFormat =
"[\n"
"\tMaxTime: \t\t%d\n"
"\tMaxFanout: \t\t%d\n"
"\tMaxDepth: \t\t%d\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
rLimits = (PKIX_ResourceLimits*)object;
PKIX_CHECK(PKIX_PL_Sprintf
(&rLimitsString,
plContext,
formatString,
rLimits->maxTime,
rLimits->maxFanout,
rLimits->maxDepth),
PKIX_SPRINTFFAILED);
*pString = rLimitsString;
cleanup:
PKIX_DECREF(formatString);
PKIX_RETURN(RESOURCELIMITS);
}
/*
* FUNCTION: pkix_PolicyNode_Create
* DESCRIPTION:
*
* Creates a new PolicyNode using the OID pointed to by "validPolicy", the List
* of CertPolicyQualifiers pointed to by "qualifierSet", the criticality
* indicated by the Boolean value of "criticality", and the List of OIDs
* pointed to by "expectedPolicySet", and stores the result at "pObject". The
* criticality should be derived from whether the certificate policy extension
* was marked as critical in the certificate that led to creation of this
* PolicyNode. The "qualifierSet" and "expectedPolicySet" Lists are made
* immutable. The PolicyNode pointers to parent and to children are initialized
* to NULL, and the depth is set to zero; those values should be set by using
* the pkix_PolicyNode_AddToParent function.
*
* PARAMETERS
* "validPolicy"
* Address of OID of the valid policy for the path. Must be non-NULL
* "qualifierSet"
* Address of List of CertPolicyQualifiers associated with the validpolicy.
* May be NULL
* "criticality"
* Boolean indicator of whether the criticality should be set in this
* PolicyNode
* "expectedPolicySet"
* Address of List of OIDs that would satisfy this policy in the next
* certificate. Must be non-NULL
* "pObject"
* Address where the PolicyNode pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a PolicyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_PolicyNode_Create(
PKIX_PL_OID *validPolicy,
PKIX_List *qualifierSet,
PKIX_Boolean criticality,
PKIX_List *expectedPolicySet,
PKIX_PolicyNode **pObject,
void *plContext)
{
PKIX_PolicyNode *node = NULL;
PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Create");
PKIX_NULLCHECK_THREE(validPolicy, expectedPolicySet, pObject);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CERTPOLICYNODE_TYPE,
sizeof (PKIX_PolicyNode),
(PKIX_PL_Object **)&node,
plContext),
PKIX_COULDNOTCREATEPOLICYNODEOBJECT);
PKIX_INCREF(validPolicy);
node->validPolicy = validPolicy;
PKIX_INCREF(qualifierSet);
node->qualifierSet = qualifierSet;
if (qualifierSet) {
PKIX_CHECK(PKIX_List_SetImmutable(qualifierSet, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
}
node->criticality = criticality;
PKIX_INCREF(expectedPolicySet);
node->expectedPolicySet = expectedPolicySet;
PKIX_CHECK(PKIX_List_SetImmutable(expectedPolicySet, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
node->parent = NULL;
node->children = NULL;
node->depth = 0;
*pObject = node;
node = NULL;
cleanup:
PKIX_DECREF(node);
PKIX_RETURN(CERTPOLICYNODE);
}
/*
* FUNCTION: PKIX_ProcessingParams_SetResourceLimits
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_SetResourceLimits(
PKIX_ProcessingParams *params,
PKIX_ResourceLimits *resourceLimits,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_SetResourceLimits");
PKIX_NULLCHECK_TWO(params, resourceLimits);
PKIX_DECREF(params->resourceLimits);
PKIX_INCREF(resourceLimits);
params->resourceLimits = resourceLimits;
cleanup:
if (PKIX_ERROR_RECEIVED && params) {
PKIX_DECREF(params->resourceLimits);
}
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: pkix_pl_CRL_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CRL_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_CRL *crl = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_CRL_TYPE, plContext),
PKIX_OBJECTNOTCRL);
crl = (PKIX_PL_CRL*)object;
PKIX_CRL_DEBUG("\t\tCalling CERT_DestroyCrl\n");
if (crl->nssSignedCrl) {
CERT_DestroyCrl(crl->nssSignedCrl);
}
if (crl->adoptedDerCrl) {
SECITEM_FreeItem(crl->adoptedDerCrl, PR_TRUE);
}
crl->nssSignedCrl = NULL;
crl->adoptedDerCrl = NULL;
crl->crlNumberAbsent = PKIX_FALSE;
PKIX_DECREF(crl->issuer);
PKIX_DECREF(crl->signatureAlgId);
PKIX_DECREF(crl->crlNumber);
PKIX_DECREF(crl->crlEntryList);
PKIX_DECREF(crl->critExtOids);
if (crl->derGenName) {
SECITEM_FreeItem(crl->derGenName, PR_TRUE);
}
cleanup:
PKIX_RETURN(CRL);
}
/*
* FUNCTION: pkix_List_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_List_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_List *list = NULL;
PKIX_PL_String *listString = NULL;
PKIX_PL_String *format = NULL;
PKIX_ENTER(LIST, "pkix_List_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
PKIX_OBJECTNOTLIST);
list = (PKIX_List *)object;
if (!list->isHeader){
PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
}
PKIX_CHECK(pkix_List_ToString_Helper(list, &listString, plContext),
PKIX_LISTTOSTRINGHELPERFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "(%s)", 0, &format, plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Sprintf(pString, plContext, format, listString),
PKIX_SPRINTFFAILED);
cleanup:
PKIX_DECREF(listString);
PKIX_DECREF(format);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_EkuChecker_Destroy
* (see comments for PKIX_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_EkuChecker_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
pkix_EkuChecker *ekuCheckerState = NULL;
PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_EKUCHECKER_TYPE, plContext),
PKIX_OBJECTNOTANEKUCHECKERSTATE);
ekuCheckerState = (pkix_EkuChecker *)object;
PKIX_DECREF(ekuCheckerState->ekuOID);
PKIX_DECREF(ekuCheckerState->requiredExtKeyUsageOids);
cleanup:
PKIX_RETURN(EKUCHECKER);
}
/*
* FUNCTION: PKIX_List_AppendItem (see comments in pkix_util.h)
*/
PKIX_Error *
PKIX_List_AppendItem(
PKIX_List *list,
PKIX_PL_Object *item,
void *plContext)
{
PKIX_List *lastElement = NULL;
PKIX_List *newElement = NULL;
PKIX_UInt32 length, i;
PKIX_ENTER(LIST, "PKIX_List_AppendItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
if (!list->isHeader){
PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
}
length = list->length;
/* find last element of list and create new element there */
lastElement = list;
for (i = 0; i < length; i++){
lastElement = lastElement->next;
}
PKIX_CHECK(pkix_List_Create_Internal
(PKIX_FALSE, &newElement, plContext),
PKIX_LISTCREATEINTERNALFAILED);
PKIX_INCREF(item);
newElement->item = item;
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)list, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
lastElement->next = newElement;
newElement = NULL;
list->length += 1;
cleanup:
PKIX_DECREF(newElement);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_pl_CertPolicyMap_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CertPolicyMap_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_CertPolicyMap *certMap = NULL;
PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYMAP_TYPE, plContext),
PKIX_OBJECTNOTCERTPOLICYMAP);
certMap = (PKIX_PL_CertPolicyMap*)object;
PKIX_DECREF(certMap->issuerDomainPolicy);
PKIX_DECREF(certMap->subjectDomainPolicy);
cleanup:
PKIX_RETURN(CERTPOLICYMAP);
}
/*
* FUNCTION: pkix_ValidateParams_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ValidateParams_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_ValidateParams *params = NULL;
PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a validate params object */
PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATEPARAMS_TYPE, plContext),
PKIX_OBJECTNOTVALIDATEPARAMS);
params = (PKIX_ValidateParams *)object;
PKIX_DECREF(params->procParams);
PKIX_DECREF(params->chain);
cleanup:
PKIX_RETURN(VALIDATEPARAMS);
}
/*
* FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_TrustAnchor_CreateWithNameKeyPair(
PKIX_PL_X500Name *name,
PKIX_PL_PublicKey *pubKey,
PKIX_PL_CertNameConstraints *nameConstraints,
PKIX_TrustAnchor **pAnchor,
void *plContext)
{
PKIX_TrustAnchor *anchor = NULL;
PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_CreateWithNameKeyPair");
#ifndef BUILD_LIBPKIX_TESTS
/* Nss creates trust anchors by using PKIX_TrustAnchor_CreateWithCert
* function as the complete trusted cert structure, and not only cert
* public key, is required for chain building and validation processes.
* Restricting this function for been used only in libpkix unit
* tests. */
PKIX_ERROR(PKIX_FUNCTIONMUSTNOTBEUSED);
#endif
PKIX_NULLCHECK_THREE(name, pubKey, pAnchor);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_TRUSTANCHOR_TYPE,
sizeof (PKIX_TrustAnchor),
(PKIX_PL_Object **)&anchor,
plContext),
PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
/* initialize fields */
anchor->trustedCert = NULL;
PKIX_INCREF(name);
anchor->caName = name;
PKIX_INCREF(pubKey);
anchor->caPubKey = pubKey;
PKIX_INCREF(nameConstraints);
anchor->nameConstraints = nameConstraints;
*pAnchor = anchor;
anchor = NULL;
cleanup:
PKIX_DECREF(anchor);
PKIX_RETURN(TRUSTANCHOR);
}
/*
* FUNCTION: pkix_Error_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_Error_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_Error *error = NULL;
PKIX_ENTER(ERROR, "pkix_Error_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_ERROR_TYPE, plContext),
PKIX_OBJECTNOTANERROR);
error = (PKIX_Error *)object;
PKIX_DECREF(error->cause);
PKIX_DECREF(error->info);
cleanup:
PKIX_RETURN(ERROR);
}
/*
* FUNCTION: pkix_VerifyNode_SetDepth
* DESCRIPTION:
*
* The function sets the depth field of each VerifyNode in the List "children"
* to the value given by "depth", and recursively sets the depth of any
* successive generations to the successive values.
*
* PARAMETERS:
* "children"
* The List of VerifyNodes. Must be non-NULL.
* "depth"
* The value of the depth field to be set in members of the List.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_VerifyNode_SetDepth(PKIX_List *children,
PKIX_UInt32 depth,
void *plContext)
{
PKIX_UInt32 numChildren = 0;
PKIX_UInt32 chIx = 0;
PKIX_VerifyNode *child = NULL;
PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_SetDepth");
PKIX_NULLCHECK_ONE(children);
PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
for (chIx = 0; chIx < numChildren; chIx++) {
PKIX_CHECK(PKIX_List_GetItem
(children, chIx, (PKIX_PL_Object **)&child, plContext),
PKIX_LISTGETITEMFAILED);
child->depth = depth;
if (child->children != NULL) {
PKIX_CHECK(pkix_VerifyNode_SetDepth
(child->children, depth + 1, plContext),
PKIX_VERIFYNODESETDEPTHFAILED);
}
PKIX_DECREF(child);
}
cleanup:
PKIX_DECREF(child);
PKIX_RETURN(VERIFYNODE);
}
/*
* FUNCTION: PKIX_CertStore_Create (see comments in pkix_certstore.h)
*/
PKIX_Error *
PKIX_CertStore_Create(
PKIX_CertStore_CertCallback certCallback,
PKIX_CertStore_CRLCallback crlCallback,
PKIX_CertStore_CertContinueFunction certContinue,
PKIX_CertStore_CrlContinueFunction crlContinue,
PKIX_CertStore_CheckTrustCallback trustCallback,
PKIX_CertStore_ImportCrlCallback importCrlCallback,
PKIX_CertStore_CheckRevokationByCrlCallback checkRevByCrlCallback,
PKIX_PL_Object *certStoreContext,
PKIX_Boolean cacheFlag,
PKIX_Boolean localFlag,
PKIX_CertStore **pStore,
void *plContext)
{
PKIX_CertStore *certStore = NULL;
PKIX_ENTER(CERTSTORE, "PKIX_CertStore_Create");
PKIX_NULLCHECK_THREE(certCallback, crlCallback, pStore);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CERTSTORE_TYPE,
sizeof (PKIX_CertStore),
(PKIX_PL_Object **)&certStore,
plContext),
PKIX_COULDNOTCREATECERTSTOREOBJECT);
certStore->certCallback = certCallback;
certStore->crlCallback = crlCallback;
certStore->certContinue = certContinue;
certStore->crlContinue = crlContinue;
certStore->trustCallback = trustCallback;
certStore->importCrlCallback = importCrlCallback;
certStore->checkRevByCrlCallback = checkRevByCrlCallback;
certStore->cacheFlag = cacheFlag;
certStore->localFlag = localFlag;
PKIX_INCREF(certStoreContext);
certStore->certStoreContext = certStoreContext;
*pStore = certStore;
certStore = NULL;
cleanup:
PKIX_DECREF(certStore);
PKIX_RETURN(CERTSTORE);
}
/*
* FUNCTION: pkix_RevocationChecker_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_RevocationChecker_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_RevocationChecker *checker = NULL;
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a revocation checker */
PKIX_CHECK(pkix_CheckType
(object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
PKIX_OBJECTNOTREVOCATIONCHECKER);
checker = (PKIX_RevocationChecker *)object;
PKIX_DECREF(checker->leafMethodList);
PKIX_DECREF(checker->chainMethodList);
cleanup:
PKIX_RETURN(REVOCATIONCHECKER);
}
/*
* FUNCTION: pkix_pl_CollectionCertStoreContext_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CollectionCertStoreContext_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
"pkix_pl_CollectionCertStoreContext_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType
(object, PKIX_COLLECTIONCERTSTORECONTEXT_TYPE, plContext),
PKIX_OBJECTNOTCOLLECTIONCERTSTORECONTEXT);
colCertStoreContext = (PKIX_PL_CollectionCertStoreContext *)object;
PKIX_DECREF(colCertStoreContext->storeDir);
PKIX_DECREF(colCertStoreContext->crlList);
PKIX_DECREF(colCertStoreContext->certList);
cleanup:
PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
}
/*
* FUNCTION: pkix_ValidateResult_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ValidateResult_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_ValidateResult *result = NULL;
PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a validate result object */
PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATERESULT_TYPE, plContext),
PKIX_OBJECTNOTVALIDATERESULT);
result = (PKIX_ValidateResult *)object;
PKIX_DECREF(result->anchor);
PKIX_DECREF(result->pubKey);
PKIX_DECREF(result->policyTree);
cleanup:
PKIX_RETURN(VALIDATERESULT);
}
/*
* FUNCTION: pkix_pl_CertPolicyQualifier_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CertPolicyQualifier_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_CertPolicyQualifier *certPQ = NULL;
PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType
(object, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
PKIX_OBJECTNOTCERTPOLICYQUALIFIER);
certPQ = (PKIX_PL_CertPolicyQualifier*)object;
PKIX_DECREF(certPQ->policyQualifierId);
PKIX_DECREF(certPQ->qualifier);
cleanup:
PKIX_RETURN(CERTPOLICYQUALIFIER);
}
/*
* FUNCTION: pkix_pl_HashTable_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_HashTable_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_HashTable *ht = NULL;
pkix_pl_HT_Elem *item = NULL;
PKIX_UInt32 i;
PKIX_ENTER(HASHTABLE, "pkix_pl_HashTable_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_HASHTABLE_TYPE, plContext),
PKIX_OBJECTNOTHASHTABLE);
ht = (PKIX_PL_HashTable*) object;
/* DecRef every object in the primitive hash table */
for (i = 0; i < ht->primHash->size; i++) {
for (item = ht->primHash->buckets[i];
item != NULL;
item = item->next) {
PKIX_DECREF(item->key);
PKIX_DECREF(item->value);
}
}
PKIX_CHECK(pkix_pl_PrimHashTable_Destroy(ht->primHash, plContext),
PKIX_PRIMHASHTABLEDESTROYFAILED);
PKIX_DECREF(ht->tableLock);
cleanup:
PKIX_RETURN(HASHTABLE);
}
/*
* FUNCTION: pkix_pl_CRL_CreateWithSignedCRL
* DESCRIPTION:
*
* Creates a new CRL using the CERTSignedCrl pointed to by "nssSignedCrl"
* and stores it at "pCRL". If the decoding of the CERTSignedCrl fails,
* a PKIX_Error is returned.
*
* PARAMETERS:
* "nssSignedCrl"
* Address of CERTSignedCrl. Must be non-NULL.
* "adoptedDerCrl"
* SECItem ponter that if not NULL is indicating that memory used
* for der should be adopted by crl that is about to be created.
* "pCRL"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CRL Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_CRL_CreateWithSignedCRL(
CERTSignedCrl *nssSignedCrl,
SECItem *adoptedDerCrl,
SECItem *derGenName,
PKIX_PL_CRL **pCrl,
void *plContext)
{
PKIX_PL_CRL *crl = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_CreateWithSignedCRL");
PKIX_NULLCHECK_ONE(pCrl);
/* create a PKIX_PL_CRL object */
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CRL_TYPE,
sizeof (PKIX_PL_CRL),
(PKIX_PL_Object **)&crl,
plContext),
PKIX_COULDNOTCREATECRLOBJECT);
/* populate the nssSignedCrl field */
crl->nssSignedCrl = nssSignedCrl;
crl->adoptedDerCrl = adoptedDerCrl;
crl->issuer = NULL;
crl->signatureAlgId = NULL;
crl->crlNumber = NULL;
crl->crlNumberAbsent = PKIX_FALSE;
crl->crlEntryList = NULL;
crl->critExtOids = NULL;
if (derGenName) {
crl->derGenName =
SECITEM_DupItem(derGenName);
if (!crl->derGenName) {
PKIX_ERROR(PKIX_ALLOCERROR);
}
}
*pCrl = crl;
cleanup:
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(crl);
}
PKIX_RETURN(CRL);
}
/*
* FUNCTION: pkix_pl_CRL_CreateWithSignedCRL
* DESCRIPTION:
*
* Creates a new CRL using the CERTSignedCrl pointed to by "nssSignedCrl"
* and stores it at "pCRL". If the decoding of the CERTSignedCrl fails,
* a PKIX_Error is returned.
*
* PARAMETERS:
* "nssSignedCrl"
* Address of CERTSignedCrl. Must be non-NULL.
* "pCRL"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CRL Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_CRL_CreateWithSignedCRL(
CERTSignedCrl *nssSignedCrl,
PKIX_PL_CRL **pCrl,
void *plContext)
{
SECStatus status;
PKIX_PL_CRL *crl = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_CreateWithSignedCRL");
PKIX_NULLCHECK_TWO(nssSignedCrl, pCrl);
/* create a PKIX_PL_CRL object */
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CRL_TYPE,
sizeof (PKIX_PL_CRL),
(PKIX_PL_Object **)&crl,
plContext),
PKIX_COULDNOTCREATECRLOBJECT);
/* populate the nssSignedCrl field */
crl->nssSignedCrl = nssSignedCrl;
PKIX_CRL_DEBUG("\t\tCalling CERT_CompleteCRLDecodeEntries\n");
status = CERT_CompleteCRLDecodeEntries(crl->nssSignedCrl);
if (status != SECSuccess) {
PKIX_ERROR(PKIX_CERTCOMPLETECRLDECODEDENTRIESFAILED);
}
crl->issuer = NULL;
crl->signatureAlgId = NULL;
crl->crlNumber = NULL;
crl->crlNumberAbsent = PKIX_FALSE;
crl->crlEntryList = NULL;
crl->critExtOids = NULL;
*pCrl = crl;
cleanup:
if (PKIX_ERROR_RECEIVED) {
PKIX_DECREF(crl);
}
PKIX_RETURN(CRL);
}
/*
* FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames
* (see comments in pkix_certsel.h)
*/
PKIX_Error *
PKIX_ComCertSelParams_SetSubjAltNames(
PKIX_ComCertSelParams *params,
PKIX_List *names, /* list of PKIX_PL_GeneralName */
void *plContext)
{
PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubjAltNames");
PKIX_NULLCHECK_TWO(params, names);
PKIX_DECREF(params->subjAltNames);
PKIX_INCREF(names);
params->subjAltNames = names;
cleanup:
PKIX_RETURN(COMCERTSELPARAMS);
}
