/* * FUNCTION: PKIX_PL_CRL_Create (see comments in pkix_pl_pki.h) */ PKIX_Error * PKIX_PL_CRL_Create( PKIX_PL_ByteArray *byteArray, PKIX_PL_CRL **pCrl, void *plContext) { CERTSignedCrl *nssSignedCrl = NULL; SECItem derItem, *derCrl = NULL; PKIX_PL_CRL *crl = NULL; PKIX_ENTER(CRL, "PKIX_PL_CRL_Create"); PKIX_NULLCHECK_TWO(byteArray, pCrl); if (byteArray->length == 0){ PKIX_ERROR(PKIX_ZEROLENGTHBYTEARRAYFORCRLENCODING); } derItem.type = siBuffer; derItem.data = byteArray->array; derItem.len = byteArray->length; derCrl = SECITEM_DupItem(&derItem); if (!derCrl) { PKIX_ERROR(PKIX_ALLOCERROR); } nssSignedCrl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, SEC_CRL_TYPE, CRL_DECODE_DONT_COPY_DER | CRL_DECODE_SKIP_ENTRIES); if (!nssSignedCrl) { PKIX_ERROR(PKIX_CERTDECODEDERCRLFAILED); } PKIX_CHECK( pkix_pl_CRL_CreateWithSignedCRL(nssSignedCrl, derCrl, NULL, &crl, plContext), PKIX_CRLCREATEWITHSIGNEDCRLFAILED); nssSignedCrl = NULL; derCrl = NULL; *pCrl = crl; cleanup: if (derCrl) { SECITEM_FreeItem(derCrl, PR_TRUE); } if (nssSignedCrl) { SEC_DestroyCrl(nssSignedCrl); } PKIX_RETURN(CRL); }
/* * FUNCTION: pkix_pl_CRL_CreateToList * DESCRIPTION: * * This function decodes a DER-encoded Certificate Revocation List pointed to * by "derCrlItem", adding the resulting PKIX_PL_CRL, if the decoding was * successful, to the List (possibly empty) pointed to by "crlList". * * PARAMETERS: * "derCrlItem" * The address of the SECItem containing the DER-encoded Certificate * Revocation List. Must be non-NULL. * "crlList" * The address of the List to which the decoded CRL is added. May be * empty, but must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_CRL_CreateToList( SECItem *derCrlItem, PKIX_List *crlList, void *plContext) { CERTSignedCrl *nssCrl = NULL; PKIX_PL_CRL *crl = NULL; PKIX_ENTER(CRL, "pkix_pl_CRL_CreateToList"); PKIX_NULLCHECK_TWO(derCrlItem, crlList); nssCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE); if (nssCrl == NULL) { goto cleanup; } PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL (nssCrl, &crl, plContext), PKIX_CRLCREATEWITHSIGNEDCRLFAILED); nssCrl = NULL; PKIX_CHECK(PKIX_List_AppendItem (crlList, (PKIX_PL_Object *) crl, plContext), PKIX_LISTAPPENDITEMFAILED); cleanup: if (nssCrl) { SEC_DestroyCrl(nssCrl); } PKIX_DECREF(crl); PKIX_RETURN(CRL); }
/* * FUNCTION: pkix_pl_LdapCertStore_BuildCrlList * DESCRIPTION: * * This function takes a List of LdapResponse objects pointed to by * "responseList" and extracts and decodes the CRLs in those responses, storing * the List of those CRLs at "pCrls". If none of the objects can be decoded * into a CRL, the returned List is empty. * * PARAMETERS: * "responseList" * The address of the List of LdapResponses. Must be non-NULL. * "pCrls" * The address at which the result is stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns a CertStore Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_LdapCertStore_BuildCrlList( PKIX_List *responseList, PKIX_List **pCrls, void *plContext) { PKIX_UInt32 numResponses = 0; PKIX_UInt32 respIx = 0; LdapAttrMask attrBits = 0; CERTSignedCrl *nssCrl = NULL; PKIX_PL_LdapResponse *response = NULL; PKIX_List *crlList = NULL; PKIX_PL_CRL *crl = NULL; LDAPMessage *message = NULL; LDAPSearchResponseEntry *sre = NULL; LDAPSearchResponseAttr **sreAttrArray = NULL; LDAPSearchResponseAttr *sreAttr = NULL; SECItem *attrType = NULL; SECItem **attrVal = NULL; SECItem *derCrlCopy = NULL; SECItem *derCrlItem = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList"); PKIX_NULLCHECK_TWO(responseList, pCrls); PKIX_CHECK(PKIX_List_Create(&crlList, plContext), PKIX_LISTCREATEFAILED); /* extract crls from response */ PKIX_CHECK(PKIX_List_GetLength (responseList, &numResponses, plContext), PKIX_LISTGETLENGTHFAILED); for (respIx = 0; respIx < numResponses; respIx++) { PKIX_CHECK(PKIX_List_GetItem (responseList, respIx, (PKIX_PL_Object **)&response, plContext), PKIX_LISTGETITEMFAILED); PKIX_CHECK(pkix_pl_LdapResponse_GetMessage (response, &message, plContext), PKIX_LDAPRESPONSEGETMESSAGEFAILED); sre = &(message->protocolOp.op.searchResponseEntryMsg); sreAttrArray = sre->attributes; /* Get next element of null-terminated array */ sreAttr = *sreAttrArray++; while (sreAttr != NULL) { attrType = &(sreAttr->attrType); PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit (attrType, &attrBits, plContext), PKIX_LDAPREQUESTATTRTYPETOBITFAILED); /* Is this attrVal a Revocation List? */ if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) & attrBits) == attrBits) { attrVal = sreAttr->val; derCrlItem = *attrVal++; while (derCrlItem != 0) { /* create a PKIX_PL_Crl from derCrl */ derCrlCopy = SECITEM_DupItem(derCrlItem); if (!derCrlCopy) { PKIX_ERROR(PKIX_ALLOCERROR); } /* crl will be based on derCrlCopy, but wont * own the der. */ nssCrl = CERT_DecodeDERCrlWithFlags(NULL, derCrlCopy, SEC_CRL_TYPE, CRL_DECODE_DONT_COPY_DER | CRL_DECODE_SKIP_ENTRIES); if (!nssCrl) { SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); continue; } /* pkix crl own the der. */ PKIX_CHECK( pkix_pl_CRL_CreateWithSignedCRL(nssCrl, derCrlCopy, NULL, &crl, plContext), PKIX_CRLCREATEWITHSIGNEDCRLFAILED); /* Left control over memory pointed by derCrlCopy and * nssCrl to pkix crl. */ derCrlCopy = NULL; nssCrl = NULL; PKIX_CHECK(PKIX_List_AppendItem (crlList, (PKIX_PL_Object *) crl, plContext), PKIX_LISTAPPENDITEMFAILED); PKIX_DECREF(crl); derCrlItem = *attrVal++; } /* Clean up after PKIX_CHECK_ONLY_FATAL */ pkixTempErrorReceived = PKIX_FALSE; } sreAttr = *sreAttrArray++; } PKIX_DECREF(response); } *pCrls = crlList; crlList = NULL; cleanup: if (derCrlCopy) { SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); } if (nssCrl) { SEC_DestroyCrl(nssCrl); } PKIX_DECREF(crl); PKIX_DECREF(crlList); PKIX_DECREF(response); PKIX_RETURN(CERTSTORE); }
/* * FUNCTION: PKIX_PL_CRL_Create (see comments in pkix_pl_pki.h) */ PKIX_Error * PKIX_PL_CRL_Create( PKIX_PL_ByteArray *byteArray, PKIX_PL_CRL **pCrl, void *plContext) { CERTSignedCrl *nssSignedCrl = NULL; SECItem *derCrlItem = NULL; void *derBytes = NULL; PKIX_UInt32 derLength; PKIX_PL_CRL *crl = NULL; PKIX_ENTER(CRL, "PKIX_PL_CRL_Create"); PKIX_NULLCHECK_TWO(byteArray, pCrl); PKIX_CHECK(PKIX_PL_ByteArray_GetLength (byteArray, &derLength, plContext), PKIX_BYTEARRAYGETLENGTHFAILED); if (derLength == 0) { PKIX_ERROR(PKIX_ZEROLENGTHBYTEARRAYFORCRLENCODING); } PKIX_CHECK(PKIX_PL_ByteArray_GetPointer (byteArray, &derBytes, plContext), PKIX_BYTEARRAYGETPOINTERFAILED); PKIX_CRL_DEBUG("\t\tCalling SECITEM_AllocItem\n"); derCrlItem = SECITEM_AllocItem(NULL, NULL, derLength); if (derCrlItem == NULL) { PKIX_ERROR(PKIX_OUTOFMEMORY); } PKIX_CRL_DEBUG("\t\tCalling PORT_Memcpy\n"); (void) PORT_Memcpy(derCrlItem->data, derBytes, derLength); PKIX_CRL_DEBUG("\t\tCalling CERT_DecodeDERCrl\n"); nssSignedCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE); if (nssSignedCrl == NULL) { PKIX_ERROR(PKIX_CERTDECODEDERCRLFAILED); } PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL (nssSignedCrl, &crl, plContext), PKIX_CRLCREATEWITHSIGNEDCRLFAILED); *pCrl = crl; cleanup: if (derCrlItem != NULL) { PKIX_CRL_DEBUG("\t\tCalling SECITEM_FreeItem\n"); SECITEM_FreeItem(derCrlItem, PKIX_TRUE); derCrlItem = NULL; } if (PKIX_ERROR_RECEIVED) { if (nssSignedCrl != NULL) { PKIX_CRL_DEBUG("\t\tCalling CERT_DestroyCrl\n"); CERT_DestroyCrl(nssSignedCrl); nssSignedCrl = NULL; } PKIX_DECREF(crl); } PKIX_FREE(derBytes); PKIX_RETURN(CRL); }