authoralexei.volkov.bugs%sun.com <devnull@localhost>2009-04-14 02:04:08 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2009-04-14 02:04:08 +0000
commit5aa5c7da9c48afa69fdf65768c72289b00014a58 (patch)
treebd86184be1eed52c50532fa70ad4449f0061de7c
parent0682944e3dba3a9bebf36d95439efec4c69b3521 (diff)
391434 - avoid multiple encoding/decoding of PKIX_PL_OID to and from ascii string. r=nelson.
-rw-r--r--security/nss/cmd/lib/SECerrs.h3
-rw-r--r--security/nss/lib/certhigh/certvfypkix.c39
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkix_errorstrings.h1
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkix_pl_system.h43
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkixt.h32
-rw-r--r--security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c16
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_build.c6
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c120
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c48
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c44
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c45
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c2
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c371
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h3
-rw-r--r--security/nss/lib/util/secerr.h2
-rw-r--r--security/nss/lib/util/secoid.c5
-rw-r--r--security/nss/lib/util/secoidt.h2
17 files changed, 228 insertions, 554 deletions
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
index de81429b4..d8757cb01 100644
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -555,3 +555,6 @@ ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168),
ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169),
"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
+
+ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD, (SEC_ERROR_BASE + 170),
+"Unknown information access method in certificate extension.")
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
index 0d9efa2e1..7a3747d90 100644
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -204,7 +204,7 @@ cert_NssKeyUsagesToPkix(
PKIX_RETURN(CERTVFYPKIX);
}
-extern char* ekuOidStrings[];
+extern SECOidTag ekuOidStrings[];
enum {
ekuIndexSSLServer = 0,
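Review bot: The new `extern SECOidTag ekuOidStrings[];` is a hand-maintained copy of the definition in pkix_ekuchecker.c, so this type change is never checked by the compiler: if either side drifts again, the linker still resolves the symbol and the reader silently sees the wrong element type. Declaring the array once in a header both files include (or at least a comment naming the defining file) would make the next change safe. The name also no longer describes the contents, which are SECOidTag values rather than strings; `ekuOidTags` would fit, with pkix_ekuchecker.c updated to match.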
@@ -1431,39 +1431,6 @@ cleanup:
return r;
}
-/* XXX
- * There is no NSS SECItem -> PKIX OID
- * conversion function. For now, I go via the ascii
- * representation
- * this should be in PKIX_PL_*
- */
-
-PKIX_PL_OID *
-CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext)
-{
- char *oidstring = NULL;
- char *oidstring_adj = NULL;
- PKIX_PL_OID *policyOID = NULL;
- SECOidData *data;
-
- data = SECOID_FindOIDByTag(tag);
- if (data != NULL) {
- oidstring = CERT_GetOidString(&data->oid);
- if (oidstring == NULL) {
- goto cleanup;
- }
- oidstring_adj = oidstring;
- if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) {
- oidstring_adj += 4;
- }
-
- PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext);
- }
-cleanup:
- if (oidstring != NULL) PR_smprintf_free(oidstring);
-
- return policyOID;
-}
struct fake_PKIX_PL_CertStruct {
CERTCertificate *nssCert;
@@ -1496,8 +1463,8 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
}
for (i=0; i<oidCount; i++) {
- policyOID = CERT_PKIXOIDFromNSSOid(oids[i],plContext);
- if (policyOID == NULL) {
+ error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
+ if (error) {
goto cleanup;
}
error = PKIX_List_AppendItem(policyList,
diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h
index 57e3a6575..fcc1c39ff 100755
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -1060,6 +1060,7 @@ PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in esta
PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE),
PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS),
PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE),
+PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD),
PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0),
PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0),
PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0),
diff --git a/security/nss/lib/libpkix/include/pkix_pl_system.h b/security/nss/lib/libpkix/include/pkix_pl_system.h
index 447ea1e5e..053942a22 100755
--- a/security/nss/lib/libpkix/include/pkix_pl_system.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_system.h
@@ -1462,20 +1462,11 @@ PKIX_PL_ByteArray_GetLength(
* FUNCTION: PKIX_PL_OID_Create
* DESCRIPTION:
*
- * Creates a new OID using the string pointed to by "stringRep" and stores it
- * at "pOID". The string representation is a null-terminated char * consisting
- * of decimal components separated by dots. All other characters are illegal.
- * The first field must be be 0, 1 or 2. If the first field is 0 or 1, the
- * second field must be between 0 and 39. All fields must be ASCII decimal
- * digits less than or equal to 2^32. Once created, an OID is immutable.
- *
- * The regexp format is as follows:
- * OID := [0,1,2](.NUM)+
- * NUM := [0-9]+
+ * Creates a new OID using NSS oid tag.
*
* PARAMETERS:
- * "stringRep"
- * Address of character data representing an OID. Must be non-NULL.
+ * "idtag"
+ * nss oid id tag.
* "pOID"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
@@ -1489,7 +1480,33 @@ PKIX_PL_ByteArray_GetLength(
*/
PKIX_Error *
PKIX_PL_OID_Create(
- char *stringRep,
+ SECOidTag idtag,
+ PKIX_PL_OID **pOID,
+ void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_OID_CreateBySECItem
+ * DESCRIPTION:
+ *
+ * Creates a new OID using a DER encoded OID stored as SECItem.
+ *
+ * PARAMETERS:
+ * "derOid"
+ * Address of SECItem that holds DER encoded OID.
+ * "pOID"
+ * Address where object pointer will be stored. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns an OID Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OID_CreateBySECItem(
+ SECItem *derOid,
PKIX_PL_OID **pOID,
void *plContext);
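Review bot: `SECItem *derOid` in the new PKIX_PL_OID_CreateBySECItem prototype should be `const SECItem *derOid`: every new caller in this commit passes a pointer into a decoded NSS structure (`&policyInfo->policyID`, `&nssAltName->name.other`, the cert's `subjectPublicKeyInfo.algorithm.algorithm`), and the destructor's `SECITEM_FreeItem(&oid->derOid, PR_FALSE)` in pkix_pl_oid.c indicates the object holds its own copy, so the input need not be writable. The DESCRIPTION block should also spell out that ownership, e.g. `The DER bytes are copied; the caller keeps ownership of "derOid".`, assuming the implementation (outside this chunk) copies rather than aliases the item.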
diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h
index 9a830f6a2..9c509b44b 100755
--- a/security/nss/lib/libpkix/include/pkixt.h
+++ b/security/nss/lib/libpkix/include/pkixt.h
@@ -473,18 +473,26 @@ PKIX_Error* PKIX_ALLOC_ERROR(void);
/*
* Define Certificate Extension hard-coded OID's
*/
-#define PKIX_CERTKEYUSAGE_OID "2.5.29.15"
-#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17"
-#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19"
-#define PKIX_CRLREASONCODE_OID "2.5.29.21"
-#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30"
-#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32"
-#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0"
-#define PKIX_POLICYMAPPINGS_OID "2.5.29.33"
-#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36"
-#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37"
-#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54"
-#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1"
+#define PKIX_UNKNOWN_OID SEC_OID_UNKNOWN
+#define PKIX_CERTKEYUSAGE_OID SEC_OID_X509_KEY_USAGE
+#define PKIX_CERTSUBJALTNAME_OID SEC_OID_X509_SUBJECT_ALT_NAME
+#define PKIX_BASICCONSTRAINTS_OID SEC_OID_X509_BASIC_CONSTRAINTS
+#define PKIX_CRLREASONCODE_OID SEC_OID_X509_REASON_CODE
+#define PKIX_NAMECONSTRAINTS_OID SEC_OID_X509_NAME_CONSTRAINTS
+#define PKIX_CERTIFICATEPOLICIES_OID SEC_OID_X509_CERTIFICATE_POLICIES
+#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY
+#define PKIX_POLICYMAPPINGS_OID SEC_OID_X509_POLICY_MAPPINGS
+#define PKIX_POLICYCONSTRAINTS_OID SEC_OID_X509_POLICY_CONSTRAINTS
+#define PKIX_EXTENDEDKEYUSAGE_OID SEC_OID_X509_EXT_KEY_USAGE
+#define PKIX_INHIBITANYPOLICY_OID SEC_OID_X509_INHIBIT_ANY_POLICY
+#define PKIX_NSCERTTYPE_OID SEC_OID_NS_CERT_EXT_CERT_TYPE
+#define PKIX_KEY_USAGE_SERVER_AUTH_OID SEC_OID_EXT_KEY_USAGE_SERVER_AUTH
+#define PKIX_KEY_USAGE_CLIENT_AUTH_OID SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH
+#define PKIX_KEY_USAGE_CODE_SIGN_OID SEC_OID_EXT_KEY_USAGE_CODE_SIGN
+#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT
+#define PKIX_KEY_USAGE_TIME_STAMP_OID SEC_OID_EXT_KEY_USAGE_TIME_STAMP
+#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID SEC_OID_OCSP_RESPONDER
+
/* Available revocation method types. */
typedef enum PKIX_RevocationMethodTypeEnum {
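Review bot: The block comment `Define Certificate Extension hard-coded OID's` above these macros is now inaccurate twice over: the values are SECOidTag enumerators rather than OID strings, and the block gained extended-key-usage purposes plus `PKIX_UNKNOWN_OID`, which pkix_build.c and pkix_ekuchecker.c use as the terminator of SECOidTag arrays in place of NULL. I would replace it with `/* Hard-coded extension and EKU OIDs as NSS SECOidTag values. PKIX_UNKNOWN_OID (SEC_OID_UNKNOWN) terminates SECOidTag arrays. */`. The `PKIX_KEY_USAGE_*` names also read as KeyUsage bits rather than ExtKeyUsage purposes; `PKIX_EXT_KEY_USAGE_*`, mirroring the SEC_OID_EXT_KEY_USAGE_* values they expand to, would avoid that confusion.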
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
index 0fbf7cccd..736e76194 100644
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
@@ -43,14 +43,14 @@
#include "pkix_ekuchecker.h"
-char *ekuOidStrings[] = {
- "1.3.6.1.5.5.7.3.1", /* id-kp-serverAuth */
- "1.3.6.1.5.5.7.3.2", /* id-kp-clientAuth */
- "1.3.6.1.5.5.7.3.3", /* id-kp-codeSigning */
- "1.3.6.1.5.5.7.3.4", /* id-kp-emailProtection */
- "1.3.6.1.5.5.7.3.8", /* id-kp-timeStamping */
- "1.3.6.1.5.5.7.3.9", /* id-kp-OCSPSigning */
- NULL
+SECOidTag ekuOidStrings[] = {
+ PKIX_KEY_USAGE_SERVER_AUTH_OID,
+ PKIX_KEY_USAGE_CLIENT_AUTH_OID,
+ PKIX_KEY_USAGE_CODE_SIGN_OID,
+ PKIX_KEY_USAGE_EMAIL_PROTECT_OID,
+ PKIX_KEY_USAGE_TIME_STAMP_OID,
+ PKIX_KEY_USAGE_OCSP_RESPONDER_OID,
+ PKIX_UNKNOWN_OID
};
typedef struct pkix_EkuCheckerStruct {
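Review bot: The per-entry comments naming each purpose (`/* id-kp-serverAuth */` through `/* id-kp-OCSPSigning */`) were dropped together with the strings, yet the `ekuIndexSSLServer = 0, ...` enum in certvfypkix.c depends on this exact order, so the order is a contract worth keeping visible. I would restore the comments on the new lines, e.g. `PKIX_KEY_USAGE_SERVER_AUTH_OID, /* id-kp-serverAuth */`, and add `/* order must match the ekuIndex* enum in certvfypkix.c; PKIX_UNKNOWN_OID terminates the array */` above the definition.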
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index a3fa0788c..20aa6d39b 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -53,14 +53,14 @@ extern PRLogModuleInfo *pkixLog;
* checked. Those OIDs need to be removed from the unresolved critical
* extension OIDs list manually (instead of by checker automatically).
*/
-static char *buildCheckedCritExtOIDs[] = {
+static SECOidTag buildCheckedCritExtOIDs[] = {
PKIX_CERTKEYUSAGE_OID,
PKIX_CERTSUBJALTNAME_OID,
PKIX_BASICCONSTRAINTS_OID,
PKIX_NAMECONSTRAINTS_OID,
PKIX_EXTENDEDKEYUSAGE_OID,
PKIX_NSCERTTYPE_OID,
- NULL
+ PKIX_UNKNOWN_OID
};
/* --Private-ForwardBuilderState-Functions---------------------------------- */
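Review bot: `buildCheckedCritExtOIDs` is a fixed table that is only read (the loop in pkix_Build_ValidationCheckers passes its elements to PKIX_PL_OID_Create), so it can be `static const SECOidTag buildCheckedCritExtOIDs[] = {`. With the string pointers gone there is no remaining reason for the array to be writable, and const protects the `PKIX_UNKNOWN_OID` terminator that the loop now depends on; a clobbered terminator would turn that loop into an over-read.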
@@ -1139,7 +1139,7 @@ pkix_Build_ValidationCheckers(
PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
PKIX_LISTCREATEFAILED);
- for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
+ for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
PKIX_CHECK(PKIX_PL_OID_Create
(buildCheckedCritExtOIDs[i], &oid, plContext),
PKIX_OIDCREATEFAILED);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa679c476..c255d2b99 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -146,14 +146,10 @@ pkix_pl_Cert_DecodePolicyInfo(
/* Allocated in the arena; freed in CERT_Destroy... */
CERTCertificatePolicies *certPol = NULL;
CERTPolicyInfo **policyInfos = NULL;
- CERTPolicyInfo *policyInfo = NULL;
- CERTPolicyQualifier **policyQualifiers = NULL;
- CERTPolicyQualifier *policyQualifier = NULL;
/* Holder for the return value */
PKIX_List *infos = NULL;
- char *oidAscii = NULL;
PKIX_PL_OID *pkixOID = NULL;
PKIX_List *qualifiers = NULL;
PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
@@ -204,26 +200,22 @@ pkix_pl_Cert_DecodePolicyInfo(
* building each PKIX_PL_CertPolicyInfo object in turn
*/
while (*policyInfos != NULL) {
- policyInfo = *policyInfos;
- policyQualifiers = policyInfo->policyQualifiers;
+ CERTPolicyInfo *policyInfo = *policyInfos;
+ CERTPolicyQualifier **policyQualifiers =
+ policyInfo->policyQualifiers;
if (policyQualifiers) {
/* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
PKIX_LISTCREATEFAILED);
while (*policyQualifiers != NULL) {
- policyQualifier = *policyQualifiers;
+ CERTPolicyQualifier *policyQualifier =
+ *policyQualifiers;
/* create the qualifier's OID object */
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyQualifier->qualifierID),
- &oidAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (&policyQualifier->qualifierID,
+ &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
/* create qualifier's ByteArray object */
@@ -250,7 +242,6 @@ pkix_pl_Cert_DecodePolicyInfo(
plContext),
PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifierArray);
PKIX_DECREF(certPolicyQualifier);
@@ -269,13 +260,8 @@ pkix_pl_Cert_DecodePolicyInfo(
* (The CERTPolicyInfo structure has an oid field, but it
* is of type SECOidTag. This function wants a SECItem.)
*/
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyInfo->policyID), &oidAscii, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (&policyInfo->policyID, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
/* Create a CertPolicyInfo object */
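Review bot: The retained comment just above the new call, `The CERTPolicyInfo structure has an oid field, but it is of type SECOidTag. This function wants a SECItem.`, now gives the wrong reason: after this commit PKIX_PL_OID_Create itself takes a SECOidTag, so a reader will ask why the tag is not used. The actual reason is that a policy OID may be one NSS has no tag for, in which case `oid` would presumably be SEC_OID_UNKNOWN while `policyID` still holds the exact DER. I would rewrite it as `Build the OID from the DER policyID rather than the SECOidTag field: policies NSS has not registered have no tag, and the DER is authoritative.`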
@@ -288,7 +274,6 @@ pkix_pl_Cert_DecodePolicyInfo(
(infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifiers);
PKIX_DECREF(certPolicyInfo);
@@ -313,7 +298,6 @@ cleanup:
CERT_DestroyCertificatePoliciesExtension(certPol);
}
- PKIX_FREE(oidAscii);
PKIX_DECREF(infos);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifiers);
@@ -362,13 +346,10 @@ pkix_pl_Cert_DecodePolicyMapping(
/* Allocated in the arena; freed in CERT_Destroy... */
CERTCertificatePolicyMappings *certPolMaps = NULL;
CERTPolicyMap **policyMaps = NULL;
- CERTPolicyMap *policyMap = NULL;
/* Holder for the return value */
PKIX_List *maps = NULL;
- char *issuerPolicyOIDAscii = NULL;
- char *subjectPolicyOIDAscii = NULL;
PKIX_PL_OID *issuerDomainOID = NULL;
PKIX_PL_OID *subjectDomainOID = NULL;
PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
@@ -408,30 +389,18 @@ pkix_pl_Cert_DecodePolicyMapping(
* building each CertPolicyMap object in turn
*/
do {
- policyMap = *policyMaps;
+ CERTPolicyMap *policyMap = *policyMaps;
/* create the OID for the issuer Domain Policy */
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyMap->issuerDomainPolicy),
- &issuerPolicyOIDAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (issuerPolicyOIDAscii, &issuerDomainOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (&policyMap->issuerDomainPolicy,
+ &issuerDomainOID, plContext),
PKIX_OIDCREATEFAILED);
/* create the OID for the subject Domain Policy */
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyMap->subjectDomainPolicy),
- &subjectPolicyOIDAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (subjectPolicyOIDAscii, &subjectDomainOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (&policyMap->subjectDomainPolicy,
+ &subjectDomainOID, plContext),
PKIX_OIDCREATEFAILED);
/* create the CertPolicyMap */
@@ -447,8 +416,6 @@ pkix_pl_Cert_DecodePolicyMapping(
(maps, (PKIX_PL_Object *)certPolicyMap, plContext),
PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(issuerPolicyOIDAscii);
- PKIX_FREE(subjectPolicyOIDAscii);
PKIX_DECREF(issuerDomainOID);
PKIX_DECREF(subjectDomainOID);
PKIX_DECREF(certPolicyMap);
@@ -469,8 +436,6 @@ cleanup:
CERT_DestroyPolicyMappingsExtension(certPolMaps);
}
- PKIX_FREE(issuerPolicyOIDAscii);
- PKIX_FREE(subjectPolicyOIDAscii);
PKIX_DECREF(maps);
PKIX_DECREF(issuerDomainOID);
PKIX_DECREF(subjectDomainOID);
@@ -2052,43 +2017,32 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
PKIX_PL_OID **pSubjKeyAlgId,
void *plContext)
{
- CERTCertificate *nssCert = NULL;
PKIX_PL_OID *pubKeyAlgId = NULL;
- SECAlgorithmID algorithm;
- SECItem algBytes;
- char *asciiOID = NULL;
PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
/* if we don't have a cached copy from before, we create one */
if (cert->publicKeyAlgId == NULL){
-
PKIX_OBJECT_LOCK(cert);
-
if (cert->publicKeyAlgId == NULL){
-
- nssCert = cert->nssCert;
- algorithm = nssCert->subjectPublicKeyInfo.algorithm;
- algBytes = algorithm.algorithm;
-
- PKIX_NULLCHECK_ONE(algBytes.data);
- if (algBytes.len == 0) {
- PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
+ CERTCertificate *nssCert = cert->nssCert;
+ SECAlgorithmID *algorithm;
+ SECItem *algBytes;
+
+ algorithm = &nssCert->subjectPublicKeyInfo.algorithm;
+ algBytes = &algorithm->algorithm;
+ if (!algBytes->data || !algBytes->len) {
+ PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
}
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&algBytes, &asciiOID, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (asciiOID, &pubKeyAlgId, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (algBytes, &pubKeyAlgId, plContext),
PKIX_OIDCREATEFAILED);
/* save a cached copy in case it is asked for again */
cert->publicKeyAlgId = pubKeyAlgId;
+ pubKeyAlgId = NULL;
}
-
PKIX_OBJECT_UNLOCK(cert);
}
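Review bot: The new `if (!algBytes->data || !algBytes->len) PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);` treats a malformed certificate's empty algorithm identifier as a fatal library error, while the parallel new code in pkix_pl_crl.c (pkix_pl_CRL_GetSignatureAlgId) uses `PKIX_ERROR(PKIX_OIDBYTESLENGTH0)` for the identical condition. An empty OID in a certificate is untrusted input rather than a broken internal invariant, so the certificate path should fail validation the way the CRL path does; `PKIX_ERROR(PKIX_ALGORITHMBYTESLENGTH0)` brings the two in line. In both functions the error is raised while PKIX_OBJECT_LOCK is held, and whether the jump to `cleanup` releases that lock depends on the PKIX_ERROR macro and the cleanup label outside this hunk, so that path deserves a look. The rest of PKIX_PL_Cert_GetSubjectPublicKeyAlgId lies outside the hunk.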
@@ -2096,7 +2050,7 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
*pSubjKeyAlgId = cert->publicKeyAlgId;
cleanup:
- PKIX_FREE(asciiOID);
+ PKIX_DECREF(pubKeyAlgId);
PKIX_RETURN(CERT);
}
@@ -2413,9 +2367,7 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
CERTCertificate *nssCert = NULL;
PKIX_PL_OID *pkixOID = NULL;
PKIX_List *oidsList = NULL;
- char *oidAscii = NULL;
SECItem **oids = NULL;
- SECItem *oid = NULL;
SECItem encodedExtKeyUsage;
SECStatus rv;
@@ -2462,14 +2414,10 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
PKIX_LISTCREATEFAILED);
while (*oids){
- oid = *oids++;
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (oid, &oidAscii, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
+ SECItem *oid = *oids++;
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (oid, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
@@ -2477,9 +2425,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
(PKIX_PL_Object *)pkixOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
-
- PKIX_FREE(oidAscii);
-
PKIX_DECREF(pkixOID);
}
@@ -2501,7 +2446,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
cleanup:
PKIX_OBJECT_UNLOCK(lockedObject);
- PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(oidsList);
CERT_DestroyOidSequence(extKeyUsage);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
index b7bbc059b..e757b0202 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
@@ -207,54 +207,36 @@ pkix_pl_CRL_GetSignatureAlgId(
PKIX_PL_OID **pSignatureAlgId,
void *plContext)
{
- CERTCrl *nssCrl = NULL;
PKIX_PL_OID *signatureAlgId = NULL;
- SECAlgorithmID algorithm;
- SECItem algBytes;
- char *asciiOID = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId");
PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId);
/* if we don't have a cached copy from before, we create one */
if (crl->signatureAlgId == NULL){
-
PKIX_OBJECT_LOCK(crl);
-
if (crl->signatureAlgId == NULL){
-
- nssCrl = &(crl->nssSignedCrl->crl);
- algorithm = nssCrl->signatureAlg;
- algBytes = algorithm.algorithm;
-
- PKIX_NULLCHECK_ONE(algBytes.data);
- if (algBytes.len == 0) {
- PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0);
- }
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&algBytes, &asciiOID, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (asciiOID, &signatureAlgId, plContext),
- PKIX_OIDCREATEFAILED);
-
- /* save a cached copy in case it is asked for again */
- crl->signatureAlgId = signatureAlgId;
+ CERTCrl *nssCrl = &(crl->nssSignedCrl->crl);
+ SECAlgorithmID *algorithm = &nssCrl->signatureAlg;
+ SECItem *algBytes = &algorithm->algorithm;
+
+ if (!algBytes->data || !algBytes->len) {
+ PKIX_ERROR(PKIX_OIDBYTESLENGTH0);
+ }
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+ (algBytes, &signatureAlgId, plContext),
+ PKIX_OIDCREATEFAILED);
+
+ /* save a cached copy in case it is asked for again */
+ crl->signatureAlgId = signatureAlgId;
+ signatureAlgId = NULL;
}
-
PKIX_OBJECT_UNLOCK(crl);
-
}
-
PKIX_INCREF(crl->signatureAlgId);
*pSignatureAlgId = crl->signatureAlgId;
-
cleanup:
-
- PKIX_FREE(asciiOID);
-
+ PKIX_DECREF(signatureAlgId);
PKIX_RETURN(CRL);
}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
index b4056f320..b4f74541e 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
@@ -241,9 +241,6 @@ pkix_pl_GeneralName_Create(
OtherName *otherName = NULL;
CERTGeneralNameList *nssGenNameList = NULL;
CERTGeneralNameType nameType;
- SECItem *secItem = NULL;
- char *asciiName = NULL;
- SECStatus rv;
PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create");
PKIX_NULLCHECK_TWO(nssAltName, pGenName);
@@ -308,12 +305,8 @@ pkix_pl_GeneralName_Create(
genName->directoryName = pkixDN;
break;
case certRegisterID:
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&nssAltName->name.other, &asciiName, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext),
+ PKIX_CHECK(PKIX_PL_OID_CreateBySECItem(&nssAltName->name.other,
+ &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
genName->oid = pkixOID;
@@ -324,39 +317,20 @@ pkix_pl_GeneralName_Create(
case certRFC822Name:
case certX400Address:
case certURI:
-
- PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
- secItem = SECITEM_AllocItem(NULL, NULL, 0);
- if (secItem == NULL){
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
-
- PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
- rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other);
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
-
- genName->other = secItem;
+ genName->other = SECITEM_DupItem(&nssAltName->name.other);
+ if (!genName->other) {
+ PKIX_ERROR(PKIX_OUTOFMEMORY);
+ }
break;
default:
PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED);
}
*pGenName = genName;
-cleanup:
-
- PKIX_FREE(asciiName);
+ genName = NULL;
- if (PKIX_ERROR_RECEIVED){
- PKIX_DECREF(genName);
- if (secItem){
- PKIX_GENERALNAME_DEBUG
- ("\t\tCalling SECITEM_FreeItem).\n");
- SECITEM_FreeItem(secItem, PR_TRUE);
- secItem = NULL;
- }
- }
+cleanup:
+ PKIX_DECREF(genName);
PKIX_RETURN(GENERALNAME);
}
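Review bot: The new ownership hand-off `*pGenName = genName; genName = NULL;` followed by `cleanup: PKIX_DECREF(genName);` is correct but unexplained, and it quietly changes what the error path relies on: previously `secItem` was freed explicitly, now the `SECITEM_DupItem` result stored in `genName->other` must be released by the GeneralName destructor when `PKIX_DECREF(genName)` runs on failure. I would add `/* ownership of genName passes to the caller; clear the local so the DECREF in cleanup only fires on the error path */` before `genName = NULL;`, and confirm that the destructor (outside this hunk) frees `other`.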
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
index 996544cc3..c7a2c1691 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -43,16 +43,6 @@
#include "pkix_pl_infoaccess.h"
-/* XXX Following SEC_OID_PKIX defines should be merged in NSS */
-#define SEC_OID_PKIX_CA_REPOSITORY 1003
-#define SEC_OID_PKIX_TIMESTAMPING 1005
-/* XXX Following OID defines hould be moved to NSS */
-static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05,
- 0x05, 0x07, 0x030, 0x03};
-static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05,
- 0x05, 0x07, 0x030, 0x05};
-
-
/* --Private-InfoAccess-Functions----------------------------------*/
/*
@@ -415,37 +405,6 @@ pkix_pl_InfoAccess_CreateList(
PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n");
method = SECOID_FindOIDTag(&nssInfoAccess[i]->method);
-
- if (method == 0) {
-
- /* XXX
- * This part of code is definitely hacking, need NSS decode
- * support. We can reuse the CERT_DecodeAuthInfoAccessExtension
- * since SIA and AIA are all the same type. However NSS need
- * to add SIA, CaRepository, TimeStamping OID definitions and
- * the numerical method, timeStamping and caRepository values.
- *
- * We assume now, since method is 0, implies the method for SIA
- * was not decoded by CERT_DecodeAuthInfoAccessExtension()
- * so we compare and put value in. This part should be taken
- * out eventually if CERT_DecodeInfoAccessExtension (*renamed*)
- * is doing the job.
- */
-
- PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n");
- if (PORT_Strncmp
- ((char *)nssInfoAccess[i]->method.data,
- (char *)siaTimeStampingOID,
- nssInfoAccess[i]->method.len) == 0) {
- method = SEC_OID_PKIX_TIMESTAMPING;
- } else if (PORT_Strncmp
- ((char *)nssInfoAccess[i]->method.data,
- (char *)siaCaRepositoryOID,
- nssInfoAccess[i]->method.len) == 0) {
- method = SEC_OID_PKIX_CA_REPOSITORY;
- }
- }
-
/* Map NSS access method value into PKIX constant */
switch(method) {
case SEC_OID_PKIX_CA_ISSUERS:
@@ -461,7 +420,7 @@ pkix_pl_InfoAccess_CreateList(
method = PKIX_INFOACCESS_CA_REPOSITORY;
break;
default:
- break;
+ PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD);
}
PKIX_CHECK(pkix_pl_InfoAccess_Create
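Review bot: Turning the `default:` branch into `PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD)` makes one unrecognised accessMethod OID fail construction of the whole InfoAccess list, yet AIA and SIA are extensible, non-critical extensions (RFC 5280 allows additional access descriptors to be defined elsewhere), so a certificate carrying a newer accessMethod is now rejected instead of having that entry ignored. Skipping the entry, `default: continue; /* unknown accessMethod: not an error, ignore this AccessDescription */`, keeps the recognised entries usable; the loop over `nssInfoAccess[i]` starts outside the hunk, so check that `continue` advances it correctly. If rejecting is intentional, the reason belongs in a comment next to the `default:`.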
@@ -650,7 +609,7 @@ pkix_pl_InfoAccess_ParseTokens(
*/
if (numFilters > 2) numFilters = 2;
- filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1);
+ filterP = PORT_ArenaZNewArray(arena, char*, numFilters+1);
if (filterP == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
index 6fb1bf18c..0eba65a26 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -525,7 +525,7 @@ pkix_pl_OcspResponse_Create(
rv = (*hcv1->trySendAndReceiveFcn)(sessionRequest,
(PRPollDesc **)&nbioContext,
&responseCode,
- &responseContentType,
+ (const char **)&responseContentType,
NULL, /* responseHeaders */
(const char **)&responseData,
&responseDataLen);
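Review bot: The cast `(const char **)&responseContentType` silences the mismatch at the call site instead of fixing the declaration: passing a `char **` as `const char **` lets the callee store a pointer to read-only data into a slot the caller treats as writable. The same call already carries `(const char **)&responseData`, so the cleaner fix is to declare both locals `const char *` in pkix_pl_OcspResponse_Create (outside the hunk) and drop both casts, provided nothing in the function writes through or frees them.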
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
index b0333a126..69c8a9f87 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -45,7 +45,7 @@
/* --Private-OID-Functions---------------------------------------- */
-/*
+ /*
* FUNCTION: pkix_pl_OID_Comparator
* (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
*/
@@ -53,15 +53,14 @@ static PKIX_Error *
pkix_pl_OID_Comparator(
PKIX_PL_Object *firstObject,
PKIX_PL_Object *secondObject,
- PKIX_Int32 *pResult,
+ PKIX_Int32 *pRes,
void *plContext)
{
PKIX_PL_OID *firstOID = NULL;
PKIX_PL_OID *secondOID = NULL;
- PKIX_UInt32 minLength;
PKIX_ENTER(OID, "pkix_pl_OID_Comparator");
- PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+ PKIX_NULLCHECK_THREE(firstObject, secondObject, pRes);
PKIX_CHECK(pkix_CheckTypes
(firstObject, secondObject, PKIX_OID_TYPE, plContext),
@@ -70,19 +69,8 @@ pkix_pl_OID_Comparator(
firstOID = (PKIX_PL_OID*)firstObject;
secondOID = (PKIX_PL_OID*)secondObject;
- *pResult = 0;
-
- minLength = (firstOID->length < secondOID->length)?
- firstOID->length:
- secondOID->length;
-
- /* Check if both array contents are identical */
- PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n");
- *pResult = PORT_Memcmp
- (firstOID->components,
- secondOID->components,
- minLength * sizeof (PKIX_UInt32));
-
+ *pRes = (PKIX_Int32)SECITEM_CompareItem(&firstOID->derOid,
+ &secondOID->derOid);
cleanup:
PKIX_RETURN(OID);
}
@@ -103,14 +91,10 @@ pkix_pl_OID_Destroy(
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
-
oid = (PKIX_PL_OID*)object;
-
- PKIX_FREE(oid->components);
- oid->length = 0;
+ SECITEM_FreeItem(&oid->derOid, PR_FALSE);
cleanup:
-
PKIX_RETURN(OID);
}
@@ -124,7 +108,7 @@ pkix_pl_OID_Hashcode(
PKIX_UInt32 *pHashcode,
void *plContext)
{
- PKIX_PL_OID *pkixOID = NULL;
+ PKIX_PL_OID *oid = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_HashCode");
PKIX_NULLCHECK_TWO(object, pHashcode);
@@ -132,11 +116,11 @@ pkix_pl_OID_Hashcode(
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
- pkixOID = (PKIX_PL_OID *)object;
+ oid = (PKIX_PL_OID *)object;
PKIX_CHECK(pkix_hash
- ((unsigned char *)pkixOID->components,
- pkixOID->length * sizeof (PKIX_UInt32),
+ ((unsigned char *)oid->derOid.data,
+ oid->derOid.len * sizeof (char),
pHashcode,
plContext),
PKIX_HASHFAILED);
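Review bot: `oid->derOid.len * sizeof (char)` on the new line multiplies by a constant that is 1 by definition; it reads as a leftover of the old `length * sizeof (PKIX_UInt32)` form. `oid->derOid.len,` says the same thing. Hashing the raw DER bytes is consistent with the comparator now using SECITEM_CompareItem on `derOid`, so OIDs that compare equal keep equal hashes.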
@@ -157,7 +141,7 @@ pkix_pl_OID_Equals(
void *plContext)
{
PKIX_UInt32 secondType;
- PKIX_Int32 cmpResult;
+ SECComparison cmpResult;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
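Review bot: Changing `cmpResult` to `SECComparison` while the comparator it is handed to (presumably pkix_pl_OID_Comparator, whose third parameter is now `PKIX_Int32 *pRes`) still takes an int pointer makes `&cmpResult` in the later `(first, second, &cmpResult, plContext)` call a `SECComparison *` passed where a `PKIX_Int32 *` is expected: an incompatible pointer type, and the store through it writes an object through a different declared type. Keep `PKIX_Int32 cmpResult;` here and compare with `*pResult = (cmpResult == SECEqual);` in the following hunk; the `(PKIX_Int32)SECITEM_CompareItem(...)` cast the comparator already performs shows the int form is the intended one.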
@@ -174,9 +158,7 @@ pkix_pl_OID_Equals(
* Do a quick check that the second object is an OID.
* If so, check that their lengths are equal.
*/
- if ((secondType != PKIX_OID_TYPE)||
- (((PKIX_PL_OID*)first)->length !=
- ((PKIX_PL_OID*)second)->length)) {
+ if (secondType != PKIX_OID_TYPE) {
goto cleanup;
}
@@ -184,8 +166,7 @@ pkix_pl_OID_Equals(
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);
- *pResult = (cmpResult == 0);
-
+ *pResult = (cmpResult == SECEqual);
cleanup:
PKIX_RETURN(OID);
@@ -194,6 +175,8 @@ cleanup:
/*
* FUNCTION: pkix_pl_OID_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ * Use this function only for printing OIDs and not to make any
+ * critical security decision.
*/
static PKIX_Error *
pkix_pl_OID_ToString(
@@ -201,31 +184,23 @@ pkix_pl_OID_ToString(
PKIX_PL_String **pString,
void *plContext)
{
- PKIX_UInt32 *components = NULL;
- PKIX_UInt32 length;
- char *ascii = NULL;
+ PKIX_PL_OID *oid = NULL;
+ char *oidString = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_toString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
-
- components = ((PKIX_PL_OID*)object)->components;
- length = ((PKIX_PL_OID*)object)->length;
-
- PKIX_CHECK(pkix_pl_helperBytes2Ascii
- (components, length, &ascii, plContext),
- PKIX_HELPERBYTES2ASCIIFAILED);
-
+ oid = (PKIX_PL_OID*)object;
+ oidString = CERT_GetOidString(&oid->derOid);
+
PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, ascii, 0, pString, plContext),
+ (PKIX_ESCASCII, oidString , 0, pString, plContext),
PKIX_STRINGCREATEFAILED);
-
cleanup:
-
- PKIX_FREE(ascii);
-
+ PR_smprintf_free(oidString);
+
PKIX_RETURN(OID);
}
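Review bot: `oidString = CERT_GetOidString(&oid->derOid);` is passed straight to PKIX_PL_String_Create without a NULL check; CERT_GetOidString allocates and can return NULL (the removed CERT_PKIXOIDFromNSSOid in certvfypkix.c checked for exactly that), so an allocation failure becomes whatever PKIX_PL_String_Create does with a NULL pointer. Add `if (!oidString) { PKIX_ERROR(PKIX_OUTOFMEMORY); }` before the create call. The removed code also stripped a leading `OID.` from CERT_GetOidString's output, so ToString presumably now yields `OID.2.5.29.15` where it previously yielded the bare dotted form; the new "printing only" comment is the right caveat, but the format change should be stated there, e.g. `The string carries NSS's "OID." prefix.` The stray space in `oidString , 0` should go as well.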
@@ -244,88 +219,19 @@ PKIX_Error *
pkix_pl_OID_RegisterSelf(
void *plContext)
{
-
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
- pkix_ClassTable_Entry entry;
+ pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OID_TYPE];
PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf");
- entry.description = "OID";
- entry.objCounter = 0;
- entry.typeObjectSize = sizeof(PKIX_PL_OID);
- entry.destructor = pkix_pl_OID_Destroy;
- entry.equalsFunction = pkix_pl_OID_Equals;
- entry.hashcodeFunction = pkix_pl_OID_Hashcode;
- entry.toStringFunction = pkix_pl_OID_ToString;
- entry.comparator = pkix_pl_OID_Comparator;
- entry.duplicateFunction = pkix_duplicateImmutable;
-
- systemClasses[PKIX_OID_TYPE] = entry;
-
- PKIX_RETURN(OID);
-}
-
-/*
- * FUNCTION: pkix_pl_OID_GetNextToken
- * DESCRIPTION:
- *
- * This function is essentially a thread safe version of strtok, except
- * that we always use '.' (dot) for the token separator.
- *
- * Searches for tokens in the string pointed to by "input", using '.' (dot)
- * as the token separator. If "input" contains multiple tokens, the first
- * token is stored at "pToken", the character immediately follow the first
- * token is replaced by a null character, and the rekmainder of "input" is
- * stored at "pRem". If no additional tokens are available, this function
- * stores NULL at "pToken".
- *
- * PARAMETERS
- * "input"
- * Address of string to be tokenized. May be NULL.
- * "pToken"
- * Destination for OID token. Must be non-NULL.
- * "pRem"
- * Destination for pointer to remainder of string. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OID Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-static PKIX_Error *
-pkix_pl_OID_GetNextToken(
- char *input,
- char **pToken,
- char **pRem,
- void *plContext)
-{
- char *token = input;
-
- PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken");
- PKIX_NULLCHECK_TWO(pToken, pRem);
-
- if (token == NULL){
- *pToken = token;
- goto cleanup;
- }
-
- while (*input != '.' && *input != '\0'){
- input++;
- }
-
- if (*input == '.'){
- *input = 0;
- *pRem = input + 1;
- } else { /* NULL case */
- *pRem = NULL;
- }
-
- *pToken = token;
-
-cleanup:
+ entry->description = "OID";
+ entry->typeObjectSize = sizeof(PKIX_PL_OID);
+ entry->destructor = pkix_pl_OID_Destroy;
+ entry->equalsFunction = pkix_pl_OID_Equals;
+ entry->hashcodeFunction = pkix_pl_OID_Hashcode;
+ entry->toStringFunction = pkix_pl_OID_ToString;
+ entry->comparator = pkix_pl_OID_Comparator;
+ entry->duplicateFunction = pkix_duplicateImmutable;
PKIX_RETURN(OID);
}
@@ -357,11 +263,7 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
void *plContext)
{
PKIX_List *oidsList = NULL;
- CERTCertExtension *extension = NULL;
PKIX_PL_OID *pkixOID = NULL;
- SECItem critical;
- SECItem oid;
- char *oidAscii = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
PKIX_NULLCHECK_ONE(pOidsList);
@@ -369,40 +271,28 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
PKIX_LISTCREATEFAILED);
- if (extensions){
-
- while (*extensions){
- extension = *extensions++;
-
- PKIX_NULLCHECK_ONE(extension);
-
- /* extension is critical */
- critical = extension->critical;
-
- if (critical.len != 0){
-
- if (critical.data[0] == 0xff) {
- oid = extension->id;
-
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&oid, &oidAscii, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(PKIX_List_AppendItem
- (oidsList,
- (PKIX_PL_Object *)pkixOID,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
- }
- }
-
- PKIX_FREE(oidAscii);
- PKIX_DECREF(pkixOID);
+ if (extensions) {
+ while (*extensions) {
+ CERTCertExtension *extension = NULL;
+ SECItem *critical = NULL;
+ SECItem *oid = NULL;
+
+ extension = *extensions++;
+ /* extension is critical ? */
+ critical = &extension->critical;
+ if (critical->len == 0 || critical->data[0] == 0) {
+ continue;
}
+ oid = &extension->id;
+ PKIX_CHECK(
+ PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext),
+ PKIX_OIDCREATEFAILED);
+ PKIX_CHECK(
+ PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID,
+ plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+ PKIX_DECREF(pkixOID);
+ }
}
*pOidsList = oidsList;
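Review bot: The criticality test on `critical->data[0]` changes from requiring the DER BOOLEAN encoding 0xff to accepting any non-zero byte, a behavioral change that the commit message (which is about OID encode/decode round-trips) does not mention. If the caller rejects certificates carrying unhandled critical extensions, as the function name suggests, misclassifying a non-canonical BOOLEAN toward "critical" is the safe direction, but the next reader should not have to rediscover that, so add `/* Any non-zero BOOLEAN value counts as critical (BER-tolerant; DER TRUE is 0xff). */` above the test. pkix_pl_OID_GetCriticalExtensionOIDs begins outside this hunk.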
@@ -410,7 +300,6 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
cleanup:
PKIX_DECREF(oidsList);
- PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_RETURN(OID);
}
@@ -418,137 +307,59 @@ cleanup:
/* --Public-Functions------------------------------------------------------- */
/*
- * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
+ * FUNCTION: PKIX_PL_OID_CreateBySECItem (see comments in pkix_pl_system.h)
*/
PKIX_Error *
-PKIX_PL_OID_Create(
- char *stringRep,
+PKIX_PL_OID_CreateBySECItem(
+ SECItem *derOid,
PKIX_PL_OID **pOID,
void *plContext)
{
PKIX_PL_OID *oid = NULL;
- char *strCpy1 = NULL;
- char *strCpy2 = NULL;
- char *token = NULL;
- PKIX_UInt32 numTokens, i, length;
- PKIX_UInt32 value;
- PKIX_Boolean firstFieldTwo;
- PKIX_UInt32 *components = NULL;
- char *rem = NULL;
-
- PKIX_ENTER(OID, "PKIX_PL_OID_Create");
- PKIX_NULLCHECK_TWO(pOID, stringRep);
-
- PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
- length = PL_strlen(stringRep);
-
- if (length < 3) {
- PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT);
- }
-
- for (i = 0; i < length; i++) {
- if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) {
- PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID);
- }
- }
-
- /* Check that string doesn't have extra dots */
- if ((stringRep[0] == '.') ||
- (stringRep[length-1] == '.')||
- (PL_strstr(stringRep, "..") != NULL)) {
- PKIX_ERROR(PKIX_ILLEGALDOTINOID);
- }
-
- PKIX_OID_DEBUG("\tCalling PL_strdup).\n");
-
- strCpy1 = PL_strdup(stringRep);
- strCpy2 = PL_strdup(stringRep);
-
- /* Validate and tally the number of tokens */
-
- PKIX_CHECK(pkix_pl_OID_GetNextToken
- (strCpy1, &token, &rem, plContext),
- PKIX_OIDGETNEXTTOKENFAILED);
-
- for (numTokens = 0; token != NULL; numTokens++){
- if (numTokens == 0) {
- /* We know the string is all digits */
- PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
- value = PORT_Atoi(token);
- if (value > 2) {
- PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02);
- }
-
- /* Set a flag if the first field is 2 */
- firstFieldTwo = (value == 2);
- } else if (numTokens == 1) {
- PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
- value = PORT_Atoi(token);
- if ((!firstFieldTwo)&&(value > 39)) {
- PKIX_ERROR
- (PKIX_SECONDFIELDMUSTBEBETWEEN039);
- }
- }
-
- /* Check for 32-bit overflow */
- if (pkix_pl_UInt32_Overflows(token)){
- PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG);
- }
-
- PKIX_CHECK(pkix_pl_OID_GetNextToken
- (rem, &token, &rem, plContext),
- PKIX_OIDGETNEXTTOKENFAILED);
- }
-
- if (numTokens < 2) {
- PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS);
- }
-
- PKIX_CHECK(PKIX_PL_Malloc
- (numTokens * sizeof (PKIX_UInt32),
- (void **)&components, plContext),
- PKIX_MALLOCFAILED);
-
- PKIX_CHECK(pkix_pl_OID_GetNextToken
- (strCpy2, &token, &rem, plContext),
- PKIX_OIDGETNEXTTOKENFAILED);
-
- for (i = 0; token != NULL; i++){
- PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
- components[i] = PORT_Atoi(token);
-
- PKIX_CHECK(pkix_pl_OID_GetNextToken
- (rem, &token, &rem, plContext),
- PKIX_OIDGETNEXTTOKENFAILED);
- }
+ SECStatus rv;
+
+ PKIX_ENTER(OID, "PKIX_PL_OID_CreateBySECItem");
+ PKIX_NULLCHECK_TWO(pOID, derOid);
PKIX_CHECK(PKIX_PL_Object_Alloc
- (PKIX_OID_TYPE,
+ (PKIX_OID_TYPE,
sizeof (PKIX_PL_OID),
(PKIX_PL_Object **)&oid,
plContext),
PKIX_COULDNOTCREATEOBJECT);
-
- oid->length = numTokens;
- oid->components = components;
-
- *pOID = oid;
-
-cleanup:
-
- if (strCpy1){
- PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
- PL_strfree(strCpy1);
+ rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid);
+ if (rv != SECFailure) {
+ *pOID = oid;
+ oid = NULL;
}
+
+cleanup:
+ PKIX_DECREF(oid);
+
+ PKIX_RETURN(OID);
+}
- if (strCpy2){
- PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
- PL_strfree(strCpy2);
- }
+/*
+ * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_OID_Create(
+ SECOidTag idtag,
+ PKIX_PL_OID **pOID,
+ void *plContext)
+{
+ SECOidData *oidData = NULL;
+
+ PKIX_ENTER(OID, "PKIX_PL_OID_Create");
+ PKIX_NULLCHECK_ONE(pOID);
- if (PKIX_ERROR_RECEIVED){
- PKIX_FREE(components);
+ oidData = SECOID_FindOIDByTag((SECOidTag)idtag);
+ if (!oidData) {
+ PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED);
}
-
+
+ pkixErrorResult =
+ PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext);
+cleanup:
PKIX_RETURN(OID);
}
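Review bot: In PKIX_PL_OID_CreateBySECItem a failed `SECITEM_CopyItem` is never turned into an error: the `if (rv != SECFailure)` body is skipped, the half-built object is released at cleanup, and the function returns with pkixErrorResult still NULL and *pOID never written, so a caller that checks only the returned PKIX_Error sees success and reads an unset pointer. Report the failure explicitly, comparing against the success value rather than the failure value: `if (rv != SECSuccess) { PKIX_ERROR(PKIX_MALLOCFAILED); }` followed by the unconditional `*pOID = oid; oid = NULL;` (PKIX_MALLOCFAILED is the code the removed PKIX_PL_Malloc path used for the same condition; use whichever allocation-failure code the module prefers). In PKIX_PL_OID_Create the direct assignment to pkixErrorResult is correct because PKIX_RETURN propagates it, but wrapping the call in PKIX_CHECK would match the rest of the file, and the `(SECOidTag)idtag` cast is a no-op on a parameter that already has that type.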
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
index d0327909e..2660ae8b2 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
@@ -51,8 +51,7 @@ extern "C" {
#endif
struct PKIX_PL_OIDStruct {
- PKIX_UInt32 *components;
- PKIX_UInt32 length;
+ SECItem derOid;
};
/* see source file for function documentation */
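Review bot: The struct's only member gains no comment, and the header's "see source file" pointer covers functions, not the data layout, so a reader cannot tell whether derOid borrows or owns its bytes. PKIX_PL_OID_CreateBySECItem fills it with SECITEM_CopyItem, so it is an owned copy; I cannot see the destructor from this hunk, so confirm it frees the item. Suggested comment: `SECItem derOid; /* encoded OID value; owned copy made by PKIX_PL_OID_CreateBySECItem */`.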
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
index 0c29838cc..48438c88c 100644
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -225,6 +225,8 @@ SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167),
SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168),
SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169),
+SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170),
+
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST
} SECErrorCodes;
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 287e15453..7e8c1b6e1 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -361,6 +361,8 @@ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
+CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
+
CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
@@ -1586,6 +1588,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
OD( seed_CBC, SEC_OID_SEED_CBC,
"SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
+ OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY,
+ "Certificate Policies AnyPolicy",
+ CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
};
/* PRIVATE EXTENDED SECOID Table
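Review bot: The new table entry classifies 2.5.29.32.0 (anyPolicy) as `UNSUPPORTED_CERT_EXTENSION`, but anyPolicy is a policy identifier that appears inside the certificatePolicies extension, not an extension OID in its own right; the seed_CBC entry directly above uses `INVALID_CERT_EXTENSION` for a non-extension OID, and that is the consistent classification here: `CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),`. Marking it as an (unsupported) extension risks any code that consults the extension-support field of SECOidData treating a policy OID as an extension it must handle. The consumers of that field are not visible from this hunk, so confirm against them before changing the constant.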
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 5457deabc..9ce5eb9be 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -448,6 +448,8 @@ typedef enum {
SEC_OID_SEED_CBC = 302,
+ SEC_OID_X509_ANY_POLICY = 303,
+
SEC_OID_TOTAL
} SECOidTag;