diff options
author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-04-14 02:04:08 +0000 |
---|---|---|
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-04-14 02:04:08 +0000 |
commit | 5aa5c7da9c48afa69fdf65768c72289b00014a58 (patch) | |
tree | bd86184be1eed52c50532fa70ad4449f0061de7c | |
parent | 0682944e3dba3a9bebf36d95439efec4c69b3521 (diff) | |
download | nss-hg-5aa5c7da9c48afa69fdf65768c72289b00014a58.tar.gz |
391434 - avoid multiple encoding/decoding of PKIX_PL_OID to and from ascii string. r=nelson.
17 files changed, 228 insertions, 554 deletions
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h index de81429b4..d8757cb01 100644 --- a/security/nss/cmd/lib/SECerrs.h +++ b/security/nss/cmd/lib/SECerrs.h @@ -555,3 +555,6 @@ ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168), ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169), "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.") + +ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD, (SEC_ERROR_BASE + 170), +"Unknown information access method in certificate extension.") diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 0d9efa2e1..7a3747d90 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -204,7 +204,7 @@ cert_NssKeyUsagesToPkix( PKIX_RETURN(CERTVFYPKIX); } -extern char* ekuOidStrings[]; +extern SECOidTag ekuOidStrings[]; enum { ekuIndexSSLServer = 0, @@ -1431,39 +1431,6 @@ cleanup: return r; } -/* XXX - * There is no NSS SECItem -> PKIX OID - * conversion function. For now, I go via the ascii - * representation - * this should be in PKIX_PL_* - */ - -PKIX_PL_OID * -CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext) -{ - char *oidstring = NULL; - char *oidstring_adj = NULL; - PKIX_PL_OID *policyOID = NULL; - SECOidData *data; - - data = SECOID_FindOIDByTag(tag); - if (data != NULL) { - oidstring = CERT_GetOidString(&data->oid); - if (oidstring == NULL) { - goto cleanup; - } - oidstring_adj = oidstring; - if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) { - oidstring_adj += 4; - } - - PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext); - } -cleanup: - if (oidstring != NULL) PR_smprintf_free(oidstring); - - return policyOID; -} struct fake_PKIX_PL_CertStruct { CERTCertificate *nssCert; @@ -1496,8 +1463,8 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon } for (i=0; i<oidCount; i++) { - policyOID = CERT_PKIXOIDFromNSSOid(oids[i],plContext); - if (policyOID == NULL) { + error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); + if (error) { goto cleanup; } error = PKIX_List_AppendItem(policyList, diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h index 57e3a6575..fcc1c39ff 100755 --- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h @@ -1060,6 +1060,7 @@ PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in esta PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE), PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS), PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE), +PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD), PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0), PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0), PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0), diff --git a/security/nss/lib/libpkix/include/pkix_pl_system.h b/security/nss/lib/libpkix/include/pkix_pl_system.h index 447ea1e5e..053942a22 100755 --- a/security/nss/lib/libpkix/include/pkix_pl_system.h +++ b/security/nss/lib/libpkix/include/pkix_pl_system.h @@ -1462,20 +1462,11 @@ PKIX_PL_ByteArray_GetLength( * FUNCTION: PKIX_PL_OID_Create * DESCRIPTION: * - * Creates a new OID using the string pointed to by "stringRep" and stores it - * at "pOID". The string representation is a null-terminated char * consisting - * of decimal components separated by dots. All other characters are illegal. - * The first field must be be 0, 1 or 2. If the first field is 0 or 1, the - * second field must be between 0 and 39. All fields must be ASCII decimal - * digits less than or equal to 2^32. Once created, an OID is immutable. - * - * The regexp format is as follows: - * OID := [0,1,2](.NUM)+ - * NUM := [0-9]+ + * Creates a new OID using NSS oid tag. * * PARAMETERS: - * "stringRep" - * Address of character data representing an OID. Must be non-NULL. + * "idtag" + * nss oid id tag. * "pOID" * Address where object pointer will be stored. Must be non-NULL. * "plContext" @@ -1489,7 +1480,33 @@ PKIX_PL_ByteArray_GetLength( */ PKIX_Error * PKIX_PL_OID_Create( - char *stringRep, + SECOidTag idtag, + PKIX_PL_OID **pOID, + void *plContext); + +/* + * FUNCTION: PKIX_PL_OID_CreateBySECItem + * DESCRIPTION: + * + * Creates a new OID using a DER encoded OID stored as SECItem. + * + * PARAMETERS: + * "derOid" + * Address of SECItem that holds DER encoded OID. + * "pOID" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_OID_CreateBySECItem( + SECItem *derOid, PKIX_PL_OID **pOID, void *plContext); diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h index 9a830f6a2..9c509b44b 100755 --- a/security/nss/lib/libpkix/include/pkixt.h +++ b/security/nss/lib/libpkix/include/pkixt.h @@ -473,18 +473,26 @@ PKIX_Error* PKIX_ALLOC_ERROR(void); /* * Define Certificate Extension hard-coded OID's */ -#define PKIX_CERTKEYUSAGE_OID "2.5.29.15" -#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17" -#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19" -#define PKIX_CRLREASONCODE_OID "2.5.29.21" -#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30" -#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32" -#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0" -#define PKIX_POLICYMAPPINGS_OID "2.5.29.33" -#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36" -#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37" -#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54" -#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1" +#define PKIX_UNKNOWN_OID SEC_OID_UNKNOWN +#define PKIX_CERTKEYUSAGE_OID SEC_OID_X509_KEY_USAGE +#define PKIX_CERTSUBJALTNAME_OID SEC_OID_X509_SUBJECT_ALT_NAME +#define PKIX_BASICCONSTRAINTS_OID SEC_OID_X509_BASIC_CONSTRAINTS +#define PKIX_CRLREASONCODE_OID SEC_OID_X509_REASON_CODE +#define PKIX_NAMECONSTRAINTS_OID SEC_OID_X509_NAME_CONSTRAINTS +#define PKIX_CERTIFICATEPOLICIES_OID SEC_OID_X509_CERTIFICATE_POLICIES +#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY +#define PKIX_POLICYMAPPINGS_OID SEC_OID_X509_POLICY_MAPPINGS +#define PKIX_POLICYCONSTRAINTS_OID SEC_OID_X509_POLICY_CONSTRAINTS +#define PKIX_EXTENDEDKEYUSAGE_OID SEC_OID_X509_EXT_KEY_USAGE +#define PKIX_INHIBITANYPOLICY_OID SEC_OID_X509_INHIBIT_ANY_POLICY +#define PKIX_NSCERTTYPE_OID SEC_OID_NS_CERT_EXT_CERT_TYPE +#define PKIX_KEY_USAGE_SERVER_AUTH_OID SEC_OID_EXT_KEY_USAGE_SERVER_AUTH +#define PKIX_KEY_USAGE_CLIENT_AUTH_OID SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH +#define PKIX_KEY_USAGE_CODE_SIGN_OID SEC_OID_EXT_KEY_USAGE_CODE_SIGN +#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT +#define PKIX_KEY_USAGE_TIME_STAMP_OID SEC_OID_EXT_KEY_USAGE_TIME_STAMP +#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID SEC_OID_OCSP_RESPONDER + /* Available revocation method types. */ typedef enum PKIX_RevocationMethodTypeEnum { diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c index 0fbf7cccd..736e76194 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c @@ -43,14 +43,14 @@ #include "pkix_ekuchecker.h" -char *ekuOidStrings[] = { - "1.3.6.1.5.5.7.3.1", /* id-kp-serverAuth */ - "1.3.6.1.5.5.7.3.2", /* id-kp-clientAuth */ - "1.3.6.1.5.5.7.3.3", /* id-kp-codeSigning */ - "1.3.6.1.5.5.7.3.4", /* id-kp-emailProtection */ - "1.3.6.1.5.5.7.3.8", /* id-kp-timeStamping */ - "1.3.6.1.5.5.7.3.9", /* id-kp-OCSPSigning */ - NULL +SECOidTag ekuOidStrings[] = { + PKIX_KEY_USAGE_SERVER_AUTH_OID, + PKIX_KEY_USAGE_CLIENT_AUTH_OID, + PKIX_KEY_USAGE_CODE_SIGN_OID, + PKIX_KEY_USAGE_EMAIL_PROTECT_OID, + PKIX_KEY_USAGE_TIME_STAMP_OID, + PKIX_KEY_USAGE_OCSP_RESPONDER_OID, + PKIX_UNKNOWN_OID }; typedef struct pkix_EkuCheckerStruct { diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index a3fa0788c..20aa6d39b 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -53,14 +53,14 @@ extern PRLogModuleInfo *pkixLog; * checked. Those OIDs need to be removed from the unresolved critical * extension OIDs list manually (instead of by checker automatically). */ -static char *buildCheckedCritExtOIDs[] = { +static SECOidTag buildCheckedCritExtOIDs[] = { PKIX_CERTKEYUSAGE_OID, PKIX_CERTSUBJALTNAME_OID, PKIX_BASICCONSTRAINTS_OID, PKIX_NAMECONSTRAINTS_OID, PKIX_EXTENDEDKEYUSAGE_OID, PKIX_NSCERTTYPE_OID, - NULL + PKIX_UNKNOWN_OID }; /* --Private-ForwardBuilderState-Functions---------------------------------- */ @@ -1139,7 +1139,7 @@ pkix_Build_ValidationCheckers( PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext), PKIX_LISTCREATEFAILED); - for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) { + for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) { PKIX_CHECK(PKIX_PL_OID_Create (buildCheckedCritExtOIDs[i], &oid, plContext), PKIX_OIDCREATEFAILED); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c index fa679c476..c255d2b99 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c @@ -146,14 +146,10 @@ pkix_pl_Cert_DecodePolicyInfo( /* Allocated in the arena; freed in CERT_Destroy... */ CERTCertificatePolicies *certPol = NULL; CERTPolicyInfo **policyInfos = NULL; - CERTPolicyInfo *policyInfo = NULL; - CERTPolicyQualifier **policyQualifiers = NULL; - CERTPolicyQualifier *policyQualifier = NULL; /* Holder for the return value */ PKIX_List *infos = NULL; - char *oidAscii = NULL; PKIX_PL_OID *pkixOID = NULL; PKIX_List *qualifiers = NULL; PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL; @@ -204,26 +200,22 @@ pkix_pl_Cert_DecodePolicyInfo( * building each PKIX_PL_CertPolicyInfo object in turn */ while (*policyInfos != NULL) { - policyInfo = *policyInfos; - policyQualifiers = policyInfo->policyQualifiers; + CERTPolicyInfo *policyInfo = *policyInfos; + CERTPolicyQualifier **policyQualifiers = + policyInfo->policyQualifiers; if (policyQualifiers) { /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */ PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext), PKIX_LISTCREATEFAILED); while (*policyQualifiers != NULL) { - policyQualifier = *policyQualifiers; + CERTPolicyQualifier *policyQualifier = + *policyQualifiers; /* create the qualifier's OID object */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyQualifier->qualifierID), - &oidAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyQualifier->qualifierID, + &pkixOID, plContext), PKIX_OIDCREATEFAILED); /* create qualifier's ByteArray object */ @@ -250,7 +242,6 @@ pkix_pl_Cert_DecodePolicyInfo( plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifierArray); PKIX_DECREF(certPolicyQualifier); @@ -269,13 +260,8 @@ pkix_pl_Cert_DecodePolicyInfo( * (The CERTPolicyInfo structure has an oid field, but it * is of type SECOidTag. This function wants a SECItem.) */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyInfo->policyID), &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyInfo->policyID, &pkixOID, plContext), PKIX_OIDCREATEFAILED); /* Create a CertPolicyInfo object */ @@ -288,7 +274,6 @@ pkix_pl_Cert_DecodePolicyInfo( (infos, (PKIX_PL_Object *)certPolicyInfo, plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifiers); PKIX_DECREF(certPolicyInfo); @@ -313,7 +298,6 @@ cleanup: CERT_DestroyCertificatePoliciesExtension(certPol); } - PKIX_FREE(oidAscii); PKIX_DECREF(infos); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifiers); @@ -362,13 +346,10 @@ pkix_pl_Cert_DecodePolicyMapping( /* Allocated in the arena; freed in CERT_Destroy... */ CERTCertificatePolicyMappings *certPolMaps = NULL; CERTPolicyMap **policyMaps = NULL; - CERTPolicyMap *policyMap = NULL; /* Holder for the return value */ PKIX_List *maps = NULL; - char *issuerPolicyOIDAscii = NULL; - char *subjectPolicyOIDAscii = NULL; PKIX_PL_OID *issuerDomainOID = NULL; PKIX_PL_OID *subjectDomainOID = NULL; PKIX_PL_CertPolicyMap *certPolicyMap = NULL; @@ -408,30 +389,18 @@ pkix_pl_Cert_DecodePolicyMapping( * building each CertPolicyMap object in turn */ do { - policyMap = *policyMaps; + CERTPolicyMap *policyMap = *policyMaps; /* create the OID for the issuer Domain Policy */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyMap->issuerDomainPolicy), - &issuerPolicyOIDAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (issuerPolicyOIDAscii, &issuerDomainOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyMap->issuerDomainPolicy, + &issuerDomainOID, plContext), PKIX_OIDCREATEFAILED); /* create the OID for the subject Domain Policy */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyMap->subjectDomainPolicy), - &subjectPolicyOIDAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (subjectPolicyOIDAscii, &subjectDomainOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyMap->subjectDomainPolicy, + &subjectDomainOID, plContext), PKIX_OIDCREATEFAILED); /* create the CertPolicyMap */ @@ -447,8 +416,6 @@ pkix_pl_Cert_DecodePolicyMapping( (maps, (PKIX_PL_Object *)certPolicyMap, plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(issuerPolicyOIDAscii); - PKIX_FREE(subjectPolicyOIDAscii); PKIX_DECREF(issuerDomainOID); PKIX_DECREF(subjectDomainOID); PKIX_DECREF(certPolicyMap); @@ -469,8 +436,6 @@ cleanup: CERT_DestroyPolicyMappingsExtension(certPolMaps); } - PKIX_FREE(issuerPolicyOIDAscii); - PKIX_FREE(subjectPolicyOIDAscii); PKIX_DECREF(maps); PKIX_DECREF(issuerDomainOID); PKIX_DECREF(subjectDomainOID); @@ -2052,43 +2017,32 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId( PKIX_PL_OID **pSubjKeyAlgId, void *plContext) { - CERTCertificate *nssCert = NULL; PKIX_PL_OID *pubKeyAlgId = NULL; - SECAlgorithmID algorithm; - SECItem algBytes; - char *asciiOID = NULL; PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId); /* if we don't have a cached copy from before, we create one */ if (cert->publicKeyAlgId == NULL){ - PKIX_OBJECT_LOCK(cert); - if (cert->publicKeyAlgId == NULL){ - - nssCert = cert->nssCert; - algorithm = nssCert->subjectPublicKeyInfo.algorithm; - algBytes = algorithm.algorithm; - - PKIX_NULLCHECK_ONE(algBytes.data); - if (algBytes.len == 0) { - PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0); + CERTCertificate *nssCert = cert->nssCert; + SECAlgorithmID *algorithm; + SECItem *algBytes; + + algorithm = &nssCert->subjectPublicKeyInfo.algorithm; + algBytes = &algorithm->algorithm; + if (!algBytes->data || !algBytes->len) { + PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0); } - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&algBytes, &asciiOID, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (asciiOID, &pubKeyAlgId, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (algBytes, &pubKeyAlgId, plContext), PKIX_OIDCREATEFAILED); /* save a cached copy in case it is asked for again */ cert->publicKeyAlgId = pubKeyAlgId; + pubKeyAlgId = NULL; } - PKIX_OBJECT_UNLOCK(cert); } @@ -2096,7 +2050,7 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId( *pSubjKeyAlgId = cert->publicKeyAlgId; cleanup: - PKIX_FREE(asciiOID); + PKIX_DECREF(pubKeyAlgId); PKIX_RETURN(CERT); } @@ -2413,9 +2367,7 @@ PKIX_PL_Cert_GetExtendedKeyUsage( CERTCertificate *nssCert = NULL; PKIX_PL_OID *pkixOID = NULL; PKIX_List *oidsList = NULL; - char *oidAscii = NULL; SECItem **oids = NULL; - SECItem *oid = NULL; SECItem encodedExtKeyUsage; SECStatus rv; @@ -2462,14 +2414,10 @@ PKIX_PL_Cert_GetExtendedKeyUsage( PKIX_LISTCREATEFAILED); while (*oids){ - oid = *oids++; - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (oid, &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); + SECItem *oid = *oids++; - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (oid, &pkixOID, plContext), PKIX_OIDCREATEFAILED); PKIX_CHECK(PKIX_List_AppendItem @@ -2477,9 +2425,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage( (PKIX_PL_Object *)pkixOID, plContext), PKIX_LISTAPPENDITEMFAILED); - - PKIX_FREE(oidAscii); - PKIX_DECREF(pkixOID); } @@ -2501,7 +2446,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage( cleanup: PKIX_OBJECT_UNLOCK(lockedObject); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(oidsList); CERT_DestroyOidSequence(extKeyUsage); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c index b7bbc059b..e757b0202 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c @@ -207,54 +207,36 @@ pkix_pl_CRL_GetSignatureAlgId( PKIX_PL_OID **pSignatureAlgId, void *plContext) { - CERTCrl *nssCrl = NULL; PKIX_PL_OID *signatureAlgId = NULL; - SECAlgorithmID algorithm; - SECItem algBytes; - char *asciiOID = NULL; PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId"); PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId); /* if we don't have a cached copy from before, we create one */ if (crl->signatureAlgId == NULL){ - PKIX_OBJECT_LOCK(crl); - if (crl->signatureAlgId == NULL){ - - nssCrl = &(crl->nssSignedCrl->crl); - algorithm = nssCrl->signatureAlg; - algBytes = algorithm.algorithm; - - PKIX_NULLCHECK_ONE(algBytes.data); - if (algBytes.len == 0) { - PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0); - } - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&algBytes, &asciiOID, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (asciiOID, &signatureAlgId, plContext), - PKIX_OIDCREATEFAILED); - - /* save a cached copy in case it is asked for again */ - crl->signatureAlgId = signatureAlgId; + CERTCrl *nssCrl = &(crl->nssSignedCrl->crl); + SECAlgorithmID *algorithm = &nssCrl->signatureAlg; + SECItem *algBytes = &algorithm->algorithm; + + if (!algBytes->data || !algBytes->len) { + PKIX_ERROR(PKIX_OIDBYTESLENGTH0); + } + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (algBytes, &signatureAlgId, plContext), + PKIX_OIDCREATEFAILED); + + /* save a cached copy in case it is asked for again */ + crl->signatureAlgId = signatureAlgId; + signatureAlgId = NULL; } - PKIX_OBJECT_UNLOCK(crl); - } - PKIX_INCREF(crl->signatureAlgId); *pSignatureAlgId = crl->signatureAlgId; - cleanup: - - PKIX_FREE(asciiOID); - + PKIX_DECREF(signatureAlgId); PKIX_RETURN(CRL); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c index b4056f320..b4f74541e 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c @@ -241,9 +241,6 @@ pkix_pl_GeneralName_Create( OtherName *otherName = NULL; CERTGeneralNameList *nssGenNameList = NULL; CERTGeneralNameType nameType; - SECItem *secItem = NULL; - char *asciiName = NULL; - SECStatus rv; PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create"); PKIX_NULLCHECK_TWO(nssAltName, pGenName); @@ -308,12 +305,8 @@ pkix_pl_GeneralName_Create( genName->directoryName = pkixDN; break; case certRegisterID: - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&nssAltName->name.other, &asciiName, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem(&nssAltName->name.other, + &pkixOID, plContext), PKIX_OIDCREATEFAILED); genName->oid = pkixOID; @@ -324,39 +317,20 @@ pkix_pl_GeneralName_Create( case certRFC822Name: case certX400Address: case certURI: - - PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n"); - secItem = SECITEM_AllocItem(NULL, NULL, 0); - if (secItem == NULL){ - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n"); - rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other); - if (rv != SECSuccess) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - genName->other = secItem; + genName->other = SECITEM_DupItem(&nssAltName->name.other); + if (!genName->other) { + PKIX_ERROR(PKIX_OUTOFMEMORY); + } break; default: PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED); } *pGenName = genName; -cleanup: - - PKIX_FREE(asciiName); + genName = NULL; - if (PKIX_ERROR_RECEIVED){ - PKIX_DECREF(genName); - if (secItem){ - PKIX_GENERALNAME_DEBUG - ("\t\tCalling SECITEM_FreeItem).\n"); - SECITEM_FreeItem(secItem, PR_TRUE); - secItem = NULL; - } - } +cleanup: + PKIX_DECREF(genName); PKIX_RETURN(GENERALNAME); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c index 996544cc3..c7a2c1691 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c @@ -43,16 +43,6 @@ #include "pkix_pl_infoaccess.h" -/* XXX Following SEC_OID_PKIX defines should be merged in NSS */ -#define SEC_OID_PKIX_CA_REPOSITORY 1003 -#define SEC_OID_PKIX_TIMESTAMPING 1005 -/* XXX Following OID defines hould be moved to NSS */ -static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x030, 0x03}; -static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x030, 0x05}; - - /* --Private-InfoAccess-Functions----------------------------------*/ /* @@ -415,37 +405,6 @@ pkix_pl_InfoAccess_CreateList( PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n"); method = SECOID_FindOIDTag(&nssInfoAccess[i]->method); - - if (method == 0) { - - /* XXX - * This part of code is definitely hacking, need NSS decode - * support. We can reuse the CERT_DecodeAuthInfoAccessExtension - * since SIA and AIA are all the same type. However NSS need - * to add SIA, CaRepository, TimeStamping OID definitions and - * the numerical method, timeStamping and caRepository values. - * - * We assume now, since method is 0, implies the method for SIA - * was not decoded by CERT_DecodeAuthInfoAccessExtension() - * so we compare and put value in. This part should be taken - * out eventually if CERT_DecodeInfoAccessExtension (*renamed*) - * is doing the job. - */ - - PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n"); - if (PORT_Strncmp - ((char *)nssInfoAccess[i]->method.data, - (char *)siaTimeStampingOID, - nssInfoAccess[i]->method.len) == 0) { - method = SEC_OID_PKIX_TIMESTAMPING; - } else if (PORT_Strncmp - ((char *)nssInfoAccess[i]->method.data, - (char *)siaCaRepositoryOID, - nssInfoAccess[i]->method.len) == 0) { - method = SEC_OID_PKIX_CA_REPOSITORY; - } - } - /* Map NSS access method value into PKIX constant */ switch(method) { case SEC_OID_PKIX_CA_ISSUERS: @@ -461,7 +420,7 @@ pkix_pl_InfoAccess_CreateList( method = PKIX_INFOACCESS_CA_REPOSITORY; break; default: - break; + PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD); } PKIX_CHECK(pkix_pl_InfoAccess_Create @@ -650,7 +609,7 @@ pkix_pl_InfoAccess_ParseTokens( */ if (numFilters > 2) numFilters = 2; - filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1); + filterP = PORT_ArenaZNewArray(arena, char*, numFilters+1); if (filterP == NULL) { PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index 6fb1bf18c..0eba65a26 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c @@ -525,7 +525,7 @@ pkix_pl_OcspResponse_Create( rv = (*hcv1->trySendAndReceiveFcn)(sessionRequest, (PRPollDesc **)&nbioContext, &responseCode, - &responseContentType, + (const char **)&responseContentType, NULL, /* responseHeaders */ (const char **)&responseData, &responseDataLen); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c index b0333a126..69c8a9f87 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c @@ -45,7 +45,7 @@ /* --Private-OID-Functions---------------------------------------- */ -/* + /* * FUNCTION: pkix_pl_OID_Comparator * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h) */ @@ -53,15 +53,14 @@ static PKIX_Error * pkix_pl_OID_Comparator( PKIX_PL_Object *firstObject, PKIX_PL_Object *secondObject, - PKIX_Int32 *pResult, + PKIX_Int32 *pRes, void *plContext) { PKIX_PL_OID *firstOID = NULL; PKIX_PL_OID *secondOID = NULL; - PKIX_UInt32 minLength; PKIX_ENTER(OID, "pkix_pl_OID_Comparator"); - PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); + PKIX_NULLCHECK_THREE(firstObject, secondObject, pRes); PKIX_CHECK(pkix_CheckTypes (firstObject, secondObject, PKIX_OID_TYPE, plContext), @@ -70,19 +69,8 @@ pkix_pl_OID_Comparator( firstOID = (PKIX_PL_OID*)firstObject; secondOID = (PKIX_PL_OID*)secondObject; - *pResult = 0; - - minLength = (firstOID->length < secondOID->length)? - firstOID->length: - secondOID->length; - - /* Check if both array contents are identical */ - PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n"); - *pResult = PORT_Memcmp - (firstOID->components, - secondOID->components, - minLength * sizeof (PKIX_UInt32)); - + *pRes = (PKIX_Int32)SECITEM_CompareItem(&firstOID->derOid, + &secondOID->derOid); cleanup: PKIX_RETURN(OID); } @@ -103,14 +91,10 @@ pkix_pl_OID_Destroy( PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - oid = (PKIX_PL_OID*)object; - - PKIX_FREE(oid->components); - oid->length = 0; + SECITEM_FreeItem(&oid->derOid, PR_FALSE); cleanup: - PKIX_RETURN(OID); } @@ -124,7 +108,7 @@ pkix_pl_OID_Hashcode( PKIX_UInt32 *pHashcode, void *plContext) { - PKIX_PL_OID *pkixOID = NULL; + PKIX_PL_OID *oid = NULL; PKIX_ENTER(OID, "pkix_pl_OID_HashCode"); PKIX_NULLCHECK_TWO(object, pHashcode); @@ -132,11 +116,11 @@ pkix_pl_OID_Hashcode( PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - pkixOID = (PKIX_PL_OID *)object; + oid = (PKIX_PL_OID *)object; PKIX_CHECK(pkix_hash - ((unsigned char *)pkixOID->components, - pkixOID->length * sizeof (PKIX_UInt32), + ((unsigned char *)oid->derOid.data, + oid->derOid.len * sizeof (char), pHashcode, plContext), PKIX_HASHFAILED); @@ -157,7 +141,7 @@ pkix_pl_OID_Equals( void *plContext) { PKIX_UInt32 secondType; - PKIX_Int32 cmpResult; + SECComparison cmpResult; PKIX_ENTER(OID, "pkix_pl_OID_Equals"); PKIX_NULLCHECK_THREE(first, second, pResult); @@ -174,9 +158,7 @@ pkix_pl_OID_Equals( * Do a quick check that the second object is an OID. * If so, check that their lengths are equal. */ - if ((secondType != PKIX_OID_TYPE)|| - (((PKIX_PL_OID*)first)->length != - ((PKIX_PL_OID*)second)->length)) { + if (secondType != PKIX_OID_TYPE) { goto cleanup; } @@ -184,8 +166,7 @@ pkix_pl_OID_Equals( (first, second, &cmpResult, plContext), PKIX_OIDCOMPARATORFAILED); - *pResult = (cmpResult == 0); - + *pResult = (cmpResult == SECEqual); cleanup: PKIX_RETURN(OID); @@ -194,6 +175,8 @@ cleanup: /* * FUNCTION: pkix_pl_OID_ToString * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) + * Use this function only for printing OIDs and not to make any + * critical security decision. */ static PKIX_Error * pkix_pl_OID_ToString( @@ -201,31 +184,23 @@ pkix_pl_OID_ToString( PKIX_PL_String **pString, void *plContext) { - PKIX_UInt32 *components = NULL; - PKIX_UInt32 length; - char *ascii = NULL; + PKIX_PL_OID *oid = NULL; + char *oidString = NULL; PKIX_ENTER(OID, "pkix_pl_OID_toString"); PKIX_NULLCHECK_TWO(object, pString); PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - - components = ((PKIX_PL_OID*)object)->components; - length = ((PKIX_PL_OID*)object)->length; - - PKIX_CHECK(pkix_pl_helperBytes2Ascii - (components, length, &ascii, plContext), - PKIX_HELPERBYTES2ASCIIFAILED); - + oid = (PKIX_PL_OID*)object; + oidString = CERT_GetOidString(&oid->derOid); + PKIX_CHECK(PKIX_PL_String_Create - (PKIX_ESCASCII, ascii, 0, pString, plContext), + (PKIX_ESCASCII, oidString , 0, pString, plContext), PKIX_STRINGCREATEFAILED); - cleanup: - - PKIX_FREE(ascii); - + PR_smprintf_free(oidString); + PKIX_RETURN(OID); } @@ -244,88 +219,19 @@ PKIX_Error * pkix_pl_OID_RegisterSelf( void *plContext) { - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; + pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OID_TYPE]; PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf"); - entry.description = "OID"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(PKIX_PL_OID); - entry.destructor = pkix_pl_OID_Destroy; - entry.equalsFunction = pkix_pl_OID_Equals; - entry.hashcodeFunction = pkix_pl_OID_Hashcode; - entry.toStringFunction = pkix_pl_OID_ToString; - entry.comparator = pkix_pl_OID_Comparator; - entry.duplicateFunction = pkix_duplicateImmutable; - - systemClasses[PKIX_OID_TYPE] = entry; - - PKIX_RETURN(OID); -} - -/* - * FUNCTION: pkix_pl_OID_GetNextToken - * DESCRIPTION: - * - * This function is essentially a thread safe version of strtok, except - * that we always use '.' (dot) for the token separator. - * - * Searches for tokens in the string pointed to by "input", using '.' (dot) - * as the token separator. If "input" contains multiple tokens, the first - * token is stored at "pToken", the character immediately follow the first - * token is replaced by a null character, and the rekmainder of "input" is - * stored at "pRem". If no additional tokens are available, this function - * stores NULL at "pToken". - * - * PARAMETERS - * "input" - * Address of string to be tokenized. May be NULL. - * "pToken" - * Destination for OID token. Must be non-NULL. - * "pRem" - * Destination for pointer to remainder of string. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns an OID Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_OID_GetNextToken( - char *input, - char **pToken, - char **pRem, - void *plContext) -{ - char *token = input; - - PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken"); - PKIX_NULLCHECK_TWO(pToken, pRem); - - if (token == NULL){ - *pToken = token; - goto cleanup; - } - - while (*input != '.' && *input != '\0'){ - input++; - } - - if (*input == '.'){ - *input = 0; - *pRem = input + 1; - } else { /* NULL case */ - *pRem = NULL; - } - - *pToken = token; - -cleanup: + entry->description = "OID"; + entry->typeObjectSize = sizeof(PKIX_PL_OID); + entry->destructor = pkix_pl_OID_Destroy; + entry->equalsFunction = pkix_pl_OID_Equals; + entry->hashcodeFunction = pkix_pl_OID_Hashcode; + entry->toStringFunction = pkix_pl_OID_ToString; + entry->comparator = pkix_pl_OID_Comparator; + entry->duplicateFunction = pkix_duplicateImmutable; PKIX_RETURN(OID); } @@ -357,11 +263,7 @@ pkix_pl_OID_GetCriticalExtensionOIDs( void *plContext) { PKIX_List *oidsList = NULL; - CERTCertExtension *extension = NULL; PKIX_PL_OID *pkixOID = NULL; - SECItem critical; - SECItem oid; - char *oidAscii = NULL; PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs"); PKIX_NULLCHECK_ONE(pOidsList); @@ -369,40 +271,28 @@ pkix_pl_OID_GetCriticalExtensionOIDs( PKIX_CHECK(PKIX_List_Create(&oidsList, plContext), PKIX_LISTCREATEFAILED); - if (extensions){ - - while (*extensions){ - extension = *extensions++; - - PKIX_NULLCHECK_ONE(extension); - - /* extension is critical */ - critical = extension->critical; - - if (critical.len != 0){ - - if (critical.data[0] == 0xff) { - oid = extension->id; - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&oid, &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), - PKIX_OIDCREATEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (oidsList, - (PKIX_PL_Object *)pkixOID, - plContext), - PKIX_LISTAPPENDITEMFAILED); - } - } - - PKIX_FREE(oidAscii); - PKIX_DECREF(pkixOID); + if (extensions) { + while (*extensions) { + CERTCertExtension *extension = NULL; + SECItem *critical = NULL; + SECItem *oid = NULL; + + extension = *extensions++; + /* extension is critical ? */ + critical = &extension->critical; + if (critical->len == 0 || critical->data[0] == 0) { + continue; } + oid = &extension->id; + PKIX_CHECK( + PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext), + PKIX_OIDCREATEFAILED); + PKIX_CHECK( + PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID, + plContext), + PKIX_LISTAPPENDITEMFAILED); + PKIX_DECREF(pkixOID); + } } *pOidsList = oidsList; @@ -410,7 +300,6 @@ pkix_pl_OID_GetCriticalExtensionOIDs( cleanup: PKIX_DECREF(oidsList); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_RETURN(OID); } @@ -418,137 +307,59 @@ cleanup: /* --Public-Functions------------------------------------------------------- */ /* - * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h) + * FUNCTION: PKIX_PL_OID_CreateBySECItem (see comments in pkix_pl_system.h) */ PKIX_Error * -PKIX_PL_OID_Create( - char *stringRep, +PKIX_PL_OID_CreateBySECItem( + SECItem *derOid, PKIX_PL_OID **pOID, void *plContext) { PKIX_PL_OID *oid = NULL; - char *strCpy1 = NULL; - char *strCpy2 = NULL; - char *token = NULL; - PKIX_UInt32 numTokens, i, length; - PKIX_UInt32 value; - PKIX_Boolean firstFieldTwo; - PKIX_UInt32 *components = NULL; - char *rem = NULL; - - PKIX_ENTER(OID, "PKIX_PL_OID_Create"); - PKIX_NULLCHECK_TWO(pOID, stringRep); - - PKIX_OID_DEBUG("\tCalling PL_strlen).\n"); - length = PL_strlen(stringRep); - - if (length < 3) { - PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT); - } - - for (i = 0; i < length; i++) { - if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) { - PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID); - } - } - - /* Check that string doesn't have extra dots */ - if ((stringRep[0] == '.') || - (stringRep[length-1] == '.')|| - (PL_strstr(stringRep, "..") != NULL)) { - PKIX_ERROR(PKIX_ILLEGALDOTINOID); - } - - PKIX_OID_DEBUG("\tCalling PL_strdup).\n"); - - strCpy1 = PL_strdup(stringRep); - strCpy2 = PL_strdup(stringRep); - - /* Validate and tally the number of tokens */ - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (strCpy1, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - - for (numTokens = 0; token != NULL; numTokens++){ - if (numTokens == 0) { - /* We know the string is all digits */ - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - value = PORT_Atoi(token); - if (value > 2) { - PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02); - } - - /* Set a flag if the first field is 2 */ - firstFieldTwo = (value == 2); - } else if (numTokens == 1) { - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - value = PORT_Atoi(token); - if ((!firstFieldTwo)&&(value > 39)) { - PKIX_ERROR - (PKIX_SECONDFIELDMUSTBEBETWEEN039); - } - } - - /* Check for 32-bit overflow */ - if (pkix_pl_UInt32_Overflows(token)){ - PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG); - } - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (rem, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - } - - if (numTokens < 2) { - PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS); - } - - PKIX_CHECK(PKIX_PL_Malloc - (numTokens * sizeof (PKIX_UInt32), - (void **)&components, plContext), - PKIX_MALLOCFAILED); - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (strCpy2, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - - for (i = 0; token != NULL; i++){ - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - components[i] = PORT_Atoi(token); - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (rem, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - } + SECStatus rv; + + PKIX_ENTER(OID, "PKIX_PL_OID_CreateBySECItem"); + PKIX_NULLCHECK_TWO(pOID, derOid); PKIX_CHECK(PKIX_PL_Object_Alloc - (PKIX_OID_TYPE, + (PKIX_OID_TYPE, sizeof (PKIX_PL_OID), (PKIX_PL_Object **)&oid, plContext), PKIX_COULDNOTCREATEOBJECT); - - oid->length = numTokens; - oid->components = components; - - *pOID = oid; - -cleanup: - - if (strCpy1){ - PKIX_OID_DEBUG("\tCalling PL_strfree).\n"); - PL_strfree(strCpy1); + rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid); + if (rv != SECFailure) { + *pOID = oid; + oid = NULL; } + +cleanup: + PKIX_DECREF(oid); + + PKIX_RETURN(OID); +} - if (strCpy2){ - PKIX_OID_DEBUG("\tCalling PL_strfree).\n"); - PL_strfree(strCpy2); - } +/* + * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h) + */ +PKIX_Error * +PKIX_PL_OID_Create( + SECOidTag idtag, + PKIX_PL_OID **pOID, + void *plContext) +{ + SECOidData *oidData = NULL; + + PKIX_ENTER(OID, "PKIX_PL_OID_Create"); + PKIX_NULLCHECK_ONE(pOID); - if (PKIX_ERROR_RECEIVED){ - PKIX_FREE(components); + oidData = SECOID_FindOIDByTag((SECOidTag)idtag); + if (!oidData) { + PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED); } - + + pkixErrorResult = + PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext); +cleanup: PKIX_RETURN(OID); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h index d0327909e..2660ae8b2 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h @@ -51,8 +51,7 @@ extern "C" { #endif struct PKIX_PL_OIDStruct { - PKIX_UInt32 *components; - PKIX_UInt32 length; + SECItem derOid; }; /* see source file for function documentation */ diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h index 0c29838cc..48438c88c 100644 --- a/security/nss/lib/util/secerr.h +++ b/security/nss/lib/util/secerr.h @@ -225,6 +225,8 @@ SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167), SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168), SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169), +SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170), + /* Add new error codes above here. */ SEC_ERROR_END_OF_LIST } SECErrorCodes; diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index 287e15453..7e8c1b6e1 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -361,6 +361,8 @@ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; +CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; + CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; @@ -1586,6 +1588,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD( seed_CBC, SEC_OID_SEED_CBC, "SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION), + OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY, + "Certificate Policies AnyPolicy", + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ), }; /* PRIVATE EXTENDED SECOID Table diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index 5457deabc..9ce5eb9be 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -448,6 +448,8 @@ typedef enum { SEC_OID_SEED_CBC = 302, + SEC_OID_X509_ANY_POLICY = 303, + SEC_OID_TOTAL } SECOidTag; |