author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-01-12 22:57:22 +0000 |
---|---|---|
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-01-12 22:57:22 +0000 |
commit | 3476a2e908662c3e3c70e35a4d079e5947a5f656 (patch) | |
tree | 325b3eb7c9f4802907ab65258cd8189af4ab5379 | |
parent | 2698072683c6d0e5baaf10cfebed48f703d1d49e (diff) | |
download | nss-hg-3476a2e908662c3e3c70e35a4d079e5947a5f656.tar.gz |
Bug 397805 - Avoid revalidating the whole cached chain for new cert KU and EKU. r=nelson
-rw-r--r-- | security/nss/lib/certhigh/certvfypkix.c | 4 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/include/pkix_sample_modules.h | 62 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix/checker/manifest.mn | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c (renamed from security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c) | 331 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.h | 125 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix/top/pkix_build.c | 78 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix/top/pkix_build.h | 1 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn | 2 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h | 67 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h | 1 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c | 2 |
11 files changed, 321 insertions, 354 deletions
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 96537eb4f..3028a2171 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -417,10 +417,6 @@ cert_ProcessingParamsSetKuAndEku( plContext), PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED); - PKIX_CHECK( - PKIX_PL_EkuChecker_Create(procParams, plContext), - PKIX_EKUCHECKERINITIALIZEFAILED); - cleanup: PKIX_DECREF(extKeyUsage); PKIX_DECREF(certSelector); diff --git a/security/nss/lib/libpkix/include/pkix_sample_modules.h b/security/nss/lib/libpkix/include/pkix_sample_modules.h index c3a9db820..f6691770c 100755 --- a/security/nss/lib/libpkix/include/pkix_sample_modules.h +++ b/security/nss/lib/libpkix/include/pkix_sample_modules.h 
@@ -283,68 +283,6 @@ PKIX_PL_LdapCertStore_Create( PKIX_CertStore **pCertStore, void *plContext); -/* - * FUNCTION: PKIX_PL_EkuChecker_Create - * - * DESCRIPTION: - * Create a CertChainChecker with EkuCheckerState and add it into - * PKIX_ProcessingParams object. - * - * PARAMETERS - * "params" - * a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of - * Extended Key Usage OIDs specified by application can be retrieved for - * verification. - * "plContext" - * Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a UserDefinedModules Error if the function fails in a non-fatal - * way. - * Returns a Fatal Error - */ -PKIX_Error * -PKIX_PL_EkuChecker_Create( - PKIX_ProcessingParams *params, - void *plContext); - -/* - * FUNCTION: PKIX_PL_EkuChecker_GetRequiredEku - * - * DESCRIPTION: - * This function retrieves application specified ExtenedKeyUsage(s) from - * ComCertSetparams and converts its OID representations to SECCertUsageEnum. - * The result is stored and returned in bit mask at "pRequiredExtKeyUsage". - * - * PARAMETERS - * "certSelector" - * a PKIX_CertSelector links to PKIX_ComCertSelParams where a list of - * Extended Key Usage OIDs specified by application can be retrieved for - * verification. Must be non-NULL. - * "pRequiredExtKeyUsage" - * Address where the result is returned. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a UserDefinedModules Error if the function fails in a non-fatal - * way. 
- * Returns a Fatal Error - */ -PKIX_Error * -pkix_pl_EkuChecker_GetRequiredEku( - PKIX_CertSelector *certSelector, - PKIX_UInt32 *pRequiredExtKeyUsage, - void *plContext); - /* PKIX_PL_NssContext * * A PKIX_PL_NssContext provides an example showing how the "plContext" diff --git a/security/nss/lib/libpkix/pkix/checker/manifest.mn b/security/nss/lib/libpkix/pkix/checker/manifest.mn index e2f731dc7..6a2702871 100755 --- a/security/nss/lib/libpkix/pkix/checker/manifest.mn +++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn @@ -44,6 +44,7 @@ PRIVATE_EXPORTS = \ pkix_basicconstraintschecker.h \ pkix_certchainchecker.h \ pkix_crlchecker.h \ + pkix_ekuchecker.h \ pkix_expirationchecker.h \ pkix_namechainingchecker.h \ pkix_nameconstraintschecker.h \ @@ -61,6 +62,7 @@ CSRCS = \ pkix_basicconstraintschecker.c \ pkix_certchainchecker.c \ pkix_crlchecker.c \ + pkix_ekuchecker.c \ pkix_expirationchecker.c \ pkix_namechainingchecker.c \ pkix_nameconstraintschecker.c \ diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c index 19777d6fe..0fbf7cccd 100755..100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c @@ -35,13 +35,13 @@ * * ***** END LICENSE BLOCK ***** */ /* - * pkix_pl_ekuchecker.c + * pkix_ekuchecker.c * * User Defined ExtenedKeyUsage Function Definitions * */ -#include "pkix_pl_ekuchecker.h" +#include "pkix_ekuchecker.h" char *ekuOidStrings[] = { "1.3.6.1.5.5.7.3.1", /* id-kp-serverAuth */ 
@@ -53,37 +53,33 @@ char *ekuOidStrings[] = { NULL }; -#define CERTUSAGE_NONE (-1) +typedef struct pkix_EkuCheckerStruct { + PKIX_List *requiredExtKeyUsageOids; + PKIX_PL_OID *ekuOID; +} pkix_EkuChecker; -PKIX_Int32 ekuCertUsages[] = { - 1<<certUsageSSLServer, - 1<<certUsageSSLClient, - 1<<certUsageObjectSigner, - 1<<certUsageEmailRecipient | 1<<certUsageEmailSigner, - CERTUSAGE_NONE, - 1<<certUsageStatusResponder -}; /* - * FUNCTION: pkix_pl_EkuChecker_Destroy - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) + * FUNCTION: pkix_EkuChecker_Destroy + * (see comments for PKIX_DestructorCallback in pkix_pl_system.h) */ static PKIX_Error * -pkix_pl_EkuChecker_Destroy( +pkix_EkuChecker_Destroy( PKIX_PL_Object *object, void *plContext) { - pkix_pl_EkuChecker *ekuCheckerState = NULL; + pkix_EkuChecker *ekuCheckerState = NULL; - PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Destroy"); + PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Destroy"); PKIX_NULLCHECK_ONE(object); PKIX_CHECK(pkix_CheckType(object, PKIX_EKUCHECKER_TYPE, plContext), PKIX_OBJECTNOTANEKUCHECKERSTATE); - ekuCheckerState = (pkix_pl_EkuChecker *)object; + ekuCheckerState = (pkix_EkuChecker *)object; PKIX_DECREF(ekuCheckerState->ekuOID); + PKIX_DECREF(ekuCheckerState->requiredExtKeyUsageOids); cleanup: 
@@ -91,129 +87,30 @@ cleanup: } /* - * FUNCTION: pkix_pl_EkuChecker_GetRequiredEku + * FUNCTION: pkix_EkuChecker_RegisterSelf * * DESCRIPTION: - * This function retrieves application specified ExtenedKeyUsage(s) from - * ComCertSetparams and converts its OID representations to SECCertUsageEnum. - * The result is stored and returned in bit mask at "pRequiredExtKeyUsage". - * - * PARAMETERS - * "certSelector" - * a PKIX_CertSelector links to PKIX_ComCertSelParams where a list of - * Extended Key Usage OIDs specified by application can be retrieved for - * verification. Must be non-NULL. - * "pRequiredExtKeyUsage" - * Address where the result is returned. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. + * Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related + * functions with systemClasses[] * * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * Not Thread Safe - for performance and complexity reasons * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a UserDefinedModules Error if the function fails in a non-fatal - * way. - * Returns a Fatal Error + * Since this function is only called by PKIX_PL_Initialize, which should + * only be called once, it is acceptable that this function is not + * thread-safe. 
*/ PKIX_Error * -pkix_pl_EkuChecker_GetRequiredEku( - PKIX_CertSelector *certSelector, - PKIX_UInt32 *pRequiredExtKeyUsage, - void *plContext) +pkix_EkuChecker_RegisterSelf(void *plContext) { - PKIX_ComCertSelParams *comCertSelParams = NULL; - PKIX_List *supportedOids = NULL; - PKIX_List *requiredOid = NULL; - PKIX_UInt32 requiredExtKeyUsage = 0; - PKIX_UInt32 numItems = 0; - PKIX_PL_OID *ekuOid = NULL; - PKIX_UInt32 i; - PKIX_Boolean isContained = PKIX_FALSE; - - PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_GetRequiredEku"); - PKIX_NULLCHECK_TWO(certSelector, pRequiredExtKeyUsage); - - /* Get initial EKU OIDs from ComCertSelParams, if set */ - PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams - (certSelector, &comCertSelParams, plContext), - PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); - - if (comCertSelParams != NULL) { - - PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage - (comCertSelParams, &requiredOid, plContext), - PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); - - } - - /* Map application specified EKU OIDs to NSS SECCertUsageEnum */ - - if (requiredOid != NULL) { - - PKIX_CHECK(PKIX_List_Create(&supportedOids, plContext), - PKIX_LISTCREATEFAILED); - - /* Create a supported OIDs list */ - i = 0; - while (ekuOidStrings[i] != NULL) { - - PKIX_CHECK(PKIX_PL_OID_Create - (ekuOidStrings[i], - &ekuOid, - plContext), - PKIX_OIDCREATEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (supportedOids, - (PKIX_PL_Object *)ekuOid, - plContext), - PKIX_LISTAPPENDITEMFAILED); - - PKIX_DECREF(ekuOid); - i++; - } - - /* Map from OID's to SECCertUsageEnum */ - PKIX_CHECK(PKIX_List_GetLength - (supportedOids, &numItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numItems; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (supportedOids, - i, - (PKIX_PL_Object **)&ekuOid, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_List_Contains - (requiredOid, - (PKIX_PL_Object *)ekuOid, - &isContained, - plContext), - PKIX_LISTCONTAINSFAILED); - - 
PKIX_DECREF(ekuOid); - - if (isContained == PKIX_TRUE && - ekuCertUsages[i] != CERTUSAGE_NONE) { - - requiredExtKeyUsage |= ekuCertUsages[i]; - } - } - } - - *pRequiredExtKeyUsage = requiredExtKeyUsage; + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; + pkix_ClassTable_Entry *entry = &systemClasses[PKIX_EKUCHECKER_TYPE]; -cleanup: + PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_RegisterSelf"); - PKIX_DECREF(ekuOid); - PKIX_DECREF(requiredOid); - PKIX_DECREF(supportedOids); - PKIX_DECREF(comCertSelParams); + entry->description = "EkuChecker"; + entry->typeObjectSize = sizeof(pkix_EkuChecker); + entry->destructor = pkix_EkuChecker_Destroy; PKIX_RETURN(EKUCHECKER); } @@ -243,21 +140,22 @@ cleanup: * Returns a Fatal Error if the function fails in an unrecoverable way. */ static PKIX_Error * -pkix_pl_EkuChecker_Create( +pkix_EkuChecker_Create( PKIX_ProcessingParams *params, - pkix_pl_EkuChecker **pState, + pkix_EkuChecker **pState, void *plContext) { - pkix_pl_EkuChecker *state = NULL; + pkix_EkuChecker *state = NULL; PKIX_CertSelector *certSelector = NULL; - PKIX_UInt32 requiredExtKeyUsage = 0; + PKIX_ComCertSelParams *comCertSelParams = NULL; + PKIX_List *requiredOids = NULL; - PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Create"); + PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Create"); PKIX_NULLCHECK_TWO(params, pState); PKIX_CHECK(PKIX_PL_Object_Alloc (PKIX_EKUCHECKER_TYPE, - sizeof (pkix_pl_EkuChecker), + sizeof (pkix_EkuChecker), (PKIX_PL_Object **)&state, plContext), PKIX_COULDNOTCREATEEKUCHECKERSTATEOBJECT); 
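Review bot: The relocated header comment on `pkix_EkuChecker_RegisterSelf` still says it registers `PKIX_PL_HTTPCERTSTORECONTEXT_TYPE`, while the body fills `systemClasses[PKIX_EKUCHECKER_TYPE]`; the description should read `Registers PKIX_EKUCHECKER_TYPE and its related functions with systemClasses[]`. The function also now writes the table entry in place and sets only `description`, `typeObjectSize` and `destructor`, where the removed version cleared `objCounter` and the five other callbacks explicitly. That is equivalent only while the slot is zero on entry, which is not visible from this hunk, so a one-line comment stating that assumption (or keeping the explicit NULL assignments) would make it checkable.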
@@ -269,9 +167,17 @@ pkix_pl_EkuChecker_Create( if (certSelector != NULL) { - PKIX_CHECK(pkix_pl_EkuChecker_GetRequiredEku - (certSelector, &requiredExtKeyUsage, plContext), - PKIX_EKUCHECKERGETREQUIREDEKUFAILED); + /* Get initial EKU OIDs from ComCertSelParams, if set */ + PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams + (certSelector, &comCertSelParams, plContext), + PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); + + if (comCertSelParams != NULL) { + PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage + (comCertSelParams, &requiredOids, plContext), + PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); + + } } PKIX_CHECK(PKIX_PL_OID_Create @@ -280,22 +186,23 @@ pkix_pl_EkuChecker_Create( plContext), PKIX_OIDCREATEFAILED); - state->requiredExtKeyUsage = requiredExtKeyUsage; - + state->requiredExtKeyUsageOids = requiredOids; + requiredOids = NULL; *pState = state; state = NULL; cleanup: PKIX_DECREF(certSelector); - + PKIX_DECREF(comCertSelParams); + PKIX_DECREF(requiredOids); PKIX_DECREF(state); PKIX_RETURN(EKUCHECKER); } /* - * FUNCTION: pkix_pl_EkuChecker_Check + * FUNCTION: pkix_EkuChecker_Check * DESCRIPTION: * * This function determines the Extended Key Usage OIDs specified by the 
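Review bot: `state->requiredExtKeyUsageOids` is assigned only at the end of `pkix_EkuChecker_Create`, but the destructor changed earlier in this file now runs `PKIX_DECREF` on that field. Any `PKIX_CHECK` that fails between `PKIX_PL_Object_Alloc` and this assignment reaches `PKIX_DECREF(state)` in cleanup, so the destructor would release a pointer that was never written unless the allocator zeroes the object, which is not visible here. Setting `state->requiredExtKeyUsageOids = NULL;` and `state->ekuOID = NULL;` immediately after the allocation removes that dependency. The lines between the allocation and the selector lookup are outside the hunks shown.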
@@ -320,100 +227,102 @@ cleanup: * Returns a Fatal Error if the function fails in an unrecoverable way. */ static PKIX_Error * -pkix_pl_EkuChecker_Check( +pkix_EkuChecker_Check( PKIX_CertChainChecker *checker, PKIX_PL_Cert *cert, PKIX_List *unresolvedCriticalExtensions, void **pNBIOContext, void *plContext) { - pkix_pl_EkuChecker *state = NULL; - PKIX_Boolean checkPassed = PKIX_TRUE; + pkix_EkuChecker *state = NULL; + PKIX_List *requiredExtKeyUsageList = NULL; + PKIX_List *certExtKeyUsageList = NULL; + PKIX_PL_OID *ekuOid = NULL; + PKIX_Boolean isContained = PKIX_FALSE; + PKIX_UInt32 numItems = 0; + PKIX_UInt32 i; + PKIX_Boolean checkResult = PKIX_TRUE; - PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Check"); + PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); *pNBIOContext = NULL; /* no non-blocking IO */ - PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState - (checker, (PKIX_PL_Object **)&state, plContext), - PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); + PKIX_CHECK( + PKIX_CertChainChecker_GetCertChainCheckerState + (checker, (PKIX_PL_Object **)&state, plContext), + PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); - if (state->requiredExtKeyUsage != 0) { + requiredExtKeyUsageList = state->requiredExtKeyUsageOids; + if (requiredExtKeyUsageList == NULL) { + goto cleanup; + } - PKIX_CHECK(pkix_pl_Cert_CheckExtendedKeyUsage - (cert, - state->requiredExtKeyUsage, - &checkPassed, - plContext), - PKIX_CERTCHECKEXTENDEDKEYUSAGEFAILED); + PKIX_CHECK( + PKIX_List_GetLength(requiredExtKeyUsageList, &numItems, + plContext), + PKIX_LISTGETLENGTHFAILED); + if (numItems == 0) { + goto cleanup; + } - if (checkPassed == PKIX_FALSE) { - PKIX_ERROR(PKIX_EXTENDEDKEYUSAGECHECKINGFAILED); - } + PKIX_CHECK( + PKIX_PL_Cert_GetExtendedKeyUsage(cert, &certExtKeyUsageList, + plContext), + PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); + if (certExtKeyUsageList == NULL) { + goto cleanup; + } + + for (i = 0; i < numItems; i++) { + + 
PKIX_CHECK( + PKIX_List_GetItem(requiredExtKeyUsageList, i, + (PKIX_PL_Object **)&ekuOid, plContext), + PKIX_LISTGETITEMFAILED); + + PKIX_CHECK( + pkix_List_Contains(certExtKeyUsageList, + (PKIX_PL_Object *)ekuOid, + &isContained, + plContext), + PKIX_LISTCONTAINSFAILED); + + PKIX_DECREF(ekuOid); + if (isContained != PKIX_TRUE) { + checkResult = PKIX_FALSE; + goto cleanup; + } } cleanup: - + if (!pkixErrorResult && checkResult == PKIX_FALSE) { + pkixErrorReceived = PKIX_TRUE; + pkixErrorCode = PKIX_EXTENDEDKEYUSAGECHECKINGFAILED; + } + + PKIX_DECREF(ekuOid); + PKIX_DECREF(certExtKeyUsageList); PKIX_DECREF(state); PKIX_RETURN(EKUCHECKER); } /* - * FUNCTION: pkix_pl_EkuChecker_RegisterSelf - * - * DESCRIPTION: - * Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related - * functions with systemClasses[] - * - * THREAD SAFETY: - * Not Thread Safe - for performance and complexity reasons - * - * Since this function is only called by PKIX_PL_Initialize, which should - * only be called once, it is acceptable that this function is not - * thread-safe. 
- */ -PKIX_Error * -pkix_pl_EkuChecker_RegisterSelf(void *plContext) -{ - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; - - PKIX_ENTER - (EKUCHECKER, - "pkix_pl_EkuChecker_RegisterSelf"); - - entry.description = "EkuChecker"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(pkix_pl_EkuChecker); - entry.destructor = pkix_pl_EkuChecker_Destroy, - entry.equalsFunction = NULL; - entry.hashcodeFunction = NULL; - entry.toStringFunction = NULL; - entry.comparator = NULL; - entry.duplicateFunction = NULL; - - systemClasses[PKIX_EKUCHECKER_TYPE] = entry; - - PKIX_RETURN(EKUCHECKER); -} - -/* - * FUNCTION: pkix_pl_EkuChecker_Initialize + * FUNCTION: pkix_EkuChecker_Initialize * (see comments in pkix_sample_modules.h) */ PKIX_Error * -PKIX_PL_EkuChecker_Create( +PKIX_EkuChecker_Create( PKIX_ProcessingParams *params, + PKIX_CertChainChecker **pEkuChecker, void *plContext) { - PKIX_CertChainChecker *checker = NULL; - pkix_pl_EkuChecker *state = NULL; + pkix_EkuChecker *state = NULL; PKIX_List *critExtOIDsList = NULL; - PKIX_ENTER(EKUCHECKER, "PKIX_PL_EkuChecker_Initialize"); + PKIX_ENTER(EKUCHECKER, "PKIX_EkuChecker_Initialize"); PKIX_NULLCHECK_ONE(params); /* @@ -421,7 +330,7 @@ PKIX_PL_EkuChecker_Create( * an application defined checker can be hooked into libpkix. */ - PKIX_CHECK(pkix_pl_EkuChecker_Create + PKIX_CHECK(pkix_EkuChecker_Create (params, &state, plContext), PKIX_EKUCHECKERSTATECREATEFAILED); 
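Review bot: `pkix_EkuChecker_Check` accepts the certificate on three early `goto cleanup` paths (no required list, an empty required list, and a NULL result from `PKIX_PL_Cert_GetExtendedKeyUsage`), and none of them carries a comment. The third is a policy decision, a certificate without the extension being treated as good for any usage, and deserves a line such as `/* no EKU extension in cert: no restriction to enforce */`. The loop then demands an exact match for every required OID, so a certificate carrying only anyExtendedKeyUsage would be rejected. Whether the removed `pkix_pl_Cert_CheckExtendedKeyUsage` behaved the same way cannot be told from this page, so the function comment should state the matching rule explicitly.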
@@ -435,23 +344,17 @@ PKIX_PL_EkuChecker_Create( PKIX_LISTAPPENDITEMFAILED); PKIX_CHECK(PKIX_CertChainChecker_Create - (pkix_pl_EkuChecker_Check, + (pkix_EkuChecker_Check, PKIX_TRUE, /* forwardCheckingSupported */ PKIX_FALSE, /* forwardDirectionExpected */ critExtOIDsList, (PKIX_PL_Object *) state, - &checker, + pEkuChecker, plContext), PKIX_CERTCHAINCHECKERCREATEFAILED); - - PKIX_CHECK(PKIX_ProcessingParams_AddCertChainChecker - (params, checker, plContext), - PKIX_PROCESSINGPARAMSADDCERTCHAINCHECKERFAILED); - cleanup: PKIX_DECREF(critExtOIDsList); - PKIX_DECREF(checker); PKIX_DECREF(state); PKIX_RETURN(EKUCHECKER); diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.h new file mode 100644 index 000000000..51643cec9 --- /dev/null +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.h 
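Review bot: The new out-parameter `pEkuChecker` is handed to `PKIX_CertChainChecker_Create` without a check of its own; the entry guard in the preceding hunk is still `PKIX_NULLCHECK_ONE(params)`. Change it to `PKIX_NULLCHECK_TWO(params, pEkuChecker);` so a NULL destination is rejected before the state object is allocated. The function's header comment also still names `pkix_EkuChecker_Initialize` and points at pkix_sample_modules.h, from which this commit removes the declaration.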
@@ -0,0 +1,125 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the PKIX-C library. + * + * The Initial Developer of the Original Code is + * Sun Microsystems, Inc. + * Portions created by the Initial Developer are + * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved. + * + * Contributor(s): + * Sun Microsystems, Inc. + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* + * pkix_ekuchecker.h + * + * User Defined Object Type Extended Key Usage Definition + * + */ + +#ifndef _PKIX_EKUCHECKER_H +#define _PKIX_EKUCHECKER_H + +#include "pkix_pl_common.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * FUNCTION: PKIX_PL_EkuChecker_Create + * + * DESCRIPTION: + * Create a CertChainChecker with EkuCheckerState and add it into + * PKIX_ProcessingParams object. + * + * PARAMETERS + * "params" + * a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of + * Extended Key Usage OIDs specified by application can be retrieved for + * verification. + * "ekuChecker" + * Address of created ekuchecker. + * "plContext" + * Platform-specific context pointer. + * + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a UserDefinedModules Error if the function fails in a non-fatal + * way. + * Returns a Fatal Error + */ +PKIX_Error * +PKIX_EkuChecker_Create( + PKIX_ProcessingParams *params, + PKIX_CertChainChecker **ekuChecker, + void *plContext); + +/* + * FUNCTION: PKIX_PL_EkuChecker_GetRequiredEku + * + * DESCRIPTION: + * This function retrieves application specified ExtenedKeyUsage(s) from + * ComCertSetparams and converts its OID representations to SECCertUsageEnum. + * The result is stored and returned in bit mask at "pRequiredExtKeyUsage". + * + * PARAMETERS + * "certSelector" + * a PKIX_CertSelector links to PKIX_ComCertSelParams where a list of + * Extended Key Usage OIDs specified by application can be retrieved for + * verification. Must be non-NULL. + * "pRequiredExtKeyUsage" + * Address where the result is returned. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * + * RETURNS: + * Returns NULL if the function succeeds. 
+ * Returns a UserDefinedModules Error if the function fails in a non-fatal + * way. + * Returns a Fatal Error + */ +PKIX_Error * +pkix_EkuChecker_GetRequiredEku( + PKIX_CertSelector *certSelector, + PKIX_UInt32 *pRequiredExtKeyUsage, + void *plContext); + +/* see source file for function documentation */ +PKIX_Error *pkix_pl_EkuChecker_RegisterSelf(void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_PL_EKUCHECKER_H */ diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index 70c9f0cf6..1aeebf244 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -1268,6 +1268,9 @@ cleanup: * Address of List of Certs to be validated. Must be non-NULL. * "anchor" * Address of TrustAnchor to be used. Must be non-NULL. + * "addEkuChecker" + * Boolean flags that tells to add eku checker to the list + * of checkers. Only needs to be done for existing chain revalidation. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: @@ -1282,6 +1285,7 @@ pkix_Build_ValidationCheckers( PKIX_ForwardBuilderState *state, PKIX_List *certChain, PKIX_TrustAnchor *anchor, + PKIX_Boolean addEkuChecker, void *plContext) { PKIX_List *checkers = NULL; @@ -1294,6 +1298,7 @@ pkix_Build_ValidationCheckers( PKIX_CertChainChecker *sigChecker = NULL; PKIX_CertChainChecker *policyChecker = NULL; PKIX_CertChainChecker *userChecker = NULL; + PKIX_CertChainChecker *ekuChecker = NULL; PKIX_List *userCheckersList = NULL; PKIX_List *userCheckerExtOIDs = NULL; PKIX_PL_OID *oid = NULL; 
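Review bot: The new header pkix_ekuchecker.h declares two names that this commit does not define: `pkix_EkuChecker_GetRequiredEku`, whose implementation is deleted from the .c file, and `pkix_pl_EkuChecker_RegisterSelf`, which the .c file renames to `pkix_EkuChecker_RegisterSelf`. The call changed in pkix_pl_lifecycle.c therefore has no matching prototype in this header; replace the last declaration with `PKIX_Error *pkix_EkuChecker_RegisterSelf(void *plContext);` and drop the GetRequiredEku block. The comment on `PKIX_EkuChecker_Create` still carries the `PKIX_PL_` name and says the checker is added to the ProcessingParams object, which the function no longer does, and the closing guard comment should read `_PKIX_EKUCHECKER_H`.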
@@ -1322,6 +1327,23 @@ pkix_Build_ValidationCheckers( procParams = state->buildConstants.procParams; + /* Do need to add eku checker for chains, that we just + * built. KU and EKU get checked by certificate selector + * during chain construction. For other cases when trying + * short cut or for cached chain we need to verify key + * usage again. For those cases the function shoud be + * called with addEkuChecker set to true. */ + if (addEkuChecker) { + PKIX_CHECK( + PKIX_EkuChecker_Create(procParams, &ekuChecker, + plContext), + PKIX_EKUCHECKERINITIALIZEFAILED); + + PKIX_CHECK(PKIX_List_AppendItem + (checkers, (PKIX_PL_Object *)ekuChecker, plContext), + PKIX_LISTAPPENDITEMFAILED); + } + PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies (procParams, &initialPolicies, plContext), PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED); @@ -1463,8 +1485,8 @@ pkix_Build_ValidationCheckers( state->reversedCertChain = reversedCertChain; PKIX_INCREF(buildCheckedCritExtOIDsList); state->checkedCritExtOIDs = buildCheckedCritExtOIDsList; - PKIX_INCREF(checkers); state->checkerChain = checkers; + checkers = NULL; state->certCheckedIndex = 0; state->checkerIndex = 0; state->revChecking = PKIX_FALSE; @@ -1484,6 +1506,7 @@ cleanup: PKIX_DECREF(userChecker); PKIX_DECREF(userCheckersList); PKIX_DECREF(userCheckerExtOIDs); + PKIX_DECREF(ekuChecker); PKIX_RETURN(BUILD); } @@ -1682,6 +1705,10 @@ pkix_Build_BuildSelectorAndParams( PKIX_CertSelector *certSel = NULL; PKIX_PL_X500Name *currentIssuer = NULL; PKIX_PL_Date *testDate = NULL; + PKIX_CertSelector *callerCertSelector = NULL; + PKIX_ComCertSelParams *callerComCertSelParams = NULL; + PKIX_UInt32 reqKu = 0; + PKIX_List *reqEkuOids = NULL; PKIX_ENTER(BUILD, "pkix_Build_BuildSelectorAndParams"); PKIX_NULLCHECK_THREE(state, state->prevCert, state->traversedSubjNames); 
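Review bot: The comment added above `if (addEkuChecker)` opens with "Do need to add eku checker for chains, that we just built", which states the opposite of what the call sites do, since freshly built chains pass `PKIX_FALSE`. It should begin `No need to add the eku checker for chains that we have just built`, and `shoud` in the same comment is a typo for `should`. Because this flag decides whether key-usage constraints are re-checked on shortcut and cached chains, the comment is the only place a maintainer learns which callers must pass `PKIX_TRUE`.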
@@ -1712,6 +1739,40 @@ pkix_Build_BuildSelectorAndParams( (certSelParams, state->traversedSubjNames, plContext), PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED); + PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints + (state->buildConstants.procParams, + &callerCertSelector, plContext), + PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); + + if (callerCertSelector != NULL) { + + /* Get initial EKU OIDs from ComCertSelParams, if set */ + PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams + (callerCertSelector, &callerComCertSelParams, plContext), + PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); + + if (callerComCertSelParams != NULL) { + PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage + (callerComCertSelParams, &reqEkuOids, plContext), + PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); + + PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage + (callerComCertSelParams, &reqKu, plContext), + PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); + } + } + + PKIX_CHECK( + PKIX_ComCertSelParams_SetKeyUsage(certSelParams, reqKu, + plContext), + PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); + + PKIX_CHECK( + PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams, + reqEkuOids, + plContext), + PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED); + PKIX_CHECK(PKIX_CertSelector_Create (NULL, NULL, &state->certSel, plContext), PKIX_CERTSELECTORCREATEFAILED); @@ -1730,6 +1791,9 @@ cleanup: PKIX_DECREF(certSel); PKIX_DECREF(currentIssuer); PKIX_DECREF(testDate); + PKIX_DECREF(reqEkuOids); + PKIX_DECREF(callerComCertSelParams); + PKIX_DECREF(callerCertSelector); PKIX_RETURN(BUILD); } @@ -2706,6 +2770,9 @@ pkix_BuildForwardDepthFirstSearch( (state, state->trustChain, trustAnchor, + PKIX_FALSE, /* do not add eku checker + * since eku was already + * checked */ plContext), PKIX_BUILDVALIDATIONCHECKERSFAILED); 
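Review bot: The `PKIX_ComCertSelParams_GetKeyUsage` call reports failure as `PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED`, the same code as the EKU getter just above it, so a key-usage lookup failure would be reported as an extended-key-usage one. Use a key-usage-specific code there, mirroring the `PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED` used for the setter a few lines below. Separately, the caller's target-certificate KU and EKU are copied onto the selector built in `pkix_Build_BuildSelectorAndParams`; the rest of that function is outside the hunk, so a comment saying which certificates in the chain this selector is matched against would help a reviewer confirm the constraints land where intended.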
@@ -2869,6 +2936,9 @@ pkix_BuildForwardDepthFirstSearch( (state, state->trustChain, trustAnchor, + PKIX_FALSE, /* do not add eku checker + * since eku was already + * checked */ plContext), PKIX_BUILDVALIDATIONCHECKERSFAILED); @@ -3396,7 +3466,8 @@ pkix_Build_TryShortcut( PKIX_CHECK( pkix_Build_ValidationCheckers(state, state->trustChain, - anchor, plContext), + anchor, PKIX_TRUE, + plContext), PKIX_BUILDVALIDATIONCHECKERSFAILED); PKIX_CHECK_ONLY_FATAL( @@ -3562,6 +3633,7 @@ pkix_Build_CheckInCache( (state, certList, matchingAnchor, + PKIX_TRUE, /* Adding eku checker. */ plContext), PKIX_BUILDVALIDATIONCHECKERSFAILED); @@ -3994,7 +4066,7 @@ pkix_Build_InitiateBuildChain( } } - PKIX_CHECK( + PKIX_CHECK_ONLY_FATAL( pkix_Build_CheckInCache(state, &buildResult, &nbioContext, plContext), PKIX_UNABLETOBUILDCHAIN); diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.h b/security/nss/lib/libpkix/pkix/top/pkix_build.h index 570df34de..80fc9ab28 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.h +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h @@ -45,6 +45,7 @@ #define _PKIX_BUILD_H #include "pkix_tools.h" #include "pkix_pl_ldapt.h" +#include "pkix_ekuchecker.h" #ifdef __cplusplus extern "C" { diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn index 5a5176a6f..c757dfe94 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn @@ -43,7 +43,6 @@ EXPORTS = \ PRIVATE_EXPORTS = \ pkix_pl_aiamgr.h \ pkix_pl_colcertstore.h \ - pkix_pl_ekuchecker.h \ pkix_pl_httpcertstore.h \ pkix_pl_httpdefaultclient.h \ pkix_pl_ldapt.h \ @@ -63,7 +62,6 @@ DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DS CSRCS = \ pkix_pl_aiamgr.c \ - pkix_pl_ekuchecker.c \ pkix_pl_colcertstore.c \ pkix_pl_httpcertstore.c \ pkix_pl_httpdefaultclient.c \ 
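Review bot: Switching the `pkix_Build_CheckInCache` call to `PKIX_CHECK_ONLY_FATAL` means a non-fatal failure there, now including an EKU mismatch on a cached chain, no longer aborts `pkix_Build_InitiateBuildChain` but falls through to the code after it. That code is outside the hunk, so confirm that `buildResult` and `nbioContext` are still unset on that path and that the swallowed error is not left pending when a fresh build starts. A short comment such as `/* non-fatal: cached chain unusable, build a new one */` at the call would record the intent.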
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h
deleted file mode 100755
index 01bb71fd1..000000000
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h
+++ /dev/null
@@ -1,67 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the PKIX-C library. - * - * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. - * Portions created by the Initial Developer are - * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved. - * - * Contributor(s): - * Sun Microsystems, Inc. - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ -/* - * pkix_pl_ekuchecker.h - * - * User Defined Object Type Extended Key Usage Definition - * - */ - -#ifndef _PKIX_PL_EKUCHECKER_H -#define _PKIX_PL_EKUCHECKER_H - -#include "pkix_pl_common.h" - -#ifdef __cplusplus -extern "C" { -#endif - -typedef struct pkix_pl_EkuChecker pkix_pl_EkuChecker; - -struct pkix_pl_EkuChecker { - PKIX_UInt32 requiredExtKeyUsage; - PKIX_PL_OID *ekuOID; -}; - -/* see source file for function documentation */ -PKIX_Error *pkix_pl_EkuChecker_RegisterSelf(void *plContext); - -#ifdef __cplusplus -} -#endif - -#endif /* _PKIX_PL_EKUCHECKER_H */ diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h index a365deee7..d3f4d847e 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h @@ -102,7 +102,6 @@ #include "pkix_pl_httpdefaultclient.h" #include "pkix_pl_infoaccess.h" #include "pkix_sample_modules.h" -#include "pkix_pl_ekuchecker.h" #define MAX_DIGITS_32 (PKIX_UInt32) 10 diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c index 246896e8e..ae33daeb8 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c @@ -252,7 +252,7 @@ PKIX_PL_Initialize( pkix_pl_OcspResponse_RegisterSelf(plContext); pkix_pl_HttpDefaultClient_RegisterSelf(plContext); pkix_VerifyNode_RegisterSelf(plContext); - pkix_pl_EkuChecker_RegisterSelf(plContext); + pkix_EkuChecker_RegisterSelf(plContext); if (pPlContext) { PKIX_CHECK(PKIX_PL_NssContext_Create |