author | Franziskus Kiefer <franziskuskiefer@gmail.com> | 2015-12-15 13:28:02 +0100 |
committer | Franziskus Kiefer <franziskuskiefer@gmail.com> | 2015-12-15 13:28:02 +0100 |
commit | 95da51969b89add904c2b8928868d6ddad7202a8 (patch) | |
tree | bd0fff890c27dbbc3b556509b1dd0ef0b2f0a62a | |
parent | 37aa902bc92baf60ad47daf428194752d2c8e81d (diff) | |
download | nss-hg-95da51969b89add904c2b8928868d6ddad7202a8.tar.gz |
Bug 1229362 - clang format on lib/certhigh with minor manual corrections, r=kaie
-rw-r--r-- | lib/certhigh/certhigh.c | 1188 | ||||
-rw-r--r-- | lib/certhigh/certhtml.c | 419 | ||||
-rw-r--r-- | lib/certhigh/certreq.c | 193 | ||||
-rw-r--r-- | lib/certhigh/certvfy.c | 2300 | ||||
-rw-r--r-- | lib/certhigh/certvfypkix.c | 1400 | ||||
-rw-r--r-- | lib/certhigh/crlv2.c | 100 | ||||
-rw-r--r-- | lib/certhigh/ocsp.c | 2949 | ||||
-rw-r--r-- | lib/certhigh/ocsp.h | 107 | ||||
-rw-r--r-- | lib/certhigh/ocspi.h | 38 | ||||
-rw-r--r-- | lib/certhigh/ocspsig.c | 365 | ||||
-rw-r--r-- | lib/certhigh/ocspt.h | 128 | ||||
-rw-r--r-- | lib/certhigh/ocspti.h | 113 | ||||
-rw-r--r-- | lib/certhigh/xcrldist.c | 316 |
13 files changed, 4817 insertions, 4799 deletions
diff --git a/lib/certhigh/certhigh.c b/lib/certhigh/certhigh.c index b06b7af33..2cb6b8c81 100644 --- a/lib/certhigh/certhigh.c +++ b/lib/certhigh/certhigh.c @@ -17,36 +17,37 @@ #include "pkitm.h" #include "pki3hack.h" - PRBool -CERT_MatchNickname(char *name1, char *name2) { - char *nickname1= NULL; +CERT_MatchNickname(char *name1, char *name2) +{ + char *nickname1 = NULL; char *nickname2 = NULL; char *token1; char *token2; /* first deal with the straight comparison */ if (PORT_Strcmp(name1, name2) == 0) { - return PR_TRUE; + return PR_TRUE; } /* we need to handle the case where one name has an explicit token and the other * doesn't */ - token1 = PORT_Strchr(name1,':'); - token2 = PORT_Strchr(name2,':'); + token1 = PORT_Strchr(name1, ':'); + token2 = PORT_Strchr(name2, ':'); if ((token1 && token2) || (!token1 && !token2)) { - /* either both token names are specified or neither are, not match */ - return PR_FALSE; + /* either both token names are specified or neither are, not match */ + return PR_FALSE; } if (token1) { - nickname1=token1; - nickname2=name2; - } else { - nickname1=token2; - nickname2=name1; + nickname1 = token1; + nickname2 = name2; + } + else { + nickname1 = token2; + nickname2 = name1; } nickname1++; - if (PORT_Strcmp(nickname1,nickname2) != 0) { - return PR_FALSE; + if (PORT_Strcmp(nickname1, nickname2) != 0) { + return PR_FALSE; } /* Bug 1192443 - compare the other token with the internal slot here */ return PR_TRUE; @@ -54,7 +55,7 @@ CERT_MatchNickname(char *name1, char *name2) { /* * Find all user certificates that match the given criteria. - * + * * "handle" - database to search * "usage" - certificate usage to match * "oneCertPerName" - if set then only return the "best" cert per 
@@ -64,10 +65,10 @@ CERT_MatchNickname(char *name1, char *name2) { */ CERTCertList * CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, - SECCertUsage usage, - PRBool oneCertPerName, - PRBool validOnly, - void *proto_win) + SECCertUsage usage, + PRBool oneCertPerName, + PRBool validOnly, + void *proto_win) { CERTCertNicknames *nicknames = NULL; char **nnptr; @@ -79,29 +80,29 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, CERTCertListNode *node = NULL; CERTCertListNode *freenode = NULL; int n; - + time = PR_Now(); - + nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER, - proto_win); - - if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) { - goto loser; + proto_win); + + if ((nicknames == NULL) || (nicknames->numnicknames == 0)) { + goto loser; } nnptr = nicknames->nicknames; nn = nicknames->numnicknames; - while ( nn > 0 ) { - cert = NULL; - /* use the pk11 call so that we pick up any certs on tokens, + while (nn > 0) { + cert = NULL; + /* use the pk11 call so that we pick up any certs on tokens, * which may require login */ - if ( proto_win != NULL ) { - cert = PK11_FindCertFromNickname(*nnptr,proto_win); - } + if (proto_win != NULL) { + cert = PK11_FindCertFromNickname(*nnptr, proto_win); + } - /* Sigh, It turns out if the cert is already in the temp db, because + /* Sigh, It turns out if the cert is already in the temp db, because * it's in the perm db, then the nickname lookup doesn't work. * since we already have the cert here, though, than we can just call * CERT_CreateSubjectCertList directly. For those cases where we didn't 
@@ -109,104 +110,105 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, * or because the nickname is for a peer, server, or CA cert, then we * go look the cert up. */ - if (cert == NULL) { - cert = CERT_FindCertByNickname(handle,*nnptr); - } - - if ( cert != NULL ) { - /* collect certs for this nickname, sorting them into the list */ - certList = CERT_CreateSubjectCertList(certList, handle, - &cert->derSubject, time, validOnly); - - CERT_FilterCertListForUserCerts(certList); - - /* drop the extra reference */ - CERT_DestroyCertificate(cert); - } - - nnptr++; - nn--; + if (cert == NULL) { + cert = CERT_FindCertByNickname(handle, *nnptr); + } + + if (cert != NULL) { + /* collect certs for this nickname, sorting them into the list */ + certList = CERT_CreateSubjectCertList(certList, handle, + &cert->derSubject, time, validOnly); + + CERT_FilterCertListForUserCerts(certList); + + /* drop the extra reference */ + CERT_DestroyCertificate(cert); + } + + nnptr++; + nn--; } /* remove certs with incorrect usage */ rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } /* remove any extra certs for each name */ - if ( oneCertPerName ) { - PRBool *flags; - - nn = nicknames->numnicknames; - nnptr = nicknames->nicknames; - - flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn); - if ( flags == NULL ) { - goto loser; - } - - node = CERT_LIST_HEAD(certList); - - /* treverse all certs in the list */ - while ( !CERT_LIST_END(node, certList) ) { - - /* find matching nickname index */ - for ( n = 0; n < nn; n++ ) { - if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) { - /* We found a match. 
If this is the first one, then + if (oneCertPerName) { + PRBool *flags; + + nn = nicknames->numnicknames; + nnptr = nicknames->nicknames; + + flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn); + if (flags == NULL) { + goto loser; + } + + node = CERT_LIST_HEAD(certList); + + /* treverse all certs in the list */ + while (!CERT_LIST_END(node, certList)) { + + /* find matching nickname index */ + for (n = 0; n < nn; n++) { + if (CERT_MatchNickname(nnptr[n], node->cert->nickname)) { + /* We found a match. If this is the first one, then * set the flag and move on to the next cert. If this * is not the first one then delete it from the list. */ - if ( flags[n] ) { - /* We have already seen a cert with this nickname, + if (flags[n]) { + /* We have already seen a cert with this nickname, * so delete this one. */ - freenode = node; - node = CERT_LIST_NEXT(node); - CERT_RemoveCertListNode(freenode); - } else { - /* keep the first cert for each nickname, but set the + freenode = node; + node = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(freenode); + } + else { + /* keep the first cert for each nickname, but set the * flag so we know to delete any others with the same * nickname. */ - flags[n] = PR_TRUE; - node = CERT_LIST_NEXT(node); - } - break; - } - } - if ( n == nn ) { - /* if we get here it means that we didn't find a matching + flags[n] = PR_TRUE; + node = CERT_LIST_NEXT(node); + } + break; + } + } + if (n == nn) { + /* if we get here it means that we didn't find a matching * nickname, which should not happen. 
*/ - PORT_Assert(0); - node = CERT_LIST_NEXT(node); - } - } - PORT_Free(flags); + PORT_Assert(0); + node = CERT_LIST_NEXT(node); + } + } + PORT_Free(flags); } goto done; - + loser: - if ( certList != NULL ) { - CERT_DestroyCertList(certList); - certList = NULL; + if (certList != NULL) { + CERT_DestroyCertList(certList); + certList = NULL; } done: - if ( nicknames != NULL ) { - CERT_FreeNicknames(nicknames); + if (nicknames != NULL) { + CERT_FreeNicknames(nicknames); } - return(certList); + return (certList); } /* * Find a user certificate that matchs the given criteria. - * + * * "handle" - database to search * "nickname" - nickname to match * "usage" - certificate usage to match 
@@ -215,131 +217,129 @@ done: */ CERTCertificate * CERT_FindUserCertByUsage(CERTCertDBHandle *handle, - const char *nickname, - SECCertUsage usage, - PRBool validOnly, - void *proto_win) + const char *nickname, + SECCertUsage usage, + PRBool validOnly, + void *proto_win) { CERTCertificate *cert = NULL; CERTCertList *certList = NULL; SECStatus rv; PRTime time; - + time = PR_Now(); - + /* use the pk11 call so that we pick up any certs on tokens, * which may require login */ /* XXX - why is this restricted? */ - if ( proto_win != NULL ) { - cert = PK11_FindCertFromNickname(nickname,proto_win); + if (proto_win != NULL) { + cert = PK11_FindCertFromNickname(nickname, proto_win); } - /* sigh, There are still problems find smart cards from the temp * db. This will get smart cards working again. The real fix * is to make sure we can search the temp db by their token nickname. */ if (cert == NULL) { - cert = CERT_FindCertByNickname(handle,nickname); + cert = CERT_FindCertByNickname(handle, nickname); } - if ( cert != NULL ) { - unsigned int requiredKeyUsage; - unsigned int requiredCertType; - - rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE, - &requiredKeyUsage, &requiredCertType); - if ( rv != SECSuccess ) { - /* drop the extra reference */ - CERT_DestroyCertificate(cert); - cert = NULL; - goto loser; - } - /* If we already found the right cert, just return it */ - if ( (!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE) - == secCertTimeValid) && - (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) && - (cert->nsCertType & requiredCertType) && - CERT_IsUserCert(cert) ) { - return(cert); - } - - /* collect certs for this nickname, sorting them into the list */ - certList = CERT_CreateSubjectCertList(certList, handle, - &cert->derSubject, time, validOnly); - - CERT_FilterCertListForUserCerts(certList); - - /* drop the extra reference */ - CERT_DestroyCertificate(cert); - cert = NULL; + if (cert != NULL) { + unsigned int requiredKeyUsage; + unsigned 
int requiredCertType; + + rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE, + &requiredKeyUsage, &requiredCertType); + if (rv != SECSuccess) { + /* drop the extra reference */ + CERT_DestroyCertificate(cert); + cert = NULL; + goto loser; + } + /* If we already found the right cert, just return it */ + if ((!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE) == + secCertTimeValid) && + (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) && + (cert->nsCertType & requiredCertType) && + CERT_IsUserCert(cert)) { + return (cert); + } + + /* collect certs for this nickname, sorting them into the list */ + certList = CERT_CreateSubjectCertList(certList, handle, + &cert->derSubject, time, validOnly); + + CERT_FilterCertListForUserCerts(certList); + + /* drop the extra reference */ + CERT_DestroyCertificate(cert); + cert = NULL; } - - if ( certList == NULL ) { - goto loser; + + if (certList == NULL) { + goto loser; } - + /* remove certs with incorrect usage */ rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } - if ( ! 
CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) { - cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert); + if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) { + cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert); } - + loser: - if ( certList != NULL ) { - CERT_DestroyCertList(certList); + if (certList != NULL) { + CERT_DestroyCertList(certList); } - return(cert); + return (cert); } CERTCertList * CERT_MatchUserCert(CERTCertDBHandle *handle, - SECCertUsage usage, - int nCANames, char **caNames, - void *proto_win) + SECCertUsage usage, + int nCANames, char **caNames, + void *proto_win) { CERTCertList *certList = NULL; SECStatus rv; certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE, - proto_win); - if ( certList == NULL ) { - goto loser; + proto_win); + if (certList == NULL) { + goto loser; } - + rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } - + goto done; - + loser: - if ( certList != NULL ) { - CERT_DestroyCertList(certList); - certList = NULL; + if (certList != NULL) { + CERT_DestroyCertList(certList); + certList = NULL; } done: - return(certList); + return (certList); } - typedef struct stringNode { struct stringNode *next; char *string; } stringNode; - + static PRStatus -CollectNicknames( NSSCertificate *c, void *data) +CollectNicknames(NSSCertificate *c, void *data) { CERTCertNicknames *names; PRBool saveit = PR_FALSE; 
@@ -351,103 +351,104 @@ CollectNicknames( NSSCertificate *c, void *data) #endif char *stanNickname; char *nickname = NULL; - + names = (CERTCertNicknames *)data; - stanNickname = nssCertificate_GetNickname(c,NULL); - - if ( stanNickname ) { + stanNickname = nssCertificate_GetNickname(c, NULL); + + if (stanNickname) { nss_ZFreeIf(stanNickname); stanNickname = NULL; - if (names->what == SEC_CERT_NICKNAMES_USER) { - saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL); - } + if (names->what == SEC_CERT_NICKNAMES_USER) { + saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL); + } #ifdef notdef - else { - td = NSSCertificate_GetTrustDomain(c); - if (!td) { - return PR_SUCCESS; - } - trust = nssTrustDomain_FindTrustForCertificate(td,c); - - switch(names->what) { - case SEC_CERT_NICKNAMES_ALL: - if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) || - (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) || - (trust->objectSigningFlags & - (CERTDB_VALID_CA|CERTDB_VALID_PEER))) { - saveit = PR_TRUE; - } - - break; - case SEC_CERT_NICKNAMES_SERVER: - if ( trust->sslFlags & CERTDB_VALID_PEER ) { - saveit = PR_TRUE; - } - - break; - case SEC_CERT_NICKNAMES_CA: - if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)|| - ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) || - ((trust->objectSigningFlags & CERTDB_VALID_CA ) - == CERTDB_VALID_CA)) { - saveit = PR_TRUE; - } - break; - } - } + else { + td = NSSCertificate_GetTrustDomain(c); + if (!td) { + return PR_SUCCESS; + } + trust = nssTrustDomain_FindTrustForCertificate(td, c); + + switch (names->what) { + case SEC_CERT_NICKNAMES_ALL: + if ((trust->sslFlags & (CERTDB_VALID_CA | CERTDB_VALID_PEER)) || + (trust->emailFlags & (CERTDB_VALID_CA | CERTDB_VALID_PEER)) || + (trust->objectSigningFlags & + (CERTDB_VALID_CA | CERTDB_VALID_PEER))) { + saveit = PR_TRUE; + } + + break; + case SEC_CERT_NICKNAMES_SERVER: + if (trust->sslFlags & CERTDB_VALID_PEER) { + saveit = PR_TRUE; + } + + 
break; + case SEC_CERT_NICKNAMES_CA: + if (((trust->sslFlags & CERTDB_VALID_CA) == CERTDB_VALID_CA) || + ((trust->emailFlags & CERTDB_VALID_CA) == CERTDB_VALID_CA) || + ((trust->objectSigningFlags & CERTDB_VALID_CA) == + CERTDB_VALID_CA)) { + saveit = PR_TRUE; + } + break; + } + } #endif } /* traverse the list of collected nicknames and make sure we don't make * a duplicate */ - if ( saveit ) { - nickname = STAN_GetCERTCertificateName(NULL, c); - /* nickname can only be NULL here if we are having memory + if (saveit) { + nickname = STAN_GetCERTCertificateName(NULL, c); + /* nickname can only be NULL here if we are having memory * alloc problems */ - if (nickname == NULL) { - return PR_FAILURE; - } - node = (stringNode *)names->head; - while ( node != NULL ) { - if ( PORT_Strcmp(nickname, node->string) == 0 ) { - /* if the string matches, then don't save this one */ - saveit = PR_FALSE; - break; - } - node = node->next; - } + if (nickname == NULL) { + return PR_FAILURE; + } + node = (stringNode *)names->head; + while (node != NULL) { + if (PORT_Strcmp(nickname, node->string) == 0) { + /* if the string matches, then don't save this one */ + saveit = PR_FALSE; + break; + } + node = node->next; + } } - if ( saveit ) { - - /* allocate the node */ - node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode)); - if ( node == NULL ) { - PORT_Free(nickname); - return PR_FAILURE; - } - - /* copy the string */ - len = PORT_Strlen(nickname) + 1; - node->string = (char*)PORT_ArenaAlloc(names->arena, len); - if ( node->string == NULL ) { - PORT_Free(nickname); - return PR_FAILURE; - } - PORT_Memcpy(node->string, nickname, len); - - /* link it into the list */ - node->next = (stringNode *)names->head; - names->head = (void *)node; - - /* bump the count */ - names->numnicknames++; + if (saveit) { + + /* allocate the node */ + node = (stringNode *)PORT_ArenaAlloc(names->arena, sizeof(stringNode)); + if (node == NULL) { + PORT_Free(nickname); + return PR_FAILURE; + } + + 
/* copy the string */ + len = PORT_Strlen(nickname) + 1; + node->string = (char *)PORT_ArenaAlloc(names->arena, len); + if (node->string == NULL) { + PORT_Free(nickname); + return PR_FAILURE; + } + PORT_Memcpy(node->string, nickname, len); + + /* link it into the list */ + node->next = (stringNode *)names->head; + names->head = (void *)node; + + /* bump the count */ + names->numnicknames++; } - - if (nickname) PORT_Free(nickname); - return(PR_SUCCESS); + + if (nickname) + PORT_Free(nickname); + return (PR_SUCCESS); } CERTCertNicknames * @@ -457,16 +458,16 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx) CERTCertNicknames *names; int i; stringNode *node; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return(NULL); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (NULL); } - + names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames)); - if ( names == NULL ) { - goto loser; + if (names == NULL) { + goto loser; } names->arena = arena; 
@@ -477,43 +478,44 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx) names->totallen = 0; /* make sure we are logged in */ - (void) pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx); - + (void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx); + NSSTrustDomain_TraverseCertificates(handle, - CollectNicknames, (void *)names); - if ( names->numnicknames ) { - names->nicknames = (char**)PORT_ArenaAlloc(arena, - names->numnicknames * sizeof(char *)); - - if ( names->nicknames == NULL ) { - goto loser; - } - - node = (stringNode *)names->head; - - for ( i = 0; i < names->numnicknames; i++ ) { - PORT_Assert(node != NULL); - - names->nicknames[i] = node->string; - names->totallen += PORT_Strlen(node->string); - node = node->next; - } - - PORT_Assert(node == NULL); + CollectNicknames, (void *)names); + if (names->numnicknames) { + names->nicknames = (char **)PORT_ArenaAlloc(arena, + names->numnicknames * + sizeof(char *)); + + if (names->nicknames == NULL) { + goto loser; + } + + node = (stringNode *)names->head; + + for (i = 0; i < names->numnicknames; i++) { + PORT_Assert(node != NULL); + + names->nicknames[i] = node->string; + names->totallen += PORT_Strlen(node->string); + node = node->next; + } + + PORT_Assert(node == NULL); } - return(names); - + return (names); + loser: PORT_FreeArena(arena, PR_FALSE); - return(NULL); + return (NULL); } void CERT_FreeNicknames(CERTCertNicknames *nicknames) { PORT_FreeArena(nicknames->arena, PR_FALSE); - + return; } 
@@ -528,53 +530,53 @@ void CERT_FreeDistNames(CERTDistNames *names) { PORT_FreeArena(names->arena, PR_FALSE); - + return; } static SECStatus -CollectDistNames( CERTCertificate *cert, SECItem *k, void *data) +CollectDistNames(CERTCertificate *cert, SECItem *k, void *data) { CERTDistNames *names; PRBool saveit = PR_FALSE; CERTCertTrust trust; dnameNode *node; int len; - + names = (CERTDistNames *)data; - - if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) { - /* only collect names of CAs trusted for issuing SSL clients */ - if ( trust.sslFlags & CERTDB_TRUSTED_CLIENT_CA ) { - saveit = PR_TRUE; - } + + if (CERT_GetCertTrust(cert, &trust) == SECSuccess) { + /* only collect names of CAs trusted for issuing SSL clients */ + if (trust.sslFlags & CERTDB_TRUSTED_CLIENT_CA) { + saveit = PR_TRUE; + } } - if ( saveit ) { - /* allocate the node */ - node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode)); - if ( node == NULL ) { - return(SECFailure); - } - - /* copy the name */ - node->name.len = len = cert->derSubject.len; - node->name.type = siBuffer; - node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len); - if ( node->name.data == NULL ) { - return(SECFailure); - } - PORT_Memcpy(node->name.data, cert->derSubject.data, len); - - /* link it into the list */ - node->next = (dnameNode *)names->head; - names->head = (void *)node; - - /* bump the count */ - names->nnames++; + if (saveit) { + /* allocate the node */ + node = (dnameNode *)PORT_ArenaAlloc(names->arena, sizeof(dnameNode)); + if (node == NULL) { + return (SECFailure); + } + + /* copy the name */ + node->name.len = len = cert->derSubject.len; + node->name.type = siBuffer; + node->name.data = (unsigned char *)PORT_ArenaAlloc(names->arena, len); + if (node->name.data == NULL) { + return (SECFailure); + } + PORT_Memcpy(node->name.data, cert->derSubject.data, len); + + /* link it into the list */ + node->next = (dnameNode *)names->head; + names->head = (void *)node; + + /* bump the count */ + 
names->nnames++; } - - return(SECSuccess); + + return (SECSuccess); } /* @@ -587,18 +589,18 @@ CERT_DupDistNames(CERTDistNames *orig) CERTDistNames *names; int i; SECStatus rv; - + /* allocate an arena to use */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return(NULL); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (NULL); } - + /* allocate the header structure */ names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames)); if (names == NULL) { - goto loser; + goto loser; } /* initialize the header struct */ @@ -606,26 +608,26 @@ CERT_DupDistNames(CERTDistNames *orig) names->head = NULL; names->nnames = orig->nnames; names->names = NULL; - + /* construct the array from the list */ if (orig->nnames) { - names->names = (SECItem*)PORT_ArenaNewArray(arena, SECItem, - orig->nnames); - if (names->names == NULL) { - goto loser; - } - for (i = 0; i < orig->nnames; i++) { + names->names = (SECItem *)PORT_ArenaNewArray(arena, SECItem, + orig->nnames); + if (names->names == NULL) { + goto loser; + } + for (i = 0; i < orig->nnames; i++) { rv = SECITEM_CopyItem(arena, &names->names[i], &orig->names[i]); if (rv != SECSuccess) { goto loser; } } } - return(names); - + return (names); + loser: PORT_FreeArena(arena, PR_FALSE); - return(NULL); + return (NULL); } CERTDistNames * @@ -636,18 +638,18 @@ CERT_GetSSLCACerts(CERTCertDBHandle *handle) int i; SECStatus rv; dnameNode *node; - + /* allocate an arena to use */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return(NULL); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (NULL); } - + /* allocate the header structure */ names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames)); - if ( names == NULL ) { - goto loser; + if (names == NULL) { + goto loser; } /* initialize the header struct */ 
@@ -655,48 +657,48 @@ CERT_GetSSLCACerts(CERTCertDBHandle *handle) names->head = NULL; names->nnames = 0; names->names = NULL; - + /* collect the names from the database */ rv = PK11_TraverseSlotCerts(CollectDistNames, (void *)names, NULL); - if ( rv ) { - goto loser; + if (rv) { + goto loser; } /* construct the array from the list */ - if ( names->nnames ) { - names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem)); - - if ( names->names == NULL ) { - goto loser; - } - - node = (dnameNode *)names->head; - - for ( i = 0; i < names->nnames; i++ ) { - PORT_Assert(node != NULL); - - names->names[i] = node->name; - node = node->next; - } - - PORT_Assert(node == NULL); + if (names->nnames) { + names->names = (SECItem *)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem)); + + if (names->names == NULL) { + goto loser; + } + + node = (dnameNode *)names->head; + + for (i = 0; i < names->nnames; i++) { + PORT_Assert(node != NULL); + + names->names[i] = node->name; + node = node->next; + } + + PORT_Assert(node == NULL); } - return(names); - + return (names); + loser: PORT_FreeArena(arena, PR_FALSE); - return(NULL); + return (NULL); } CERTDistNames * CERT_DistNamesFromCertList(CERTCertList *certList) { - CERTDistNames * dnames = NULL; - PLArenaPool * arena; + CERTDistNames *dnames = NULL; + PLArenaPool *arena; CERTCertListNode *node = NULL; - SECItem * names = NULL; - int listLen = 0, i = 0; + SECItem *names = NULL; + int listLen = 0, i = 0; if (certList == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); 
@@ -704,23 +706,26 @@ CERT_DistNamesFromCertList(CERTCertList *certList) } node = CERT_LIST_HEAD(certList); - while ( ! CERT_LIST_END(node, certList) ) { + while (!CERT_LIST_END(node, certList)) { listLen += 1; node = CERT_LIST_NEXT(node); } - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) goto loser; + if (arena == NULL) + goto loser; dnames = PORT_ArenaZNew(arena, CERTDistNames); - if (dnames == NULL) goto loser; + if (dnames == NULL) + goto loser; dnames->arena = arena; dnames->nnames = listLen; dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, listLen); - if (names == NULL) goto loser; + if (names == NULL) + goto loser; node = CERT_LIST_HEAD(certList); - while ( ! CERT_LIST_END(node, certList) ) { + while (!CERT_LIST_END(node, certList)) { CERTCertificate *cert = node->cert; SECStatus rv = SECITEM_CopyItem(arena, &names[i++], &cert->derSubject); if (rv == SECFailure) { 
@@ -738,38 +743,43 @@ loser: CERTDistNames * CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames, - int nnames) + int nnames) { CERTDistNames *dnames = NULL; PLArenaPool *arena; int i, rv; SECItem *names = NULL; CERTCertificate *cert = NULL; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) goto loser; + if (arena == NULL) + goto loser; dnames = PORT_ArenaZNew(arena, CERTDistNames); - if (dnames == NULL) goto loser; + if (dnames == NULL) + goto loser; dnames->arena = arena; dnames->nnames = nnames; dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames); - if (names == NULL) goto loser; - + if (names == NULL) + goto loser; + for (i = 0; i < nnames; i++) { - cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]); - if (cert == NULL) goto loser; - rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject); - if (rv == SECFailure) goto loser; - CERT_DestroyCertificate(cert); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]); + if (cert == NULL) + goto loser; + rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject); + if (rv == SECFailure) + goto loser; + CERT_DestroyCertificate(cert); } return dnames; - + loser: if (cert != NULL) - CERT_DestroyCertificate(cert); + CERT_DestroyCertificate(cert); if (arena != NULL) - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); return NULL; } 
@@ -784,36 +794,36 @@ CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr) SECItem *nameItem; CERTCertificate *cert = NULL; PLArenaPool *arena = NULL; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( arena == NULL ) { - goto loser; + + if (arena == NULL) { + goto loser; } - + name = CERT_AsciiToName(nameStr); - - if ( name ) { - nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name, - CERT_NameTemplate); - if ( nameItem != NULL ) { + + if (name) { + nameItem = SEC_ASN1EncodeItem(arena, NULL, (void *)name, + CERT_NameTemplate); + if (nameItem != NULL) { cert = CERT_FindCertByName(handle, nameItem); - } - CERT_DestroyName(name); + } + CERT_DestroyName(name); } loser: - if ( arena ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); } - - return(cert); + + return (cert); } /* From certv3.c */ CERTCrlDistributionPoints * -CERT_FindCRLDistributionPoints (CERTCertificate *cert) +CERT_FindCRLDistributionPoints(CERTCertificate *cert) { SECItem encodedExtenValue; SECStatus rv; @@ -823,9 +833,9 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert) encodedExtenValue.len = 0; rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS, - &encodedExtenValue); - if ( rv != SECSuccess ) { - return (NULL); + &encodedExtenValue); + if (rv != SECSuccess) { + return (NULL); } dps = CERT_DecodeCRLDistributionPoints(cert->arena, &encodedExtenValue); 
@@ -836,13 +846,13 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert) } /* From crl.c */ -CERTSignedCrl * CERT_ImportCRL - (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx) +CERTSignedCrl * +CERT_ImportCRL(CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx) { - CERTSignedCrl* retCrl = NULL; - PK11SlotInfo* slot = PK11_GetInternalKeySlot(); + CERTSignedCrl *retCrl = NULL; + PK11SlotInfo *slot = PK11_GetInternalKeySlot(); retCrl = PK11_ImportCRL(slot, derCRL, url, type, wincx, - CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS); + CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS); PK11_FreeSlot(slot); return retCrl; 
@@ -861,110 +871,111 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool PRBool isca; char *nickname; unsigned int certtype; - + handle = CERT_GetDefaultCertDB(); - + while (numcerts--) { - derCert = certs; - certs++; - - /* decode my certificate */ - /* This use is ok -- only looks at decoded parts, calls NewTemp later */ - newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); - if ( newcert == NULL ) { - goto loser; - } - - if (!trusted) { - /* make sure that cert is valid */ - rv = CERT_CertTimesValid(newcert); - if ( rv == SECFailure ) { - goto endloop; - } - } - - /* does it have the CA extension */ - - /* + derCert = certs; + certs++; + + /* decode my certificate */ + /* This use is ok -- only looks at decoded parts, calls NewTemp later */ + newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); + if (newcert == NULL) { + goto loser; + } + + if (!trusted) { + /* make sure that cert is valid */ + rv = CERT_CertTimesValid(newcert); + if (rv == SECFailure) { + goto endloop; + } + } + + /* does it have the CA extension */ + + /* * Make sure that if this is an intermediate CA in the chain that * it was given permission by its signer to be a CA. 
*/ - isca = CERT_IsCACert(newcert, &certtype); - - if ( !isca ) { - if (!trusted) { - goto endloop; - } - trust.sslFlags = CERTDB_VALID_CA; - trust.emailFlags = CERTDB_VALID_CA; - trust.objectSigningFlags = CERTDB_VALID_CA; - } else { - /* SSL ca's must have the ssl bit set */ - if ( ( certUsage == certUsageSSLCA ) && - (( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) { - goto endloop; - } - - /* it passed all of the tests, so lets add it to the database */ - /* mark it as a CA */ - PORT_Memset((void *)&trust, 0, sizeof(trust)); - switch ( certUsage ) { - case certUsageSSLCA: - trust.sslFlags = CERTDB_VALID_CA; - break; - case certUsageUserCertImport: - if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) { - trust.sslFlags = CERTDB_VALID_CA; - } - if ((certtype & NS_CERT_TYPE_EMAIL_CA) - == NS_CERT_TYPE_EMAIL_CA ) { - trust.emailFlags = CERTDB_VALID_CA; - } - if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) == - NS_CERT_TYPE_OBJECT_SIGNING_CA ) { - trust.objectSigningFlags = CERTDB_VALID_CA; - } - break; - default: - PORT_Assert(0); - break; - } - } - - cert = CERT_NewTempCertificate(handle, derCert, NULL, - PR_FALSE, PR_FALSE); - if ( cert == NULL ) { - goto loser; - } - - /* if the cert is temp, make it perm; otherwise we're done */ - if (cert->istemp) { - /* get a default nickname for it */ - nickname = CERT_MakeCANickname(cert); - - rv = CERT_AddTempCertToPerm(cert, nickname, &trust); - - /* free the nickname */ - if ( nickname ) { - PORT_Free(nickname); - } - } else { - rv = SECSuccess; - } - - CERT_DestroyCertificate(cert); - cert = NULL; - - if ( rv != SECSuccess ) { - goto loser; - } - -endloop: - if ( newcert ) { - CERT_DestroyCertificate(newcert); - newcert = NULL; - } - + isca = CERT_IsCACert(newcert, &certtype); + + if (!isca) { + if (!trusted) { + goto endloop; + } + trust.sslFlags = CERTDB_VALID_CA; + trust.emailFlags = CERTDB_VALID_CA; + trust.objectSigningFlags = CERTDB_VALID_CA; + } + else { + /* SSL ca's must have the ssl 
bit set */ + if ((certUsage == certUsageSSLCA) && + ((certtype & NS_CERT_TYPE_SSL_CA) != NS_CERT_TYPE_SSL_CA)) { + goto endloop; + } + + /* it passed all of the tests, so lets add it to the database */ + /* mark it as a CA */ + PORT_Memset((void *)&trust, 0, sizeof(trust)); + switch (certUsage) { + case certUsageSSLCA: + trust.sslFlags = CERTDB_VALID_CA; + break; + case certUsageUserCertImport: + if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) { + trust.sslFlags = CERTDB_VALID_CA; + } + if ((certtype & NS_CERT_TYPE_EMAIL_CA) == + NS_CERT_TYPE_EMAIL_CA) { + trust.emailFlags = CERTDB_VALID_CA; + } + if ((certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA) == + NS_CERT_TYPE_OBJECT_SIGNING_CA) { + trust.objectSigningFlags = CERTDB_VALID_CA; + } + break; + default: + PORT_Assert(0); + break; + } + } + + cert = CERT_NewTempCertificate(handle, derCert, NULL, + PR_FALSE, PR_FALSE); + if (cert == NULL) { + goto loser; + } + + /* if the cert is temp, make it perm; otherwise we're done */ + if (cert->istemp) { + /* get a default nickname for it */ + nickname = CERT_MakeCANickname(cert); + + rv = CERT_AddTempCertToPerm(cert, nickname, &trust); + + /* free the nickname */ + if (nickname) { + PORT_Free(nickname); + } + } + else { + rv = SECSuccess; + } + + CERT_DestroyCertificate(cert); + cert = NULL; + + if (rv != SECSuccess) { + goto loser; + } + + endloop: + if (newcert) { + CERT_DestroyCertificate(newcert); + newcert = NULL; + } } rv = SECSuccess; @@ -972,18 +983,18 @@ endloop: loser: rv = SECFailure; done: - - if ( newcert ) { - CERT_DestroyCertificate(newcert); - newcert = NULL; + + if (newcert) { + CERT_DestroyCertificate(newcert); + newcert = NULL; } - - if ( cert ) { - CERT_DestroyCertificate(cert); - cert = NULL; + + if (cert) { + CERT_DestroyCertificate(cert); + cert = NULL; } - - return(rv); + + return (rv); } SECStatus 
@@ -993,7 +1004,8 @@ CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage) } SECStatus -CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) { +CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) +{ return cert_ImportCAChain(certs, numcerts, certUsage, PR_TRUE); } @@ -1014,7 +1026,7 @@ typedef struct certNode { CERTCertificateList * CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, - PRBool includeRoot) + PRBool includeRoot) { CERTCertificateList *chain = NULL; NSSCertificate **stanChain; @@ -1022,7 +1034,7 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, PLArenaPool *arena; NSSUsage nssUsage; int i, len; - NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); + NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); NSSCryptoContext *cc = STAN_GetDefaultCryptoContext(); stanCert = STAN_GetNSSCertificate(cert); 
@@ -1034,55 +1046,58 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, nssUsage.nss3usage = usage; nssUsage.nss3lookingForCA = PR_FALSE; stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL, NULL, - CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc); + CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc); if (!stanChain) { - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); - return NULL; + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + return NULL; } len = 0; stanCert = stanChain[0]; while (stanCert) { - stanCert = stanChain[++len]; + stanCert = stanChain[++len]; } arena = PORT_NewArena(4096); if (arena == NULL) { - goto loser; + goto loser; } - chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, - sizeof(CERTCertificateList)); - if (!chain) goto loser; - chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem)); - if (!chain->certs) goto loser; + chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, + sizeof(CERTCertificateList)); + if (!chain) + goto loser; + chain->certs = (SECItem *)PORT_ArenaAlloc(arena, len * sizeof(SECItem)); + if (!chain->certs) + goto loser; i = 0; stanCert = stanChain[i]; while (stanCert) { - SECItem derCert; - CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert); - if (!cCert) { - goto loser; - } - derCert.len = (unsigned int)stanCert->encoding.size; - derCert.data = (unsigned char *)stanCert->encoding.data; - derCert.type = siBuffer; - SECITEM_CopyItem(arena, &chain->certs[i], &derCert); - stanCert = stanChain[++i]; - if (!stanCert && !cCert->isRoot) { - /* reached the end of the chain, but the final cert is + SECItem derCert; + CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert); + if (!cCert) { + goto loser; + } + derCert.len = (unsigned int)stanCert->encoding.size; + derCert.data = (unsigned char *)stanCert->encoding.data; + derCert.type = siBuffer; + SECITEM_CopyItem(arena, &chain->certs[i], &derCert); + stanCert = stanChain[++i]; + if (!stanCert && !cCert->isRoot) { + /* reached the end of the chain, 
but the final cert is * not a root. Don't discard it. */ - includeRoot = PR_TRUE; - } - CERT_DestroyCertificate(cCert); + includeRoot = PR_TRUE; + } + CERT_DestroyCertificate(cCert); } - if ( !includeRoot && len > 1) { - chain->len = len - 1; - } else { - chain->len = len; + if (!includeRoot && len > 1) { + chain->len = len - 1; } - + else { + chain->len = len; + } + chain->arena = arena; nss_ZFreeIf(stanChain); return chain; @@ -1090,15 +1105,15 @@ loser: i = 0; stanCert = stanChain[i]; while (stanCert) { - CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert); - if (cCert) { - CERT_DestroyCertificate(cCert); - } - stanCert = stanChain[++i]; + CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert); + if (cCert) { + CERT_DestroyCertificate(cCert); + } + stanCert = stanChain[++i]; } nss_ZFreeIf(stanChain); if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } @@ -1115,15 +1130,19 @@ CERT_CertListFromCert(CERTCertificate *cert) /* arena for SecCertificateList */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) goto no_memory; + if (arena == NULL) + goto no_memory; /* build the CERTCertificateList */ chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList)); - if (chain == NULL) goto no_memory; - chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem)); - if (chain->certs == NULL) goto no_memory; + if (chain == NULL) + goto no_memory; + chain->certs = (SECItem *)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem)); + if (chain->certs == NULL) + goto no_memory; rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert)); - if (rv < 0) goto loser; + if (rv < 0) + goto loser; chain->len = 1; chain->arena = arena; 
@@ -1133,41 +1152,41 @@ no_memory: PORT_SetError(SEC_ERROR_NO_MEMORY); loser: if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } CERTCertificateList * -CERT_DupCertList(const CERTCertificateList * oldList) +CERT_DupCertList(const CERTCertificateList *oldList) { CERTCertificateList *newList = NULL; - PLArenaPool *arena = NULL; - SECItem *newItem; - SECItem *oldItem; - int len = oldList->len; - int rv; + PLArenaPool *arena = NULL; + SECItem *newItem; + SECItem *oldItem; + int len = oldList->len; + int rv; /* arena for SecCertificateList */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) - goto no_memory; + if (arena == NULL) + goto no_memory; /* now build the CERTCertificateList */ newList = PORT_ArenaNew(arena, CERTCertificateList); - if (newList == NULL) - goto no_memory; + if (newList == NULL) + goto no_memory; newList->arena = arena; - newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem)); - if (newItem == NULL) - goto no_memory; + newItem = (SECItem *)PORT_ArenaAlloc(arena, len * sizeof(SECItem)); + if (newItem == NULL) + goto no_memory; newList->certs = newItem; - newList->len = len; + newList->len = len; for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) { - rv = SECITEM_CopyItem(arena, newItem, oldItem); - if (rv < 0) - goto loser; + rv = SECITEM_CopyItem(arena, newItem, oldItem); + if (rv < 0) + goto loser; } return newList; @@ -1175,7 +1194,7 @@ no_memory: PORT_SetError(SEC_ERROR_NO_MEMORY); loser: if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } @@ -1185,4 +1204,3 @@ CERT_DestroyCertificateList(CERTCertificateList *list) { PORT_FreeArena(list->arena, PR_FALSE); } - diff --git a/lib/certhigh/certhtml.c b/lib/certhigh/certhtml.c index aad66b0ec..a522f6925 100644 --- a/lib/certhigh/certhtml.c +++ b/lib/certhigh/certhtml.c 
@@ -22,31 +22,33 @@ static char *hex = "0123456789ABCDEF"; /* ** Convert a der-encoded integer to a hex printable string form */ -char *CERT_Hexify (SECItem *i, int do_colon) +char * +CERT_Hexify(SECItem *i, int do_colon) { unsigned char *cp, *end; char *rv, *o; if (!i->len) { - return PORT_Strdup("00"); + return PORT_Strdup("00"); } - rv = o = (char*) PORT_Alloc(i->len * 3); - if (!rv) return rv; + rv = o = (char *)PORT_Alloc(i->len * 3); + if (!rv) + return rv; cp = i->data; end = cp + i->len; while (cp < end) { - unsigned char ch = *cp++; - *o++ = hex[(ch >> 4) & 0xf]; - *o++ = hex[ch & 0xf]; - if (cp != end) { - if (do_colon) { - *o++ = ':'; - } - } + unsigned char ch = *cp++; + *o++ = hex[(ch >> 4) & 0xf]; + *o++ = hex[ch & 0xf]; + if (cp != end) { + if (do_colon) { + *o++ = ':'; + } + } } - *o = 0; /* Null terminate the string */ + *o = 0; /* Null terminate the string */ return rv; } 
@@ -58,132 +60,132 @@ char *CERT_Hexify (SECItem *i, int do_colon) #define MAX_OUS 20 #define MAX_DC MAX_OUS - -char *CERT_FormatName (CERTName *name) +char * +CERT_FormatName(CERTName *name) { - CERTRDN** rdns; - CERTRDN * rdn; - CERTAVA** avas; - CERTAVA* ava; - char * buf = 0; - char * tmpbuf = 0; - SECItem * cn = 0; - SECItem * email = 0; - SECItem * org = 0; - SECItem * loc = 0; - SECItem * state = 0; - SECItem * country = 0; - SECItem * dq = 0; + CERTRDN **rdns; + CERTRDN *rdn; + CERTAVA **avas; + CERTAVA *ava; + char *buf = 0; + char *tmpbuf = 0; + SECItem *cn = 0; + SECItem *email = 0; + SECItem *org = 0; + SECItem *loc = 0; + SECItem *state = 0; + SECItem *country = 0; + SECItem *dq = 0; - unsigned len = 0; - int tag; - int i; - int ou_count = 0; - int dc_count = 0; - PRBool first; - SECItem * orgunit[MAX_OUS]; - SECItem * dc[MAX_DC]; + unsigned len = 0; + int tag; + int i; + int ou_count = 0; + int dc_count = 0; + PRBool first; + SECItem *orgunit[MAX_OUS]; + SECItem *dc[MAX_DC]; /* Loop over name components and gather the interesting ones */ rdns = name->rdns; while ((rdn = *rdns++) != 0) { - avas = rdn->avas; - while ((ava = *avas++) != 0) { - tag = CERT_GetAVATag(ava); - switch(tag) { - case SEC_OID_AVA_COMMON_NAME: - if (cn) { - break; - } - cn = CERT_DecodeAVAValue(&ava->value); - if (!cn) { - goto loser; - } - len += cn->len; - break; - case SEC_OID_AVA_COUNTRY_NAME: - if (country) { - break; - } - country = CERT_DecodeAVAValue(&ava->value); - if (!country) { - goto loser; - } - len += country->len; - break; - case SEC_OID_AVA_LOCALITY: - if (loc) { - break; - } - loc = CERT_DecodeAVAValue(&ava->value); - if (!loc) { - goto loser; - } - len += loc->len; - break; - case SEC_OID_AVA_STATE_OR_PROVINCE: - if (state) { - break; - } - state = CERT_DecodeAVAValue(&ava->value); - if (!state) { - goto loser; - } - len += state->len; - break; - case SEC_OID_AVA_ORGANIZATION_NAME: - if (org) { - break; - } - org = CERT_DecodeAVAValue(&ava->value); - if (!org) { 
- goto loser; - } - len += org->len; - break; - case SEC_OID_AVA_DN_QUALIFIER: - if (dq) { - break; - } - dq = CERT_DecodeAVAValue(&ava->value); - if (!dq) { - goto loser; - } - len += dq->len; - break; - case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME: - if (ou_count < MAX_OUS) { - orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value); - if (!orgunit[ou_count]) { - goto loser; + avas = rdn->avas; + while ((ava = *avas++) != 0) { + tag = CERT_GetAVATag(ava); + switch (tag) { + case SEC_OID_AVA_COMMON_NAME: + if (cn) { + break; + } + cn = CERT_DecodeAVAValue(&ava->value); + if (!cn) { + goto loser; + } + len += cn->len; + break; + case SEC_OID_AVA_COUNTRY_NAME: + if (country) { + break; + } + country = CERT_DecodeAVAValue(&ava->value); + if (!country) { + goto loser; + } + len += country->len; + break; + case SEC_OID_AVA_LOCALITY: + if (loc) { + break; + } + loc = CERT_DecodeAVAValue(&ava->value); + if (!loc) { + goto loser; + } + len += loc->len; + break; + case SEC_OID_AVA_STATE_OR_PROVINCE: + if (state) { + break; + } + state = CERT_DecodeAVAValue(&ava->value); + if (!state) { + goto loser; + } + len += state->len; + break; + case SEC_OID_AVA_ORGANIZATION_NAME: + if (org) { + break; + } + org = CERT_DecodeAVAValue(&ava->value); + if (!org) { + goto loser; + } + len += org->len; + break; + case SEC_OID_AVA_DN_QUALIFIER: + if (dq) { + break; + } + dq = CERT_DecodeAVAValue(&ava->value); + if (!dq) { + goto loser; + } + len += dq->len; + break; + case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME: + if (ou_count < MAX_OUS) { + orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value); + if (!orgunit[ou_count]) { + goto loser; + } + len += orgunit[ou_count++]->len; + } + break; + case SEC_OID_AVA_DC: + if (dc_count < MAX_DC) { + dc[dc_count] = CERT_DecodeAVAValue(&ava->value); + if (!dc[dc_count]) { + goto loser; } - len += orgunit[ou_count++]->len; - } - break; - case SEC_OID_AVA_DC: - if (dc_count < MAX_DC) { - dc[dc_count] = CERT_DecodeAVAValue(&ava->value); - if (!dc[dc_count]) { - 
goto loser; - } - len += dc[dc_count++]->len; - } - break; - case SEC_OID_PKCS9_EMAIL_ADDRESS: - case SEC_OID_RFC1274_MAIL: - if (email) { - break; - } - email = CERT_DecodeAVAValue(&ava->value); - if (!email) { - goto loser; - } - len += email->len; - break; - default: - break; - } - } + len += dc[dc_count++]->len; + } + break; + case SEC_OID_PKCS9_EMAIL_ADDRESS: + case SEC_OID_RFC1274_MAIL: + if (email) { + break; + } + email = CERT_DecodeAVAValue(&ava->value); + if (!email) { + goto loser; + } + len += email->len; + break; + default: + break; + } + } } /* XXX - add some for formatting */ 
@@ -191,109 +193,108 @@ char *CERT_FormatName (CERTName *name) /* allocate buffer */ buf = (char *)PORT_Alloc(len); - if ( !buf ) { - goto loser; + if (!buf) { + goto loser; } tmpbuf = buf; - - if ( cn ) { - PORT_Memcpy(tmpbuf, cn->data, cn->len); - tmpbuf += cn->len; - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + + if (cn) { + PORT_Memcpy(tmpbuf, cn->data, cn->len); + tmpbuf += cn->len; + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } - if ( email ) { - PORT_Memcpy(tmpbuf, email->data, email->len); - tmpbuf += ( email->len ); - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + if (email) { + PORT_Memcpy(tmpbuf, email->data, email->len); + tmpbuf += (email->len); + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } - for (i=ou_count-1; i >= 0; i--) { - PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len); - tmpbuf += ( orgunit[i]->len ); - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + for (i = ou_count - 1; i >= 0; i--) { + PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len); + tmpbuf += (orgunit[i]->len); + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } - if ( dq ) { - PORT_Memcpy(tmpbuf, dq->data, dq->len); - tmpbuf += ( dq->len ); - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + if (dq) { + PORT_Memcpy(tmpbuf, dq->data, dq->len); + tmpbuf += (dq->len); + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } - if ( org ) { - PORT_Memcpy(tmpbuf, org->data, org->len); - tmpbuf += ( org->len ); - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + if (org) { + PORT_Memcpy(tmpbuf, org->data, org->len); + tmpbuf += (org->len); + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } - for (i=dc_count-1; i >= 0; i--) { - PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len); - tmpbuf += ( dc[i]->len ); - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + for (i = dc_count - 1; i >= 0; i--) { + PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len); 
+ tmpbuf += (dc[i]->len); + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } first = PR_TRUE; - if ( loc ) { - PORT_Memcpy(tmpbuf, loc->data, loc->len); - tmpbuf += ( loc->len ); - first = PR_FALSE; + if (loc) { + PORT_Memcpy(tmpbuf, loc->data, loc->len); + tmpbuf += (loc->len); + first = PR_FALSE; } - if ( state ) { - if ( !first ) { - PORT_Memcpy(tmpbuf, COMMA, COMMALEN); - tmpbuf += COMMALEN; - } - PORT_Memcpy(tmpbuf, state->data, state->len); - tmpbuf += ( state->len ); - first = PR_FALSE; + if (state) { + if (!first) { + PORT_Memcpy(tmpbuf, COMMA, COMMALEN); + tmpbuf += COMMALEN; + } + PORT_Memcpy(tmpbuf, state->data, state->len); + tmpbuf += (state->len); + first = PR_FALSE; } - if ( country ) { - if ( !first ) { - PORT_Memcpy(tmpbuf, COMMA, COMMALEN); - tmpbuf += COMMALEN; - } - PORT_Memcpy(tmpbuf, country->data, country->len); - tmpbuf += ( country->len ); - first = PR_FALSE; + if (country) { + if (!first) { + PORT_Memcpy(tmpbuf, COMMA, COMMALEN); + tmpbuf += COMMALEN; + } + PORT_Memcpy(tmpbuf, country->data, country->len); + tmpbuf += (country->len); + first = PR_FALSE; } - if ( !first ) { - PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); - tmpbuf += BREAKLEN; + if (!first) { + PORT_Memcpy(tmpbuf, BREAK, BREAKLEN); + tmpbuf += BREAKLEN; } *tmpbuf = 0; - /* fall through and clean */ +/* fall through and clean */ loser: - if ( cn ) { - SECITEM_FreeItem(cn, PR_TRUE); + if (cn) { + SECITEM_FreeItem(cn, PR_TRUE); } - if ( email ) { - SECITEM_FreeItem(email, PR_TRUE); + if (email) { + SECITEM_FreeItem(email, PR_TRUE); } - for (i=ou_count-1; i >= 0; i--) { - SECITEM_FreeItem(orgunit[i], PR_TRUE); + for (i = ou_count - 1; i >= 0; i--) { + SECITEM_FreeItem(orgunit[i], PR_TRUE); } - if ( dq ) { - SECITEM_FreeItem(dq, PR_TRUE); + if (dq) { + SECITEM_FreeItem(dq, PR_TRUE); } - if ( org ) { - SECITEM_FreeItem(org, PR_TRUE); + if (org) { + SECITEM_FreeItem(org, PR_TRUE); } - for (i=dc_count-1; i >= 0; i--) { - SECITEM_FreeItem(dc[i], PR_TRUE); + for (i = dc_count - 
1; i >= 0; i--) { + SECITEM_FreeItem(dc[i], PR_TRUE); } - if ( loc ) { - SECITEM_FreeItem(loc, PR_TRUE); + if (loc) { + SECITEM_FreeItem(loc, PR_TRUE); } - if ( state ) { - SECITEM_FreeItem(state, PR_TRUE); + if (state) { + SECITEM_FreeItem(state, PR_TRUE); } - if ( country ) { - SECITEM_FreeItem(country, PR_TRUE); + if (country) { + SECITEM_FreeItem(country, PR_TRUE); } - return(buf); + return (buf); } - diff --git a/lib/certhigh/certreq.c b/lib/certhigh/certreq.c index f5098a0dd..4087bc978 100644 --- a/lib/certhigh/certreq.c +++ b/lib/certhigh/certreq.c @@ -14,10 +14,10 @@ SEC_ASN1_MKSUB(SEC_AnyTemplate) const SEC_ASN1Template CERT_AttributeTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTAttribute) }, + 0, NULL, sizeof(CERTAttribute) }, { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) }, { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue), - SEC_ASN1_SUB(SEC_AnyTemplate) }, + SEC_ASN1_SUB(SEC_AnyTemplate) }, { 0 } }; @@ -27,18 +27,18 @@ const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = { const SEC_ASN1Template CERT_CertificateRequestTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertificateRequest) }, + 0, NULL, sizeof(CERTCertificateRequest) }, { SEC_ASN1_INTEGER, - offsetof(CERTCertificateRequest,version) }, + offsetof(CERTCertificateRequest, version) }, { SEC_ASN1_INLINE, - offsetof(CERTCertificateRequest,subject), - CERT_NameTemplate }, + offsetof(CERTCertificateRequest, subject), + CERT_NameTemplate }, { SEC_ASN1_INLINE, - offsetof(CERTCertificateRequest,subjectPublicKeyInfo), - CERT_SubjectPublicKeyInfoTemplate }, + offsetof(CERTCertificateRequest, subjectPublicKeyInfo), + CERT_SubjectPublicKeyInfoTemplate }, { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(CERTCertificateRequest,attributes), - CERT_SetOfAttributeTemplate }, + offsetof(CERTCertificateRequest, attributes), + CERT_SetOfAttributeTemplate }, { 0 } }; 
@@ -46,25 +46,25 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate) CERTCertificate * CERT_CreateCertificate(unsigned long serialNumber, - CERTName *issuer, - CERTValidity *validity, - CERTCertificateRequest *req) + CERTName *issuer, + CERTValidity *validity, + CERTCertificateRequest *req) { CERTCertificate *c; int rv; PLArenaPool *arena; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - return(0); + + if (!arena) { + return (0); } c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate)); - + if (!c) { - PORT_FreeArena(arena, PR_FALSE); - return 0; + PORT_FreeArena(arena, PR_FALSE); + return 0; } c->referenceCount = 1; 
@@ -75,44 +75,50 @@ CERT_CreateCertificate(unsigned long serialNumber, * If extensions are added, it will get changed as appropriate. */ rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1); - if (rv) goto loser; + if (rv) + goto loser; rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber); - if (rv) goto loser; + if (rv) + goto loser; rv = CERT_CopyName(arena, &c->issuer, issuer); - if (rv) goto loser; + if (rv) + goto loser; rv = CERT_CopyValidity(arena, &c->validity, validity); - if (rv) goto loser; + if (rv) + goto loser; rv = CERT_CopyName(arena, &c->subject, &req->subject); - if (rv) goto loser; + if (rv) + goto loser; rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo, - &req->subjectPublicKeyInfo); - if (rv) goto loser; + &req->subjectPublicKeyInfo); + if (rv) + goto loser; return c; - loser: +loser: CERT_DestroyCertificate(c); return 0; } /************************************************************************/ -/* It's clear from the comments that the original author of this +/* It's clear from the comments that the original author of this * function expected the template for certificate requests to treat - * the attributes as a SET OF ANY. This function expected to be + * the attributes as a SET OF ANY. This function expected to be * passed an array of SECItems each of which contained an already encoded - * Attribute. But the cert request template does not treat the + * Attribute. But the cert request template does not treat the * Attributes as a SET OF ANY, and AFAIK never has. Instead the template * encodes attributes as a SET OF xxxxxxx. That is, it expects to encode - * each of the Attributes, not have them pre-encoded. Consequently an - * array of SECItems containing encoded Attributes is of no value to this + * each of the Attributes, not have them pre-encoded. Consequently an + * array of SECItems containing encoded Attributes is of no value to this * function. 
But we cannot change the signature of this public function. * It must continue to take SECItems. * - * I have recoded this function so that each SECItem contains an + * I have recoded this function so that each SECItem contains an * encoded cert extension. The encoded cert extensions form the list for the * single attribute of the cert request. In this implementation there is at most * one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST. 
@@ -120,95 +126,95 @@ CERT_CreateCertificate(unsigned long serialNumber, CERTCertificateRequest * CERT_CreateCertificateRequest(CERTName *subject, - CERTSubjectPublicKeyInfo *spki, - SECItem **attributes) + CERTSubjectPublicKeyInfo *spki, + SECItem **attributes) { CERTCertificateRequest *certreq; PLArenaPool *arena; - CERTAttribute * attribute; - SECOidData * oidData; + CERTAttribute *attribute; + SECOidData *oidData; SECStatus rv; int i = 0; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - return NULL; + if (arena == NULL) { + return NULL; } - + certreq = PORT_ArenaZNew(arena, CERTCertificateRequest); if (!certreq) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } /* below here it is safe to goto loser */ certreq->arena = arena; - + rv = DER_SetUInteger(arena, &certreq->version, - SEC_CERTIFICATE_REQUEST_VERSION); + SEC_CERTIFICATE_REQUEST_VERSION); if (rv != SECSuccess) - goto loser; + goto loser; rv = CERT_CopyName(arena, &certreq->subject, subject); if (rv != SECSuccess) - goto loser; + goto loser; rv = SECKEY_CopySubjectPublicKeyInfo(arena, - &certreq->subjectPublicKeyInfo, - spki); + &certreq->subjectPublicKeyInfo, + spki); if (rv != SECSuccess) - goto loser; + goto loser; - certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2); - if(!certreq->attributes) - goto loser; + certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute *, 2); + if (!certreq->attributes) + goto loser; /* Copy over attribute information */ if (!attributes || !attributes[0]) { - /* + /* ** Invent empty attribute information. 
According to the ** pkcs#10 spec, attributes has this ASN.1 type: ** ** attributes [0] IMPLICIT Attributes - ** + ** ** Which means, we should create a NULL terminated list ** with the first entry being NULL; */ - certreq->attributes[0] = NULL; - return certreq; - } + certreq->attributes[0] = NULL; + return certreq; + } /* allocate space for attributes */ attribute = PORT_ArenaZNew(arena, CERTAttribute); - if (!attribute) - goto loser; + if (!attribute) + goto loser; - oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST ); + oidData = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); PORT_Assert(oidData); if (!oidData) - goto loser; + goto loser; rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid); if (rv != SECSuccess) - goto loser; + goto loser; - for (i = 0; attributes[i] != NULL ; i++) - ; - attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1); - if (!attribute->attrValue) - goto loser; + for (i = 0; attributes[i] != NULL; i++) + ; + attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i + 1); + if (!attribute->attrValue) + goto loser; /* copy attributes */ for (i = 0; attributes[i]; i++) { - /* + /* ** Attributes are a SetOf Attribute which implies ** lexigraphical ordering. It is assumes that the ** attributes are passed in sorted. If we need to ** add functionality to sort them, there is an ** example in the PKCS 7 code. */ - attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]); - if(!attribute->attrValue[i]) - goto loser; + attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]); + if (!attribute->attrValue[i]) + goto loser; } certreq->attributes[0] = attribute; @@ -224,7 +230,7 @@ void CERT_DestroyCertificateRequest(CERTCertificateRequest *req) { if (req && req->arena) { - PORT_FreeArena(req->arena, PR_FALSE); + PORT_FreeArena(req->arena, PR_FALSE); } return; } 
@@ -241,11 +247,11 @@ setCRExt(void *o, CERTCertExtension **exts) ** attribute list by CERT_FinishCRAttributes(). */ extern void *cert_StartExtensions(void *owner, PLArenaPool *ownerArena, - void (*setExts)(void *object, CERTCertExtension **exts)); + void (*setExts)(void *object, CERTCertExtension **exts)); void * CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req) { - return (cert_StartExtensions ((void *)req, req->arena, setCRExt)); + return (cert_StartExtensions((void *)req, req->arena, setCRExt)); } /* 
@@ -257,38 +263,39 @@ CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req) */ SECStatus CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req) -{ SECItem *extlist; +{ + SECItem *extlist; SECOidData *oidrec; CERTAttribute *attribute; - + if (!req || !req->arena) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (req->attributes == NULL || req->attributes[0] == NULL) return SECSuccess; extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes, - SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate)); + SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate)); if (extlist == NULL) - return(SECFailure); + return (SECFailure); oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); if (oidrec == NULL) - return SECFailure; + return SECFailure; /* now change the list of cert extensions into a list of attributes */ - req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2); + req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute *, 2); attribute = PORT_ArenaZNew(req->arena, CERTAttribute); - + if (req->attributes == NULL || attribute == NULL || SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) { PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + return SECFailure; } - attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2); + attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem *, 2); if (attribute->attrValue == NULL) return SECFailure; 
@@ -303,22 +310,22 @@ CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req) SECStatus CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, - CERTCertExtension ***exts) + CERTCertExtension ***exts) { if (req == NULL || exts == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - + if (req->attributes == NULL || *req->attributes == NULL) return SECSuccess; - + if ((*req->attributes)->attrValue == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - return(SEC_ASN1DecodeItem(req->arena, exts, - SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), - (*req->attributes)->attrValue[0])); + return (SEC_ASN1DecodeItem(req->arena, exts, + SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), + (*req->attributes)->attrValue[0])); } diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c index d5dcbe8a1..cb23ab374 100644 --- a/lib/certhigh/certvfy.c +++ b/lib/certhigh/certvfy.c @@ -16,7 +16,6 @@ /*#include "pkix_sample_modules.h" */ #include "pkix_pl_cert.h" - #include "nsspki.h" #include "pkitm.h" #include "pkim.h" @@ -34,9 +33,10 @@ CERT_CertTimesValid(CERTCertificate *c) return (valid == secCertTimeValid) ? SECSuccess : SECFailure; } -SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) +SECStatus +checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) { - SECStatus rv; + SECStatus rv; SECOidTag sigAlg; SECOidTag curve; PRUint32 policyFlags = 0; 
@@ -44,81 +44,83 @@ SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); - switch(sigAlg) { + switch (sigAlg) { case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: - if (key->keyType != ecKey) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: + if (key->keyType != ecKey) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams); - if (curve != 0) { - if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure || - !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { - PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - return SECFailure; - } else { - return SECSuccess; + if (curve != 0) { + if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure || + !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { + PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + return SECFailure; } - } else { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - return SECFailure; - } + else { + return SECSuccess; + } + } + else { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; + } return SECSuccess; - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: - case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: - if (key->keyType != rsaKey && 
key->keyType != rsaPssKey) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: + case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: + if (key->keyType != rsaKey && key->keyType != rsaPssKey) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } len = 8 * key->u.rsa.modulus.len; rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen); if (rv != SECSuccess) { return SECFailure; - } + } if (len < minLen) { return SECFailure; - } + } return SECSuccess; - case SEC_OID_ANSIX9_DSA_SIGNATURE: - case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_SDN702_DSA_SIGNATURE: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: - if (key->keyType != dsaKey) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } + case SEC_OID_ANSIX9_DSA_SIGNATURE: + case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_SDN702_DSA_SIGNATURE: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: + if (key->keyType != dsaKey) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } len = 8 * key->u.dsa.params.prime.len; rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen); if (rv != SECSuccess) { return SECFailure; - } + } if (len < minLen) { return SECFailure; - } + } return SECSuccess; - default: - return SECSuccess; + default: + return SECSuccess; } } 
@@ -128,38 +130,38 @@ SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK SECStatus CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, SECKEYPublicKey *pubKey, - void *wincx) + void *wincx) { - SECStatus rv; - SECItem sig; - SECOidTag hashAlg = SEC_OID_UNKNOWN; + SECStatus rv; + SECItem sig; + SECOidTag hashAlg = SEC_OID_UNKNOWN; - if ( !pubKey || !sd ) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); - return SECFailure; + if (!pubKey || !sd) { + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return SECFailure; } /* check the signature */ sig = sd->signature; /* convert sig->len from bit counts to byte count. */ DER_ConvertBitString(&sig); - rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, - &sig, &sd->signatureAlgorithm, &hashAlg, wincx); + rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, + &sig, &sd->signatureAlgorithm, &hashAlg, wincx); if (rv == SECSuccess) { /* Are we honoring signatures for this algorithm? */ - PRUint32 policyFlags = 0; - rv = checkKeyParams(&sd->signatureAlgorithm, pubKey); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - return SECFailure; - } - - rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); - if (rv == SECSuccess && - !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { - PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - return SECFailure; - } + PRUint32 policyFlags = 0; + rv = checkKeyParams(&sd->signatureAlgorithm, pubKey); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + return SECFailure; + } + + rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); + if (rv == SECSuccess && + !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { + PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + return SECFailure; + } } return rv; } 
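Review bot: The unconditional `PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)` after `checkKeyParams` fails in CERT_VerifySignedDataWithPublicKey discards the more specific codes checkKeyParams sets in the previous hunk (SEC_ERROR_INVALID_ALGORITHM for a key-type/algorithm mismatch, SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE), while its key-size path sets none, so the overwrite is required for one path and lossy for the others. If collapsing everything to the generic code is intended, a comment on that line would spare the next reader the trip into checkKeyParams: `/* checkKeyParams sets no error on key-size failures and its specific codes are folded into ALGORITHM_DISABLED here. */`. Separately, both policy checks run only after VFY_VerifyDataWithAlgorithmID has completed, so a disabled hash or key still costs a full verification before being rejected; the result is unaffected, and I assume the ordering is deliberate.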
@@ -168,18 +170,18 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, * verify the signature of a signed data object with the given DER publickey */ SECStatus -CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, +CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, CERTSubjectPublicKeyInfo *pubKeyInfo, - void *wincx) + void *wincx) { SECKEYPublicKey *pubKey; - SECStatus rv = SECFailure; + SECStatus rv = SECFailure; /* get cert's public key */ pubKey = SECKEY_ExtractPublicKey(pubKeyInfo); if (pubKey) { - rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx); - SECKEY_DestroyPublicKey(pubKey); + rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx); + SECKEY_DestroyPublicKey(pubKey); } return rv; } @@ -189,31 +191,30 @@ CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, */ SECStatus CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert, - PRTime t, void *wincx) + PRTime t, void *wincx) { SECKEYPublicKey *pubKey = 0; - SECStatus rv = SECFailure; + SECStatus rv = SECFailure; SECCertTimeValidity validity; /* check the certificate's validity */ validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE); - if ( validity != secCertTimeValid ) { - return rv; + if (validity != secCertTimeValid) { + return rv; } /* get cert's public key */ pubKey = CERT_ExtractPublicKey(cert); if (pubKey) { - rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx); - SECKEY_DestroyPublicKey(pubKey); + rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx); + SECKEY_DestroyPublicKey(pubKey); } return rv; } - SECStatus -SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert, - CERTCertificate *caCert, PRTime t, void * wincx) +SEC_CheckCRL(CERTCertDBHandle *handle, CERTCertificate *cert, + CERTCertificate *caCert, PRTime t, void *wincx) { return CERT_CheckCRL(cert, caCert, NULL, t, wincx); } 
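Review bot: CERT_VerifySignedData returns SECFailure from the `validity != secCertTimeValid` guard without setting an error code, and the caller in cert_VerifyCertChainOld later in this diff distinguishes the expired case via `PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE`; that only works if CERT_CheckCertValidTimes has already set it, which is not visible here. A one-line comment on the guard would make the dependency explicit: `/* relies on CERT_CheckCertValidTimes having set the error (callers test for SEC_ERROR_EXPIRED_CERTIFICATE) */`. The same anchor covers the CERT_VerifySignedDataWithPublicKeyInfo hunk, which raises nothing.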
@@ -235,33 +236,33 @@ CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage) me = STAN_GetNSSCertificate(cert); if (!me) { PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + return NULL; } nssTime = NSSTime_SetPRTime(NULL, validTime); nssUsage.anyUsage = PR_FALSE; nssUsage.nss3usage = usage; nssUsage.nss3lookingForCA = PR_TRUE; - memset(chain, 0, 3*sizeof(NSSCertificate *)); - td = STAN_GetDefaultTrustDomain(); + memset(chain, 0, 3 * sizeof(NSSCertificate *)); + td = STAN_GetDefaultTrustDomain(); cc = STAN_GetDefaultCryptoContext(); - (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL, + (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL, chain, 2, NULL, &status, td, cc); nss_ZFreeIf(nssTime); if (status == PR_SUCCESS) { - PORT_Assert(me == chain[0]); - /* if it's a root, the chain will only have one cert */ - if (!chain[1]) { - /* already has a reference from the call to BuildChain */ - return cert; - } - NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */ - return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */ - } + PORT_Assert(me == chain[0]); + /* if it's a root, the chain will only have one cert */ + if (!chain[1]) { + /* already has a reference from the call to BuildChain */ + return cert; + } + NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */ + return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */ + } if (chain[0]) { - PORT_Assert(me == chain[0]); - NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */ + PORT_Assert(me == chain[0]); + NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */ } - PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER); + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); return NULL; } 
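Review bot: `memset(chain, 0, 3 * sizeof(NSSCertificate *))` in CERT_FindCertIssuer repeats the array length as a literal that must be kept in sync with the declaration of `chain` and with the `2` passed to NSSCertificate_BuildChain; the declaration lies before this hunk, so I am inferring it is a fixed-size array. If so, `memset(chain, 0, sizeof chain);` ties the clear to the declaration and removes one of the three places the length is spelled out. CERT_FindCertIssuer starts outside the hunk.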
@@ -270,136 +271,140 @@ CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage) */ SECStatus CERT_TrustFlagsForCACertUsage(SECCertUsage usage, - unsigned int *retFlags, - SECTrustType *retTrustType) + unsigned int *retFlags, + SECTrustType *retTrustType) { unsigned int requiredFlags; SECTrustType trustType; - switch ( usage ) { - case certUsageSSLClient: - requiredFlags = CERTDB_TRUSTED_CLIENT_CA; - trustType = trustSSL; - break; - case certUsageSSLServer: - case certUsageSSLCA: - requiredFlags = CERTDB_TRUSTED_CA; - trustType = trustSSL; - break; - case certUsageSSLServerWithStepUp: - requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA; - trustType = trustSSL; - break; - case certUsageEmailSigner: - case certUsageEmailRecipient: - requiredFlags = CERTDB_TRUSTED_CA; - trustType = trustEmail; - break; - case certUsageObjectSigner: - requiredFlags = CERTDB_TRUSTED_CA; - trustType = trustObjectSigning; - break; - case certUsageVerifyCA: - case certUsageAnyCA: - case certUsageStatusResponder: - requiredFlags = CERTDB_TRUSTED_CA; - trustType = trustTypeNone; - break; - default: - PORT_Assert(0); - goto loser; - } - if ( retFlags != NULL ) { - *retFlags = requiredFlags; - } - if ( retTrustType != NULL ) { - *retTrustType = trustType; - } - - return(SECSuccess); + switch (usage) { + case certUsageSSLClient: + requiredFlags = CERTDB_TRUSTED_CLIENT_CA; + trustType = trustSSL; + break; + case certUsageSSLServer: + case certUsageSSLCA: + requiredFlags = CERTDB_TRUSTED_CA; + trustType = trustSSL; + break; + case certUsageSSLServerWithStepUp: + requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA; + trustType = trustSSL; + break; + case certUsageEmailSigner: + case certUsageEmailRecipient: + requiredFlags = CERTDB_TRUSTED_CA; + trustType = trustEmail; + break; + case certUsageObjectSigner: + requiredFlags = CERTDB_TRUSTED_CA; + trustType = trustObjectSigning; + break; + case certUsageVerifyCA: + case certUsageAnyCA: + case 
certUsageStatusResponder: + requiredFlags = CERTDB_TRUSTED_CA; + trustType = trustTypeNone; + break; + default: + PORT_Assert(0); + goto loser; + } + if (retFlags != NULL) { + *retFlags = requiredFlags; + } + if (retTrustType != NULL) { + *retTrustType = trustType; + } + + return (SECSuccess); loser: - return(SECFailure); + return (SECFailure); } void cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, long error, - unsigned int depth, void *arg) + unsigned int depth, void *arg) { CERTVerifyLogNode *node, *tnode; PORT_Assert(log != NULL); - + node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena, - sizeof(CERTVerifyLogNode)); - if ( node != NULL ) { - node->cert = CERT_DupCertificate(cert); - node->error = error; - node->depth = depth; - node->arg = arg; - - if ( log->tail == NULL ) { - /* empty list */ - log->head = log->tail = node; - node->prev = NULL; - node->next = NULL; - } else if ( depth >= log->tail->depth ) { - /* add to tail */ - node->prev = log->tail; - log->tail->next = node; - log->tail = node; - node->next = NULL; - } else if ( depth < log->head->depth ) { - /* add at head */ - node->prev = NULL; - node->next = log->head; - log->head->prev = node; - log->head = node; - } else { - /* add in middle */ - tnode = log->tail; - while ( tnode != NULL ) { - if ( depth >= tnode->depth ) { - /* insert after tnode */ - node->prev = tnode; - node->next = tnode->next; - tnode->next->prev = node; - tnode->next = node; - break; - } - - tnode = tnode->prev; - } - } - - log->count++; + sizeof(CERTVerifyLogNode)); + if (node != NULL) { + node->cert = CERT_DupCertificate(cert); + node->error = error; + node->depth = depth; + node->arg = arg; + + if (log->tail == NULL) { + /* empty list */ + log->head = log->tail = node; + node->prev = NULL; + node->next = NULL; + } + else if (depth >= log->tail->depth) { + /* add to tail */ + node->prev = log->tail; + log->tail->next = node; + log->tail = node; + node->next = NULL; + } + else if (depth < log->head->depth) 
{ + /* add at head */ + node->prev = NULL; + node->next = log->head; + log->head->prev = node; + log->head = node; + } + else { + /* add in middle */ + tnode = log->tail; + while (tnode != NULL) { + if (depth >= tnode->depth) { + /* insert after tnode */ + node->prev = tnode; + node->next = tnode->next; + tnode->next->prev = node; + tnode->next = node; + break; + } + + tnode = tnode->prev; + } + } + + log->count++; } return; } #define EXIT_IF_NOT_LOGGING(log) \ - if ( log == NULL ) { \ - goto loser; \ + if (log == NULL) { \ + goto loser; \ } -#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \ - if ( log != NULL ) { \ - cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \ - (void *)(PRWord)arg); \ - } else { \ - goto loser; \ +#define LOG_ERROR_OR_EXIT(log, cert, depth, arg) \ + if (log != NULL) { \ + cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \ + (void *)(PRWord)arg); \ + } \ + else { \ + goto loser; \ } -#define LOG_ERROR(log,cert,depth,arg) \ - if ( log != NULL ) { \ - cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \ - (void *)(PRWord)arg); \ +#define LOG_ERROR(log, cert, depth, arg) \ + if (log != NULL) { \ + cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \ + (void *)(PRWord)arg); \ } static SECStatus cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, PRBool* sigerror, - SECCertUsage certUsage, PRTime t, void *wincx, - CERTVerifyLog *log, PRBool* revoked) + PRBool checkSig, PRBool *sigerror, + SECCertUsage certUsage, PRTime t, void *wincx, + CERTVerifyLog *log, PRBool *revoked) { SECTrustType trustType; CERTBasicConstraints basicConstraint; @@ -417,7 +422,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, unsigned int requiredFlags; PLArenaPool *arena = NULL; CERTGeneralName *namesList = NULL; - CERTCertificate **certsList = NULL; + CERTCertificate **certsList = NULL; int certsListLen = 16; int namesCount = 0; PRBool subjectCertIsSelfIssued; 
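Review bot: EXIT_IF_NOT_LOGGING, LOG_ERROR_OR_EXIT and LOG_ERROR expand to bare `if` statements, and the reformatting now puts LOG_ERROR_OR_EXIT's `else` on its own continuation line, which makes the dangling-else hazard of using such a macro as the body of an `if` without braces more visible; wrapping each expansion in `do { ... } while (0)` and parenthesising the arguments removes the hazard at no behavioural cost, provided every use site ends with a semicolon as all the visible ones do. In cert_AddToVerifyLog, an arena allocation failure silently drops the log entry without incrementing `log->count`, which the void return cannot report; a short comment on the `node != NULL` test stating that logging is best-effort would document that. cert_VerifyCertChainOld's body continues past this hunk.
```c
#define EXIT_IF_NOT_LOGGING(log) \
    do {                         \
        if ((log) == NULL) {     \
            goto loser;          \
        }                        \
    } while (0)

#define LOG_ERROR_OR_EXIT(log, cert, depth, arg)                \
    do {                                                        \
        if ((log) != NULL) {                                    \
            cert_AddToVerifyLog((log), (cert), PORT_GetError(), \
                                (depth), (void *)(PRWord)(arg)); \
        } else {                                                \
            goto loser;                                         \
        }                                                       \
    } while (0)

#define LOG_ERROR(log, cert, depth, arg)                        \
    do {                                                        \
        if ((log) != NULL) {                                    \
            cert_AddToVerifyLog((log), (cert), PORT_GetError(), \
                                (depth), (void *)(PRWord)(arg)); \
        }                                                       \
    } while (0)
```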
@@ -428,177 +433,180 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, } if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE, - &requiredCAKeyUsage, - &caCertType) - != SECSuccess ) { - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredCAKeyUsage = 0; - caCertType = 0; - } - - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - case certUsageSSLCA: - case certUsageSSLServerWithStepUp: - case certUsageEmailSigner: - case certUsageEmailRecipient: - case certUsageObjectSigner: - case certUsageVerifyCA: - case certUsageAnyCA: - case certUsageStatusResponder: - if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, - &trustType) != SECSuccess ) { - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - /* XXX continuing with requiredFlags = 0 seems wrong. It'll - * cause the following test to be true incorrectly: - * flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType); - * if (( flags & requiredFlags ) == requiredFlags) { - * rv = rvFinal; - * goto done; - * } - * There are three other instances of this problem. - */ - requiredFlags = 0; - trustType = trustSSL; - } - break; - default: - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredFlags = 0; - trustType = trustSSL;/* This used to be 0, but we need something + &requiredCAKeyUsage, + &caCertType) != + SECSuccess) { + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredCAKeyUsage = 0; + caCertType = 0; + } + + switch (certUsage) { + case certUsageSSLClient: + case certUsageSSLServer: + case certUsageSSLCA: + case certUsageSSLServerWithStepUp: + case certUsageEmailSigner: + case certUsageEmailRecipient: + case certUsageObjectSigner: + case certUsageVerifyCA: + case certUsageAnyCA: + case certUsageStatusResponder: + if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, + &trustType) != SECSuccess) { + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + /* XXX continuing with requiredFlags = 0 seems wrong. 
It'll + * cause the following test to be true incorrectly: + * flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType); + * if (( flags & requiredFlags ) == requiredFlags) { + * rv = rvFinal; + * goto done; + * } + * There are three other instances of this problem. + */ + requiredFlags = 0; + trustType = trustSSL; + } + break; + default: + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredFlags = 0; + trustType = trustSSL; /* This used to be 0, but we need something * that matches the enumeration type. */ - caCertType = 0; + caCertType = 0; } - + subjectCert = CERT_DupCertificate(cert); - if ( subjectCert == NULL ) { - goto loser; + if (subjectCert == NULL) { + goto loser; } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - goto loser; + goto loser; } certsList = PORT_ZNewArray(CERTCertificate *, certsListLen); if (certsList == NULL) - goto loser; + goto loser; /* RFC 3280 says that the name constraints will apply to the names ** in the leaf (EE) cert, whether it is self issued or not, so ** we pretend that it is not. */ subjectCertIsSelfIssued = PR_FALSE; - for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) { - PRBool validCAOverride = PR_FALSE; - - /* Construct a list of names for the current and all previous - * certifcates (except leaf (EE) certs, root CAs, and self-issued - * intermediate CAs) to be verified against the name constraints - * extension of the issuer certificate. 
- */ - if (subjectCertIsSelfIssued == PR_FALSE) { - CERTGeneralName *subjectNameList; - int subjectNameListLen; - int i; - PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer); - subjectNameList = - CERT_GetConstrainedCertificateNames(subjectCert, arena, - getSubjectCN); - if (!subjectNameList) - goto loser; - subjectNameListLen = CERT_GetNamesLength(subjectNameList); - if (!subjectNameListLen) - goto loser; - if (certsListLen <= namesCount + subjectNameListLen) { - CERTCertificate **tmpCertsList; - certsListLen = (namesCount + subjectNameListLen) * 2; - tmpCertsList = - (CERTCertificate **)PORT_Realloc(certsList, - certsListLen * sizeof(CERTCertificate *)); - if (tmpCertsList == NULL) { - goto loser; - } - certsList = tmpCertsList; - } - for (i = 0; i < subjectNameListLen; i++) { - certsList[namesCount + i] = subjectCert; - } - namesCount += subjectNameListLen; - namesList = cert_CombineNamesLists(namesList, subjectNameList); - } + for (count = 0; count < CERT_MAX_CERT_CHAIN; count++) { + PRBool validCAOverride = PR_FALSE; + + /* Construct a list of names for the current and all previous + * certifcates (except leaf (EE) certs, root CAs, and self-issued + * intermediate CAs) to be verified against the name constraints + * extension of the issuer certificate. 
+ */ + if (subjectCertIsSelfIssued == PR_FALSE) { + CERTGeneralName *subjectNameList; + int subjectNameListLen; + int i; + PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer); + subjectNameList = + CERT_GetConstrainedCertificateNames(subjectCert, arena, + getSubjectCN); + if (!subjectNameList) + goto loser; + subjectNameListLen = CERT_GetNamesLength(subjectNameList); + if (!subjectNameListLen) + goto loser; + if (certsListLen <= namesCount + subjectNameListLen) { + CERTCertificate **tmpCertsList; + certsListLen = (namesCount + subjectNameListLen) * 2; + tmpCertsList = + (CERTCertificate **)PORT_Realloc(certsList, + certsListLen * + sizeof(CERTCertificate *)); + if (tmpCertsList == NULL) { + goto loser; + } + certsList = tmpCertsList; + } + for (i = 0; i < subjectNameListLen; i++) { + certsList[namesCount + i] = subjectCert; + } + namesCount += subjectNameListLen; + namesList = cert_CombineNamesLists(namesList, subjectNameList); + } /* check if the cert has an unsupported critical extension */ - if ( subjectCert->options.bits.hasUnsupportedCriticalExt ) { - PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION); - LOG_ERROR_OR_EXIT(log,subjectCert,count,0); - } - - /* find the certificate of the issuer */ - issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage); - if ( ! 
issuerCert ) { - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); - LOG_ERROR(log,subjectCert,count,0); - goto loser; - } - - /* verify the signature on the cert */ - if ( checkSig ) { - rv = CERT_VerifySignedData(&subjectCert->signatureWrap, - issuerCert, t, wincx); - - if ( rv != SECSuccess ) { + if (subjectCert->options.bits.hasUnsupportedCriticalExt) { + PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION); + LOG_ERROR_OR_EXIT(log, subjectCert, count, 0); + } + + /* find the certificate of the issuer */ + issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage); + if (!issuerCert) { + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + LOG_ERROR(log, subjectCert, count, 0); + goto loser; + } + + /* verify the signature on the cert */ + if (checkSig) { + rv = CERT_VerifySignedData(&subjectCert->signatureWrap, + issuerCert, t, wincx); + + if (rv != SECSuccess) { if (sigerror) { *sigerror = PR_TRUE; } - if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) { - PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); - } else { - if (PORT_GetError() != - SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - } - LOG_ERROR_OR_EXIT(log,subjectCert,count,0); - } - } - } - - /* If the basicConstraint extension is included in an immediate CA - * certificate, make sure that the isCA flag is on. If the - * pathLenConstraint component exists, it must be greater than the - * number of CA certificates we have seen so far. If the extension - * is omitted, we will assume that this is a CA certificate with - * an unlimited pathLenConstraint (since it already passes the - * netscape-cert-type extension checking). 
- */ - - rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint); - if ( rv != SECSuccess ) { - if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); - } - pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT; - /* no basic constraints found, we aren't (yet) a CA. */ - isca = PR_FALSE; - } else { - if ( basicConstraint.isCA == PR_FALSE ) { - PORT_SetError (SEC_ERROR_CA_CERT_INVALID); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); - } - pathLengthLimit = basicConstraint.pathLenConstraint; - isca = PR_TRUE; - } - /* make sure that the path len constraint is properly set.*/ - if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) { - PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID); - LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit); - } + if (PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE) { + PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0); + } + else { + if (PORT_GetError() != + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + } + LOG_ERROR_OR_EXIT(log, subjectCert, count, 0); + } + } + } + + /* If the basicConstraint extension is included in an immediate CA + * certificate, make sure that the isCA flag is on. If the + * pathLenConstraint component exists, it must be greater than the + * number of CA certificates we have seen so far. If the extension + * is omitted, we will assume that this is a CA certificate with + * an unlimited pathLenConstraint (since it already passes the + * netscape-cert-type extension checking). + */ + + rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint); + if (rv != SECSuccess) { + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0); + } + pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT; + /* no basic constraints found, we aren't (yet) a CA. 
*/ + isca = PR_FALSE; + } + else { + if (basicConstraint.isCA == PR_FALSE) { + PORT_SetError(SEC_ERROR_CA_CERT_INVALID); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0); + } + pathLengthLimit = basicConstraint.pathLenConstraint; + isca = PR_TRUE; + } + /* make sure that the path len constraint is properly set.*/ + if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) { + PORT_SetError(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, pathLengthLimit); + } /* make sure that the entire chain is within the name space of the * current issuer certificate. @@ -611,17 +619,18 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, goto loser; } - /* XXX - the error logging may need to go down into CRL stuff at some - * point - */ - /* check revoked list (issuer) */ + /* XXX - the error logging may need to go down into CRL stuff at some + * point + */ + /* check revoked list (issuer) */ rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx); if (rv == SECFailure) { if (revoked) { *revoked = PR_TRUE; } - LOG_ERROR_OR_EXIT(log,subjectCert,count,0); - } else if (rv == SECWouldBlock) { + LOG_ERROR_OR_EXIT(log, subjectCert, count, 0); + } + else if (rv == SECWouldBlock) { /* We found something fishy, so we intend to issue an * error to the user, but the user may wish to continue * processing, in which case we better make sure nothing 
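Review bot: The name-constraints block in cert_VerifyCertChainOld jumps to `loser` on `!subjectNameList` and on `!subjectNameListLen` without calling PORT_SetError, and `loser:` only sets `rv = SECFailure`, so the error code a caller sees on those paths is whatever CERT_GetConstrainedCertificateNames or CERT_GetNamesLength last left behind (not visible here). Setting an explicit error before each `goto loser`, or a comment stating which callee is relied on to set it, would make the failure diagnosable. It is also worth a one-line comment at the top of the loop that when `log` is non-NULL the LOG_ERROR_OR_EXIT sites (unsupported critical extension, bad signature, basic constraints, path length) record the error and keep walking rather than stopping, since that is what the macro does and it is easy to misread the loop as fail-fast. This function starts in the previous hunk and ends in the next one.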
@@ -630,163 +639,167 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, if (revoked) { *revoked = PR_TRUE; } - LOG_ERROR(log,subjectCert,count,0); - } - - if ( CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) { - /* we have some trust info, but this does NOT imply that this - * cert is actually trusted for any purpose. The cert may be - * explicitly UNtrusted. We won't know until we examine the - * trust bits. - */ - unsigned int flags; - - if (certUsage != certUsageAnyCA && - certUsage != certUsageStatusResponder) { - - /* - * XXX This choice of trustType seems arbitrary. - */ - if ( certUsage == certUsageVerifyCA ) { - if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) { - trustType = trustEmail; - } else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) { - trustType = trustSSL; - } else { - trustType = trustObjectSigning; - } - } - - flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType); - if (( flags & requiredFlags ) == requiredFlags) { - /* we found a trusted one, so return */ - rv = rvFinal; - goto done; - } - if (flags & CERTDB_VALID_CA) { - validCAOverride = PR_TRUE; - } - /* is it explicitly distrusted? */ - if ((flags & CERTDB_TERMINAL_RECORD) && - ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) { - /* untrusted -- the cert is explicitly untrusted, not - * just that it doesn't chain to a trusted cert */ - PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags); - } - } else { + LOG_ERROR(log, subjectCert, count, 0); + } + + if (CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) { + /* we have some trust info, but this does NOT imply that this + * cert is actually trusted for any purpose. The cert may be + * explicitly UNtrusted. We won't know until we examine the + * trust bits. + */ + unsigned int flags; + + if (certUsage != certUsageAnyCA && + certUsage != certUsageStatusResponder) { + + /* + * XXX This choice of trustType seems arbitrary. 
+ */ + if (certUsage == certUsageVerifyCA) { + if (subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) { + trustType = trustEmail; + } + else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) { + trustType = trustSSL; + } + else { + trustType = trustObjectSigning; + } + } + + flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType); + if ((flags & requiredFlags) == requiredFlags) { + /* we found a trusted one, so return */ + rv = rvFinal; + goto done; + } + if (flags & CERTDB_VALID_CA) { + validCAOverride = PR_TRUE; + } + /* is it explicitly distrusted? */ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags); + } + } + else { /* Check if we have any valid trust when cheching for * certUsageAnyCA or certUsageStatusResponder. */ for (trustType = trustSSL; trustType < trustTypeNone; trustType++) { flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType); if ((flags & requiredFlags) == requiredFlags) { - rv = rvFinal; - goto done; + rv = rvFinal; + goto done; } if (flags & CERTDB_VALID_CA) validCAOverride = PR_TRUE; } - /* We have 2 separate loops because we want any single trust - * bit to allow this usage to return trusted. Only if none of - * the trust bits are on do we check to see if the cert is - * untrusted */ + /* We have 2 separate loops because we want any single trust + * bit to allow this usage to return trusted. Only if none of + * the trust bits are on do we check to see if the cert is + * untrusted */ for (trustType = trustSSL; trustType < trustTypeNone; trustType++) { flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType); - /* is it explicitly distrusted? 
*/ - if ((flags & CERTDB_TERMINAL_RECORD) && - ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) { - /* untrusted -- the cert is explicitly untrusted, not - * just that it doesn't chain to a trusted cert */ - PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags); - } + /* is it explicitly distrusted? */ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags); + } } } } - if (!validCAOverride) { - /* - * Make sure that if this is an intermediate CA in the chain that - * it was given permission by its signer to be a CA. - */ - /* - * if basicConstraints says it is a ca, then we check the - * nsCertType. If the nsCertType has any CA bits set, then - * it must have the right one. - */ - if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) { - isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE; - } - - if ( !isca ) { - PORT_SetError(SEC_ERROR_CA_CERT_INVALID); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); - } - - /* make sure key usage allows cert signing */ - if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) { - PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); - LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage); - } - } - - /* make sure that the issuer is not self signed. If it is, then - * stop here to prevent looping. - */ - if (issuerCert->isRoot) { - PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); - LOG_ERROR(log, issuerCert, count+1, 0); - goto loser; - } - /* The issuer cert will be the subject cert in the next loop. - * A cert is self-issued if its subject and issuer are equal and - * both are of non-zero length. 
- */ - subjectCertIsSelfIssued = (PRBool) - SECITEM_ItemsAreEqual(&issuerCert->derIssuer, - &issuerCert->derSubject) && - issuerCert->derSubject.len > 0; - if (subjectCertIsSelfIssued == PR_FALSE) { - /* RFC 3280 says only non-self-issued intermediate CA certs - * count in path length. - */ - ++currentPathLen; - } - - CERT_DestroyCertificate(subjectCert); - subjectCert = issuerCert; - issuerCert = NULL; + if (!validCAOverride) { + /* + * Make sure that if this is an intermediate CA in the chain that + * it was given permission by its signer to be a CA. + */ + /* + * if basicConstraints says it is a ca, then we check the + * nsCertType. If the nsCertType has any CA bits set, then + * it must have the right one. + */ + if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) { + isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE; + } + + if (!isca) { + PORT_SetError(SEC_ERROR_CA_CERT_INVALID); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0); + } + + /* make sure key usage allows cert signing */ + if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) { + PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); + LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, requiredCAKeyUsage); + } + } + + /* make sure that the issuer is not self signed. If it is, then + * stop here to prevent looping. + */ + if (issuerCert->isRoot) { + PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); + LOG_ERROR(log, issuerCert, count + 1, 0); + goto loser; + } + /* The issuer cert will be the subject cert in the next loop. + * A cert is self-issued if its subject and issuer are equal and + * both are of non-zero length. + */ + subjectCertIsSelfIssued = (PRBool) + SECITEM_ItemsAreEqual(&issuerCert->derIssuer, + &issuerCert->derSubject) && + issuerCert->derSubject.len > + 0; + if (subjectCertIsSelfIssued == PR_FALSE) { + /* RFC 3280 says only non-self-issued intermediate CA certs + * count in path length. 
+ */ + ++currentPathLen; + } + + CERT_DestroyCertificate(subjectCert); + subjectCert = issuerCert; + issuerCert = NULL; } PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); - LOG_ERROR(log,subjectCert,count,0); + LOG_ERROR(log, subjectCert, count, 0); loser: rv = SECFailure; done: if (certsList != NULL) { - PORT_Free(certsList); + PORT_Free(certsList); } - if ( issuerCert ) { - CERT_DestroyCertificate(issuerCert); + if (issuerCert) { + CERT_DestroyCertificate(issuerCert); } - - if ( subjectCert ) { - CERT_DestroyCertificate(subjectCert); + + if (subjectCert) { + CERT_DestroyCertificate(subjectCert); } - if ( arena != NULL ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); } return rv; } SECStatus cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, PRBool* sigerror, + PRBool checkSig, PRBool *sigerror, SECCertUsage certUsage, PRTime t, void *wincx, - CERTVerifyLog *log, PRBool* revoked) + CERTVerifyLog *log, PRBool *revoked) { if (CERT_GetUsePKIXForValidation()) { return cert_VerifyCertChainPkix(cert, checkSig, certUsage, t, @@ -798,11 +811,11 @@ cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, SECStatus CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertUsage certUsage, PRTime t, - void *wincx, CERTVerifyLog *log) + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log) { return cert_VerifyCertChain(handle, cert, checkSig, NULL, certUsage, t, - wincx, log, NULL); + wincx, log, NULL); } /* @@ -810,8 +823,8 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, */ SECStatus CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertUsage certUsage, PRTime t, - void *wincx, CERTVerifyLog *log) + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log) { SECTrustType trustType; CERTBasicConstraints basicConstraint; 
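Review bot: The reformatted self-issued test in cert_VerifyCertChainOld now breaks as `issuerCert->derSubject.len >` / `0;`, and the `(PRBool)` cast still binds only to the SECITEM_ItemsAreEqual call, so the statement reads as if the cast covered the whole conjunction when it does not; the value is the same either way, but parenthesising the whole expression under the cast gives clang-format a sensible break and says what is meant. The `done:` cleanup of `certsList`, `issuerCert`, `subjectCert` and `arena` is reached from both `goto done` and `loser`, which looks correct. The same anchor covers the cert_VerifyCertChain, CERT_VerifyCertChain and CERT_VerifyCACertForUsage hunks, which raise nothing beyond whitespace; CERT_VerifyCACertForUsage continues past this hunk.
```c
        subjectCertIsSelfIssued =
            (PRBool)(SECITEM_ItemsAreEqual(&issuerCert->derIssuer,
                                           &issuerCert->derSubject) &&
                     issuerCert->derSubject.len > 0);
```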
@@ -826,44 +839,43 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, CERTCertificate *issuerCert; CERTCertTrust certTrust; - if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE, - &requiredCAKeyUsage, - &caCertType) != SECSuccess ) { - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredCAKeyUsage = 0; - caCertType = 0; - } - - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - case certUsageSSLCA: - case certUsageSSLServerWithStepUp: - case certUsageEmailSigner: - case certUsageEmailRecipient: - case certUsageObjectSigner: - case certUsageVerifyCA: - case certUsageStatusResponder: - if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, - &trustType) != SECSuccess ) { - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredFlags = 0; - trustType = trustSSL; - } - break; - default: - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredFlags = 0; - trustType = trustSSL;/* This used to be 0, but we need something - * that matches the enumeration type. - */ - caCertType = 0; + &requiredCAKeyUsage, + &caCertType) != SECSuccess) { + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredCAKeyUsage = 0; + caCertType = 0; + } + + switch (certUsage) { + case certUsageSSLClient: + case certUsageSSLServer: + case certUsageSSLCA: + case certUsageSSLServerWithStepUp: + case certUsageEmailSigner: + case certUsageEmailRecipient: + case certUsageObjectSigner: + case certUsageVerifyCA: + case certUsageStatusResponder: + if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, + &trustType) != SECSuccess) { + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredFlags = 0; + trustType = trustSSL; + } + break; + default: + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredFlags = 0; + trustType = trustSSL; /* This used to be 0, but we need something + * that matches the enumeration type. 
+ */ + caCertType = 0; } - + /* If the basicConstraint extension is included in an intermmediate CA * certificate, make sure that the isCA flag is on. If the * pathLenConstraint component exists, it must be greater than the 
@@ -874,133 +886,137 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, */ rv = CERT_FindBasicConstraintExten(cert, &basicConstraint); - if ( rv != SECSuccess ) { - if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { - LOG_ERROR_OR_EXIT(log,cert,0,0); - } - /* no basic constraints found, we aren't (yet) a CA. */ - isca = PR_FALSE; - } else { - if ( basicConstraint.isCA == PR_FALSE ) { - PORT_SetError (SEC_ERROR_CA_CERT_INVALID); - LOG_ERROR_OR_EXIT(log,cert,0,0); - } - - /* can't check path length if we don't know the previous path */ - isca = PR_TRUE; - } - - if ( CERT_GetCertTrust(cert, &certTrust) == SECSuccess ) { - /* we have some trust info, but this does NOT imply that this - * cert is actually trusted for any purpose. The cert may be - * explicitly UNtrusted. We won't know until we examine the - * trust bits. - */ + if (rv != SECSuccess) { + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { + LOG_ERROR_OR_EXIT(log, cert, 0, 0); + } + /* no basic constraints found, we aren't (yet) a CA. */ + isca = PR_FALSE; + } + else { + if (basicConstraint.isCA == PR_FALSE) { + PORT_SetError(SEC_ERROR_CA_CERT_INVALID); + LOG_ERROR_OR_EXIT(log, cert, 0, 0); + } + + /* can't check path length if we don't know the previous path */ + isca = PR_TRUE; + } + + if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) { + /* we have some trust info, but this does NOT imply that this + * cert is actually trusted for any purpose. The cert may be + * explicitly UNtrusted. We won't know until we examine the + * trust bits. 
+ */ if (certUsage == certUsageStatusResponder) { - /* Check the special case of certUsageStatusResponder */ + /* Check the special case of certUsageStatusResponder */ issuerCert = CERT_FindCertIssuer(cert, t, certUsage); if (issuerCert) { - if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) - != SECSuccess) { + if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) != + SECSuccess) { PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); CERT_DestroyCertificate(issuerCert); goto loser; } CERT_DestroyCertificate(issuerCert); } - /* XXX We have NOT determined that this cert is trusted. - * For years, NSS has treated this as trusted, - * but it seems incorrect. - */ - rv = rvFinal; - goto done; - } - - /* - * check the trust params of the issuer - */ - flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType); - if ( ( flags & requiredFlags ) == requiredFlags) { - /* we found a trusted one, so return */ - rv = rvFinal; - goto done; - } - if (flags & CERTDB_VALID_CA) { - validCAOverride = PR_TRUE; - } - /* is it explicitly distrusted? */ - if ((flags & CERTDB_TERMINAL_RECORD) && - ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) { - /* untrusted -- the cert is explicitly untrusted, not - * just that it doesn't chain to a trusted cert */ - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - LOG_ERROR_OR_EXIT(log,cert,0,flags); - } + /* XXX We have NOT determined that this cert is trusted. + * For years, NSS has treated this as trusted, + * but it seems incorrect. + */ + rv = rvFinal; + goto done; + } + + /* + * check the trust params of the issuer + */ + flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType); + if ((flags & requiredFlags) == requiredFlags) { + /* we found a trusted one, so return */ + rv = rvFinal; + goto done; + } + if (flags & CERTDB_VALID_CA) { + validCAOverride = PR_TRUE; + } + /* is it explicitly distrusted? 
*/ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log, cert, 0, flags); + } } if (!validCAOverride) { - /* - * Make sure that if this is an intermediate CA in the chain that - * it was given permission by its signer to be a CA. - */ - /* - * if basicConstraints says it is a ca, then we check the - * nsCertType. If the nsCertType has any CA bits set, then - * it must have the right one. - */ - if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) { - isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE; - } - - if (!isca) { - PORT_SetError(SEC_ERROR_CA_CERT_INVALID); - LOG_ERROR_OR_EXIT(log,cert,0,0); - } - - /* make sure key usage allows cert signing */ - if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) { - PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); - LOG_ERROR_OR_EXIT(log,cert,0,requiredCAKeyUsage); - } + /* + * Make sure that if this is an intermediate CA in the chain that + * it was given permission by its signer to be a CA. + */ + /* + * if basicConstraints says it is a ca, then we check the + * nsCertType. If the nsCertType has any CA bits set, then + * it must have the right one. + */ + if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) { + isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE; + } + + if (!isca) { + PORT_SetError(SEC_ERROR_CA_CERT_INVALID); + LOG_ERROR_OR_EXIT(log, cert, 0, 0); + } + + /* make sure key usage allows cert signing */ + if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) { + PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); + LOG_ERROR_OR_EXIT(log, cert, 0, requiredCAKeyUsage); + } } /* make sure that the issuer is not self signed. If it is, then * stop here to prevent looping. 
*/ if (cert->isRoot) { - PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); - LOG_ERROR(log, cert, 0, 0); - goto loser; + PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); + LOG_ERROR(log, cert, 0, 0); + goto loser; } - return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t, - wincx, log); + return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t, + wincx, log); loser: rv = SECFailure; done: return rv; } -#define NEXT_USAGE() { \ - i*=2; \ - certUsage++; \ - continue; \ -} +#define NEXT_USAGE() \ + { \ + i *= 2; \ + certUsage++; \ + continue; \ + } -#define VALID_USAGE() { \ - NEXT_USAGE(); \ -} +#define VALID_USAGE() \ + { \ + NEXT_USAGE(); \ + } -#define INVALID_USAGE() { \ - if (returnedUsages) { \ - *returnedUsages &= (~i); \ - } \ - if (PR_TRUE == requiredUsage) { \ - valid = SECFailure; \ - } \ - NEXT_USAGE(); \ -} +#define INVALID_USAGE() \ + { \ + if (returnedUsages) { \ + *returnedUsages &= (~i); \ + } \ + if (PR_TRUE == requiredUsage) { \ + valid = SECFailure; \ + } \ + NEXT_USAGE(); \ + } /* - * check the leaf cert against trust and usage. + * check the leaf cert against trust and usage. * returns success if the cert is not distrusted. If the cert is * trusted, then the trusted bool will be true. * returns failure if the cert is distrusted. If failure, flags 
@@ -1008,141 +1024,143 @@ done: */ SECStatus cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage, - unsigned int *failedFlags, PRBool *trusted) + unsigned int *failedFlags, PRBool *trusted) { unsigned int flags; CERTCertTrust trust; *failedFlags = 0; *trusted = PR_FALSE; - + /* check trust flags to see if this cert is directly trusted */ - if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) { - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - flags = trust.sslFlags; - - /* is the cert directly trusted or not trusted ? */ - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is - * authoritative */ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - *trusted = PR_TRUE; - return SECSuccess; - } else { /* don't trust this cert */ - *failedFlags = flags; - return SECFailure; - } - } - break; - case certUsageSSLServerWithStepUp: - /* XXX - step up certs can't be directly trusted, only distrust */ - flags = trust.sslFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is - * authoritative */ - if (( flags & CERTDB_TRUSTED ) == 0) { - /* don't trust this cert */ - *failedFlags = flags; - return SECFailure; - } - } - break; - case certUsageSSLCA: - flags = trust.sslFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + if (CERT_GetCertTrust(cert, &trust) == SECSuccess) { + switch (certUsage) { + case certUsageSSLClient: + case certUsageSSLServer: + flags = trust.sslFlags; + + /* is the cert directly trusted or not trusted ? 
*/ + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is * authoritative */ - if (( flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA) ) == 0) { - /* don't trust this cert */ - *failedFlags = flags; - return SECFailure; - } - } - break; - case certUsageEmailSigner: - case certUsageEmailRecipient: - flags = trust.emailFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is - * authoritative */ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - *trusted = PR_TRUE; - return SECSuccess; - } - else { /* don't trust this cert */ - *failedFlags = flags; - return SECFailure; - } - } - - break; - case certUsageObjectSigner: - flags = trust.objectSigningFlags; - - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is - * authoritative */ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - *trusted = PR_TRUE; - return SECSuccess; - } else { /* don't trust this cert */ - *failedFlags = flags; - return SECFailure; - } - } - break; - case certUsageVerifyCA: - case certUsageStatusResponder: - flags = trust.sslFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - *trusted = PR_TRUE; - return SECSuccess; - } - flags = trust.emailFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - *trusted = PR_TRUE; - return SECSuccess; - } - flags = trust.objectSigningFlags; - /* is the cert directly trusted or not trusted ? 
*/ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - *trusted = PR_TRUE; - return SECSuccess; - } - /* fall through to test distrust */ - case certUsageAnyCA: - case certUsageUserCertImport: - /* do we distrust these certs explicitly */ - flags = trust.sslFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is - * authoritative */ - if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) { - *failedFlags = flags; - return SECFailure; - } - } - flags = trust.emailFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + if (flags & CERTDB_TRUSTED) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } + else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageSSLServerWithStepUp: + /* XXX - step up certs can't be directly trusted, only distrust */ + flags = trust.sslFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & CERTDB_TRUSTED) == 0) { + /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageSSLCA: + flags = trust.sslFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) { + /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageEmailSigner: + case certUsageEmailRecipient: + flags = trust.emailFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if (flags & CERTDB_TRUSTED) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } + else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + + break; + case certUsageObjectSigner: + flags = trust.objectSigningFlags; + + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if (flags & 
CERTDB_TRUSTED) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } + else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageVerifyCA: + case certUsageStatusResponder: + flags = trust.sslFlags; + /* is the cert directly trusted or not trusted ? */ + if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) == + (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) { + *trusted = PR_TRUE; + return SECSuccess; + } + flags = trust.emailFlags; + /* is the cert directly trusted or not trusted ? */ + if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) == + (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) { + *trusted = PR_TRUE; + return SECSuccess; + } + flags = trust.objectSigningFlags; + /* is the cert directly trusted or not trusted ? */ + if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) == + (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) { + *trusted = PR_TRUE; + return SECSuccess; + } + /* fall through to test distrust */ + case certUsageAnyCA: + case certUsageUserCertImport: + /* do we distrust these certs explicitly */ + flags = trust.sslFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is * authoritative */ - if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) { - *failedFlags = flags; - return SECFailure; - } - } - /* fall through */ - case certUsageProtectedObjectSigner: - flags = trust.objectSigningFlags; - if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + flags = trust.emailFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is * authoritative */ - if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) { - *failedFlags = flags; - return SECFailure; - } - } - break; - } + if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + /* fall through */ + case certUsageProtectedObjectSigner: + flags = 
trust.objectSigningFlags; + if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + break; + } } return SECSuccess; } @@ -1161,8 +1179,8 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage, */ SECStatus CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertificateUsage requiredUsages, PRTime t, - void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages) + PRBool checkSig, SECCertificateUsage requiredUsages, PRTime t, + void *wincx, CERTVerifyLog *log, SECCertificateUsage *returnedUsages) { SECStatus rv; SECStatus valid; @@ -1170,7 +1188,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, unsigned int requiredCertType; unsigned int flags; unsigned int certType; - PRBool allowOverride; + PRBool allowOverride; SECCertTimeValidity validity; CERTStatusConfig *statusConfig; PRInt32 i; 
@@ -1189,28 +1207,29 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, if (returnedUsages) { *returnedUsages = 0; - } else { + } + else { /* we don't have a place to return status for all usages, so we can skip checks for usages that aren't required */ checkAllUsages = PR_FALSE; } - valid = SECSuccess ; /* start off assuming cert is valid */ - + valid = SECSuccess; /* start off assuming cert is valid */ + /* make sure that the cert is valid at time t */ allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) || (requiredUsages & certificateUsageSSLServerWithStepUp)); validity = CERT_CheckCertValidTimes(cert, t, allowOverride); - if ( validity != secCertTimeValid ) { + if (validity != secCertTimeValid) { valid = SECFailure; - LOG_ERROR_OR_EXIT(log,cert,0,validity); + LOG_ERROR_OR_EXIT(log, cert, 0, validity); } /* check key usage and netscape cert type */ cert_GetCertType(cert); certType = cert->nsCertType; - for (i=1; i<=certificateUsageHighest && - (SECSuccess == valid || returnedUsages || log) ; ) { + for (i = 1; i <= certificateUsageHighest && + (SECSuccess == valid || returnedUsages || log);) { PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE; if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) { NEXT_USAGE(); 
@@ -1218,74 +1237,75 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, if (returnedUsages) { *returnedUsages |= i; /* start off assuming this usage is valid */ } - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - case certUsageSSLServerWithStepUp: - case certUsageSSLCA: - case certUsageEmailSigner: - case certUsageEmailRecipient: - case certUsageObjectSigner: - case certUsageStatusResponder: - rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE, - &requiredKeyUsage, - &requiredCertType); - if ( rv != SECSuccess ) { + switch (certUsage) { + case certUsageSSLClient: + case certUsageSSLServer: + case certUsageSSLServerWithStepUp: + case certUsageSSLCA: + case certUsageEmailSigner: + case certUsageEmailRecipient: + case certUsageObjectSigner: + case certUsageStatusResponder: + rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE, + &requiredKeyUsage, + &requiredCertType); + if (rv != SECSuccess) { + PORT_Assert(0); + /* EXIT_IF_NOT_LOGGING(log); XXX ??? */ + requiredKeyUsage = 0; + requiredCertType = 0; + INVALID_USAGE(); + } + break; + + case certUsageAnyCA: + case certUsageProtectedObjectSigner: + case certUsageUserCertImport: + case certUsageVerifyCA: + /* these usages cannot be verified */ + NEXT_USAGE(); + + default: PORT_Assert(0); - /* EXIT_IF_NOT_LOGGING(log); XXX ??? 
*/ requiredKeyUsage = 0; requiredCertType = 0; INVALID_USAGE(); - } - break; - - case certUsageAnyCA: - case certUsageProtectedObjectSigner: - case certUsageUserCertImport: - case certUsageVerifyCA: - /* these usages cannot be verified */ - NEXT_USAGE(); - - default: - PORT_Assert(0); - requiredKeyUsage = 0; - requiredCertType = 0; - INVALID_USAGE(); } - if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) { + if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) { if (PR_TRUE == requiredUsage) { PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); } - LOG_ERROR(log,cert,0,requiredKeyUsage); + LOG_ERROR(log, cert, 0, requiredKeyUsage); INVALID_USAGE(); } - if ( !( certType & requiredCertType ) ) { + if (!(certType & requiredCertType)) { if (PR_TRUE == requiredUsage) { PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE); } - LOG_ERROR(log,cert,0,requiredCertType); + LOG_ERROR(log, cert, 0, requiredCertType); INVALID_USAGE(); } - rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted); - if (rv == SECFailure) { - if (PR_TRUE == requiredUsage) { - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - } - LOG_ERROR(log, cert, 0, flags); - INVALID_USAGE(); - } else if (trusted) { - VALID_USAGE(); - } + rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted); + if (rv == SECFailure) { + if (PR_TRUE == requiredUsage) { + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + } + LOG_ERROR(log, cert, 0, flags); + INVALID_USAGE(); + } + else if (trusted) { + VALID_USAGE(); + } - if (PR_TRUE == revoked || PR_TRUE == sigerror) { - INVALID_USAGE(); - } + if (PR_TRUE == revoked || PR_TRUE == sigerror) { + INVALID_USAGE(); + } rv = cert_VerifyCertChain(handle, cert, - checkSig, &sigerror, - certUsage, t, wincx, log, - &revoked); + checkSig, &sigerror, + certUsage, t, wincx, log, + &revoked); if (rv != SECSuccess) { /* EXIT_IF_NOT_LOGGING(log); XXX ???? */ 
@@ -1306,10 +1326,10 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, if (requiredUsages != certificateUsageStatusResponder && statusConfig != NULL) { if (statusConfig->statusChecker != NULL) { - rv = (* statusConfig->statusChecker)(handle, cert, - t, wincx); + rv = (*statusConfig->statusChecker)(handle, cert, + t, wincx); if (rv != SECSuccess) { - LOG_ERROR(log,cert,0,0); + LOG_ERROR(log, cert, 0, 0); revoked = PR_TRUE; INVALID_USAGE(); } @@ -1319,15 +1339,15 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, NEXT_USAGE(); } - + loser: - return(valid); + return (valid); } SECStatus CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertUsage certUsage, PRTime t, - void *wincx, CERTVerifyLog *log) + PRBool checkSig, SECCertUsage certUsage, PRTime t, + void *wincx, CERTVerifyLog *log) { return cert_VerifyCertWithFlags(handle, cert, checkSig, certUsage, t, CERT_VERIFYCERT_USE_DEFAULTS, wincx, log); 
@@ -1343,86 +1363,86 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert, unsigned int requiredCertType; unsigned int failedFlags; unsigned int certType; - PRBool trusted; - PRBool allowOverride; + PRBool trusted; + PRBool allowOverride; SECCertTimeValidity validity; CERTStatusConfig *statusConfig; - -#ifdef notdef + +#ifdef notdef /* check if this cert is in the Evil list */ rv = CERT_CheckForEvilCert(cert); - if ( rv != SECSuccess ) { - PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); - LOG_ERROR_OR_EXIT(log,cert,0,0); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); + LOG_ERROR_OR_EXIT(log, cert, 0, 0); } #endif - + /* make sure that the cert is valid at time t */ allowOverride = (PRBool)((certUsage == certUsageSSLServer) || (certUsage == certUsageSSLServerWithStepUp)); validity = CERT_CheckCertValidTimes(cert, t, allowOverride); - if ( validity != secCertTimeValid ) { - LOG_ERROR_OR_EXIT(log,cert,0,validity); + if (validity != secCertTimeValid) { + LOG_ERROR_OR_EXIT(log, cert, 0, validity); } /* check key usage and netscape cert type */ cert_GetCertType(cert); certType = cert->nsCertType; - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - case certUsageSSLServerWithStepUp: - case certUsageSSLCA: - case certUsageEmailSigner: - case certUsageEmailRecipient: - case certUsageObjectSigner: - case certUsageStatusResponder: - rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE, - &requiredKeyUsage, - &requiredCertType); - if ( rv != SECSuccess ) { - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredKeyUsage = 0; - requiredCertType = 0; - } - break; - case certUsageVerifyCA: - case certUsageAnyCA: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_CA; - if ( ! 
( certType & NS_CERT_TYPE_CA ) ) { - certType |= NS_CERT_TYPE_CA; - } - break; - default: - PORT_Assert(0); - EXIT_IF_NOT_LOGGING(log); - requiredKeyUsage = 0; - requiredCertType = 0; - } - if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) { - PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); - LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage); - } - if ( !( certType & requiredCertType ) ) { - PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE); - LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType); + switch (certUsage) { + case certUsageSSLClient: + case certUsageSSLServer: + case certUsageSSLServerWithStepUp: + case certUsageSSLCA: + case certUsageEmailSigner: + case certUsageEmailRecipient: + case certUsageObjectSigner: + case certUsageStatusResponder: + rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE, + &requiredKeyUsage, + &requiredCertType); + if (rv != SECSuccess) { + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredKeyUsage = 0; + requiredCertType = 0; + } + break; + case certUsageVerifyCA: + case certUsageAnyCA: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_CA; + if (!(certType & NS_CERT_TYPE_CA)) { + certType |= NS_CERT_TYPE_CA; + } + break; + default: + PORT_Assert(0); + EXIT_IF_NOT_LOGGING(log); + requiredKeyUsage = 0; + requiredCertType = 0; + } + if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) { + PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); + LOG_ERROR_OR_EXIT(log, cert, 0, requiredKeyUsage); + } + if (!(certType & requiredCertType)) { + PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE); + LOG_ERROR_OR_EXIT(log, cert, 0, requiredCertType); } rv = cert_CheckLeafTrust(cert, certUsage, &failedFlags, &trusted); - if (rv == SECFailure) { - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags); - } else if (trusted) { - goto done; + if (rv == SECFailure) { + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags); + } + else if (trusted) { + 
goto done; } - rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage, - t, wincx, log); + t, wincx, log); if (rv != SECSuccess) { - EXIT_IF_NOT_LOGGING(log); + EXIT_IF_NOT_LOGGING(log); } /* @@ -1434,27 +1454,27 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert, * code. */ if (!(flags & CERT_VERIFYCERT_SKIP_OCSP) && - certUsage != certUsageStatusResponder) { - statusConfig = CERT_GetStatusConfig(handle); - if (statusConfig && statusConfig->statusChecker) { - rv = (* statusConfig->statusChecker)(handle, cert, - t, wincx); - if (rv != SECSuccess) { - LOG_ERROR_OR_EXIT(log,cert,0,0); - } - } + certUsage != certUsageStatusResponder) { + statusConfig = CERT_GetStatusConfig(handle); + if (statusConfig && statusConfig->statusChecker) { + rv = (*statusConfig->statusChecker)(handle, cert, + t, wincx); + if (rv != SECSuccess) { + LOG_ERROR_OR_EXIT(log, cert, 0, 0); + } + } } done: if (log && log->head) { - return SECFailure; + return SECFailure; } - return(SECSuccess); + return (SECSuccess); loser: rv = SECFailure; - - return(rv); + + return (rv); } /* 
@@ -1463,23 +1483,22 @@ loser: */ SECStatus CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertificateUsage requiredUsages, - void *wincx, SECCertificateUsage* returnedUsages) + PRBool checkSig, SECCertificateUsage requiredUsages, + void *wincx, SECCertificateUsage *returnedUsages) { - return(CERT_VerifyCertificate(handle, cert, checkSig, - requiredUsages, PR_Now(), wincx, NULL, returnedUsages)); + return (CERT_VerifyCertificate(handle, cert, checkSig, + requiredUsages, PR_Now(), wincx, NULL, returnedUsages)); } /* obsolete, do not use for new code */ SECStatus CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool checkSig, SECCertUsage certUsage, void *wincx) + PRBool checkSig, SECCertUsage certUsage, void *wincx) { - return(CERT_VerifyCert(handle, cert, checkSig, - certUsage, PR_Now(), wincx, NULL)); + return (CERT_VerifyCert(handle, cert, checkSig, + certUsage, PR_Now(), wincx, NULL)); } - /* [ FROM pcertdb.c ] */ /* * Supported usage values and types: @@ -1493,8 +1512,8 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert, CERTCertificate * CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName, - CERTCertOwner owner, SECCertUsage usage, - PRBool preferTrusted, PRTime validTime, PRBool validOnly) + CERTCertOwner owner, SECCertUsage usage, + PRBool preferTrusted, PRTime validTime, PRBool validOnly) { CERTCertList *certList = NULL; CERTCertificate *cert = NULL; 
@@ -1502,94 +1521,94 @@ CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName, unsigned int requiredTrustFlags; SECTrustType requiredTrustType; unsigned int flags; - + PRBool lookingForCA = PR_FALSE; SECStatus rv; CERTCertListNode *node; CERTCertificate *saveUntrustedCA = NULL; - + /* if preferTrusted is set, must be a CA cert */ - PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) ); - - if ( owner == certOwnerCA ) { - lookingForCA = PR_TRUE; - if ( preferTrusted ) { - rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags, - &requiredTrustType); - if ( rv != SECSuccess ) { - goto loser; - } - requiredTrustFlags |= CERTDB_VALID_CA; - } + PORT_Assert(!(preferTrusted && (owner != certOwnerCA))); + + if (owner == certOwnerCA) { + lookingForCA = PR_TRUE; + if (preferTrusted) { + rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags, + &requiredTrustType); + if (rv != SECSuccess) { + goto loser; + } + requiredTrustFlags |= CERTDB_VALID_CA; + } } certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime, - validOnly); - if ( certList != NULL ) { - rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA); - if ( rv != SECSuccess ) { - goto loser; - } - - node = CERT_LIST_HEAD(certList); - - while ( !CERT_LIST_END(node, certList) ) { - cert = node->cert; - - /* looking for a trusted CA cert */ - if ( ( owner == certOwnerCA ) && preferTrusted && - ( requiredTrustType != trustTypeNone ) ) { - - if ( CERT_GetCertTrust(cert, &certTrust) != SECSuccess ) { - flags = 0; - } else { - flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType); - } - - if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) { - /* cert is not trusted */ - /* if this is the first cert to get this far, then save + validOnly); + if (certList != NULL) { + rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA); + if (rv != SECSuccess) { + goto loser; + } + + node = CERT_LIST_HEAD(certList); + + while (!CERT_LIST_END(node, certList)) { + 
cert = node->cert; + + /* looking for a trusted CA cert */ + if ((owner == certOwnerCA) && preferTrusted && + (requiredTrustType != trustTypeNone)) { + + if (CERT_GetCertTrust(cert, &certTrust) != SECSuccess) { + flags = 0; + } + else { + flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType); + } + + if ((flags & requiredTrustFlags) != requiredTrustFlags) { + /* cert is not trusted */ + /* if this is the first cert to get this far, then save * it, so we can use it if we can't find a trusted one */ - if ( saveUntrustedCA == NULL ) { - saveUntrustedCA = cert; - } - goto endloop; - } - } - /* if we got this far, then this cert meets all criteria */ - break; - -endloop: - node = CERT_LIST_NEXT(node); - cert = NULL; - } - - /* use the saved one if we have it */ - if ( cert == NULL ) { - cert = saveUntrustedCA; - } - - /* if we found one then bump the ref count before freeing the list */ - if ( cert != NULL ) { - /* bump the ref count */ - cert = CERT_DupCertificate(cert); - } - - CERT_DestroyCertList(certList); - } - - return(cert); + if (saveUntrustedCA == NULL) { + saveUntrustedCA = cert; + } + goto endloop; + } + } + /* if we got this far, then this cert meets all criteria */ + break; + + endloop: + node = CERT_LIST_NEXT(node); + cert = NULL; + } + + /* use the saved one if we have it */ + if (cert == NULL) { + cert = saveUntrustedCA; + } + + /* if we found one then bump the ref count before freeing the list */ + if (cert != NULL) { + /* bump the ref count */ + cert = CERT_DupCertificate(cert); + } + + CERT_DestroyCertList(certList); + } + + return (cert); loser: - if ( certList != NULL ) { - CERT_DestroyCertList(certList); + if (certList != NULL) { + CERT_DestroyCertList(certList); } - return(NULL); + return (NULL); } - /* [ From certdb.c ] */ /* * Filter a list of certificates, removing those certs that do not have 
@@ -1603,7 +1622,7 @@ loser:
  */
 SECStatus
 CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
-                             char **caNames, SECCertUsage usage)
+                             char **caNames, SECCertUsage usage)
 {
     CERTCertificate *issuerCert = NULL;
     CERTCertificate *subjectCert;
@@ -1613,65 +1632,65 @@ CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, char **names; PRBool found; PRTime time; - - if ( nCANames <= 0 ) { - return(SECSuccess); + + if (nCANames <= 0) { + return (SECSuccess); } time = PR_Now(); - + node = CERT_LIST_HEAD(certList); - - while ( ! CERT_LIST_END(node, certList) ) { - cert = node->cert; - - subjectCert = CERT_DupCertificate(cert); - - /* traverse the CA certs for this cert */ - found = PR_FALSE; - while ( subjectCert != NULL ) { - n = nCANames; - names = caNames; - - if (subjectCert->issuerName != NULL) { - while ( n > 0 ) { - if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) { - found = PR_TRUE; - break; - } - - n--; - names++; + + while (!CERT_LIST_END(node, certList)) { + cert = node->cert; + + subjectCert = CERT_DupCertificate(cert); + + /* traverse the CA certs for this cert */ + found = PR_FALSE; + while (subjectCert != NULL) { + n = nCANames; + names = caNames; + + if (subjectCert->issuerName != NULL) { + while (n > 0) { + if (PORT_Strcmp(*names, subjectCert->issuerName) == 0) { + found = PR_TRUE; + break; + } + + n--; + names++; } - } - - if ( found ) { - break; - } - - issuerCert = CERT_FindCertIssuer(subjectCert, time, usage); - if ( issuerCert == subjectCert ) { - CERT_DestroyCertificate(issuerCert); - issuerCert = NULL; - break; - } - CERT_DestroyCertificate(subjectCert); - subjectCert = issuerCert; - - } - CERT_DestroyCertificate(subjectCert); - if ( !found ) { - /* CA was not found, so remove this cert from the list */ - freenode = node; - node = CERT_LIST_NEXT(node); - CERT_RemoveCertListNode(freenode); - } else { - /* CA was found, so leave it in the list */ - node = CERT_LIST_NEXT(node); - } - } - - return(SECSuccess); + } + + if (found) { + break; + } + + issuerCert = CERT_FindCertIssuer(subjectCert, time, usage); + if (issuerCert == subjectCert) { + CERT_DestroyCertificate(issuerCert); + issuerCert = NULL; + break; + } + CERT_DestroyCertificate(subjectCert); + subjectCert = 
issuerCert; + } + CERT_DestroyCertificate(subjectCert); + if (!found) { + /* CA was not found, so remove this cert from the list */ + freenode = node; + node = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(freenode); + } + else { + /* CA was found, so leave it in the list */ + node = CERT_LIST_NEXT(node); + } + } + + return (SECSuccess); } /* 
@@ -1689,61 +1708,66 @@ CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames, */ char * CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert, - char *expiredString, char *notYetGoodString) + char *expiredString, char *notYetGoodString) { SECCertTimeValidity validity; char *nickname = NULL, *tmpstr = NULL; - + validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE); /* if the cert is good, then just use the nickname directly */ - if ( validity == secCertTimeValid ) { - if ( arena == NULL ) { - nickname = PORT_Strdup(cert->nickname); - } else { - nickname = PORT_ArenaStrdup(arena, cert->nickname); - } - - if ( nickname == NULL ) { - goto loser; - } - } else { - - /* if the cert is not valid, then tack one of the strings on the - * end - */ - if ( validity == secCertTimeExpired ) { - tmpstr = PR_smprintf("%s%s", cert->nickname, - expiredString); - } else if ( validity == secCertTimeNotValidYet ) { - /* not yet valid */ - tmpstr = PR_smprintf("%s%s", cert->nickname, - notYetGoodString); - } else { + if (validity == secCertTimeValid) { + if (arena == NULL) { + nickname = PORT_Strdup(cert->nickname); + } + else { + nickname = PORT_ArenaStrdup(arena, cert->nickname); + } + + if (nickname == NULL) { + goto loser; + } + } + else { + + /* if the cert is not valid, then tack one of the strings on the + * end + */ + if (validity == secCertTimeExpired) { + tmpstr = PR_smprintf("%s%s", cert->nickname, + expiredString); + } + else if (validity == secCertTimeNotValidYet) { + /* not yet valid */ + tmpstr = PR_smprintf("%s%s", cert->nickname, + notYetGoodString); + } + else { /* undetermined */ - tmpstr = PR_smprintf("%s", - "(NULL) (Validity Unknown)"); - } - - if ( tmpstr == NULL ) { - goto loser; - } - - if ( arena ) { - /* copy the string into the arena and free the malloc'd one */ - nickname = PORT_ArenaStrdup(arena, tmpstr); - PORT_Free(tmpstr); - } else { - nickname = tmpstr; - } - if ( nickname == NULL ) { - goto loser; - } - } - 
return(nickname); + tmpstr = PR_smprintf("%s", + "(NULL) (Validity Unknown)"); + } + + if (tmpstr == NULL) { + goto loser; + } + + if (arena) { + /* copy the string into the arena and free the malloc'd one */ + nickname = PORT_ArenaStrdup(arena, tmpstr); + PORT_Free(tmpstr); + } + else { + nickname = tmpstr; + } + if (nickname == NULL) { + goto loser; + } + } + return (nickname); loser: - return(NULL); + return (NULL); } /* @@ -1757,23 +1781,23 @@ loser: */ CERTCertNicknames * CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString, - char *notYetGoodString) + char *notYetGoodString) { CERTCertNicknames *names; PLArenaPool *arena; CERTCertListNode *node; char **nn; - + /* allocate an arena */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - return(NULL); + if (arena == NULL) { + return (NULL); } - + /* allocate the structure */ names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames)); - if ( names == NULL ) { - goto loser; + if (names == NULL) { + goto loser; } /* init the structure */ 
@@ -1785,49 +1809,49 @@ CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString, /* count the certs in the list */ node = CERT_LIST_HEAD(certList); - while ( ! CERT_LIST_END(node, certList) ) { - names->numnicknames++; - node = CERT_LIST_NEXT(node); + while (!CERT_LIST_END(node, certList)) { + names->numnicknames++; + node = CERT_LIST_NEXT(node); } - + /* allocate nicknames array */ names->nicknames = PORT_ArenaAlloc(arena, - sizeof(char *) * names->numnicknames); - if ( names->nicknames == NULL ) { - goto loser; + sizeof(char *) * names->numnicknames); + if (names->nicknames == NULL) { + goto loser; } /* just in case printf can't deal with null strings */ - if (expiredString == NULL ) { - expiredString = ""; + if (expiredString == NULL) { + expiredString = ""; } - if ( notYetGoodString == NULL ) { - notYetGoodString = ""; + if (notYetGoodString == NULL) { + notYetGoodString = ""; } - + /* traverse the list of certs and collect the nicknames */ nn = names->nicknames; node = CERT_LIST_HEAD(certList); - while ( ! CERT_LIST_END(node, certList) ) { - *nn = CERT_GetCertNicknameWithValidity(arena, node->cert, - expiredString, - notYetGoodString); - if ( *nn == NULL ) { - goto loser; - } + while (!CERT_LIST_END(node, certList)) { + *nn = CERT_GetCertNicknameWithValidity(arena, node->cert, + expiredString, + notYetGoodString); + if (*nn == NULL) { + goto loser; + } + + names->totallen += PORT_Strlen(*nn); - names->totallen += PORT_Strlen(*nn); - - nn++; - node = CERT_LIST_NEXT(node); + nn++; + node = CERT_LIST_NEXT(node); } - return(names); + return (names); loser: PORT_FreeArena(arena, PR_FALSE); - return(NULL); + return (NULL); } /* 
@@ -1844,54 +1868,54 @@ loser: */ char * CERT_ExtractNicknameString(char *namestring, char *expiredString, - char *notYetGoodString) + char *notYetGoodString) { int explen, nyglen, namelen; int retlen; char *retstr; - + namelen = PORT_Strlen(namestring); explen = PORT_Strlen(expiredString); nyglen = PORT_Strlen(notYetGoodString); - - if ( namelen > explen ) { - if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) { - retlen = namelen - explen; - retstr = (char *)PORT_Alloc(retlen+1); - if ( retstr == NULL ) { - goto loser; - } - - PORT_Memcpy(retstr, namestring, retlen); - retstr[retlen] = '\0'; - goto done; - } - } - - if ( namelen > nyglen ) { - if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) { - retlen = namelen - nyglen; - retstr = (char *)PORT_Alloc(retlen+1); - if ( retstr == NULL ) { - goto loser; - } - - PORT_Memcpy(retstr, namestring, retlen); - retstr[retlen] = '\0'; - goto done; - } + + if (namelen > explen) { + if (PORT_Strcmp(expiredString, &namestring[namelen - explen]) == 0) { + retlen = namelen - explen; + retstr = (char *)PORT_Alloc(retlen + 1); + if (retstr == NULL) { + goto loser; + } + + PORT_Memcpy(retstr, namestring, retlen); + retstr[retlen] = '\0'; + goto done; + } + } + + if (namelen > nyglen) { + if (PORT_Strcmp(notYetGoodString, &namestring[namelen - nyglen]) == 0) { + retlen = namelen - nyglen; + retstr = (char *)PORT_Alloc(retlen + 1); + if (retstr == NULL) { + goto loser; + } + + PORT_Memcpy(retstr, namestring, retlen); + retstr[retlen] = '\0'; + goto done; + } } /* if name string is shorter than either invalid string, then it must * be a raw nickname */ retstr = PORT_Strdup(namestring); - + done: - return(retstr); + return (retstr); loser: - return(NULL); + return (NULL); } CERTCertList * 
@@ -1903,7 +1927,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, PRTime time, SECCertUsage usage if (NULL == cert) { return NULL; } - + cert = CERT_DupCertificate(cert); if (NULL == cert) { PORT_SetError(SEC_ERROR_NO_MEMORY); @@ -1917,18 +1941,18 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, PRTime time, SECCertUsage usage } while (cert != NULL && ++count <= CERT_MAX_CERT_CHAIN) { - if (SECSuccess != CERT_AddCertToListTail(chain, cert)) { + if (SECSuccess != CERT_AddCertToListTail(chain, cert)) { /* return partial chain */ PORT_SetError(SEC_ERROR_NO_MEMORY); return chain; } - if (cert->isRoot) { + if (cert->isRoot) { /* return complete chain */ - return chain; - } + return chain; + } - cert = CERT_FindCertIssuer(cert, time, usage); + cert = CERT_FindCertIssuer(cert, time, usage); } /* return partial chain */ diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c index b89fe215f..7ae10b0c1 100644 --- a/lib/certhigh/certvfypkix.c +++ b/lib/certhigh/certvfypkix.c @@ -12,7 +12,7 @@ */ #include "prerror.h" #include "prprf.h" - + #include "nspr.h" #include "pk11func.h" #include "certdb.h" @@ -38,7 +38,6 @@ pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); PRInt32 parallelFnInvocationCount; #endif /* PKIX_OBJECT_LEAK_TEST */ - static PRBool usePKIXValidationEngine = PR_FALSE; /* @@ -104,7 +103,7 @@ CERT_GetUsePKIXForValidation() * Returns NULL if the function succeeds. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_NssKeyUsagesToPkix( PRUint32 nssKeyUsage, PKIX_UInt32 *pPkixKeyUsage, @@ -120,7 +119,7 @@ cert_NssKeyUsagesToPkix( if (nssKeyUsage & KU_DIGITAL_SIGNATURE) { pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE; } - + if (nssKeyUsage & KU_NON_REPUDIATION) { pkixKeyUsage |= PKIX_NON_REPUDIATION; } 
@@ -128,19 +127,19 @@ cert_NssKeyUsagesToPkix( if (nssKeyUsage & KU_KEY_ENCIPHERMENT) { pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT; } - + if (nssKeyUsage & KU_DATA_ENCIPHERMENT) { pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT; } - + if (nssKeyUsage & KU_KEY_AGREEMENT) { pkixKeyUsage |= PKIX_KEY_AGREEMENT; } - + if (nssKeyUsage & KU_KEY_CERT_SIGN) { pkixKeyUsage |= PKIX_KEY_CERT_SIGN; } - + if (nssKeyUsage & KU_CRL_SIGN) { pkixKeyUsage |= PKIX_CRL_SIGN; } @@ -148,7 +147,7 @@ cert_NssKeyUsagesToPkix( if (nssKeyUsage & KU_ENCIPHER_ONLY) { pkixKeyUsage |= PKIX_ENCIPHER_ONLY; } - + /* Not supported. XXX we should support this once it is * fixed in NSS */ /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */ @@ -176,17 +175,17 @@ typedef struct { } SECCertUsageToEku; const SECCertUsageToEku certUsageEkuStringMap[] = { - {certUsageSSLClient, ekuIndexSSLClient}, - {certUsageSSLServer, ekuIndexSSLServer}, - {certUsageSSLCA, ekuIndexSSLServer}, - {certUsageEmailSigner, ekuIndexEmail}, - {certUsageEmailRecipient, ekuIndexEmail}, - {certUsageObjectSigner, ekuIndexCodeSigner}, - {certUsageUserCertImport, ekuIndexUnknown}, - {certUsageVerifyCA, ekuIndexUnknown}, - {certUsageProtectedObjectSigner, ekuIndexUnknown}, - {certUsageStatusResponder, ekuIndexStatusResponder}, - {certUsageAnyCA, ekuIndexUnknown}, + { certUsageSSLClient, ekuIndexSSLClient }, + { certUsageSSLServer, ekuIndexSSLServer }, + { certUsageSSLCA, ekuIndexSSLServer }, + { certUsageEmailSigner, ekuIndexEmail }, + { certUsageEmailRecipient, ekuIndexEmail }, + { certUsageObjectSigner, ekuIndexCodeSigner }, + { certUsageUserCertImport, ekuIndexUnknown }, + { certUsageVerifyCA, ekuIndexUnknown }, + { certUsageProtectedObjectSigner, ekuIndexUnknown }, + { certUsageStatusResponder, ekuIndexStatusResponder }, + { certUsageAnyCA, ekuIndexUnknown }, }; /* 
@@ -200,15 +199,15 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
  * "cert"
  *      Pointer to CERTCertificate structure of validating cert.
  * "requiredCertUsages"
- *      Required usage that will be converted to pkix eku and ku. 
+ *      Required usage that will be converted to pkix eku and ku.
  * "requiredKeyUsage",
  *      Additional key usages impose to cert.
  * "isCA",
- *      it true, convert usages for cert that is a CA cert. 
+ *      it true, convert usages for cert that is a CA cert.
  * "ppkixEKUList"
  *      Returned address of a list of pkix extended key usages.
  * "ppkixKU"
- *      Returned address of pkix required key usages bit field. 
+ *      Returned address of pkix required key usages bit field.
  * "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -218,29 +217,29 @@ const SECCertUsageToEku certUsageEkuStringMap[] = { * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_NssCertificateUsageToPkixKUAndEKU( CERTCertificate *cert, - SECCertUsage requiredCertUsage, - PRUint32 requiredKeyUsages, - PRBool isCA, - PKIX_List **ppkixEKUList, - PKIX_UInt32 *ppkixKU, - void *plContext) + SECCertUsage requiredCertUsage, + PRUint32 requiredKeyUsages, + PRBool isCA, + PKIX_List **ppkixEKUList, + PKIX_UInt32 *ppkixKU, + void *plContext) { - PKIX_List *ekuOidsList = NULL; - PKIX_PL_OID *ekuOid = NULL; - int i = 0; - int ekuIndex = ekuIndexUnknown; + PKIX_List *ekuOidsList = NULL; + PKIX_PL_OID *ekuOid = NULL; + int i = 0; + int ekuIndex = ekuIndexUnknown; PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku"); PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU); - + PKIX_CHECK( PKIX_List_Create(&ekuOidsList, plContext), PKIX_LISTCREATEFAILED); - for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) { + for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) { const SECCertUsageToEku *usageToEkuElem = &certUsageEkuStringMap[i]; if (usageToEkuElem->certUsage == requiredCertUsage) { @@ -249,25 +248,25 @@ cert_NssCertificateUsageToPkixKUAndEKU( } } if (ekuIndex != ekuIndexUnknown) { - PRUint32 reqKeyUsage = 0; - PRUint32 reqCertType = 0; + PRUint32 reqKeyUsage = 0; + PRUint32 reqCertType = 0; CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, &reqKeyUsage, &reqCertType); - + requiredKeyUsages |= reqKeyUsage; - + PKIX_CHECK( PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, plContext), PKIX_OIDCREATEFAILED); - + PKIX_CHECK( PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, plContext), PKIX_LISTAPPENDITEMFAILED); - + PKIX_DECREF(ekuOid); } 
@@ -279,7 +278,7 @@ cert_NssCertificateUsageToPkixKUAndEKU( ekuOidsList = NULL; cleanup: - + PKIX_DECREF(ekuOid); PKIX_DECREF(ekuOidsList); @@ -313,37 +312,36 @@ cleanup: * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_ProcessingParamsSetKeyAndCertUsage( PKIX_ProcessingParams *procParams, - SECCertUsage requiredCertUsage, - PRUint32 requiredKeyUsages, - void *plContext) + SECCertUsage requiredCertUsage, + PRUint32 requiredKeyUsages, + void *plContext) { - PKIX_CertSelector *certSelector = NULL; + PKIX_CertSelector *certSelector = NULL; PKIX_ComCertSelParams *certSelParams = NULL; - PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext; - + PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; + PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage"); PKIX_NULLCHECK_TWO(procParams, nssContext); - + PKIX_CHECK( pkix_pl_NssContext_SetCertUsage( - ((SECCertificateUsage)1) << requiredCertUsage, nssContext), - PKIX_NSSCONTEXTSETCERTUSAGEFAILED); + ((SECCertificateUsage)1) << requiredCertUsage, nssContext), + PKIX_NSSCONTEXTSETCERTUSAGEFAILED); if (requiredKeyUsages) { PKIX_CHECK( PKIX_ProcessingParams_GetTargetCertConstraints(procParams, &certSelector, plContext), PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); - + PKIX_CHECK( PKIX_CertSelector_GetCommonCertSelectorParams(certSelector, &certSelParams, plContext), PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); - - + PKIX_CHECK( PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages, plContext), @@ -357,7 +355,7 @@ cleanup: } /* - * Unused parameters: + * Unused parameters: * * CERTCertList *initialChain, * CERTCertStores certStores, 
@@ -398,44 +396,44 @@ cleanup: * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_CreatePkixProcessingParams( - CERTCertificate *cert, - PRBool checkSig, /* not used yet. See bug 391476 */ - PRTime time, - void *wincx, - PRBool useArena, - PRBool disableOCSPRemoteFetching, + CERTCertificate *cert, + PRBool checkSig, /* not used yet. See bug 391476 */ + PRTime time, + void *wincx, + PRBool useArena, + PRBool disableOCSPRemoteFetching, PKIX_ProcessingParams **pprocParams, - void **pplContext) + void **pplContext) { - PKIX_List *anchors = NULL; - PKIX_PL_Cert *targetCert = NULL; - PKIX_PL_Date *date = NULL; + PKIX_List *anchors = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_PL_Date *date = NULL; PKIX_ProcessingParams *procParams = NULL; - PKIX_CertSelector *certSelector = NULL; + PKIX_CertSelector *certSelector = NULL; PKIX_ComCertSelParams *certSelParams = NULL; - PKIX_CertStore *certStore = NULL; - PKIX_List *certStores = NULL; + PKIX_CertStore *certStore = NULL; + PKIX_List *certStores = NULL; PKIX_RevocationChecker *revChecker = NULL; - PKIX_UInt32 methodFlags = 0; - void *plContext = NULL; - CERTStatusConfig *statusConfig = NULL; - + PKIX_UInt32 methodFlags = 0; + void *plContext = NULL; + CERTStatusConfig *statusConfig = NULL; + PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); PKIX_NULLCHECK_TWO(cert, pprocParams); - + PKIX_CHECK( PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), PKIX_NSSCONTEXTCREATEFAILED); *pplContext = plContext; -#ifdef PKIX_NOTDEF +#ifdef PKIX_NOTDEF /* Functions should be implemented in patch for 390532 */ PKIX_CHECK( pkix_pl_NssContext_SetCertSignatureCheck(checkSig, - (PKIX_PL_NssContext*)plContext), + (PKIX_PL_NssContext *)plContext), PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED); #endif /* PKIX_NOTDEF */ 
@@ -443,11 +441,11 @@ cert_CreatePkixProcessingParams( PKIX_CHECK( PKIX_ProcessingParams_Create(&procParams, plContext), PKIX_PROCESSINGPARAMSCREATEFAILED); - + PKIX_CHECK( PKIX_ComCertSelParams_Create(&certSelParams, plContext), PKIX_COMCERTSELPARAMSCREATEFAILED); - + PKIX_CHECK( PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext), PKIX_CERTCREATEWITHNSSCERTFAILED); @@ -456,16 +454,16 @@ cert_CreatePkixProcessingParams( PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext), PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED); - + PKIX_CHECK( PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext), PKIX_COULDNOTCREATECERTSELECTOROBJECT); - + PKIX_CHECK( PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext), PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); - + PKIX_CHECK( PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext), @@ -482,11 +480,11 @@ cert_CreatePkixProcessingParams( PKIX_CHECK( PKIX_PL_Pk11CertStore_Create(&certStore, plContext), PKIX_PK11CERTSTORECREATEFAILED); - + PKIX_CHECK( PKIX_List_Create(&certStores, plContext), PKIX_UNABLETOCREATELIST); - + PKIX_CHECK( PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext), @@ -507,11 +505,11 @@ cert_CreatePkixProcessingParams( PKIX_CHECK( PKIX_RevocationChecker_Create( - PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | - PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, - PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | - PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, - &revChecker, plContext), + PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | + PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, + PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | + PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, + &revChecker, plContext), PKIX_REVOCATIONCHECKERCREATEFAILED); PKIX_CHECK( 
@@ -520,27 +518,27 @@ cert_CreatePkixProcessingParams( PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); /* CRL method flags */ - methodFlags = + methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD | PKIX_REV_M_FORBID_NETWORK_FETCHING | - PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ - PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ + PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ + PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; /* add CRL revocation method to check the leaf certificate */ PKIX_CHECK( PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_CRL, methodFlags, - 0, NULL, PKIX_TRUE, plContext), + PKIX_RevocationMethod_CRL, methodFlags, + 0, NULL, PKIX_TRUE, plContext), PKIX_REVOCATIONCHECKERADDMETHODFAILED); /* add CRL revocation method for other certs in the chain. */ PKIX_CHECK( PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_CRL, methodFlags, - 0, NULL, PKIX_FALSE, plContext), + PKIX_RevocationMethod_CRL, methodFlags, + 0, NULL, PKIX_FALSE, plContext), PKIX_REVOCATIONCHECKERADDMETHODFAILED); - + /* For compatibility with the old code, need to check that * statusConfig is set in the db handle and status checker * is defined befor allow ocsp status check on the leaf cert.*/ 
@@ -551,30 +549,30 @@ cert_CreatePkixProcessingParams( /* OCSP method flags */ methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD | - PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ - PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ - PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ - PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ + PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ + PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ + PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ + PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; - + /* Disabling ocsp fetching when checking the status * of ocsp response signer. Here and in the next if, * adjust flags for ocsp signer cert validation case. */ if (disableOCSPRemoteFetching) { methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; } - - if (ocsp_FetchingFailureIsVerificationFailure() - && !disableOCSPRemoteFetching) { + + if (ocsp_FetchingFailureIsVerificationFailure() && + !disableOCSPRemoteFetching) { methodFlags |= PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; } - + /* add OCSP revocation method to check only the leaf certificate.*/ PKIX_CHECK( PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_OCSP, methodFlags, - 1, NULL, PKIX_TRUE, plContext), + PKIX_RevocationMethod_OCSP, methodFlags, + 1, NULL, PKIX_TRUE, plContext), PKIX_REVOCATIONCHECKERADDMETHODFAILED); } @@ -585,14 +583,14 @@ cert_CreatePkixProcessingParams( PKIX_CHECK( PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE, - plContext), + plContext), PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED); PKIX_CHECK( PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE, plContext), PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED); - + *pprocParams = procParams; procParams = NULL; 
@@ -615,10 +613,10 @@ cleanup: * DESCRIPTION: * * Converts pkix cert list into nss cert list. - * + * * PARAMETERS: * "pkixCertChain" - * Pkix certificate list. + * Pkix certificate list. * "pvalidChain" * An address of returned nss certificate list. * "plContext" @@ -630,18 +628,18 @@ cleanup: * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_PkixToNssCertsChain( - PKIX_List *pkixCertChain, - CERTCertList **pvalidChain, + PKIX_List *pkixCertChain, + CERTCertList **pvalidChain, void *plContext) { - PLArenaPool *arena = NULL; + PLArenaPool *arena = NULL; CERTCertificate *nssCert = NULL; - CERTCertList *validChain = NULL; - PKIX_PL_Object *certItem = NULL; - PKIX_UInt32 length = 0; - PKIX_UInt32 i = 0; + CERTCertList *validChain = NULL; + PKIX_PL_Object *certItem = NULL; + PKIX_UInt32 length = 0; + PKIX_UInt32 i = 0; PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain"); PKIX_NULLCHECK_ONE(pvalidChain); @@ -653,7 +651,7 @@ cert_PkixToNssCertsChain( if (arena == NULL) { PKIX_ERROR(PKIX_OUTOFMEMORY); } - validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); + validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); if (validChain == NULL) { PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); } 
@@ -665,22 +663,22 @@ cert_PkixToNssCertsChain( PKIX_List_GetLength(pkixCertChain, &length, plContext), PKIX_LISTGETLENGTHFAILED); - for (i = 0; i < length; i++){ + for (i = 0; i < length; i++) { CERTCertListNode *node = NULL; PKIX_CHECK( PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext), PKIX_LISTGETITEMFAILED); - + PKIX_CHECK( - PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert, - plContext), + PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, &nssCert, + plContext), PKIX_CERTGETCERTCERTIFICATEFAILED); - + node = (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena, sizeof(CERTCertListNode)); - if ( node == NULL ) { + if (node == NULL) { PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); } @@ -695,10 +693,11 @@ cert_PkixToNssCertsChain( *pvalidChain = validChain; cleanup: - if (PKIX_ERROR_RECEIVED){ + if (PKIX_ERROR_RECEIVED) { if (validChain) { CERT_DestroyCertList(validChain); - } else if (arena) { + } + else if (arena) { PORT_FreeArena(arena, PR_FALSE); } if (nssCert) { @@ -710,7 +709,6 @@ cleanup: PKIX_RETURN(CERTVFYPKIX); } - /* * FUNCTION: cert_BuildAndValidateChain * DESCRIPTION: @@ -738,7 +736,7 @@ cleanup: * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_BuildAndValidateChain( PKIX_ProcessingParams *procParams, PKIX_BuildResult **pResult, 
@@ -746,19 +744,19 @@ cert_BuildAndValidateChain( void *plContext) { PKIX_BuildResult *result = NULL; - PKIX_VerifyNode *verifyNode = NULL; - void *nbioContext = NULL; - void *state = NULL; - + PKIX_VerifyNode *verifyNode = NULL; + void *nbioContext = NULL; + void *state = NULL; + PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain"); PKIX_NULLCHECK_TWO(procParams, pResult); - + do { if (nbioContext && state) { /* PKIX-XXX: need to test functionality of NBIO handling in libPkix. * See bug 391180 */ PRInt32 filesReady = 0; - PRPollDesc *pollDesc = (PRPollDesc*)nbioContext; + PRPollDesc *pollDesc = (PRPollDesc *)nbioContext; filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); if (filesReady <= 0) { PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM); @@ -769,7 +767,7 @@ cert_BuildAndValidateChain( PKIX_BuildChain(procParams, &nbioContext, &state, &result, &verifyNode, plContext), PKIX_UNABLETOBUILDCHAIN); - + } while (nbioContext && state); *pResult = result; @@ -782,7 +780,6 @@ cleanup: PKIX_RETURN(CERTVFYPKIX); } - /* * FUNCTION: cert_PkixErrorToNssCode * DESCRIPTION: @@ -817,16 +814,17 @@ cert_PkixErrorToNssCode( PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode"); PKIX_NULLCHECK_TWO(error, pNssErr); - + /* Loop until we find at least one error with non-null * plErr code, that is going to be nss error code. */ while (errPtr) { if (errPtr->plErr && !nssErr) { nssErr = errPtr->plErr; - if (!pkixLog) break; + if (!pkixLog) + break; } if (pkixLog) { -#ifdef PKIX_ERROR_DESCRIPTION +#ifdef PKIX_ERROR_DESCRIPTION PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, PKIX_ErrorText[errPtr->errCode])); #else @@ -835,12 +833,13 @@ cert_PkixErrorToNssCode( #endif /* PKIX_ERROR_DESCRIPTION */ } errPtr = errPtr->cause; - errLevel += 1; + errLevel += 1; } PORT_Assert(nssErr); if (!nssErr) { *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; - } else { + } + else { *pNssErr = nssErr; } 
@@ -856,7 +855,7 @@ cert_PkixErrorToNssCode( * * PARAMETERS: * "log" - * Pointed to already allocated CERTVerifyLog structure. + * Pointed to already allocated CERTVerifyLog structure. * "node" * A node of PKIX_VerifyNode tree. * "plContext" @@ -874,7 +873,7 @@ cert_GetLogFromVerifyNode( PKIX_VerifyNode *node, void *plContext) { - PKIX_List *children = NULL; + PKIX_List *children = NULL; PKIX_VerifyNode *childNode = NULL; PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode"); @@ -894,26 +893,27 @@ cert_GetLogFromVerifyNode( cert_PkixErrorToNssCode(node->error, &nssErrorCode, plContext), PKIX_GETPKIXERRORCODEFAILED); - + cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL); } } PKIX_RETURN(CERTVFYPKIX); - } else { - PRUint32 i = 0; - PKIX_UInt32 length = 0; + } + else { + PRUint32 i = 0; + PKIX_UInt32 length = 0; PKIX_CHECK( PKIX_List_GetLength(children, &length, plContext), PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < length; i++){ + + for (i = 0; i < length; i++) { PKIX_CHECK( - PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode, + PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode, plContext), PKIX_LISTGETITEMFAILED); - + PKIX_CHECK( cert_GetLogFromVerifyNode(log, childNode, plContext), PKIX_ERRORINRECURSIVEEQUALSCALL); @@ -943,7 +943,7 @@ cleanup: * In case of failure it will convert: * * pkix error to PR error code(will set it with PORT_SetError) * * pkix validation log to nss CERTVerifyLog - * + * * PARAMETERS: * "buildResult" * Build results returned by PKIX_BuildChain. 
@@ -968,23 +968,23 @@ cleanup: * Returns a Cert Verify Error if the function fails in an unrecoverable way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ -static PKIX_Error* +static PKIX_Error * cert_GetBuildResults( PKIX_BuildResult *buildResult, - PKIX_VerifyNode *verifyNode, - PKIX_Error *error, - CERTVerifyLog *log, + PKIX_VerifyNode *verifyNode, + PKIX_Error *error, + CERTVerifyLog *log, CERTCertificate **ptrustedRoot, - CERTCertList **pvalidChain, - void *plContext) + CERTCertList **pvalidChain, + void *plContext) { PKIX_ValidateResult *validResult = NULL; - CERTCertList *validChain = NULL; - CERTCertificate *trustedRoot = NULL; - PKIX_TrustAnchor *trustAnchor = NULL; - PKIX_PL_Cert *trustedCert = NULL; - PKIX_List *pkixCertChain = NULL; - + CERTCertList *validChain = NULL; + CERTCertificate *trustedRoot = NULL; + PKIX_TrustAnchor *trustAnchor = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_List *pkixCertChain = NULL; + PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults"); if (buildResult == NULL && error == NULL) { PKIX_ERROR(PKIX_NULLARGUMENT); @@ -1036,7 +1036,7 @@ cert_GetBuildResults( plContext), PKIX_CERTGETCERTCERTIFICATEFAILED); } - + PORT_Assert(!PKIX_ERROR_RECEIVED); if (trustedRoot) { @@ -1062,7 +1062,7 @@ cleanup: PKIX_DECREF(error); PKIX_DECREF(verifyNode); PKIX_DECREF(buildResult); - + PKIX_RETURN(CERTVFYPKIX); } 
@@ -1103,27 +1103,27 @@ cleanup: SECStatus cert_VerifyCertChainPkix( CERTCertificate *cert, - PRBool checkSig, - SECCertUsage requiredUsage, - PRTime time, - void *wincx, - CERTVerifyLog *log, - PRBool *pSigerror, - PRBool *pRevoked) + PRBool checkSig, + SECCertUsage requiredUsage, + PRTime time, + void *wincx, + CERTVerifyLog *log, + PRBool *pSigerror, + PRBool *pRevoked) { PKIX_ProcessingParams *procParams = NULL; - PKIX_BuildResult *result = NULL; - PKIX_VerifyNode *verifyNode = NULL; - PKIX_Error *error = NULL; + PKIX_BuildResult *result = NULL; + PKIX_VerifyNode *verifyNode = NULL; + PKIX_Error *error = NULL; - SECStatus rv = SECFailure; - void *plContext = NULL; + SECStatus rv = SECFailure; + void *plContext = NULL; #ifdef PKIX_OBJECT_LEAK_TEST - int leakedObjNum = 0; - int memLeakLoopCount = 0; - int objCountTable[PKIX_NUMTYPES]; - int fnInvLocalCount = 0; + int leakedObjNum = 0; + int memLeakLoopCount = 0; + int objCountTable[PKIX_NUMTYPES]; + int fnInvLocalCount = 0; PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; if (usePKIXValidationEngine) { 
@@ -1136,93 +1136,95 @@ cert_VerifyCertChainPkix( testStartFnStackPosition = 2; fnStackNameArr[0] = "cert_VerifyCertChainPkix"; fnStackInvCountArr[0] = 0; - PKIX_Boolean abortOnLeak = + PKIX_Boolean abortOnLeak = (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? - PKIX_FALSE : PKIX_TRUE; + PKIX_FALSE + : PKIX_TRUE; runningLeakTest = PKIX_TRUE; /* Prevent multi-threaded run of object leak test */ fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); PORT_Assert(fnInvLocalCount == 1); -do { - rv = SECFailure; - plContext = NULL; - procParams = NULL; - result = NULL; - verifyNode = NULL; - error = NULL; - errorGenerated = PKIX_FALSE; - stackPosition = 0; - - if (leakedObjNum) { - pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); - } - memLeakLoopCount += 1; + do { + rv = SECFailure; + plContext = NULL; + procParams = NULL; + result = NULL; + verifyNode = NULL; + error = NULL; + errorGenerated = PKIX_FALSE; + stackPosition = 0; + + if (leakedObjNum) { + pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); + } + memLeakLoopCount += 1; #endif /* PKIX_OBJECT_LEAK_TEST */ - error = - cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, - PR_FALSE/*use arena*/, - requiredUsage == certUsageStatusResponder, - &procParams, &plContext); - if (error) { - goto cleanup; - } + error = + cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, + PR_FALSE /*use arena*/, + requiredUsage == certUsageStatusResponder, + &procParams, &plContext); + if (error) { + goto cleanup; + } - error = - cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0, - plContext); - if (error) { - goto cleanup; - } + error = + cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0, + plContext); + if (error) { + goto cleanup; + } - error = - cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext); - if (error) { - goto cleanup; - } - - if (pRevoked) { - /* Currently always PR_FALSE. 
Will be fixed as a part of 394077 */ - *pRevoked = PR_FALSE; - } - if (pSigerror) { - /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ - *pSigerror = PR_FALSE; - } - rv = SECSuccess; + error = + cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext); + if (error) { + goto cleanup; + } -cleanup: - error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL, - plContext); - if (error) { - PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); - } - if (procParams) { - PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); - } - if (plContext) { - PKIX_PL_NssContext_Destroy(plContext); - } + if (pRevoked) { + /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ + *pRevoked = PR_FALSE; + } + if (pSigerror) { + /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ + *pSigerror = PR_FALSE; + } + rv = SECSuccess; + + cleanup: + error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL, + plContext); + if (error) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); + } + if (procParams) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); + } + if (plContext) { + PKIX_PL_NssContext_Destroy(plContext); + } #ifdef PKIX_OBJECT_LEAK_TEST - leakedObjNum = - pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); - - if (pkixLog && leakedObjNum) { - PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." - "Stack %s\n", memLeakLoopCount, errorFnStackString)); - } - PR_Free(errorFnStackString); - errorFnStackString = NULL; - if (abortOnLeak) { - PORT_Assert(leakedObjNum == 0); - } + leakedObjNum = + pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); -} while (errorGenerated); + if (pkixLog && leakedObjNum) { + PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." 
+ "Stack %s\n", + memLeakLoopCount, errorFnStackString)); + } + PR_Free(errorFnStackString); + errorFnStackString = NULL; + if (abortOnLeak) { + PORT_Assert(leakedObjNum == 0); + } + + } while (errorGenerated); - runningLeakTest = PKIX_FALSE; + runningLeakTest = PKIX_FALSE; PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); usePKIXValidationEngine = savedUsePkixEngFlag; #endif /* PKIX_OBJECT_LEAK_TEST */ 
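Review bot: The `cleanup:` label in cert_VerifyCertChainPkix is now indented to the depth of the `do {` loop, but that loop only exists when PKIX_OBJECT_LEAK_TEST is defined, so in a normal build the label sits one level deeper than the function body it belongs to and no longer stands out as the `goto` target. I would keep it at column 0 (`cleanup:`) and bracket the leak-test loop with `/* clang-format off */` and `/* clang-format on */` so the formatter stops re-indenting it; the same applies to the identically shaped loop in CERT_PKIXVerifyCert further down. The split ternary `? PKIX_FALSE` / `: PKIX_TRUE` for abortOnLeak is another formatter artifact that reads worse than the original one-liner and also recurs in the CERT_PKIXVerifyCert hunk. The function body starts before this hunk and ends after it.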
@@ -1231,50 +1233,55 @@ cleanup: } PKIX_CertSelector * -cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) +cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) { PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; - PKIX_CertSelector *r= NULL; + PKIX_CertSelector *r = NULL; PKIX_PL_Cert *eeCert = NULL; PKIX_Error *error = NULL; error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; error = PKIX_ComCertSelParams_Create(&certSelParams, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; error = PKIX_ComCertSelParams_SetCertificate( - certSelParams, eeCert, plContext); - if (error != NULL) goto cleanup; + certSelParams, eeCert, plContext); + if (error != NULL) + goto cleanup; - error = PKIX_CertSelector_SetCommonCertSelectorParams - (certSelector, certSelParams, plContext); - if (error != NULL) goto cleanup; + error = PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext); + if (error != NULL) + goto cleanup; error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext); - if (error == NULL) r = certSelector; + if (error == NULL) + r = certSelector; cleanup: - if (certSelParams != NULL) + if (certSelParams != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext); - if (eeCert != NULL) + if (eeCert != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext); - if (certSelector != NULL) + if (certSelector != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); if (error != NULL) { - SECErrorCodes nssErr; + SECErrorCodes nssErr; - cert_PkixErrorToNssCode(error, &nssErr, plContext); + cert_PkixErrorToNssCode(error, &nssErr, plContext); 
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); - PORT_SetError(nssErr); + PORT_SetError(nssErr); } return r; @@ -1289,39 +1296,42 @@ cert_GetCertStores(void *plContext) PKIX_Error *error = NULL; error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; error = PKIX_List_Create(&certStores, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; - error = PKIX_List_AppendItem( certStores, - (PKIX_PL_Object *)certStore, plContext); - if (error != NULL) goto cleanup; + error = PKIX_List_AppendItem(certStores, + (PKIX_PL_Object *)certStore, plContext); + if (error != NULL) + goto cleanup; error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext); - if (error == NULL) r = certStores; + if (error == NULL) + r = certStores; cleanup: - if (certStores != NULL) + if (certStores != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); - if (certStore != NULL) + if (certStore != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext); if (error != NULL) { - SECErrorCodes nssErr; + SECErrorCodes nssErr; - cert_PkixErrorToNssCode(error, &nssErr, plContext); + cert_PkixErrorToNssCode(error, &nssErr, plContext); PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); - PORT_SetError(nssErr); + PORT_SetError(nssErr); } return r; } - struct fake_PKIX_PL_CertStruct { - CERTCertificate *nssCert; + CERTCertificate *nssCert; }; /* This needs to be part of the PKIX_PL_* */ 
@@ -1332,12 +1342,13 @@ cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert) { struct fake_PKIX_PL_CertStruct *fcert = NULL; - fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert; + fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert; return CERT_DupCertificate(fcert->nssCert); } -PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext) +PKIX_List * +cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext) { PKIX_List *r = NULL; PKIX_List *policyList = NULL; @@ -1347,16 +1358,16 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon error = PKIX_List_Create(&policyList, plContext); if (error != NULL) { - goto cleanup; + goto cleanup; } - for (i=0; i<oidCount; i++) { + for (i = 0; i < oidCount; i++) { error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); if (error) { goto cleanup; } - error = PKIX_List_AppendItem(policyList, - (PKIX_PL_Object *)policyOID, plContext); + error = PKIX_List_AppendItem(policyList, + (PKIX_PL_Object *)policyOID, plContext); if (error != NULL) { goto cleanup; } @@ -1365,19 +1376,21 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon } error = PKIX_List_SetImmutable(policyList, plContext); - if (error != NULL) goto cleanup; + if (error != NULL) + goto cleanup; error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext); - if (error == NULL) r = policyList; + if (error == NULL) + r = policyList; cleanup: - if (policyOID != NULL) { + if (policyOID != NULL) { PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); } - if (policyList != NULL) { + if (policyList != NULL) { PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); } - if (error != NULL) { + if (error != NULL) { PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); } 
@@ -1393,14 +1406,13 @@ cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t) } for (i = params; i->type != cert_po_end; i++) { if (i->type == t) { - return i; + return i; } } return NULL; } - -static PKIX_Error* +static PKIX_Error * setRevocationMethod(PKIX_RevocationChecker *revChecker, PKIX_ProcessingParams *procParams, const CERTRevocationTests *revTest, @@ -1413,14 +1425,14 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker, PKIX_UInt32 methodFlags = 0; PKIX_Error *error = NULL; PKIX_UInt32 priority = 0; - + if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) { return NULL; } if (revTest->preferred_methods) { unsigned int i = 0; - for (;i < revTest->number_of_preferred_methods;i++) { - if (revTest->preferred_methods[i] == certRevMethod) + for (; i < revTest->number_of_preferred_methods; i++) { + if (revTest->preferred_methods[i] == certRevMethod) break; } priority = i; @@ -1432,19 +1444,18 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker, } error = PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - pkixRevMethod, methodFlags, - priority, NULL, - isLeafTest, plContext); + pkixRevMethod, methodFlags, + priority, NULL, + isLeafTest, plContext); return error; } - SECStatus -cert_pkixSetParam(PKIX_ProcessingParams *procParams, - const CERTValInParam *param, void *plContext) +cert_pkixSetParam(PKIX_ProcessingParams *procParams, + const CERTValInParam *param, void *plContext) { - PKIX_Error * error = NULL; - SECStatus r=SECSuccess; + PKIX_Error *error = NULL; + SECStatus r = SECSuccess; PKIX_PL_Date *date = NULL; PKIX_List *policyOIDList = NULL; PKIX_List *certListPkix = NULL; 
@@ -1465,22 +1476,22 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, /* needed? */ error = PKIX_ProcessingParams_SetExplicitPolicyRequired( - procParams, PKIX_TRUE, plContext); + procParams, PKIX_TRUE, plContext); - if (error != NULL) { + if (error != NULL) { break; } policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids, - param->value.arraySize,plContext); - if (policyOIDList == NULL) { - r = SECFailure; - PORT_SetError(SEC_ERROR_INVALID_ARGS); - break; - } + param->value.arraySize, plContext); + if (policyOIDList == NULL) { + r = SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + break; + } error = PKIX_ProcessingParams_SetInitialPolicies( - procParams,policyOIDList,plContext); + procParams, policyOIDList, plContext); break; case cert_pi_date: @@ -1490,9 +1501,10 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, errCode = SEC_ERROR_INVALID_TIME; break; } - } else { + } + else { error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, - &date, plContext); + &date, plContext); if (error != NULL) { errCode = SEC_ERROR_INVALID_TIME; break; @@ -1505,8 +1517,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, } break; - case cert_pi_revocationFlags: - { + case cert_pi_revocationFlags: { PKIX_UInt32 leafIMFlags = 0; PKIX_UInt32 chainIMFlags = 0; PKIX_Boolean validatingResponderCert = PKIX_FALSE; @@ -1518,7 +1529,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, break; } - leafIMFlags = + leafIMFlags = flags->leafTests.cert_rev_method_independent_flags; chainIMFlags = flags->chainTests.cert_rev_method_independent_flags; @@ -1532,12 +1543,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, error = PKIX_ProcessingParams_SetRevocationChecker(procParams, - revChecker, plContext); + revChecker, plContext); if (error) { break; } - if (((PKIX_PL_NssContext*)plContext)->certificateUsage & + if (((PKIX_PL_NssContext *)plContext)->certificateUsage & certificateUsageStatusResponder) { validatingResponderCert = PKIX_TRUE; } 
@@ -1582,8 +1593,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, break; } - } - break; + } break; case cert_pi_trustAnchors: certList = param->value.pointer.chain; @@ -1596,10 +1606,10 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, if (error != NULL) { break; } - for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); - node = CERT_LIST_NEXT(node) ) { + for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); + node = CERT_LIST_NEXT(node)) { error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, - &certPkix, plContext); + &certPkix, plContext); if (error) { break; } @@ -1609,8 +1619,8 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, break; } error = PKIX_List_AppendItem(certListPkix, - (PKIX_PL_Object*)trustAnchor, plContext); - if (error) { + (PKIX_PL_Object *)trustAnchor, plContext); + if (error) { break; } PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); @@ -1626,12 +1636,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, case cert_pi_useAIACertFetch: error = PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams, - (PRBool)(param->value.scalar.b != 0), + (PRBool)(param->value.scalar.b != + 0), plContext); break; - case cert_pi_chainVerifyCallback: - { + case cert_pi_chainVerifyCallback: { const CERTChainVerifyCallback *chainVerifyCallback = param->value.pointer.chainVerifyCallback; if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) { @@ -1641,13 +1651,13 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, } nssContext->chainVerifyCallback = *chainVerifyCallback; - } - break; + } break; case cert_pi_useOnlyTrustAnchors: error = PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams, - (PRBool)(param->value.scalar.b != 0), + (PRBool)(param->value.scalar.b != + 0), plContext); break; 
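Review bot: The reflowed `} break;` that now closes the cert_pi_revocationFlags and cert_pi_chainVerifyCallback cases fuses the block close and the `break` onto one line, which is easy to misread as a statement belonging to the block; the previous `}` followed by `break;` on its own line was clearer, and moving `break;` inside the braces would also stop clang-format from joining them. The wrapped cast in the cert_pi_useAIACertFetch and cert_pi_useOnlyTrustAnchors cases, `(PRBool)(param->value.scalar.b !=` with the `0)` orphaned on the next line, is a similar artifact; putting `(PRBool)(param->value.scalar.b != 0),` on a line of its own keeps the comparison intact. cert_pkixSetParam starts and ends outside these hunks.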
@@ -1660,19 +1670,19 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, if (policyOIDList != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); - if (date != NULL) + if (date != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); - if (revChecker != NULL) + if (revChecker != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); - if (certListPkix) + if (certListPkix) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); - if (trustAnchor) + if (trustAnchor) PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); - if (certPkix) + if (certPkix) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); if (error != NULL) { @@ -1681,8 +1691,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, r = SECFailure; } - return r; - + return r; } void 
@@ -1695,207 +1704,188 @@ cert_pkixDestroyValOutParam(CERTValOutParam *params) } for (i = params; i->type != cert_po_end; i++) { switch (i->type) { - case cert_po_trustAnchor: - if (i->value.pointer.cert) { - CERT_DestroyCertificate(i->value.pointer.cert); - i->value.pointer.cert = NULL; - } - break; + case cert_po_trustAnchor: + if (i->value.pointer.cert) { + CERT_DestroyCertificate(i->value.pointer.cert); + i->value.pointer.cert = NULL; + } + break; - case cert_po_certList: - if (i->value.pointer.chain) { - CERT_DestroyCertList(i->value.pointer.chain); - i->value.pointer.chain = NULL; - } - break; + case cert_po_certList: + if (i->value.pointer.chain) { + CERT_DestroyCertList(i->value.pointer.chain); + i->value.pointer.chain = NULL; + } + break; - default: - break; + default: + break; } } } static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - CERT_REV_M_TEST_USING_THIS_METHOD + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + CERT_REV_M_TEST_USING_THIS_METHOD }; static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + 0 }; -static CERTRevocationMethodIndex -certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { - cert_revocation_method_crl -}; +static CERTRevocationMethodIndex + certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { + cert_revocation_method_crl + }; static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = { - { - /* leafTests */ - 
2, - certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags, - 1, - &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference, - 0 - }, - { - /* chainTests */ - 2, - certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, - 0, - 0, - 0 - } + { /* leafTests */ + 2, + certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags, + 1, + &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference, + 0 }, + { /* chainTests */ + 2, + certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, + 0, + 0, + 0 } }; -extern const CERTRevocationFlags* +extern const CERTRevocationFlags * CERT_GetClassicOCSPEnabledSoftFailurePolicy() { return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy; } - static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO }; static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + 0 }; -static CERTRevocationMethodIndex -certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { - cert_revocation_method_crl -}; +static CERTRevocationMethodIndex + certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { + cert_revocation_method_crl + }; static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = { - { - /* leafTests */ - 2, - 
certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags, - 1, - &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference, - 0 - }, - { - /* chainTests */ - 2, - certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, - 0, - 0, - 0 - } + { /* leafTests */ + 2, + certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags, + 1, + &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference, + 0 }, + { /* chainTests */ + 2, + certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, + 0, + 0, + 0 } }; -extern const CERTRevocationFlags* +extern const CERTRevocationFlags * CERT_GetClassicOCSPEnabledHardFailurePolicy() { return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy; } - static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + 0 }; static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FORBID_NETWORK_FETCHING - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FORBID_NETWORK_FETCHING | + CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, + /* ocsp */ + 0 }; static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = { - { - /* leafTests */ - 2, - certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, - 0, - 0, - 0 - }, - { - /* chainTests */ - 2, - certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, - 0, - 0, - 0 - } + { /* leafTests */ + 2, + certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, + 0, + 0, + 0 }, + { /* chainTests */ + 2, + certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, + 0, + 0, + 0 } }; -extern const CERTRevocationFlags* +extern const CERTRevocationFlags * CERT_GetClassicOCSPDisabledPolicy() { return 
&certRev_NSS_3_11_Ocsp_Disabled_Policy; } - static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO - | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | + CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, + /* ocsp */ + 0 }; static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = { - /* crl */ - CERT_REV_M_TEST_USING_THIS_METHOD - | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO - | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, - /* ocsp */ - 0 + /* crl */ + CERT_REV_M_TEST_USING_THIS_METHOD | + CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | + CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, + /* ocsp */ + 0 }; static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = { - { - /* leafTests */ - 2, - certRev_PKIX_Verify_Nist_Policy_LeafFlags, - 0, - 0, - 0 - }, - { - /* chainTests */ - 2, - certRev_PKIX_Verify_Nist_Policy_ChainFlags, - 0, - 0, - 0 - } + { /* leafTests */ + 2, + certRev_PKIX_Verify_Nist_Policy_LeafFlags, + 0, + 0, + 0 }, + { /* chainTests */ + 2, + certRev_PKIX_Verify_Nist_Policy_ChainFlags, + 0, + 0, + 0 } }; -extern const CERTRevocationFlags* +extern const CERTRevocationFlags * CERT_GetPKIXVerifyNistRevocationPolicy() { return &certRev_PKIX_Verify_Nist_Policy; 
@@ -1907,56 +1897,57 @@ CERT_AllocCERTRevocationFlags( PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) { CERTRevocationFlags *flags; - + flags = PORT_New(CERTRevocationFlags); if (!flags) - return(NULL); - + return (NULL); + flags->leafTests.number_of_defined_methods = number_leaf_methods; - flags->leafTests.cert_rev_flags_per_method = + flags->leafTests.cert_rev_flags_per_method = PORT_NewArray(PRUint64, number_leaf_methods); flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods; - flags->leafTests.preferred_methods = + flags->leafTests.preferred_methods = PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods); flags->chainTests.number_of_defined_methods = number_chain_methods; - flags->chainTests.cert_rev_flags_per_method = + flags->chainTests.cert_rev_flags_per_method = PORT_NewArray(PRUint64, number_chain_methods); flags->chainTests.number_of_preferred_methods = number_chain_pref_methods; - flags->chainTests.preferred_methods = + flags->chainTests.preferred_methods = PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods); - - if (!flags->leafTests.cert_rev_flags_per_method - || !flags->leafTests.preferred_methods - || !flags->chainTests.cert_rev_flags_per_method - || !flags->chainTests.preferred_methods) { + + if (!flags->leafTests.cert_rev_flags_per_method || + !flags->leafTests.preferred_methods || + !flags->chainTests.cert_rev_flags_per_method || + !flags->chainTests.preferred_methods) { CERT_DestroyCERTRevocationFlags(flags); return (NULL); } - + return flags; } -void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) +void +CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) { if (!flags) - return; - + return; + if (flags->leafTests.cert_rev_flags_per_method) PORT_Free(flags->leafTests.cert_rev_flags_per_method); if (flags->leafTests.preferred_methods) PORT_Free(flags->leafTests.preferred_methods); - + if (flags->chainTests.cert_rev_flags_per_method) 
PORT_Free(flags->chainTests.cert_rev_flags_per_method); if (flags->chainTests.preferred_methods) PORT_Free(flags->chainTests.preferred_methods);
- PORT_Free(flags);
+ PORT_Free(flags);
}
/*
@@ -1984,36 +1975,37 @@ void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) * * CERT_PKIXVerifyCert(cert, &output, args */ -SECStatus CERT_PKIXVerifyCert( - CERTCertificate *cert, - SECCertificateUsage usages, - CERTValInParam *paramsIn, - CERTValOutParam *paramsOut, - void *wincx) +SECStatus +CERT_PKIXVerifyCert( + CERTCertificate *cert, + SECCertificateUsage usages, + CERTValInParam *paramsIn, + CERTValOutParam *paramsOut, + void *wincx) { - SECStatus r = SECFailure; - PKIX_Error * error = NULL; + SECStatus r = SECFailure; + PKIX_Error *error = NULL; PKIX_ProcessingParams *procParams = NULL; - PKIX_BuildResult * buildResult = NULL; - void * nbioContext = NULL; /* for non-blocking IO */ - void * buildState = NULL; /* for non-blocking IO */ - PKIX_CertSelector * certSelector = NULL; - PKIX_List * certStores = NULL; - PKIX_ValidateResult * valResult = NULL; - PKIX_VerifyNode * verifyNode = NULL; - PKIX_TrustAnchor * trustAnchor = NULL; - PKIX_PL_Cert * trustAnchorCert = NULL; - PKIX_List * builtCertList = NULL; - CERTValOutParam * oparam = NULL; - int i=0; + PKIX_BuildResult *buildResult = NULL; + void *nbioContext = NULL; /* for non-blocking IO */ + void *buildState = NULL; /* for non-blocking IO */ + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certStores = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_VerifyNode *verifyNode = NULL; + PKIX_TrustAnchor *trustAnchor = NULL; + PKIX_PL_Cert *trustAnchorCert = NULL; + PKIX_List *builtCertList = NULL; + CERTValOutParam *oparam = NULL; + int i = 0; void *plContext = NULL; #ifdef PKIX_OBJECT_LEAK_TEST - int leakedObjNum = 0; - int memLeakLoopCount = 0; - int objCountTable[PKIX_NUMTYPES]; - int fnInvLocalCount = 0; + int leakedObjNum = 0; + int memLeakLoopCount = 0; + int objCountTable[PKIX_NUMTYPES]; + int fnInvLocalCount = 0; PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; if (usePKIXValidationEngine) { 
@@ -2026,227 +2018,231 @@ SECStatus CERT_PKIXVerifyCert( testStartFnStackPosition = 1; fnStackNameArr[0] = "CERT_PKIXVerifyCert"; fnStackInvCountArr[0] = 0; - PKIX_Boolean abortOnLeak = + PKIX_Boolean abortOnLeak = (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? - PKIX_FALSE : PKIX_TRUE; + PKIX_FALSE + : PKIX_TRUE; runningLeakTest = PKIX_TRUE; /* Prevent multi-threaded run of object leak test */ fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); PORT_Assert(fnInvLocalCount == 1); -do { - r = SECFailure; - error = NULL; - procParams = NULL; - buildResult = NULL; - nbioContext = NULL; /* for non-blocking IO */ - buildState = NULL; /* for non-blocking IO */ - certSelector = NULL; - certStores = NULL; - valResult = NULL; - verifyNode = NULL; - trustAnchor = NULL; - trustAnchorCert = NULL; - builtCertList = NULL; - oparam = NULL; - i=0; - errorGenerated = PKIX_FALSE; - stackPosition = 0; - - if (leakedObjNum) { - pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); - } - memLeakLoopCount += 1; + do { + r = SECFailure; + error = NULL; + procParams = NULL; + buildResult = NULL; + nbioContext = NULL; /* for non-blocking IO */ + buildState = NULL; /* for non-blocking IO */ + certSelector = NULL; + certStores = NULL; + valResult = NULL; + verifyNode = NULL; + trustAnchor = NULL; + trustAnchorCert = NULL; + builtCertList = NULL; + oparam = NULL; + i = 0; + errorGenerated = PKIX_FALSE; + stackPosition = 0; + + if (leakedObjNum) { + pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); + } + memLeakLoopCount += 1; #endif /* PKIX_OBJECT_LEAK_TEST */ - error = PKIX_PL_NssContext_Create( + error = PKIX_PL_NssContext_Create( 0, PR_FALSE /*use arena*/, wincx, &plContext); - if (error != NULL) { /* need pkix->nss error map */ - PORT_SetError(SEC_ERROR_CERT_NOT_VALID); - goto cleanup; - } + if (error != NULL) { /* need pkix->nss error map */ + PORT_SetError(SEC_ERROR_CERT_NOT_VALID); + goto cleanup; + } - error = pkix_pl_NssContext_SetCertUsage(usages, 
plContext); - if (error != NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto cleanup; - } + error = pkix_pl_NssContext_SetCertUsage(usages, plContext); + if (error != NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto cleanup; + } - error = PKIX_ProcessingParams_Create(&procParams, plContext); - if (error != NULL) { /* need pkix->nss error map */ - PORT_SetError(SEC_ERROR_CERT_NOT_VALID); - goto cleanup; - } + error = PKIX_ProcessingParams_Create(&procParams, plContext); + if (error != NULL) { /* need pkix->nss error map */ + PORT_SetError(SEC_ERROR_CERT_NOT_VALID); + goto cleanup; + } - /* local cert store should be set into procParams before - * filling in revocation settings. */ - certStores = cert_GetCertStores(plContext); - if (certStores == NULL) { - goto cleanup; - } - error = PKIX_ProcessingParams_SetCertStores - (procParams, certStores, plContext); - if (error != NULL) { - goto cleanup; - } + /* local cert store should be set into procParams before + * filling in revocation settings. 
*/ + certStores = cert_GetCertStores(plContext); + if (certStores == NULL) { + goto cleanup; + } + error = PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext); + if (error != NULL) { + goto cleanup; + } - /* now process the extensible input parameters structure */ - if (paramsIn != NULL) { - i=0; - while (paramsIn[i].type != cert_pi_end) { - if (paramsIn[i].type >= cert_pi_max) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto cleanup; - } - if (cert_pkixSetParam(procParams, - ¶msIn[i],plContext) != SECSuccess) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto cleanup; + /* now process the extensible input parameters structure */ + if (paramsIn != NULL) { + i = 0; + while (paramsIn[i].type != cert_pi_end) { + if (paramsIn[i].type >= cert_pi_max) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto cleanup; + } + if (cert_pkixSetParam(procParams, + ¶msIn[i], plContext) != + SECSuccess) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto cleanup; + } + i++; } - i++; } - } - certSelector = cert_GetTargetCertConstraints(cert, plContext); - if (certSelector == NULL) { - goto cleanup; - } - error = PKIX_ProcessingParams_SetTargetCertConstraints - (procParams, certSelector, plContext); - if (error != NULL) { - goto cleanup; - } - - error = PKIX_BuildChain( procParams, &nbioContext, - &buildState, &buildResult, &verifyNode, - plContext); - if (error != NULL) { - goto cleanup; - } + certSelector = cert_GetTargetCertConstraints(cert, plContext); + if (certSelector == NULL) { + goto cleanup; + } + error = PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext); + if (error != NULL) { + goto cleanup; + } - error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult, - plContext); - if (error != NULL) { - goto cleanup; - } + error = PKIX_BuildChain(procParams, &nbioContext, + &buildState, &buildResult, &verifyNode, + plContext); + if (error != NULL) { + goto cleanup; + } - error = PKIX_ValidateResult_GetTrustAnchor( valResult, 
&trustAnchor, - plContext); - if (error != NULL) { - goto cleanup; - } + error = PKIX_BuildResult_GetValidateResult(buildResult, &valResult, + plContext); + if (error != NULL) { + goto cleanup; + } - if (trustAnchor != NULL) { - error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert, - plContext); + error = PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor, + plContext); if (error != NULL) { goto cleanup; } - } + + if (trustAnchor != NULL) { + error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCert, + plContext); + if (error != NULL) { + goto cleanup; + } + } #ifdef PKIX_OBJECT_LEAK_TEST - /* Can not continue if error was generated but not returned. - * Jumping to cleanup. */ - if (errorGenerated) goto cleanup; + /* Can not continue if error was generated but not returned. + * Jumping to cleanup. */ + if (errorGenerated) + goto cleanup; #endif /* PKIX_OBJECT_LEAK_TEST */ - oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); - if (oparam != NULL) { - if (trustAnchorCert != NULL) { - oparam->value.pointer.cert = + oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); + if (oparam != NULL) { + if (trustAnchorCert != NULL) { + oparam->value.pointer.cert = cert_NSSCertFromPKIXCert(trustAnchorCert); - } else { - oparam->value.pointer.cert = NULL; + } + else { + oparam->value.pointer.cert = NULL; + } } - } - error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList, - plContext); - if (error != NULL) { - goto cleanup; - } + error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList, + plContext); + if (error != NULL) { + goto cleanup; + } - oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); - if (oparam != NULL) { - error = cert_PkixToNssCertsChain(builtCertList, - &oparam->value.pointer.chain, - plContext); - if (error) goto cleanup; - } + oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); + if (oparam != NULL) { + error = 
cert_PkixToNssCertsChain(builtCertList, + &oparam->value.pointer.chain, + plContext); + if (error) + goto cleanup; + } - r = SECSuccess; + r = SECSuccess; -cleanup: - if (verifyNode) { - /* Return validation log only upon error. */ - oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); + cleanup: + if (verifyNode) { + /* Return validation log only upon error. */ + oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); #ifdef PKIX_OBJECT_LEAK_TEST - if (!errorGenerated) + if (!errorGenerated) #endif /* PKIX_OBJECT_LEAK_TEST */ - if (r && oparam != NULL) { - PKIX_Error *tmpError = - cert_GetLogFromVerifyNode(oparam->value.pointer.log, - verifyNode, plContext); - if (tmpError) { - PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); - } + if (r && oparam != NULL) { + PKIX_Error *tmpError = + cert_GetLogFromVerifyNode(oparam->value.pointer.log, + verifyNode, plContext); + if (tmpError) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); + } + } + PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); } - PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); - } - if (procParams != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); + if (procParams != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); - if (trustAnchorCert != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext); + if (trustAnchorCert != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext); - if (trustAnchor != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); + if (trustAnchor != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); - if (valResult != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext); + if (valResult != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext); - if (buildResult != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext); + if 
(buildResult != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext); - if (certStores != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); + if (certStores != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); - if (certSelector != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); + if (certSelector != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); - if (builtCertList != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext); + if (builtCertList != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext); - if (error != NULL) { - SECErrorCodes nssErrorCode = 0; + if (error != NULL) { + SECErrorCodes nssErrorCode = 0; - cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); - cert_pkixDestroyValOutParam(paramsOut); - PORT_SetError(nssErrorCode); - PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); - } + cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); + cert_pkixDestroyValOutParam(paramsOut); + PORT_SetError(nssErrorCode); + PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); + } - PKIX_PL_NssContext_Destroy(plContext); + PKIX_PL_NssContext_Destroy(plContext); #ifdef PKIX_OBJECT_LEAK_TEST - leakedObjNum = - pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); + leakedObjNum = + pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); - if (pkixLog && leakedObjNum) { - PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." - "Stack %s\n", memLeakLoopCount, errorFnStackString)); - } - PR_Free(errorFnStackString); - errorFnStackString = NULL; - if (abortOnLeak) { - PORT_Assert(leakedObjNum == 0); - } - -} while (errorGenerated); + if (pkixLog && leakedObjNum) { + PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." 
+ "Stack %s\n", + memLeakLoopCount, errorFnStackString)); + } + PR_Free(errorFnStackString); + errorFnStackString = NULL; + if (abortOnLeak) { + PORT_Assert(leakedObjNum == 0); + } + + } while (errorGenerated); - runningLeakTest = PKIX_FALSE; + runningLeakTest = PKIX_FALSE; PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); usePKIXValidationEngine = savedUsePkixEngFlag; #endif /* PKIX_OBJECT_LEAK_TEST */ diff --git a/lib/certhigh/crlv2.c b/lib/certhigh/crlv2.c index 7d8dbb9fa..beb90cbe2 100644 --- a/lib/certhigh/crlv2.c +++ b/lib/certhigh/crlv2.c @@ -17,17 +17,15 @@ SECStatus CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value) { - return (cert_FindExtensionByOID (crl->extensions, oid, value)); + return (cert_FindExtensionByOID(crl->extensions, oid, value)); } - SECStatus CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value) { - return (cert_FindExtension (crl->extensions, tag, value)); + return (cert_FindExtension(crl->extensions, tag, value)); } - /* Callback to set extensions and adjust verison */ static void SetCrlExts(void *object, CERTCertExtension **exts) @@ -35,13 +33,13 @@ SetCrlExts(void *object, CERTCertExtension **exts) CERTCrl *crl = (CERTCrl *)object; crl->extensions = exts; - DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2); + DER_SetUInteger(crl->arena, &crl->version, SEC_CRL_VERSION_2); } void * CERT_StartCRLExtensions(CERTCrl *crl) { - return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts)); + return (cert_StartExtensions((void *)crl, crl->arena, SetCrlExts)); } static void 
@@ -55,11 +53,12 @@ SetCrlEntryExts(void *object, CERTCertExtension **exts) void * CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry) { - return (cert_StartExtensions (entry, crl->arena, SetCrlEntryExts)); + return (cert_StartExtensions(entry, crl->arena, SetCrlEntryExts)); } -SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl, - SECItem *value) +SECStatus +CERT_FindCRLNumberExten(PLArenaPool *arena, CERTCrl *crl, + SECItem *value) { SECItem encodedExtenValue; SECItem *tmpItem = NULL; 
@@ -70,91 +69,94 @@ SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl, encodedExtenValue.len = 0; rv = cert_FindExtension(crl->extensions, SEC_OID_X509_CRL_NUMBER, - &encodedExtenValue); - if ( rv != SECSuccess ) - return (rv); + &encodedExtenValue); + if (rv != SECSuccess) + return (rv); mark = PORT_ArenaMark(arena); tmpItem = SECITEM_ArenaDupItem(arena, &encodedExtenValue); if (tmpItem) { - rv = SEC_QuickDERDecodeItem (arena, value, - SEC_ASN1_GET(SEC_IntegerTemplate), - tmpItem); - } else { + rv = SEC_QuickDERDecodeItem(arena, value, + SEC_ASN1_GET(SEC_IntegerTemplate), + tmpItem); + } + else { rv = SECFailure; } - PORT_Free (encodedExtenValue.data); + PORT_Free(encodedExtenValue.data); if (rv == SECFailure) { PORT_ArenaRelease(arena, mark); - } else { + } + else { PORT_ArenaUnmark(arena, mark); } return (rv); } -SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, - CERTCRLEntryReasonCode *value) +SECStatus +CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry, + CERTCRLEntryReasonCode *value) { - SECItem wrapperItem = {siBuffer,0}; - SECItem tmpItem = {siBuffer,0}; + SECItem wrapperItem = { siBuffer, 0 }; + SECItem tmpItem = { siBuffer, 0 }; SECStatus rv; PLArenaPool *arena = NULL; - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( ! 
arena ) { - return(SECFailure); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return (SECFailure); } - - rv = cert_FindExtension(crlEntry->extensions, SEC_OID_X509_REASON_CODE, + + rv = cert_FindExtension(crlEntry->extensions, SEC_OID_X509_REASON_CODE, &wrapperItem); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } rv = SEC_QuickDERDecodeItem(arena, &tmpItem, SEC_ASN1_GET(SEC_EnumeratedTemplate), &wrapperItem); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } - *value = (CERTCRLEntryReasonCode) DER_GetInteger(&tmpItem); + *value = (CERTCRLEntryReasonCode)DER_GetInteger(&tmpItem); loser: - if ( arena ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); } - - if ( wrapperItem.data ) { - PORT_Free(wrapperItem.data); + + if (wrapperItem.data) { + PORT_Free(wrapperItem.data); } return (rv); } -SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value) +SECStatus +CERT_FindInvalidDateExten(CERTCrl *crl, PRTime *value) { SECItem encodedExtenValue; - SECItem decodedExtenValue = {siBuffer,0}; + SECItem decodedExtenValue = { siBuffer, 0 }; SECStatus rv; encodedExtenValue.data = decodedExtenValue.data = NULL; encodedExtenValue.len = decodedExtenValue.len = 0; - rv = cert_FindExtension - (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue); - if ( rv != SECSuccess ) - return (rv); + rv = cert_FindExtension(crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue); + if (rv != SECSuccess) + return (rv); - rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue, - SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), - &encodedExtenValue); + rv = SEC_ASN1DecodeItem(NULL, &decodedExtenValue, + SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), + &encodedExtenValue); if (rv == SECSuccess) - rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue); - PORT_Free (decodedExtenValue.data); - PORT_Free (encodedExtenValue.data); + rv = 
DER_GeneralizedTimeToTime(value, &encodedExtenValue); + PORT_Free(decodedExtenValue.data); + PORT_Free(encodedExtenValue.data); return (rv); } diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c index 86ae0a063..e6c9c219e 100644 --- a/lib/certhigh/ocsp.c +++ b/lib/certhigh/ocsp.c @@ -33,13 +33,13 @@ #include "ocspi.h" #include "genname.h" #include "certxutl.h" -#include "pk11func.h" /* for PK11_HashBuf */ +#include "pk11func.h" /* for PK11_HashBuf */ #include <stdarg.h> #include <plhash.h> #define DEFAULT_OCSP_CACHE_SIZE 1000 -#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1*60*60L -#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24*60*60L +#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1 * 60 * 60L +#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24 * 60 * 60L #define DEFAULT_OSCP_TIMEOUT_SECONDS 60 #define MICROSECONDS_PER_SECOND 1000000L 
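Review bot: In CERT_FindInvalidDateExten, decodedExtenValue is filled by SEC_ASN1DecodeItem but never read: the next line hands DER_GeneralizedTimeToTime the still-encoded item, `rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);`. Unless DER_GeneralizedTimeToTime is meant to accept the tagged encoding (which would make the decode step above redundant), this looks like it should be `rv = DER_GeneralizedTimeToTime(value, &decodedExtenValue);`; the sibling CERT_FindCRLNumberExten in this hunk decodes the extension value before interpreting it, which supports that reading. Separately, CERT_FindCRLEntryReasonExten assigns `DER_GetInteger(&tmpItem)` into *value without checking for a decode failure, so however DER_GetInteger signals a malformed integer in-band, that value is reported to the caller with rv still SECSuccess; a `PORT_GetError()` or `tmpItem.len` check before the cast would make the failure explicit.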
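Review bot: The two fetch-interval macros remain unparenthesized after the reformat, `1 * 60 * 60L` and `24 * 60 * 60L`; they are only used as initializers of OCSP_Global in this diff, but any later use next to a higher-precedence operator or a cast would silently miscompute. Wrapping them is a one-line change each: `#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT (1 * 60 * 60L)` and `#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT (24 * 60 * 60L)`.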
@@ -89,48 +89,45 @@ static struct OCSPGlobalStruct { SEC_OcspFailureMode ocspFailureMode; CERT_StringFromCertFcn alternateOCSPAIAFcn; PRBool forcePost; -} OCSP_Global = { NULL, - NULL, - DEFAULT_OCSP_CACHE_SIZE, +} OCSP_Global = { NULL, + NULL, + DEFAULT_OCSP_CACHE_SIZE, DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, DEFAULT_OSCP_TIMEOUT_SECONDS, - {NULL, 0, NULL, NULL}, + { NULL, 0, NULL, NULL }, ocspMode_FailureIsVerificationFailure, NULL, - PR_FALSE - }; - - + PR_FALSE }; /* Forward declarations */ static SECItem * -ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, +ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, CERTOCSPRequest *request, const char *location, - const char *method, - PRTime time, + const char *method, + PRTime time, PRBool addServiceLocator, void *pwArg, CERTOCSPRequest **pRequest); static SECStatus -ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, - CERTOCSPCertID *certID, - CERTCertificate *cert, - PRTime time, +ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, + CERTOCSPCertID *certID, + CERTCertificate *cert, + PRTime time, void *pwArg, PRBool *certIDWasConsumed, SECStatus *rv_ocsp); static SECStatus ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, - CERTOCSPCertID *certID, - CERTCertificate *cert, - PRTime time, - void *pwArg, - const SECItem *encodedResponse, - CERTOCSPResponse **pDecodedResponse, - CERTOCSPSingleResponse **pSingle); + CERTOCSPCertID *certID, + CERTCertificate *cert, + PRTime time, + void *pwArg, + const SECItem *encodedResponse, + CERTOCSPResponse **pDecodedResponse, + CERTOCSPSingleResponse **pSingle); static SECStatus ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time); 
@@ -149,12 +146,13 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src); #define OCSP_TRACE_CERT(cert) dumpCertificate(cert) #define OCSP_TRACE_CERTID(certid) dumpCertID(certid) -#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \ - || defined(XP_MACOSX) +#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) || \ + defined(XP_MACOSX) #define NSS_HAVE_GETENV 1 #endif -static PRBool wantOcspTrace(void) +static PRBool +wantOcspTrace(void) { static PRBool firstTime = PR_TRUE; static PRBool wantTrace = PR_FALSE; @@ -176,7 +174,7 @@ ocsp_Trace(const char *format, ...) { char buf[2000]; va_list args; - + if (!wantOcspTrace()) return; va_start(args, format); @@ -208,7 +206,8 @@ printHexString(const char *prefix, SECItem *hexval) for (i = 0; i < hexval->len; i++) { if (i != hexval->len - 1) { hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); - } else { + } + else { hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); } } @@ -235,10 +234,10 @@ dumpCertificate(CERTCertificate *cert) DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter); PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable); PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable); - rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", - &beforePrintable); - rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", - &afterPrintable); + rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", + &beforePrintable); + rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", + &afterPrintable); ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "", rv2 ? afterstr : ""); } 
@@ -261,27 +260,27 @@ SECStatus SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable) { if (!OCSP_Global.monitor) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } - + PR_EnterMonitor(OCSP_Global.monitor); OCSP_Global.defaultHttpClientFcn = fcnTable; PR_ExitMonitor(OCSP_Global.monitor); - + return SECSuccess; } SECStatus CERT_RegisterAlternateOCSPAIAInfoCallBack( - CERT_StringFromCertFcn newCallback, - CERT_StringFromCertFcn * oldCallback) + CERT_StringFromCertFcn newCallback, + CERT_StringFromCertFcn *oldCallback) { CERT_StringFromCertFcn old; if (!OCSP_Global.monitor) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } PR_EnterMonitor(OCSP_Global.monitor); @@ -289,7 +288,7 @@ CERT_RegisterAlternateOCSPAIAInfoCallBack( OCSP_Global.alternateOCSPAIAFcn = newCallback; PR_ExitMonitor(OCSP_Global.monitor); if (oldCallback) - *oldCallback = old; + *oldCallback = old; return SECSuccess; } @@ -300,18 +299,18 @@ ocsp_CacheKeyHashFunction(const void *key) PLHashNumber hash = 0; unsigned int i; unsigned char *walk; - + /* a very simple hash calculation for the initial coding phase */ - walk = (unsigned char*)cid->issuerNameHash.data; - for (i=0; i < cid->issuerNameHash.len; ++i, ++walk) { + walk = (unsigned char *)cid->issuerNameHash.data; + for (i = 0; i < cid->issuerNameHash.len; ++i, ++walk) { hash += *walk; } - walk = (unsigned char*)cid->issuerKeyHash.data; - for (i=0; i < cid->issuerKeyHash.len; ++i, ++walk) { + walk = (unsigned char *)cid->issuerKeyHash.data; + for (i = 0; i < cid->issuerKeyHash.len; ++i, ++walk) { hash += *walk; } - walk = (unsigned char*)cid->serialNumber.data; - for (i=0; i < cid->serialNumber.len; ++i, ++walk) { + walk = (unsigned char *)cid->serialNumber.data; + for (i = 0; i < cid->serialNumber.len; ++i, ++walk) { hash += *walk; } return hash; 
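Review bot: ocsp_CacheKeyHashFunction sums the bytes of the three key items, so any permutation of the same bytes, or the same bytes split differently across issuerNameHash, issuerKeyHash and serialNumber, hashes identically, and the comment at the top of the hunk already describes it as a placeholder from the initial coding phase. A cheap mixing step in each of the three loops keeps the function self-contained while making such collisions far less likely: `hash = hash * 31 + *walk;` in place of `hash += *walk;`. The table appears to be process-local, so the value need not be stable across runs, but confirm nothing persists or compares these hash numbers before changing them; otherwise the comment should at least state that the weak hash is deliberate.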
@@ -322,13 +321,13 @@ ocsp_CacheKeyCompareFunction(const void *v1, const void *v2) { CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1; CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2; - - return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash, - &cid2->issuerNameHash) - && SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash, - &cid2->issuerKeyHash) - && SECEqual == SECITEM_CompareItem(&cid1->serialNumber, - &cid2->serialNumber)); + + return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash, + &cid2->issuerNameHash) && + SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash, + &cid2->issuerKeyHash) && + SECEqual == SECITEM_CompareItem(&cid1->serialNumber, + &cid2->serialNumber)); } static SECStatus @@ -337,32 +336,33 @@ ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest, { SECStatus rv = SECFailure; void *mark; - + mark = PORT_ArenaMark(arena); - - dest->certStatusInfo.revokedInfo = - (ocspRevokedInfo *) PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo)); + + dest->certStatusInfo.revokedInfo = + (ocspRevokedInfo *)PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo)); if (!dest->certStatusInfo.revokedInfo) { goto loser; } - - rv = SECITEM_CopyItem(arena, - &dest->certStatusInfo.revokedInfo->revocationTime, + + rv = SECITEM_CopyItem(arena, + &dest->certStatusInfo.revokedInfo->revocationTime, &src->revocationTime); if (rv != SECSuccess) { goto loser; } - + if (src->revocationReason) { - dest->certStatusInfo.revokedInfo->revocationReason = + dest->certStatusInfo.revokedInfo->revocationReason = SECITEM_ArenaDupItem(arena, src->revocationReason); if (!dest->certStatusInfo.revokedInfo->revocationReason) { goto loser; } - } else { + } + else { dest->certStatusInfo.revokedInfo->revocationReason = NULL; } - + PORT_ArenaUnmark(arena, mark); return SECSuccess; 
@@ -373,39 +373,39 @@ loser: static SECStatus ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest, - ocspCertStatus*src) + ocspCertStatus *src) { SECStatus rv = SECFailure; dest->certStatusType = src->certStatusType; - + switch (src->certStatusType) { - case ocspCertStatus_good: - dest->certStatusInfo.goodInfo = - SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo); - if (dest->certStatusInfo.goodInfo != NULL) { - rv = SECSuccess; - } - break; - case ocspCertStatus_revoked: - rv = ocsp_CopyRevokedInfo(arena, dest, - src->certStatusInfo.revokedInfo); - break; - case ocspCertStatus_unknown: - dest->certStatusInfo.unknownInfo = - SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo); - if (dest->certStatusInfo.unknownInfo != NULL) { - rv = SECSuccess; - } - break; - case ocspCertStatus_other: - default: - PORT_Assert(src->certStatusType == ocspCertStatus_other); - dest->certStatusInfo.otherInfo = - SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo); - if (dest->certStatusInfo.otherInfo != NULL) { - rv = SECSuccess; - } - break; + case ocspCertStatus_good: + dest->certStatusInfo.goodInfo = + SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo); + if (dest->certStatusInfo.goodInfo != NULL) { + rv = SECSuccess; + } + break; + case ocspCertStatus_revoked: + rv = ocsp_CopyRevokedInfo(arena, dest, + src->certStatusInfo.revokedInfo); + break; + case ocspCertStatus_unknown: + dest->certStatusInfo.unknownInfo = + SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo); + if (dest->certStatusInfo.unknownInfo != NULL) { + rv = SECSuccess; + } + break; + case ocspCertStatus_other: + default: + PORT_Assert(src->certStatusType == ocspCertStatus_other); + dest->certStatusInfo.otherInfo = + SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo); + if (dest->certStatusInfo.otherInfo != NULL) { + rv = SECSuccess; + } + break; } return rv; } 
@@ -453,7 +453,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item) } PORT_Assert(cache->numberOfEntries > 1); - + if (item == cache->LRUitem) { PORT_Assert(item != cache->MRUitem); PORT_Assert(item->lessRecent == NULL); @@ -468,7 +468,8 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item) PORT_Assert(item->lessRecent->moreRecent == item); cache->MRUitem = item->lessRecent; cache->MRUitem->moreRecent = NULL; - } else { + } + else { /* remove an entry in the middle of the list */ PORT_Assert(item->moreRecent != NULL); PORT_Assert(item->lessRecent != NULL); @@ -487,7 +488,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item) static void ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_recent) { - OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n", + OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n", PR_GetCurrentThread())); PR_EnterMonitor(OCSP_Global.monitor); if (cache->MRUitem == new_most_recent) { @@ -504,7 +505,7 @@ ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_rece static PRBool ocsp_IsCacheDisabled(void) { - /* + /* * maxCacheEntries == 0 means unlimited cache entries * maxCacheEntries < 0 means cache is disabled */ @@ -524,12 +525,12 @@ ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID) PR_EnterMonitor(OCSP_Global.monitor); if (ocsp_IsCacheDisabled()) goto loser; - + found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup( - cache->entries, certID); + cache->entries, certID); if (!found_ocsp_item) goto loser; - + OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n")); ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item); 
@@ -556,7 +557,7 @@ ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item) { /* The item we're removing could be either the least recently used item, * or it could be an item that couldn't get updated with newer status info - * because of an allocation failure, or it could get removed because we're + * because of an allocation failure, or it could get removed because we're * cleaning up. */ OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread())); @@ -586,8 +587,8 @@ ocsp_CheckCacheSize(OCSPCacheData *cache) /* Cache is not disabled. Number of cache entries is limited. * The monitor ensures that maxCacheEntries remains positive. */ - while (cache->numberOfEntries > - (PRUint32)OCSP_Global.maxCacheEntries) { + while (cache->numberOfEntries > + (PRUint32)OCSP_Global.maxCacheEntries) { ocsp_RemoveCacheItem(cache, cache->LRUitem); } } @@ -600,7 +601,7 @@ CERT_ClearOCSPCache(void) OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n")); PR_EnterMonitor(OCSP_Global.monitor); while (OCSP_Global.cache.numberOfEntries > 0) { - ocsp_RemoveCacheItem(&OCSP_Global.cache, + ocsp_RemoveCacheItem(&OCSP_Global.cache, OCSP_Global.cache.LRUitem); } PR_ExitMonitor(OCSP_Global.monitor); 
@@ -609,30 +610,30 @@ CERT_ClearOCSPCache(void) static SECStatus ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache, - CERTOCSPCertID *certID, + CERTOCSPCertID *certID, OCSPCacheItem **pCacheItem) { PLArenaPool *arena; void *mark; PLHashEntry *new_hash_entry; OCSPCacheItem *item; - + PORT_Assert(pCacheItem != NULL); *pCacheItem = NULL; PR_EnterMonitor(OCSP_Global.monitor); arena = certID->poolp; mark = PORT_ArenaMark(arena); - + /* ZAlloc will init all Bools to False and all Pointers to NULL and all error codes to zero/good. */ - item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, + item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, sizeof(OCSPCacheItem)); if (!item) { - goto loser; + goto loser; } item->certID = certID; - new_hash_entry = PL_HashTableAdd(cache->entries, item->certID, + new_hash_entry = PL_HashTableAdd(cache->entries, item->certID, item); if (!new_hash_entry) { goto loser; @@ -644,7 +645,7 @@ ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache, PR_ExitMonitor(OCSP_Global.monitor); return SECSuccess; - + loser: PORT_ArenaRelease(arena, mark); PR_ExitMonitor(OCSP_Global.monitor); @@ -666,7 +667,7 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item, if (item->certStatusArena == NULL) { return SECFailure; } - rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus, + rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus, response->certStatus); if (rv != SECSuccess) { PORT_FreeArena(item->certStatusArena, PR_FALSE); 
@@ -674,14 +675,15 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item, return rv; } item->missingResponseError = 0; - rv = DER_GeneralizedTimeToTime(&item->thisUpdate, + rv = DER_GeneralizedTimeToTime(&item->thisUpdate, &response->thisUpdate); item->haveThisUpdate = (rv == SECSuccess); if (response->nextUpdate) { - rv = DER_GeneralizedTimeToTime(&item->nextUpdate, + rv = DER_GeneralizedTimeToTime(&item->nextUpdate, response->nextUpdate); item->haveNextUpdate = (rv == SECSuccess); - } else { + } + else { item->haveNextUpdate = PR_FALSE; } } 
@@ -694,60 +696,61 @@ ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem) PRTime now; PRTime earliestAllowedNextFetchAttemptTime; PRTime latestTimeWhenResponseIsConsideredFresh; - + OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n")); PR_EnterMonitor(OCSP_Global.monitor); - + now = PR_Now(); OCSP_TRACE_TIME("now:", now); - + if (cacheItem->haveThisUpdate) { OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate); latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate + - OCSP_Global.maximumSecondsToNextFetchAttempt * - MICROSECONDS_PER_SECOND; - OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", + OCSP_Global.maximumSecondsToNextFetchAttempt * + MICROSECONDS_PER_SECOND; + OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", latestTimeWhenResponseIsConsideredFresh); - } else { + } + else { latestTimeWhenResponseIsConsideredFresh = now + - OCSP_Global.minimumSecondsToNextFetchAttempt * - MICROSECONDS_PER_SECOND; + OCSP_Global.minimumSecondsToNextFetchAttempt * + MICROSECONDS_PER_SECOND; OCSP_TRACE_TIME("no thisUpdate, " - "latestTimeWhenResponseIsConsideredFresh:", + "latestTimeWhenResponseIsConsideredFresh:", latestTimeWhenResponseIsConsideredFresh); } - + if (cacheItem->haveNextUpdate) { OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate); } - + if (cacheItem->haveNextUpdate && cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) { latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate; OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting " - "latestTimeWhenResponseIsConsideredFresh:", + "latestTimeWhenResponseIsConsideredFresh:", latestTimeWhenResponseIsConsideredFresh); } - + earliestAllowedNextFetchAttemptTime = now + - OCSP_Global.minimumSecondsToNextFetchAttempt * - MICROSECONDS_PER_SECOND; - OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:", + OCSP_Global.minimumSecondsToNextFetchAttempt * + MICROSECONDS_PER_SECOND; + 
OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:", earliestAllowedNextFetchAttemptTime); - - if (latestTimeWhenResponseIsConsideredFresh < + + if (latestTimeWhenResponseIsConsideredFresh < earliestAllowedNextFetchAttemptTime) { - latestTimeWhenResponseIsConsideredFresh = + latestTimeWhenResponseIsConsideredFresh = earliestAllowedNextFetchAttemptTime; - OCSP_TRACE_TIME("latest < earliest, setting latest to:", + OCSP_TRACE_TIME("latest < earliest, setting latest to:", latestTimeWhenResponseIsConsideredFresh); } - - cacheItem->nextFetchAttemptTime = + + cacheItem->nextFetchAttemptTime = latestTimeWhenResponseIsConsideredFresh; - OCSP_TRACE_TIME("nextFetchAttemptTime", - latestTimeWhenResponseIsConsideredFresh); + OCSP_TRACE_TIME("nextFetchAttemptTime", + latestTimeWhenResponseIsConsideredFresh); PR_ExitMonitor(OCSP_Global.monitor); } @@ -776,14 +779,14 @@ ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem) } /* - * Status in *certIDWasConsumed will always be correct, regardless of + * Status in *certIDWasConsumed will always be correct, regardless of * return value. * If the caller is unable to transfer ownership of certID, * then the caller must set certIDWasConsumed to NULL, * and this function will potentially duplicate the certID object. */ static SECStatus -ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, +ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID, CERTOCSPSingleResponse *single, PRBool *certIDWasConsumed) @@ -791,13 +794,13 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, SECStatus rv; OCSPCacheItem *cacheItem; OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n")); - + if (certIDWasConsumed) *certIDWasConsumed = PR_FALSE; - + PR_EnterMonitor(OCSP_Global.monitor); PORT_Assert(OCSP_Global.maxCacheEntries >= 0); - + cacheItem = ocsp_FindCacheEntry(cache, certID); /* Don't replace an unknown or revoked entry with an error entry, even if 
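Review bot: The seconds-to-microseconds products in this hunk, e.g. `OCSP_Global.maximumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND`, multiply a PRUint32 by a constant whose type is not visible here; if MICROSECONDS_PER_SECOND is a 32-bit constant the product wraps before it is widened to the PRTime it is added to, so values above roughly 4294 seconds would silently push latestTimeWhenResponseIsConsideredFresh and earliestAllowedNextFetchAttemptTime into the past or the far future. Casting first, `(PRTime)OCSP_Global.maximumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND`, at all three sites in this hunk makes the arithmetic independent of the macro's type. The values come from CERT_OCSPCacheSettings (the -886 hunk), which checks min against max and maxCacheEntries against -1 but does not bound the seconds values at all; a range check there, rejecting anything that cannot be scaled to microseconds without overflow, would close the same gap at the API edge. ocsp_FreshenCacheItemNextFetchAttemptTime starts before this hunk.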
@@ -817,7 +820,8 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, if (certIDWasConsumed) { myCertID = certID; *certIDWasConsumed = PR_TRUE; - } else { + } + else { myCertID = cert_DupOCSPCertID(certID); if (!myCertID) { PR_ExitMonitor(OCSP_Global.monitor); @@ -845,11 +849,13 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, PR_ExitMonitor(OCSP_Global.monitor); return rv; } - } else { + } + else { OCSP_TRACE(("Not caching response because the response is not " "newer than the cache")); } - } else { + } + else { cacheItem->missingResponseError = PORT_GetError(); if (cacheItem->certStatusArena) { PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE); @@ -867,12 +873,12 @@ extern SECStatus CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode) { switch (ocspFailureMode) { - case ocspMode_FailureIsVerificationFailure: - case ocspMode_FailureIsNotAVerificationFailure: - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + case ocspMode_FailureIsVerificationFailure: + case ocspMode_FailureIsNotAVerificationFailure: + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } PR_EnterMonitor(OCSP_Global.monitor); 
@@ -886,39 +892,41 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, PRUint32 minimumSecondsToNextFetchAttempt, PRUint32 maximumSecondsToNextFetchAttempt) { - if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt - || maxCacheEntries < -1) { + if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt || + maxCacheEntries < -1) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - + PR_EnterMonitor(OCSP_Global.monitor); - + if (maxCacheEntries < 0) { OCSP_Global.maxCacheEntries = -1; /* disable cache */ - } else if (maxCacheEntries == 0) { + } + else if (maxCacheEntries == 0) { OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */ - } else { + } + else { OCSP_Global.maxCacheEntries = maxCacheEntries; } - - if (minimumSecondsToNextFetchAttempt < - OCSP_Global.minimumSecondsToNextFetchAttempt - || maximumSecondsToNextFetchAttempt < + + if (minimumSecondsToNextFetchAttempt < + OCSP_Global.minimumSecondsToNextFetchAttempt || + maximumSecondsToNextFetchAttempt < OCSP_Global.maximumSecondsToNextFetchAttempt) { /* - * Ensure our existing cache entries are not used longer than the + * Ensure our existing cache entries are not used longer than the * new settings allow, we're lazy and just clear the cache */ CERT_ClearOCSPCache(); } - - OCSP_Global.minimumSecondsToNextFetchAttempt = + + OCSP_Global.minimumSecondsToNextFetchAttempt = minimumSecondsToNextFetchAttempt; - OCSP_Global.maximumSecondsToNextFetchAttempt = + OCSP_Global.maximumSecondsToNextFetchAttempt = maximumSecondsToNextFetchAttempt; ocsp_CheckCacheSize(&OCSP_Global.cache); - + PR_ExitMonitor(OCSP_Global.monitor); return SECSuccess; } @@ -932,7 +940,8 @@ CERT_SetOCSPTimeout(PRUint32 seconds) } /* this function is called at NSS initialization time */ -SECStatus OCSP_InitGlobal(void) +SECStatus +OCSP_InitGlobal(void) { SECStatus rv = SECFailure; 
@@ -944,18 +953,19 @@ SECStatus OCSP_InitGlobal(void) PR_EnterMonitor(OCSP_Global.monitor); if (!OCSP_Global.cache.entries) { - OCSP_Global.cache.entries = - PL_NewHashTable(0, - ocsp_CacheKeyHashFunction, - ocsp_CacheKeyCompareFunction, - PL_CompareValues, - NULL, + OCSP_Global.cache.entries = + PL_NewHashTable(0, + ocsp_CacheKeyHashFunction, + ocsp_CacheKeyCompareFunction, + PL_CompareValues, + NULL, NULL); OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure; OCSP_Global.cache.numberOfEntries = 0; OCSP_Global.cache.MRUitem = NULL; OCSP_Global.cache.LRUitem = NULL; - } else { + } + else { /* * NSS might call this function twice while attempting to init. * But it's not allowed to call this again after any activity. @@ -969,7 +979,8 @@ SECStatus OCSP_InitGlobal(void) return rv; } -SECStatus OCSP_ShutdownGlobal(void) +SECStatus +OCSP_ShutdownGlobal(void) { if (!OCSP_Global.monitor) return SECSuccess; @@ -986,12 +997,12 @@ SECStatus OCSP_ShutdownGlobal(void) OCSP_Global.defaultHttpClientFcn = NULL; OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE; - OCSP_Global.minimumSecondsToNextFetchAttempt = - DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; + OCSP_Global.minimumSecondsToNextFetchAttempt = + DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; OCSP_Global.maximumSecondsToNextFetchAttempt = - DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; + DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; OCSP_Global.ocspFailureMode = - ocspMode_FailureIsVerificationFailure; + ocspMode_FailureIsVerificationFailure; PR_ExitMonitor(OCSP_Global.monitor); PR_DestroyMonitor(OCSP_Global.monitor); 
@@ -1000,22 +1011,23 @@ SECStatus OCSP_ShutdownGlobal(void) } /* - * A return value of NULL means: + * A return value of NULL means: * The application did not register it's own HTTP client. */ -const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient(void) +const SEC_HttpClientFcn * +SEC_GetRegisteredHttpClient(void) { const SEC_HttpClientFcn *retval; if (!OCSP_Global.monitor) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return NULL; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; } PR_EnterMonitor(OCSP_Global.monitor); retval = OCSP_Global.defaultHttpClientFcn; PR_ExitMonitor(OCSP_Global.monitor); - + return retval; } @@ -1057,7 +1069,6 @@ extern const SEC_ASN1Template ocsp_SingleRequestTemplate[]; extern const SEC_ASN1Template ocsp_SingleResponseTemplate[]; extern const SEC_ASN1Template ocsp_TBSRequestTemplate[]; - /* * Request-related templates... */ @@ -1069,14 +1080,14 @@ extern const SEC_ASN1Template ocsp_TBSRequestTemplate[]; */ static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPRequest) }, + 0, NULL, sizeof(CERTOCSPRequest) }, { SEC_ASN1_POINTER, - offsetof(CERTOCSPRequest, tbsRequest), - ocsp_TBSRequestTemplate }, + offsetof(CERTOCSPRequest, tbsRequest), + ocsp_TBSRequestTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(CERTOCSPRequest, optionalSignature), - ocsp_PointerToSignatureTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(CERTOCSPRequest, optionalSignature), + ocsp_PointerToSignatureTemplate }, { 0 } }; 
@@ -1095,22 +1106,22 @@ static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = { */ const SEC_ASN1Template ocsp_TBSRequestTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspTBSRequest) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(ocspTBSRequest, version), - SEC_ASN1_SUB(SEC_IntegerTemplate) }, + 0, NULL, sizeof(ocspTBSRequest) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(ocspTBSRequest, version), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, - offsetof(ocspTBSRequest, derRequestorName), - SEC_ASN1_SUB(SEC_PointerToAnyTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, + offsetof(ocspTBSRequest, derRequestorName), + SEC_ASN1_SUB(SEC_PointerToAnyTemplate) }, { SEC_ASN1_SEQUENCE_OF, - offsetof(ocspTBSRequest, requestList), - ocsp_SingleRequestTemplate }, + offsetof(ocspTBSRequest, requestList), + ocsp_SingleRequestTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, - offsetof(ocspTBSRequest, requestExtensions), - CERT_SequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(ocspTBSRequest, requestExtensions), + CERT_SequenceOfCertExtensionTemplate }, { 0 } }; 
@@ -1122,16 +1133,16 @@ const SEC_ASN1Template ocsp_TBSRequestTemplate[] = { */ static const SEC_ASN1Template ocsp_SignatureTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspSignature) }, + 0, NULL, sizeof(ocspSignature) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(ocspSignature, signatureAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(ocspSignature, signatureAlgorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_BIT_STRING, - offsetof(ocspSignature, signature) }, + offsetof(ocspSignature, signature) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(ocspSignature, derCerts), - SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(ocspSignature, derCerts), + SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, { 0 } }; @@ -1157,19 +1168,18 @@ const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = { * is the only way it will compile. */ const SEC_ASN1Template ocsp_SingleRequestTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspSingleRequest) }, + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(ocspSingleRequest) }, { SEC_ASN1_POINTER, - offsetof(ocspSingleRequest, reqCert), - ocsp_CertIDTemplate }, + offsetof(ocspSingleRequest, reqCert), + ocsp_CertIDTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(ocspSingleRequest, singleRequestExtensions), - CERT_SequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(ocspSingleRequest, singleRequestExtensions), + CERT_SequenceOfCertExtensionTemplate }, { 0 } }; - /* * This data structure and template (CertID) is used by both OCSP * requests and responses. It is the only one that is shared. 
@@ -1187,21 +1197,20 @@ const SEC_ASN1Template ocsp_SingleRequestTemplate[] = { * is the only way it will compile. */ const SEC_ASN1Template ocsp_CertIDTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPCertID) }, + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTOCSPCertID) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTOCSPCertID, hashAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(CERTOCSPCertID, hashAlgorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(CERTOCSPCertID, issuerNameHash) }, + offsetof(CERTOCSPCertID, issuerNameHash) }, { SEC_ASN1_OCTET_STRING, - offsetof(CERTOCSPCertID, issuerKeyHash) }, - { SEC_ASN1_INTEGER, - offsetof(CERTOCSPCertID, serialNumber) }, + offsetof(CERTOCSPCertID, issuerKeyHash) }, + { SEC_ASN1_INTEGER, + offsetof(CERTOCSPCertID, serialNumber) }, { 0 } }; - /* * Response-related templates... */ @@ -1212,14 +1221,14 @@ const SEC_ASN1Template ocsp_CertIDTemplate[] = { * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } */ const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPResponse) }, - { SEC_ASN1_ENUMERATED, - offsetof(CERTOCSPResponse, responseStatus) }, + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTOCSPResponse) }, + { SEC_ASN1_ENUMERATED, + offsetof(CERTOCSPResponse, responseStatus) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(CERTOCSPResponse, responseBytes), - ocsp_PointerToResponseBytesTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(CERTOCSPResponse, responseBytes), + ocsp_PointerToResponseBytesTemplate }, { 0 } }; 
@@ -1230,11 +1239,11 @@ const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = { */ const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspResponseBytes) }, + 0, NULL, sizeof(ocspResponseBytes) }, { SEC_ASN1_OBJECT_ID, - offsetof(ocspResponseBytes, responseType) }, + offsetof(ocspResponseBytes, responseType) }, { SEC_ASN1_OCTET_STRING, - offsetof(ocspResponseBytes, response) }, + offsetof(ocspResponseBytes, response) }, { 0 } }; @@ -1259,21 +1268,21 @@ const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = { */ static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspBasicOCSPResponse) }, + 0, NULL, sizeof(ocspBasicOCSPResponse) }, { SEC_ASN1_ANY | SEC_ASN1_SAVE, - offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) }, + offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) }, { SEC_ASN1_POINTER, - offsetof(ocspBasicOCSPResponse, tbsResponseData), - ocsp_ResponseDataTemplate }, + offsetof(ocspBasicOCSPResponse, tbsResponseData), + ocsp_ResponseDataTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_BIT_STRING, - offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, + offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), - SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), + SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, { 0 } }; 
@@ -1291,22 +1300,22 @@ static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = { */ const SEC_ASN1Template ocsp_ResponseDataTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspResponseData) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(ocspResponseData, version), - SEC_ASN1_SUB(SEC_IntegerTemplate) }, + 0, NULL, sizeof(ocspResponseData) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(ocspResponseData, version), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, { SEC_ASN1_ANY, - offsetof(ocspResponseData, derResponderID) }, + offsetof(ocspResponseData, derResponderID) }, { SEC_ASN1_GENERALIZED_TIME, - offsetof(ocspResponseData, producedAt) }, + offsetof(ocspResponseData, producedAt) }, { SEC_ASN1_SEQUENCE_OF, - offsetof(ocspResponseData, responses), - ocsp_SingleResponseTemplate }, + offsetof(ocspResponseData, responses), + ocsp_SingleResponseTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(ocspResponseData, responseExtensions), - CERT_SequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(ocspResponseData, responseExtensions), + CERT_SequenceOfCertExtensionTemplate }, { 0 } }; 
@@ -1327,24 +1336,25 @@ const SEC_ASN1Template ocsp_ResponseDataTemplate[] = { */ const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = { { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(ocspResponderID, responderIDValue.name), - CERT_NameTemplate } + offsetof(ocspResponderID, responderIDValue.name), + CERT_NameTemplate } }; const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = { { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 2, - offsetof(ocspResponderID, responderIDValue.keyHash), - SEC_ASN1_SUB(SEC_OctetStringTemplate) } + SEC_ASN1_XTRN | 2, + offsetof(ocspResponderID, responderIDValue.keyHash), + SEC_ASN1_SUB(SEC_OctetStringTemplate) } }; static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = { { SEC_ASN1_ANY, - offsetof(ocspResponderID, responderIDValue.other) } + offsetof(ocspResponderID, responderIDValue.other) } }; /* Decode choice container, but leave x509 name object encoded */ static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = { { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 1, 0, SEC_ASN1_SUB(SEC_AnyTemplate) } + SEC_ASN1_XTRN | 1, + 0, SEC_ASN1_SUB(SEC_AnyTemplate) } }; /* 
@@ -1361,22 +1371,22 @@ static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = { */ const SEC_ASN1Template ocsp_SingleResponseTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPSingleResponse) }, + 0, NULL, sizeof(CERTOCSPSingleResponse) }, { SEC_ASN1_POINTER, - offsetof(CERTOCSPSingleResponse, certID), - ocsp_CertIDTemplate }, + offsetof(CERTOCSPSingleResponse, certID), + ocsp_CertIDTemplate }, { SEC_ASN1_ANY, - offsetof(CERTOCSPSingleResponse, derCertStatus) }, + offsetof(CERTOCSPSingleResponse, derCertStatus) }, { SEC_ASN1_GENERALIZED_TIME, - offsetof(CERTOCSPSingleResponse, thisUpdate) }, + offsetof(CERTOCSPSingleResponse, thisUpdate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(CERTOCSPSingleResponse, nextUpdate), - SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(CERTOCSPSingleResponse, nextUpdate), + SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(CERTOCSPSingleResponse, singleExtensions), - CERT_SequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(CERTOCSPSingleResponse, singleExtensions), + CERT_SequenceOfCertExtensionTemplate }, { 0 } }; 
@@ -1395,23 +1405,23 @@ const SEC_ASN1Template ocsp_SingleResponseTemplate[] = { */ static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = { { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(ocspCertStatus, certStatusInfo.goodInfo), - SEC_ASN1_SUB(SEC_NullTemplate) } + offsetof(ocspCertStatus, certStatusInfo.goodInfo), + SEC_ASN1_SUB(SEC_NullTemplate) } }; static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = { - { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(ocspCertStatus, certStatusInfo.revokedInfo), - ocsp_RevokedInfoTemplate } + { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(ocspCertStatus, certStatusInfo.revokedInfo), + ocsp_RevokedInfoTemplate } }; static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = { { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, - offsetof(ocspCertStatus, certStatusInfo.unknownInfo), - SEC_ASN1_SUB(SEC_NullTemplate) } + offsetof(ocspCertStatus, certStatusInfo.unknownInfo), + SEC_ASN1_SUB(SEC_NullTemplate) } }; static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = { { SEC_ASN1_POINTER | SEC_ASN1_XTRN, - offsetof(ocspCertStatus, certStatusInfo.otherInfo), - SEC_ASN1_SUB(SEC_AnyTemplate) } + offsetof(ocspCertStatus, certStatusInfo.otherInfo), + SEC_ASN1_SUB(SEC_AnyTemplate) } }; /* 
@@ -1425,18 +1435,17 @@ static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = { */ const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspRevokedInfo) }, + 0, NULL, sizeof(ocspRevokedInfo) }, { SEC_ASN1_GENERALIZED_TIME, - offsetof(ocspRevokedInfo, revocationTime) }, + offsetof(ocspRevokedInfo, revocationTime) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 0, - offsetof(ocspRevokedInfo, revocationReason), - SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_XTRN | 0, + offsetof(ocspRevokedInfo, revocationReason), + SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) }, { 0 } }; - /* * OCSP-specific extension templates: */ @@ -1448,25 +1457,24 @@ const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = { */ static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspServiceLocator) }, + 0, NULL, sizeof(ocspServiceLocator) }, { SEC_ASN1_POINTER, - offsetof(ocspServiceLocator, issuer), - CERT_NameTemplate }, + offsetof(ocspServiceLocator, issuer), + CERT_NameTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, - offsetof(ocspServiceLocator, locator) }, + offsetof(ocspServiceLocator, locator) }, { 0 } }; - /* * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy): */ -/* +/* * FUNCTION: CERT_EncodeOCSPRequest * DER encodes an OCSP Request, possibly adding a signature as well. * XXX Signing is not yet supported, however; see comments in code. - * INPUTS: + * INPUTS: * PLArenaPool *arena * The return value is allocated from here. * If a NULL is passed in, allocation is done from the heap instead. @@ -1482,7 +1490,7 @@ static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = { */ SECItem * CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, - void *pwArg) + void *pwArg) { SECStatus rv; 
@@ -1491,10 +1499,10 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, PORT_Assert(request->tbsRequest); if (request->tbsRequest->extensionHandle != NULL) { - rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle); - request->tbsRequest->extensionHandle = NULL; - if (rv != SECSuccess) - return NULL; + rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle); + request->tbsRequest->extensionHandle = NULL; + if (rv != SECSuccess) + return NULL; } /* @@ -1510,7 +1518,6 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate); } - /* * FUNCTION: CERT_DecodeOCSPRequest * Decode a DER encoded OCSP Request. @@ -1533,27 +1540,27 @@ CERT_DecodeOCSPRequest(const SECItem *src) arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - goto loser; + goto loser; } - dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena, - sizeof(CERTOCSPRequest)); + dest = (CERTOCSPRequest *)PORT_ArenaZAlloc(arena, + sizeof(CERTOCSPRequest)); if (dest == NULL) { - goto loser; + goto loser; } dest->arena = arena; /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newSrc, src); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); - goto loser; + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); + goto loser; } /* 
@@ -1561,24 +1568,24 @@ CERT_DecodeOCSPRequest(const SECItem *src) * of doing this copying of the arena pointer. */ for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) { - dest->tbsRequest->requestList[i]->arena = arena; + dest->tbsRequest->requestList[i]->arena = arena; } return dest; loser: if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } SECStatus -CERT_DestroyOCSPCertID(CERTOCSPCertID* certID) +CERT_DestroyOCSPCertID(CERTOCSPCertID *certID) { if (certID && certID->poolp) { - PORT_FreeArena(certID->poolp, PR_FALSE); - return SECSuccess; + PORT_FreeArena(certID->poolp, PR_FALSE); + return SECSuccess; } PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; @@ -1593,7 +1600,7 @@ CERT_DestroyOCSPCertID(CERTOCSPCertID* certID) */ SECItem * -ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, +ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, SECItem *fill, const SECItem *src) { const SECHashObject *digestObject; @@ -1601,27 +1608,28 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, void *mark = NULL; void *digestBuff = NULL; - if ( arena != NULL ) { + if (arena != NULL) { mark = PORT_ArenaMark(arena); } digestObject = HASH_GetHashObjectByOidTag(digestAlg); - if ( digestObject == NULL ) { + if (digestObject == NULL) { goto loser; } if (fill == NULL || fill->data == NULL) { - result = SECITEM_AllocItem(arena, fill, digestObject->length); - if ( result == NULL ) { - goto loser; - } - digestBuff = result->data; - } else { - if (fill->len < digestObject->length) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto loser; - } - digestBuff = fill->data; + result = SECITEM_AllocItem(arena, fill, digestObject->length); + if (result == NULL) { + goto loser; + } + digestBuff = result->data; + } + else { + if (fill->len < digestObject->length) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + digestBuff = fill->data; } if (PK11_HashBuf(digestAlg, digestBuff, 
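Review bot: In ocsp_DigestValue's caller-supplied-buffer branch (the -1601 hunk) any `fill` whose `len` is at least `digestObject->length` is accepted and hashed into, but nothing in the hunk sets `fill->len` to the digest length afterwards; if the code after the hunk does not either, a caller that passes a larger scratch item gets back an item whose `len` overstates the digest, and a later length-sensitive comparison on it would mismatch. Either add `fill->len = digestObject->length;` once PK11_HashBuf succeeds, or state the contract in the block comment that begins before the -1593 hunk, e.g. `fill->len is not adjusted; a pre-allocated fill must be sized to exactly the digest length`. The PK11_HashBuf call and the function's tail continue outside this hunk.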
@@ -1629,7 +1637,7 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, goto loser; } - if ( arena != NULL ) { + if (arena != NULL) { PORT_ArenaUnmark(arena, mark); } @@ -1641,12 +1649,13 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, loser: if (arena != NULL) { PORT_ArenaRelease(arena, mark); - } else { + } + else { if (result != NULL) { SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE); } } - return(NULL); + return (NULL); } /* @@ -1713,18 +1722,18 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) certID = PORT_ArenaZNew(arena, CERTOCSPCertID); if (certID == NULL) { - goto loser; + goto loser; } rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1, - NULL); + NULL); if (rv != SECSuccess) { - goto loser; + goto loser; } issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); if (issuerCert == NULL) { - goto loser; + goto loser; } if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1, 
@@ -1745,29 +1754,28 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) } if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1, - &certID->issuerKeyHash) == NULL) { - goto loser; + &certID->issuerKeyHash) == NULL) { + goto loser; } certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; /* cache the other two hash algorithms as well */ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5, - &certID->issuerMD5KeyHash) == NULL) { - goto loser; + &certID->issuerMD5KeyHash) == NULL) { + goto loser; } if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2, - &certID->issuerMD2KeyHash) == NULL) { - goto loser; + &certID->issuerMD2KeyHash) == NULL) { + goto loser; } - /* now we are done with issuerCert */ CERT_DestroyCertificate(issuerCert); issuerCert = NULL; rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber); if (rv != SECSuccess) { - goto loser; + goto loser; } PORT_ArenaUnmark(arena, mark); @@ -1775,25 +1783,25 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) loser: if (issuerCert != NULL) { - CERT_DestroyCertificate(issuerCert); + CERT_DestroyCertificate(issuerCert); } PORT_ArenaRelease(arena, mark); return NULL; } -CERTOCSPCertID* +CERTOCSPCertID * CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTOCSPCertID *certID; PORT_Assert(arena != NULL); if (!arena) - return NULL; - + return NULL; + certID = ocsp_CreateCertID(arena, cert, time); if (!certID) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } certID->poolp = arena; return certID; 
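Review bot: In the -1745 hunk the comment `/* cache the other two hash algorithms as well */` above the MD5 and MD2 `CERT_GetSubjectPublicKeyDigest` calls does not say why legacy digests are computed for every CertID; the CertID's hashAlgorithm is fixed to SEC_OID_SHA1 in the -1713 hunk and ocsp_CertIDTemplate (the -1187 hunk) encodes only issuerNameHash/issuerKeyHash, so issuerMD5KeyHash and issuerMD2KeyHash are never sent and are presumably kept only so a response whose CertID uses one of those digests can still be matched to this request. Saying so keeps the next maintainer from reading this as a cryptographic use: `/* The request itself uses SHA-1; MD5/MD2 issuerKeyHash values are kept only to match responses whose CertID names one of those digests, never for a trust decision -- confirm against the response matching code */`. If those two values are read only on a mismatch path, computing them lazily would also avoid two extra digests per CertID, but that depends on callers outside this hunk. ocsp_CreateCertID begins before this hunk.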
@@ -1818,11 +1826,11 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src) if (!dest) goto loser; -#define DUPHELP(element) \ - if (src->element.data && \ - SECITEM_CopyItem(arena, &dest->element, &src->element) \ - != SECSuccess) { \ - goto loser; \ +#define DUPHELP(element) \ + if (src->element.data && \ + SECITEM_CopyItem(arena, &dest->element, &src->element) != \ + SECSuccess) { \ + goto loser; \ } DUPHELP(hashAlgorithm.algorithm) @@ -1850,12 +1858,13 @@ loser: /* * Callback to set Extensions in request object */ -void SetSingleReqExts(void *object, CERTCertExtension **exts) +void +SetSingleReqExts(void *object, CERTCertExtension **exts) { - ocspSingleRequest *singleRequest = - (ocspSingleRequest *)object; + ocspSingleRequest *singleRequest = + (ocspSingleRequest *)object; - singleRequest->singleRequestExtensions = exts; + singleRequest->singleRequestExtensions = exts; } /* @@ -1866,7 +1875,7 @@ void SetSingleReqExts(void *object, CERTCertExtension **exts) */ static SECStatus ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, - CERTCertificate *cert) + CERTCertificate *cert) { ocspServiceLocator *serviceLocator = NULL; void *extensionHandle = NULL; @@ -1874,7 +1883,7 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, serviceLocator = PORT_ZNew(ocspServiceLocator); if (serviceLocator == NULL) - goto loser; + goto loser; /* * Normally it would be a bad idea to do a direct reference like @@ -1886,10 +1895,10 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, serviceLocator->issuer = &cert->issuer; rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, - &serviceLocator->locator); + &serviceLocator->locator); if (rv != SECSuccess) { - if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) - goto loser; + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) + goto loser; } /* prepare for following loser gotos */ 
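Review bot: In the -1818 hunk `DUPHELP` expands to a bare `if` statement and its invocations carry no trailing semicolon, so an `else` added after a `DUPHELP(...)` line in a future edit would bind to the macro's hidden `if`; the hunk also shows no `#undef DUPHELP` after the last use, so the name leaks past cert_DupOCSPCertID. Wrapping the expansion as `#define DUPHELP(element) do { if (src->element.data && SECITEM_CopyItem(arena, &dest->element, &src->element) != SECSuccess) goto loser; } while (0)`, invoking it with a semicolon, and adding `#undef DUPHELP` after the final call keeps it a local helper. Whether the file already undefines it, and the remaining DUPHELP uses, are outside this hunk; the function starts before it.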
@@ -1897,33 +1906,33 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, PORT_SetError(0); extensionHandle = cert_StartExtensions(singleRequest, - singleRequest->arena, SetSingleReqExts); + singleRequest->arena, SetSingleReqExts); if (extensionHandle == NULL) - goto loser; + goto loser; rv = CERT_EncodeAndAddExtension(extensionHandle, - SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, - serviceLocator, PR_FALSE, - ocsp_ServiceLocatorTemplate); + SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, + serviceLocator, PR_FALSE, + ocsp_ServiceLocatorTemplate); loser: if (extensionHandle != NULL) { - /* + /* * Either way we have to finish out the extension context (so it gets * freed). But careful not to override any already-set bad status. */ - SECStatus tmprv = CERT_FinishExtensions(extensionHandle); - if (rv == SECSuccess) - rv = tmprv; + SECStatus tmprv = CERT_FinishExtensions(extensionHandle); + if (rv == SECSuccess) + rv = tmprv; } /* * Finally, free the serviceLocator structure itself and we are done. */ if (serviceLocator != NULL) { - if (serviceLocator->locator.data != NULL) - SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE); - PORT_Free(serviceLocator); + if (serviceLocator->locator.data != NULL) + SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE); + PORT_Free(serviceLocator); } return rv; @@ -1949,18 +1958,18 @@ ocsp_CreateSingleRequestList(PLArenaPool *arena, CERTCertList *certList, CERTCertListNode *node = NULL; int i, count; void *mark = PORT_ArenaMark(arena); - + node = CERT_LIST_HEAD(certList); for (count = 0; !CERT_LIST_END(node, certList); count++) { node = CERT_LIST_NEXT(node); } if (count == 0) - goto loser; + goto loser; requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1); if (requestList == NULL) - goto loser; + goto loser; node = CERT_LIST_HEAD(certList); for (i = 0; !CERT_LIST_END(node, certList); i++) { 
@@ -1998,7 +2007,7 @@ loser: static ocspSingleRequest ** ocsp_CreateRequestFromCert(PLArenaPool *arena, - CERTOCSPCertID *certID, + CERTOCSPCertID *certID, CERTCertificate *singleCert, PRTime time, PRBool includeLocator) @@ -2016,7 +2025,7 @@ ocsp_CreateRequestFromCert(PLArenaPool *arena, goto loser; requestList[0]->arena = arena; /* certID will live longer than the request */ - requestList[0]->reqCert = certID; + requestList[0]->reqCert = certID; if (includeLocator == PR_TRUE) { SECStatus rv; @@ -2067,8 +2076,8 @@ loser: } CERTOCSPRequest * -cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, - CERTCertificate *singleCert, +cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, + CERTCertificate *singleCert, PRTime time, PRBool addServiceLocator, CERTCertificate *signerCert) @@ -2091,8 +2100,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, * Version 1 is the default, so we need not fill in a version number. * Now create the list of single requests, one for each cert. */ - request->tbsRequest->requestList = - ocsp_CreateRequestFromCert(request->arena, + request->tbsRequest->requestList = + ocsp_CreateRequestFromCert(request->arena, certID, singleCert, time, @@ -2106,7 +2115,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, /* * FUNCTION: CERT_CreateOCSPRequest - * Creates a CERTOCSPRequest, requesting the status of the certs in + * Creates a CERTOCSPRequest, requesting the status of the certs in * the given list. * INPUTS: * CERTCertList *certList @@ -2118,7 +2127,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, * to this routine), who knows about where the request(s) are being * sent and whether there are any trusted responders in place. * PRTime time - * Indicates the time for which the certificate status is to be + * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no effect on the request itself. * PRBool addServiceLocator 
@@ -2137,8 +2146,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, */ CERTOCSPRequest * CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, - PRBool addServiceLocator, - CERTCertificate *signerCert) + PRBool addServiceLocator, + CERTCertificate *signerCert) { CERTOCSPRequest *request = NULL; @@ -2147,7 +2156,7 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, return NULL; } /* - * XXX When we are prepared to put signing of requests back in, + * XXX When we are prepared to put signing of requests back in, * we will need to allocate a signature * structure for the request, fill in the "derCerts" field in it, * save the signerCert there, as well as fill in the "requestorName" @@ -2163,8 +2172,8 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, /* * Now create the list of single requests, one for each cert. */ - request->tbsRequest->requestList = - ocsp_CreateSingleRequestList(request->arena, + request->tbsRequest->requestList = + ocsp_CreateSingleRequestList(request->arena, certList, time, addServiceLocator); @@ -2192,16 +2201,17 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, * All errors are internal or low-level problems (e.g. no memory). */ -void SetRequestExts(void *object, CERTCertExtension **exts) +void +SetRequestExts(void *object, CERTCertExtension **exts) { - CERTOCSPRequest *request = (CERTOCSPRequest *)object; + CERTOCSPRequest *request = (CERTOCSPRequest *)object; - request->tbsRequest->requestExtensions = exts; + request->tbsRequest->requestExtensions = exts; } SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, - SECOidTag responseType0, ...) + SECOidTag responseType0, ...) { void *extHandle; va_list ap; 
@@ -2213,60 +2223,59 @@ CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, extHandle = request->tbsRequest->extensionHandle; if (extHandle == NULL) { - extHandle = cert_StartExtensions(request, request->arena, SetRequestExts); - if (extHandle == NULL) - goto loser; + extHandle = cert_StartExtensions(request, request->arena, SetRequestExts); + if (extHandle == NULL) + goto loser; } /* Count number of OIDS going into the extension value. */ count = 1; if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { - va_start(ap, responseType0); - do { - count++; - responseType = va_arg(ap, SECOidTag); - } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE); - va_end(ap); + va_start(ap, responseType0); + do { + count++; + responseType = va_arg(ap, SECOidTag); + } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE); + va_end(ap); } acceptableResponses = PORT_NewArray(SECItem *, count + 1); if (acceptableResponses == NULL) - goto loser; + goto loser; i = 0; responseOid = SECOID_FindOIDByTag(responseType0); acceptableResponses[i++] = &(responseOid->oid); if (count > 1) { - va_start(ap, responseType0); - for ( ; i < count; i++) { - responseType = va_arg(ap, SECOidTag); - responseOid = SECOID_FindOIDByTag(responseType); - acceptableResponses[i] = &(responseOid->oid); - } - va_end(ap); + va_start(ap, responseType0); + for (; i < count; i++) { + responseType = va_arg(ap, SECOidTag); + responseOid = SECOID_FindOIDByTag(responseType); + acceptableResponses[i] = &(responseOid->oid); + } + va_end(ap); } acceptableResponses[i] = NULL; rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE, - &acceptableResponses, PR_FALSE, - SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate)); + &acceptableResponses, PR_FALSE, + SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate)); if (rv != SECSuccess) - goto loser; + goto loser; PORT_Free(acceptableResponses); if (request->tbsRequest->extensionHandle == NULL) - request->tbsRequest->extensionHandle = extHandle; + 
request->tbsRequest->extensionHandle = extHandle; return SECSuccess; loser: if (acceptableResponses != NULL) - PORT_Free(acceptableResponses); + PORT_Free(acceptableResponses); if (extHandle != NULL) - (void) CERT_FinishExtensions(extHandle); + (void)CERT_FinishExtensions(extHandle); return rv; } - /* * FUNCTION: CERT_DestroyOCSPRequest * Frees an OCSP Request structure. @@ -2280,20 +2289,20 @@ void CERT_DestroyOCSPRequest(CERTOCSPRequest *request) { if (request == NULL) - return; + return; if (request->tbsRequest != NULL) { - if (request->tbsRequest->requestorName != NULL) - CERT_DestroyGeneralNameList(request->tbsRequest->requestorName); - if (request->tbsRequest->extensionHandle != NULL) - (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle); + if (request->tbsRequest->requestorName != NULL) + CERT_DestroyGeneralNameList(request->tbsRequest->requestorName); + if (request->tbsRequest->extensionHandle != NULL) + (void)CERT_FinishExtensions(request->tbsRequest->extensionHandle); } if (request->optionalSignature != NULL) { - if (request->optionalSignature->cert != NULL) - CERT_DestroyCertificate(request->optionalSignature->cert); + if (request->optionalSignature->cert != NULL) + CERT_DestroyCertificate(request->optionalSignature->cert); - /* + /* * XXX Need to free derCerts? Or do they come out of arena? * (Currently we never fill in derCerts, which is why the * answer is not obvious. Once we do, add any necessary code @@ -2308,10 +2317,9 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest *request) */ PORT_Assert(request->arena != NULL); if (request->arena != NULL) - PORT_FreeArena(request->arena, PR_FALSE); + PORT_FreeArena(request->arena, PR_FALSE); } - /* * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy): */ 
@@ -2326,17 +2334,17 @@ ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType) const SEC_ASN1Template *responderIDTemplate; switch (responderIDType) { - case ocspResponderID_byName: - responderIDTemplate = ocsp_ResponderIDByNameTemplate; - break; - case ocspResponderID_byKey: - responderIDTemplate = ocsp_ResponderIDByKeyTemplate; - break; - case ocspResponderID_other: - default: - PORT_Assert(responderIDType == ocspResponderID_other); - responderIDTemplate = ocsp_ResponderIDOtherTemplate; - break; + case ocspResponderID_byName: + responderIDTemplate = ocsp_ResponderIDByNameTemplate; + break; + case ocspResponderID_byKey: + responderIDTemplate = ocsp_ResponderIDByKeyTemplate; + break; + case ocspResponderID_other: + default: + PORT_Assert(responderIDType == ocspResponderID_other); + responderIDTemplate = ocsp_ResponderIDOtherTemplate; + break; } return responderIDTemplate; @@ -2352,20 +2360,20 @@ ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType) const SEC_ASN1Template *certStatusTemplate; switch (certStatusType) { - case ocspCertStatus_good: - certStatusTemplate = ocsp_CertStatusGoodTemplate; - break; - case ocspCertStatus_revoked: - certStatusTemplate = ocsp_CertStatusRevokedTemplate; - break; - case ocspCertStatus_unknown: - certStatusTemplate = ocsp_CertStatusUnknownTemplate; - break; - case ocspCertStatus_other: - default: - PORT_Assert(certStatusType == ocspCertStatus_other); - certStatusTemplate = ocsp_CertStatusOtherTemplate; - break; + case ocspCertStatus_good: + certStatusTemplate = ocsp_CertStatusGoodTemplate; + break; + case ocspCertStatus_revoked: + certStatusTemplate = ocsp_CertStatusRevokedTemplate; + break; + case ocspCertStatus_unknown: + certStatusTemplate = ocsp_CertStatusUnknownTemplate; + break; + case ocspCertStatus_other: + default: + PORT_Assert(certStatusType == ocspCertStatus_other); + certStatusTemplate = ocsp_CertStatusOtherTemplate; + break; } return certStatusTemplate; 
@@ -2381,18 +2389,18 @@ ocsp_CertStatusTypeByTag(int derTag) ocspCertStatusType certStatusType; switch (derTag) { - case 0: - certStatusType = ocspCertStatus_good; - break; - case 1: - certStatusType = ocspCertStatus_revoked; - break; - case 2: - certStatusType = ocspCertStatus_unknown; - break; - default: - certStatusType = ocspCertStatus_other; - break; + case 0: + certStatusType = ocspCertStatus_good; + break; + case 1: + certStatusType = ocspCertStatus_revoked; + break; + case 2: + certStatusType = ocspCertStatus_unknown; + break; + default: + certStatusType = ocspCertStatus_other; + break; } return certStatusType; @@ -2407,7 +2415,7 @@ ocsp_CertStatusTypeByTag(int derTag) */ static SECStatus ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena, - CERTOCSPSingleResponse **responses) + CERTOCSPSingleResponse **responses) { ocspCertStatus *certStatus; ocspCertStatusType certStatusType; 
@@ -2421,39 +2429,39 @@ ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena, return SECFailure; } - if (responses == NULL) /* nothing to do */ - return SECSuccess; + if (responses == NULL) /* nothing to do */ + return SECSuccess; for (i = 0; responses[i] != NULL; i++) { - SECItem* newStatus; - /* + SECItem *newStatus; + /* * The following assert points out internal errors (problems in * the template definitions or in the ASN.1 decoder itself, etc.). */ - PORT_Assert(responses[i]->derCertStatus.data != NULL); + PORT_Assert(responses[i]->derCertStatus.data != NULL); - derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK; - certStatusType = ocsp_CertStatusTypeByTag(derTag); - certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType); + derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK; + certStatusType = ocsp_CertStatusTypeByTag(derTag); + certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType); - certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus)); - if (certStatus == NULL) { - goto loser; - } + certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus)); + if (certStatus == NULL) { + goto loser; + } newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus); if (!newStatus) { goto loser; } - rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate, - newStatus); - if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - goto loser; - } + rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate, + newStatus); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + goto loser; + } - certStatus->certStatusType = certStatusType; - responses[i]->certStatus = certStatus; + certStatus->certStatusType = certStatusType; + responses[i]->certStatus = certStatus; } return SECSuccess; 
@@ -2472,15 +2480,15 @@ ocsp_ResponderIDTypeByTag(int derTag) CERTOCSPResponderIDType responderIDType; switch (derTag) { - case 1: - responderIDType = ocspResponderID_byName; - break; - case 2: - responderIDType = ocspResponderID_byKey; - break; - default: - responderIDType = ocspResponderID_other; - break; + case 1: + responderIDType = ocspResponderID_byName; + break; + case 2: + responderIDType = ocspResponderID_byKey; + break; + default: + responderIDType = ocspResponderID_other; + break; } return responderIDType; @@ -2506,22 +2514,22 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src) basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse)); if (basicResponse == NULL) { - goto loser; + goto loser; } /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newsrc, src); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } rv = SEC_QuickDERDecodeItem(arena, basicResponse, - ocsp_BasicOCSPResponseTemplate, &newsrc); + ocsp_BasicOCSPResponseTemplate, &newsrc); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - goto loser; + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + goto loser; } responseData = basicResponse->tbsResponseData; 
@@ -2543,15 +2551,15 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src) responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID)); if (responderID == NULL) { - goto loser; + goto loser; } rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate, - &responseData->derResponderID); + &responseData->derResponderID); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - goto loser; + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + goto loser; } responderID->responderIDType = responderIDType; @@ -2563,7 +2571,7 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src) */ rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses); if (rv != SECSuccess) { - goto loser; + goto loser; } PORT_ArenaUnmark(arena, mark); @@ -2574,7 +2582,6 @@ loser: return NULL; } - /* * Decode the responseBytes based on the responseType found in "rbytes", * leaving the resulting translated/decoded information in there as well. 
@@ -2583,38 +2590,35 @@ static SECStatus ocsp_DecodeResponseBytes(PLArenaPool *arena, ocspResponseBytes *rbytes) { if (rbytes == NULL) { - PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); - return SECFailure; + PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); + return SECFailure; } rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType); switch (rbytes->responseTypeTag) { - case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: - { - ocspBasicOCSPResponse *basicResponse; + case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: { + ocspBasicOCSPResponse *basicResponse; - basicResponse = ocsp_DecodeBasicOCSPResponse(arena, - &rbytes->response); - if (basicResponse == NULL) - return SECFailure; + basicResponse = ocsp_DecodeBasicOCSPResponse(arena, + &rbytes->response); + if (basicResponse == NULL) + return SECFailure; - rbytes->decodedResponse.basic = basicResponse; - } - break; + rbytes->decodedResponse.basic = basicResponse; + } break; - /* + /* * Add new/future response types here. */ - default: - PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); - return SECFailure; + default: + PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); + return SECFailure; } return SECSuccess; } - /* * FUNCTION: CERT_DecodeOCSPResponse * Decode a DER encoded OCSP Response. 
@@ -2639,37 +2643,37 @@ CERT_DecodeOCSPResponse(const SECItem *src) arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - goto loser; + goto loser; } - response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena, - sizeof(CERTOCSPResponse)); + response = (CERTOCSPResponse *)PORT_ArenaZAlloc(arena, + sizeof(CERTOCSPResponse)); if (response == NULL) { - goto loser; + goto loser; } response->arena = arena; /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newSrc, src); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &newSrc); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - goto loser; + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + goto loser; } - sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus); + sv = (ocspResponseStatus)DER_GetInteger(&response->responseStatus); response->statusValue = sv; if (sv != ocspResponse_successful) { - /* + /* * If the response status is anything but successful, then we * are all done with decoding; the status is all there is. */ - return response; + return response; } /* @@ -2678,14 +2682,14 @@ CERT_DecodeOCSPResponse(const SECItem *src) */ rv = ocsp_DecodeResponseBytes(arena, response->responseBytes); if (rv != SECSuccess) { - goto loser; + goto loser; } return response; loser: if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } @@ -2711,7 +2715,7 @@ loser: * * FUNCTION: ocsp_GetResponseData * Returns ocspResponseData structure and a pointer to tbs response - * data DER from a valid ocsp response. + * data DER from a valid ocsp response. * INPUTS: * CERTOCSPResponse *response * structure of a valid ocsp response 
@@ -2729,8 +2733,8 @@ ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER) PORT_Assert(response->responseBytes != NULL); - PORT_Assert(response->responseBytes->responseTypeTag - == SEC_OID_PKIX_OCSP_BASIC_RESPONSE); + PORT_Assert(response->responseBytes->responseTypeTag == + SEC_OID_PKIX_OCSP_BASIC_RESPONSE); basic = response->responseBytes->decodedResponse.basic; PORT_Assert(basic != NULL); @@ -2761,8 +2765,8 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response) if (NULL == response->responseBytes) { return NULL; } - if (response->responseBytes->responseTypeTag - != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { + if (response->responseBytes->responseTypeTag != + SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { return NULL; } basic = response->responseBytes->decodedResponse.basic; @@ -2771,7 +2775,6 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response) return &(basic->responseSignature); } - /* * FUNCTION: CERT_DestroyOCSPResponse * Frees an OCSP Response structure. @@ -2785,28 +2788,26 @@ void CERT_DestroyOCSPResponse(CERTOCSPResponse *response) { if (response != NULL) { - ocspSignature *signature = ocsp_GetResponseSignature(response); - if (signature && signature->cert != NULL) - CERT_DestroyCertificate(signature->cert); + ocspSignature *signature = ocsp_GetResponseSignature(response); + if (signature && signature->cert != NULL) + CERT_DestroyCertificate(signature->cert); - /* + /* * We should actually never have a response without an arena, * but check just in case. (If there isn't one, there is not * much we can do about it...) */ - PORT_Assert(response->arena != NULL); - if (response->arena != NULL) { - PORT_FreeArena(response->arena, PR_FALSE); - } + PORT_Assert(response->arena != NULL); + if (response->arena != NULL) { + PORT_FreeArena(response->arena, PR_FALSE); + } } } - /* * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response): */ - /* * Pick apart a URL, saving the important things in the passed-in pointers. * 
@@ -2822,7 +2823,7 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response) static SECStatus ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) { - unsigned short port = 80; /* default, in case not in url */ + unsigned short port = 80; /* default, in case not in url */ char *hostname = NULL; char *path = NULL; const char *save; @@ -2830,25 +2831,25 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) int len; if (url == NULL) - goto loser; + goto loser; /* * Skip beginning whitespace. */ c = *url; while ((c == ' ' || c == '\t') && c != '\0') { - url++; - c = *url; + url++; + c = *url; } if (c == '\0') - goto loser; + goto loser; /* * Confirm, then skip, protocol. (Since we only know how to do http, * that is all we will accept). */ if (PORT_Strncasecmp(url, "http://", 7) != 0) - goto loser; + goto loser; url += 7; /* @@ -2866,13 +2867,13 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) save = url; c = *url; while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') { - url++; - c = *url; + url++; + c = *url; } len = url - save; hostname = PORT_Alloc(len + 1); if (hostname == NULL) - goto loser; + goto loser; PORT_Memcpy(hostname, save, len); hostname[len] = '\0'; @@ -2881,15 +2882,15 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) * If so, we need to parse it (as a number) and skip it. */ if (c == ':') { - url++; - port = (unsigned short) PORT_Atoi(url); - c = *url; - while (c != '/' && c != '\0' && c != ' ' && c != '\t') { - if (c < '0' || c > '9') - goto loser; - url++; - c = *url; - } + url++; + port = (unsigned short)PORT_Atoi(url); + c = *url; + while (c != '/' && c != '\0' && c != ' ' && c != '\t') { + if (c < '0' || c > '9') + goto loser; + url++; + c = *url; + } } /* 
@@ -2897,21 +2898,22 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) * if nothing else -- but if there is not we provide one. */ if (c == '/') { - save = url; - while (c != '\0' && c != ' ' && c != '\t') { - url++; - c = *url; - } - len = url - save; - path = PORT_Alloc(len + 1); - if (path == NULL) - goto loser; - PORT_Memcpy(path, save, len); - path[len] = '\0'; - } else { - path = PORT_Strdup("/"); - if (path == NULL) - goto loser; + save = url; + while (c != '\0' && c != ' ' && c != '\t') { + url++; + c = *url; + } + len = url - save; + path = PORT_Alloc(len + 1); + if (path == NULL) + goto loser; + PORT_Memcpy(path, save, len); + path[len] = '\0'; + } + else { + path = PORT_Strdup("/"); + if (path == NULL) + goto loser; } *pHostname = hostname; @@ -2921,7 +2923,7 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) loser: if (hostname != NULL) - PORT_Free(hostname); + PORT_Free(hostname); PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); return SECFailure; } @@ -2940,7 +2942,7 @@ ocsp_ConnectToHost(const char *host, PRUint16 port) sock = PR_NewTCPSocket(); if (sock == NULL) - goto loser; + goto loser; /* XXX Some day need a way to set (and get?) the following value */ timeout = PR_SecondsToInterval(30); 
@@ -2954,42 +2956,43 @@ ocsp_ConnectToHost(const char *host, PRUint16 port) * valid numerical IP address from a hostname. */ if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) { - PRIntn hostIndex; - PRHostEnt hostEntry; - - netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE); - if (netdbbuf == NULL) - goto loser; - - if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE, - &hostEntry) != PR_SUCCESS) - goto loser; - - hostIndex = 0; - do { - hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr); - if (hostIndex <= 0) - goto loser; - } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS); - - PORT_Free(netdbbuf); - } else { - /* + PRIntn hostIndex; + PRHostEnt hostEntry; + + netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE); + if (netdbbuf == NULL) + goto loser; + + if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE, + &hostEntry) != PR_SUCCESS) + goto loser; + + hostIndex = 0; + do { + hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr); + if (hostIndex <= 0) + goto loser; + } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS); + + PORT_Free(netdbbuf); + } + else { + /* * First put the port into the address, then connect. */ - if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS) - goto loser; - if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS) - goto loser; + if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS) + goto loser; + if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS) + goto loser; } return sock; loser: if (sock != NULL) - PR_Close(sock); + PR_Close(sock); if (netdbbuf != NULL) - PORT_Free(netdbbuf); + PORT_Free(netdbbuf); return NULL; } 
@@ -3024,14 +3027,14 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest) */ rv = ocsp_ParseURL(location, &hostname, &port, &path); if (rv != SECSuccess) - goto loser; + goto loser; PORT_Assert(hostname != NULL); PORT_Assert(path != NULL); sock = ocsp_ConnectToHost(hostname, port); if (sock == NULL) - goto loser; + goto loser; portstr[0] = '\0'; if (port != 80) { 
@@ -3039,38 +3042,38 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest) } if (!encodedRequest) { - header = PR_smprintf("GET %s HTTP/1.0\r\n" - "Host: %s%s\r\n\r\n", - path, hostname, portstr); - if (header == NULL) - goto loser; - - /* - * The NSPR documentation promises that if it can, it will write the full - * amount; this will not return a partial value expecting us to loop. - */ - if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0) - goto loser; + header = PR_smprintf("GET %s HTTP/1.0\r\n" + "Host: %s%s\r\n\r\n", + path, hostname, portstr); + if (header == NULL) + goto loser; + + /* + * The NSPR documentation promises that if it can, it will write the full + * amount; this will not return a partial value expecting us to loop. + */ + if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) + goto loser; } else { - header = PR_smprintf("POST %s HTTP/1.0\r\n" - "Host: %s%s\r\n" - "Content-Type: application/ocsp-request\r\n" - "Content-Length: %u\r\n\r\n", - path, hostname, portstr, encodedRequest->len); - if (header == NULL) - goto loser; - - /* - * The NSPR documentation promises that if it can, it will write the full - * amount; this will not return a partial value expecting us to loop. - */ - if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0) - goto loser; - - if (PR_Write(sock, encodedRequest->data, - (PRInt32) encodedRequest->len) < 0) - goto loser; + header = PR_smprintf("POST %s HTTP/1.0\r\n" + "Host: %s%s\r\n" + "Content-Type: application/ocsp-request\r\n" + "Content-Length: %u\r\n\r\n", + path, hostname, portstr, encodedRequest->len); + if (header == NULL) + goto loser; + + /* + * The NSPR documentation promises that if it can, it will write the full + * amount; this will not return a partial value expecting us to loop. 
+ */ + if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) + goto loser; + + if (PR_Write(sock, encodedRequest->data, + (PRInt32)encodedRequest->len) < 0) + goto loser; } returnSock = sock; @@ -3078,13 +3081,13 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest) loser: if (header != NULL) - PORT_Free(header); + PORT_Free(header); if (sock != NULL) - PR_Close(sock); + PR_Close(sock); if (path != NULL) - PORT_Free(path); + PORT_Free(path); if (hostname != NULL) - PORT_Free(hostname); + PORT_Free(hostname); return returnSock; } @@ -3099,22 +3102,17 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout) { int total = 0; - while (total < toread) - { + while (total < toread) { PRInt32 got; - got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout); - if (got < 0) - { - if (0 == total) - { + got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout); + if (got < 0) { + if (0 == total) { total = -1; /* report the error if we didn't read anything yet */ } break; } - else - if (got == 0) - { /* EOS */ + else if (got == 0) { /* EOS */ break; } @@ -3126,14 +3124,13 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout) #define OCSP_BUFSIZE 1024 -#define AbortHttpDecode(error) \ -{ \ - if (inBuffer) \ +#define AbortHttpDecode(error) \ + { \ + if (inBuffer) \ PORT_Free(inBuffer); \ - PORT_SetError(error); \ - return NULL; \ -} - + PORT_SetError(error); \ + return NULL; \ + } /* * Reads on the given socket and returns an encoded response when received. 
@@ -3148,92 +3145,82 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) { /* first read HTTP status line and headers */ - char* inBuffer = NULL; + char *inBuffer = NULL; PRInt32 offset = 0; PRInt32 inBufsize = 0; - const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */ - const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */ - const char* CRLF = "\r\n"; + const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */ + const PRInt32 maxBufSize = 8 * bufSizeIncrement; /* 8 KB max */ + const char *CRLF = "\r\n"; const PRInt32 CRLFlen = strlen(CRLF); - const char* headerEndMark = "\r\n\r\n"; + const char *headerEndMark = "\r\n\r\n"; const PRInt32 markLen = strlen(headerEndMark); const PRIntervalTime ocsptimeout = PR_SecondsToInterval(30); /* hardcoded to 30s for now */ - char* headerEnd = NULL; + char *headerEnd = NULL; PRBool EOS = PR_FALSE; - const char* httpprotocol = "HTTP/"; + const char *httpprotocol = "HTTP/"; const PRInt32 httplen = strlen(httpprotocol); - const char* httpcode = NULL; - const char* contenttype = NULL; + const char *httpcode = NULL; + const char *contenttype = NULL; PRInt32 contentlength = 0; PRInt32 bytesRead = 0; - char* statusLineEnd = NULL; - char* space = NULL; - char* nextHeader = NULL; - SECItem* result = NULL; + char *statusLineEnd = NULL; + char *space = NULL; + char *nextHeader = NULL; + SECItem *result = NULL; /* read up to at least the end of the HTTP headers */ - do - { + do { inBufsize += bufSizeIncrement; - inBuffer = PORT_Realloc(inBuffer, inBufsize+1); - if (NULL == inBuffer) - { + inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); + if (NULL == inBuffer) { AbortHttpDecode(SEC_ERROR_NO_MEMORY); } bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, - ocsptimeout); - if (bytesRead > 0) - { - PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0; + ocsptimeout); + if (bytesRead > 0) { + PRInt32 searchOffset = (offset - markLen) > 0 ? 
offset - markLen : 0; offset += bytesRead; *(inBuffer + offset) = '\0'; /* NULL termination */ - headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMark); - if (bytesRead < bufSizeIncrement) - { + headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark); + if (bytesRead < bufSizeIncrement) { /* we read less data than requested, therefore we are at EOS or there was a read error */ EOS = PR_TRUE; } } - else - { + else { /* recv error or EOS */ EOS = PR_TRUE; } - } while ( (!headerEnd) && (PR_FALSE == EOS) && - (inBufsize < maxBufSize) ); + } while ((!headerEnd) && (PR_FALSE == EOS) && + (inBufsize < maxBufSize)); - if (!headerEnd) - { + if (!headerEnd) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } /* parse the HTTP status line */ - statusLineEnd = strstr((const char*)inBuffer, CRLF); - if (!statusLineEnd) - { + statusLineEnd = strstr((const char *)inBuffer, CRLF); + if (!statusLineEnd) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } *statusLineEnd = '\0'; /* check for HTTP/ response */ - space = strchr((const char*)inBuffer, ' '); - if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen) != 0 ) - { + space = strchr((const char *)inBuffer, ' '); + if (!space || PORT_Strncasecmp((const char *)inBuffer, httpprotocol, httplen) != 0) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } /* check the HTTP status code of 200 */ - httpcode = space +1; + httpcode = space + 1; space = strchr(httpcode, ' '); - if (!space) - { + if (!space) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } *space = 0; - if (0 != strcmp(httpcode, "200")) - { + if (0 != strcmp(httpcode, "200")) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } 
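Review bot: `inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);` in the header-read loop overwrites the only pointer to the buffer, so when PORT_Realloc fails the AbortHttpDecode macro sees `inBuffer == NULL` and the original allocation leaks. Grow through a temporary instead: `char *grown = PORT_Realloc(inBuffer, inBufsize + 1); if (grown == NULL) { AbortHttpDecode(SEC_ERROR_NO_MEMORY); } inBuffer = grown;`. The body-read loop in the hunk at -3263/+3248 has the same pattern and needs the same fix. The enclosing function ocsp_GetEncodedResponse continues past the end of this hunk.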
@@ -3243,14 +3230,12 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) nextHeader = statusLineEnd + CRLFlen; *headerEnd = '\0'; /* terminate */ - do - { - char* thisHeaderEnd = NULL; - char* value = NULL; - char* colon = strchr(nextHeader, ':'); - - if (!colon) - { + do { + char *thisHeaderEnd = NULL; + char *value = NULL; + char *colon = strchr(nextHeader, ':'); + + if (!colon) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } 
@@ -3263,90 +3248,74 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) and should not be an issue, but it could become one in the future */ - if (*value != ' ') - { + if (*value != ' ') { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } value++; - thisHeaderEnd = strstr(value, CRLF); - if (thisHeaderEnd ) - { - *thisHeaderEnd = '\0'; + thisHeaderEnd = strstr(value, CRLF); + if (thisHeaderEnd) { + *thisHeaderEnd = '\0'; } - if (0 == PORT_Strcasecmp(nextHeader, "content-type")) - { + if (0 == PORT_Strcasecmp(nextHeader, "content-type")) { contenttype = value; } - else - if (0 == PORT_Strcasecmp(nextHeader, "content-length")) - { + else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) { contentlength = atoi(value); } - if (thisHeaderEnd ) - { + if (thisHeaderEnd) { nextHeader = thisHeaderEnd + CRLFlen; } - else - { + else { nextHeader = NULL; } - } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) ); + } while (nextHeader && (nextHeader < (headerEnd + CRLFlen))); /* check content-type */ if (!contenttype || - (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) ) - { + (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } /* read the body of the OCSP response */ - offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen; - if (offset) - { + offset = offset - (PRInt32)(headerEnd - (const char *)inBuffer) - markLen; + if (offset) { /* move all data to the beginning of the buffer */ PORT_Memmove(inBuffer, headerEnd + markLen, offset); } /* resize buffer to only what's needed to hold the current response */ - inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ; + inBufsize = (1 + (offset - 1) / bufSizeIncrement) * bufSizeIncrement; - while ( (PR_FALSE == EOS) && - ( (contentlength == 0) || (offset < contentlength) ) && - (inBufsize < maxBufSize) - ) - { + while ((PR_FALSE == EOS) && + ((contentlength == 0) || (offset < 
contentlength)) && + (inBufsize < maxBufSize)) { /* we still need to receive more body data */ inBufsize += bufSizeIncrement; - inBuffer = PORT_Realloc(inBuffer, inBufsize+1); - if (NULL == inBuffer) - { + inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); + if (NULL == inBuffer) { AbortHttpDecode(SEC_ERROR_NO_MEMORY); } bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, ocsptimeout); - if (bytesRead > 0) - { + if (bytesRead > 0) { offset += bytesRead; - if (bytesRead < bufSizeIncrement) - { + if (bytesRead < bufSizeIncrement) { /* we read less data than requested, therefore we are at EOS or there was a read error */ EOS = PR_TRUE; } } - else - { + else { /* recv error or EOS */ EOS = PR_TRUE; } } - if (0 == offset) - { + if (0 == offset) { AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); } @@ -3354,14 +3323,13 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) * Now allocate the item to hold the data. */ result = SECITEM_AllocItem(arena, NULL, offset); - if (NULL == result) - { + if (NULL == result) { AbortHttpDecode(SEC_ERROR_NO_MEMORY); } /* * And copy the data left in the buffer. - */ + */ PORT_Memcpy(result->data, inBuffer, offset); /* and free the temporary buffer */ @@ -3378,7 +3346,7 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) /* * Limit the size of http responses we are willing to accept. */ -#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024 +#define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024 /* if (encodedRequest == NULL) * then location MUST already include the full request, @@ -3388,9 +3356,9 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) * then the request will be sent with POST */ static SECItem * -fetchOcspHttpClientV1(PLArenaPool *arena, - const SEC_HttpClientFcnV1 *hcv1, - const char *location, +fetchOcspHttpClientV1(PLArenaPool *arena, + const SEC_HttpClientFcnV1 *hcv1, + const char *location, const SECItem *encodedRequest) { char *hostname = NULL; 
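Review bot: `contentlength = atoi(value);` parses a header received from the network with no error reporting: a non-numeric value silently becomes 0, which the loop below then treats as "length unknown, read until EOS", and a negative value is accepted and only disables the `offset < contentlength` bound. Parsing with strtol and rejecting empty, trailing-garbage, negative or out-of-range values makes a malformed header fail with SEC_ERROR_OCSP_BAD_HTTP_RESPONSE like the other header checks do. It may also be worth deciding explicitly what happens when the declared length exceeds maxBufSize; as written the body is silently truncated at 8 KB and the failure only surfaces when the response is decoded later. The enclosing function body continues outside this hunk.
```c
else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
    char *end = NULL;
    long parsed = strtol(value, &end, 10);
    /* reject empty, non-numeric, trailing-garbage, negative or oversized lengths */
    if (end == value || *end != '\0' || parsed < 0 || parsed > PR_INT32_MAX) {
        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
    }
    contentlength = (PRInt32)parsed;
}
/* … unchanged: advance to next header … */
```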
@@ -3407,13 +3375,13 @@ fetchOcspHttpClientV1(PLArenaPool *arena, PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); goto loser; } - + PORT_Assert(hostname != NULL); PORT_Assert(path != NULL); if ((*hcv1->createSessionFcn)( - hostname, - port, + hostname, + port, &pServerSession) != SECSuccess) { PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); goto loser; @@ -3439,8 +3407,8 @@ fetchOcspHttpClientV1(PLArenaPool *arena, if (encodedRequest && (*hcv1->setPostDataFcn)( - pRequestSession, - (char*)encodedRequest->data, + pRequestSession, + (char *)encodedRequest->data, encodedRequest->len, "application/ocsp-request") != SECSuccess) { PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); @@ -3453,7 +3421,7 @@ fetchOcspHttpClientV1(PLArenaPool *arena, OCSP_TRACE(("OCSP trySendAndReceive %s\n", location)); if ((*hcv1->trySendAndReceiveFcn)( - pRequestSession, + pRequestSession, NULL, &myHttpResponseCode, NULL, @@ -3481,15 +3449,15 @@ fetchOcspHttpClientV1(PLArenaPool *arena, PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen); loser: - if (pRequestSession != NULL) + if (pRequestSession != NULL) (*hcv1->freeFcn)(pRequestSession); if (pServerSession != NULL) (*hcv1->freeSessionFcn)(pServerSession); if (path != NULL) - PORT_Free(path); + PORT_Free(path); if (hostname != NULL) - PORT_Free(hostname); - + PORT_Free(hostname); + return encodedResponse; } @@ -3518,7 +3486,7 @@ loser: * Additionals methods for http or other protocols might be added * in the future. * PRTime time - * Indicates the time for which the certificate status is to be + * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no other bearing on the operation. * PRBool addServiceLocator 
@@ -3546,10 +3514,10 @@ loser: */ SECItem * CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList, - const char *location, const char *method, - PRTime time, PRBool addServiceLocator, - CERTCertificate *signerCert, void *pwArg, - CERTOCSPRequest **pRequest) + const char *location, const char *method, + PRTime time, PRBool addServiceLocator, + CERTCertificate *signerCert, void *pwArg, + CERTOCSPRequest **pRequest) { CERTOCSPRequest *request; request = CERT_CreateOCSPRequest(certList, time, addServiceLocator, @@ -3571,25 +3539,25 @@ CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList, */ SECItem * CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, - const char *location, PRTime time, - PRBool addServiceLocator, - CERTCertificate *signerCert, void *pwArg, - CERTOCSPRequest **pRequest) + const char *location, PRTime time, + PRBool addServiceLocator, + CERTCertificate *signerCert, void *pwArg, + CERTOCSPRequest **pRequest) { return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location, - "POST", time, addServiceLocator, - signerCert, pwArg, pRequest); + "POST", time, addServiceLocator, + signerCert, pwArg, pRequest); } /* URL encode a buffer that consists of base64-characters, only, * which means we can use a simple encoding logic. - * + * * No output buffer size checking is performed. * You should call the function twice, to calculate the required buffer size. - * - * If the outpufBuf parameter is NULL, the function will calculate the + * + * If the outpufBuf parameter is NULL, the function will calculate the * required size, including the trailing zero termination char. - * + * * The function returns the number of bytes calculated or produced. */ size_t 
@@ -3598,44 +3566,44 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf) const char *walkInput = NULL; char *walkOutput = outputBuf; size_t count = 0; - - for (walkInput=base64Buf; *walkInput; ++walkInput) { - char c = *walkInput; - if (isspace(c)) - continue; - switch (c) { - case '+': - if (outputBuf) { - strcpy(walkOutput, "%2B"); - walkOutput += 3; - } - count += 3; - break; - case '/': - if (outputBuf) { - strcpy(walkOutput, "%2F"); - walkOutput += 3; - } - count += 3; - break; - case '=': - if (outputBuf) { - strcpy(walkOutput, "%3D"); - walkOutput += 3; - } - count += 3; - break; - default: - if (outputBuf) { - *walkOutput = *walkInput; - ++walkOutput; - } - ++count; - break; - } + + for (walkInput = base64Buf; *walkInput; ++walkInput) { + char c = *walkInput; + if (isspace(c)) + continue; + switch (c) { + case '+': + if (outputBuf) { + strcpy(walkOutput, "%2B"); + walkOutput += 3; + } + count += 3; + break; + case '/': + if (outputBuf) { + strcpy(walkOutput, "%2F"); + walkOutput += 3; + } + count += 3; + break; + case '=': + if (outputBuf) { + strcpy(walkOutput, "%3D"); + walkOutput += 3; + } + count += 3; + break; + default: + if (outputBuf) { + *walkOutput = *walkInput; + ++walkOutput; + } + ++count; + break; + } } if (outputBuf) { - *walkOutput = 0; + *walkOutput = 0; } ++count; return count; @@ -3644,15 +3612,15 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf) enum { max_get_request_size = 255 }; /* defined by RFC2560 */ static SECItem * -cert_GetOCSPResponse(PLArenaPool *arena, const char *location, +cert_GetOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest); static SECItem * ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, CERTOCSPRequest *request, const char *location, - const char *method, - PRTime time, + const char *method, + PRTime time, PRBool addServiceLocator, void *pwArg, CERTOCSPRequest **pRequest) 
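Review bot: `if (isspace(c))` passes a plain `char` to a ctype function; on platforms where char is signed, any byte above 0x7F is a negative argument, which is undefined behaviour for isspace. The input is produced by PL_Base64Encode so in practice it is ASCII, but the idiomatic form costs nothing: `if (isspace((unsigned char)c))`. The function's header and the count/output contract are in the comment just above this hunk.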
@@ -3665,13 +3633,13 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, goto loser; rv = CERT_AddOCSPAcceptableResponses(request, - SEC_OID_PKIX_OCSP_BASIC_RESPONSE); + SEC_OID_PKIX_OCSP_BASIC_RESPONSE); if (rv != SECSuccess) - goto loser; + goto loser; encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg); if (encodedRequest == NULL) - goto loser; + goto loser; if (!strcmp(method, "GET")) { encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest); @@ -3680,29 +3648,29 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest); } else { - goto loser; + goto loser; } if (encodedResponse != NULL && pRequest != NULL) { - *pRequest = request; - request = NULL; /* avoid destroying below */ + *pRequest = request; + request = NULL; /* avoid destroying below */ } loser: if (request != NULL) - CERT_DestroyOCSPRequest(request); + CERT_DestroyOCSPRequest(request); if (encodedRequest != NULL) - SECITEM_FreeItem(encodedRequest, PR_TRUE); + SECITEM_FreeItem(encodedRequest, PR_TRUE); return encodedResponse; } static SECItem * -cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, +cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest); /* using HTTP GET method */ static SECItem * -cert_GetOCSPResponse(PLArenaPool *arena, const char *location, +cert_GetOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest) { char *walkOutput = NULL; 
@@ -3710,49 +3678,50 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location, size_t pathLength; PRInt32 urlEncodedBufLength; size_t base64size; - char b64ReqBuf[max_get_request_size+1]; + char b64ReqBuf[max_get_request_size + 1]; size_t slashLengthIfNeeded = 0; size_t getURLLength; SECItem *item; if (!location || !*location) { - return NULL; + return NULL; } - + pathLength = strlen(location); - if (location[pathLength-1] != '/') { - slashLengthIfNeeded = 1; + if (location[pathLength - 1] != '/') { + slashLengthIfNeeded = 1; } - + /* Calculation as documented by PL_Base64Encode function. * Use integer conversion to avoid having to use function ceil(). */ - base64size = (((encodedRequest->len +2)/3) * 4); + base64size = (((encodedRequest->len + 2) / 3) * 4); if (base64size > max_get_request_size) { - return NULL; + return NULL; } memset(b64ReqBuf, 0, sizeof(b64ReqBuf)); - PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len, - b64ReqBuf); + PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, + b64ReqBuf); urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL); getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded; - + /* urlEncodedBufLength already contains room for the zero terminator. * Add another if we must add the '/' char. */ if (arena) { - fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength); - } else { - fullGetPath = (char*)PORT_Alloc(getURLLength); + fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength); + } + else { + fullGetPath = (char *)PORT_Alloc(getURLLength); } if (!fullGetPath) { - return NULL; + return NULL; } - + strcpy(fullGetPath, location); walkOutput = fullGetPath + pathLength; - + if (walkOutput > fullGetPath && slashLengthIfNeeded) { strcpy(walkOutput, "/"); ++walkOutput; 
@@ -3761,20 +3730,20 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location, item = cert_FetchOCSPResponse(arena, fullGetPath, NULL); if (!arena) { - PORT_Free(fullGetPath); + PORT_Free(fullGetPath); } return item; } SECItem * -CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, +CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, const SECItem *encodedRequest) { return cert_FetchOCSPResponse(arena, location, encodedRequest); } SECItem * -cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, +cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest) { const SEC_HttpClientFcn *registeredHttpClient; @@ -3784,11 +3753,12 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, if (registeredHttpClient && registeredHttpClient->version == 1) { encodedResponse = fetchOcspHttpClientV1( - arena, - ®isteredHttpClient->fcnTable.ftable1, - location, - encodedRequest); - } else { + arena, + ®isteredHttpClient->fcnTable.ftable1, + location, + encodedRequest); + } + else { /* use internal http client */ PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest); if (sock) { @@ -3801,18 +3771,18 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, } static SECItem * -ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, - CERTOCSPCertID *certID, - CERTCertificate *singleCert, +ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, + CERTOCSPCertID *certID, + CERTCertificate *singleCert, const char *location, - const char *method, - PRTime time, + const char *method, + PRTime time, PRBool addServiceLocator, void *pwArg, CERTOCSPRequest **pRequest) { CERTOCSPRequest *request; - request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, + request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, addServiceLocator, NULL); if (!request) return NULL; 
@@ -3833,29 +3803,28 @@ ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert) PRBool retval; CERTOidSequence *oidSeq = NULL; - extItem.data = NULL; rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } oidSeq = CERT_DecodeOidSequence(&extItem); - if ( oidSeq == NULL ) { - goto loser; + if (oidSeq == NULL) { + goto loser; } oids = oidSeq->oids; - while ( *oids != NULL ) { - oid = *oids; - - oidTag = SECOID_FindOIDTag(oid); - - if ( oidTag == SEC_OID_OCSP_RESPONDER ) { - goto success; - } - - oids++; + while (*oids != NULL) { + oid = *oids; + + oidTag = SECOID_FindOIDTag(oid); + + if (oidTag == SEC_OID_OCSP_RESPONDER) { + goto success; + } + + oids++; } loser: 
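Review bot: `extItem.data` is no longer set to NULL before the CERT_FindCertExtension call, yet the `done:` cleanup in the next hunk still runs `if (extItem.data != NULL) { PORT_Free(extItem.data); }`. Unless extItem is zero-initialised at its declaration, which lies outside this hunk, a lookup that fails without touching extItem now reaches PORT_Free with an indeterminate pointer. Since the rest of the commit is formatting, this looks like an accidental deletion; restore `extItem.data = NULL;` before the call. The enclosing function ocsp_CertIsOCSPDesignatedResponder starts before this hunk.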
@@ -3865,42 +3834,41 @@ loser: success: retval = PR_TRUE; done: - if ( extItem.data != NULL ) { - PORT_Free(extItem.data); + if (extItem.data != NULL) { + PORT_Free(extItem.data); } - if ( oidSeq != NULL ) { - CERT_DestroyOidSequence(oidSeq); + if (oidSeq != NULL) { + CERT_DestroyOidSequence(oidSeq); } - - return(retval); -} + return (retval); +} -#ifdef LATER /* - * XXX This function is not currently used, but will - * be needed later when we do revocation checking of - * the responder certificate. Of course, it may need - * revising then, if the cert extension interface has - * changed. (Hopefully it will!) - */ +#ifdef LATER /* + * XXX This function is not currently used, but will + * be needed later when we do revocation checking of + * the responder certificate. Of course, it may need + * revising then, if the cert extension interface has + * changed. (Hopefully it will!) + */ /* Checks a certificate to see if it has the OCSP no check extension. */ static PRBool ocsp_CertHasNoCheckExtension(CERTCertificate *cert) { SECStatus rv; - - rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, - NULL); + + rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, + NULL); if (rv == SECSuccess) { - return PR_TRUE; + return PR_TRUE; } return PR_FALSE; } -#endif /* LATER */ +#endif /* LATER */ static PRBool -ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert) +ocsp_matchcert(SECItem *certIndex, CERTCertificate *testCert) { SECItem item; unsigned char buf[HASH_LENGTH_MAX]; 
@@ -3908,33 +3876,33 @@ ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert) item.data = buf; item.len = SHA1_LENGTH; - if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1, - &item) == NULL) { - return PR_FALSE; + if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_SHA1, + &item) == NULL) { + return PR_FALSE; } - if (SECITEM_ItemsAreEqual(certIndex,&item)) { - return PR_TRUE; + if (SECITEM_ItemsAreEqual(certIndex, &item)) { + return PR_TRUE; } - if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5, - &item) == NULL) { - return PR_FALSE; + if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD5, + &item) == NULL) { + return PR_FALSE; } - if (SECITEM_ItemsAreEqual(certIndex,&item)) { - return PR_TRUE; + if (SECITEM_ItemsAreEqual(certIndex, &item)) { + return PR_TRUE; } - if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2, - &item) == NULL) { - return PR_FALSE; + if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD2, + &item) == NULL) { + return PR_FALSE; } - if (SECITEM_ItemsAreEqual(certIndex,&item)) { - return PR_TRUE; + if (SECITEM_ItemsAreEqual(certIndex, &item)) { + return PR_TRUE; } return PR_FALSE; } static CERTCertificate * -ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID); +ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID); CERTCertificate * ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, 
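Review bot: ocsp_matchcert accepts a responder key hash that matches the SHA-1, MD5 or MD2 digest of the candidate's subject public key, and nothing in the function says why the two legacy algorithms are still tried; RFC 6960 defines KeyHash as SHA-1 only. A short comment above the MD5 branch such as `/* MD5 and MD2 are tried for compatibility with pre-RFC responders; the signature check still binds the selected cert */` would stop the next reader from assuming these are required, and makes it easier to drop them deliberately later. This is a documentation point only; the function starts in the previous hunk.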
@@ -3949,19 +3917,19 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, PORT_Assert(tbsData->responderID != NULL); switch (tbsData->responderID->responderIDType) { - case ocspResponderID_byName: - lookupByName = PR_TRUE; - certIndex = &tbsData->derResponderID; - break; - case ocspResponderID_byKey: - lookupByName = PR_FALSE; - certIndex = &tbsData->responderID->responderIDValue.keyHash; - break; - case ocspResponderID_other: - default: - PORT_Assert(0); - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - return NULL; + case ocspResponderID_byName: + lookupByName = PR_TRUE; + certIndex = &tbsData->derResponderID; + break; + case ocspResponderID_byKey: + lookupByName = PR_FALSE; + certIndex = &tbsData->responderID->responderIDValue.keyHash; + break; + case ocspResponderID_other: + default: + PORT_Assert(0); + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + return NULL; } /* @@ -3972,14 +3940,14 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, * to be destroyed. */ if (signature->derCerts != NULL) { - for (; signature->derCerts[certCount] != NULL; certCount++) { - /* just counting */ - } - rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount, - signature->derCerts, &certs, - PR_FALSE, PR_FALSE, NULL); - if (rv != SECSuccess) - goto finish; + for (; signature->derCerts[certCount] != NULL; certCount++) { + /* just counting */ + } + rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount, + signature->derCerts, &certs, + PR_FALSE, PR_FALSE, NULL); + if (rv != SECSuccess) + goto finish; } /* 
@@ -3987,51 +3955,54 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, * The signer can be specified either by name or by key hash. */ if (lookupByName) { - SECItem *crIndex = (SECItem*)certIndex; - SECItem encodedName; - PLArenaPool *arena; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena != NULL) { - - rv = SEC_QuickDERDecodeItem(arena, &encodedName, - ocsp_ResponderIDDerNameTemplate, - crIndex); - if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_BAD_DER) - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - } else { - signerCert = CERT_FindCertByName(handle, &encodedName); - } - PORT_FreeArena(arena, PR_FALSE); - } - } else { - /* - * The signer is either 1) a known issuer CA we passed in, - * 2) the default OCSP responder, or 3) an intermediate CA - * passed in the cert list to use. Figure out which it is. - */ - int i; - CERTCertificate *responder = + SECItem *crIndex = (SECItem *)certIndex; + SECItem encodedName; + PLArenaPool *arena; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena != NULL) { + + rv = SEC_QuickDERDecodeItem(arena, &encodedName, + ocsp_ResponderIDDerNameTemplate, + crIndex); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_BAD_DER) + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + } + else { + signerCert = CERT_FindCertByName(handle, &encodedName); + } + PORT_FreeArena(arena, PR_FALSE); + } + } + else { + /* + * The signer is either 1) a known issuer CA we passed in, + * 2) the default OCSP responder, or 3) an intermediate CA + * passed in the cert list to use. Figure out which it is. 
+ */ + int i; + CERTCertificate *responder = ocsp_CertGetDefaultResponder(handle, NULL); - if (responder && ocsp_matchcert(certIndex,responder)) { - signerCert = CERT_DupCertificate(responder); - } else if (issuer && ocsp_matchcert(certIndex,issuer)) { - signerCert = CERT_DupCertificate(issuer); - } - for (i=0; (signerCert == NULL) && (i < certCount); i++) { - if (ocsp_matchcert(certIndex,certs[i])) { - signerCert = CERT_DupCertificate(certs[i]); - } - } - if (signerCert == NULL) { - PORT_SetError(SEC_ERROR_UNKNOWN_CERT); - } + if (responder && ocsp_matchcert(certIndex, responder)) { + signerCert = CERT_DupCertificate(responder); + } + else if (issuer && ocsp_matchcert(certIndex, issuer)) { + signerCert = CERT_DupCertificate(issuer); + } + for (i = 0; (signerCert == NULL) && (i < certCount); i++) { + if (ocsp_matchcert(certIndex, certs[i])) { + signerCert = CERT_DupCertificate(certs[i]); + } + } + if (signerCert == NULL) { + PORT_SetError(SEC_ERROR_UNKNOWN_CERT); + } } finish: if (certs != NULL) { - CERT_DestroyCertArray(certs, certCount); + CERT_DestroyCertArray(certs, certCount); } return signerCert; @@ -4067,7 +4038,7 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); if (rv != SECSuccess && - (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || + (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); } @@ -4079,7 +4050,6 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, return rv; } - /* * FUNCTION: CERT_VerifyOCSPResponseSignature * Check the signature on an OCSP Response. Will also perform a 
@@ -4110,10 +4080,10 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, * verifying the signer's cert, or low-level problems (no memory, etc.) */ SECStatus -CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, - CERTCertDBHandle *handle, void *pwArg, - CERTCertificate **pSignerCert, - CERTCertificate *issuer) +CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, + CERTCertDBHandle *handle, void *pwArg, + CERTCertificate **pSignerCert, + CERTCertificate *issuer) { SECItem *tbsResponseDataDER; CERTCertificate *signerCert = NULL; @@ -4138,24 +4108,25 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, * return the cached result. */ if (signature->wasChecked) { - if (signature->status == SECSuccess) { - if (pSignerCert != NULL) - *pSignerCert = CERT_DupCertificate(signature->cert); - } else { - PORT_SetError(signature->failureReason); - } - return signature->status; + if (signature->status == SECSuccess) { + if (pSignerCert != NULL) + *pSignerCert = CERT_DupCertificate(signature->cert); + } + else { + PORT_SetError(signature->failureReason); + } + return signature->status; } signerCert = ocsp_GetSignerCertificate(handle, tbsData, signature, issuer); if (signerCert == NULL) { - rv = SECFailure; - if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) { - /* Make the error a little more specific. */ - PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); - } - goto finish; + rv = SECFailure; + if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) { + /* Make the error a little more specific. */ + PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); + } + goto finish; } /* 
@@ -4182,11 +4153,13 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, */ if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) { rv = SECSuccess; - } else { + } + else { SECCertUsage certUsage; if (CERT_IsCACert(signerCert, NULL)) { certUsage = certUsageAnyCA; - } else { + } + else { certUsage = certUsageStatusResponder; } rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage, @@ -4204,24 +4177,25 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, finish: if (signature->wasChecked) - signature->status = rv; + signature->status = rv; if (rv != SECSuccess) { - signature->failureReason = PORT_GetError(); - if (signerCert != NULL) - CERT_DestroyCertificate(signerCert); - } else { - /* - * Save signer's certificate in signature. - */ - signature->cert = signerCert; - if (pSignerCert != NULL) { - /* - * Pass pointer to signer's certificate back to our caller, - * who is also now responsible for destroying it. - */ - *pSignerCert = CERT_DupCertificate(signerCert); - } + signature->failureReason = PORT_GetError(); + if (signerCert != NULL) + CERT_DestroyCertificate(signerCert); + } + else { + /* + * Save signer's certificate in signature. + */ + signature->cert = signerCert; + if (pSignerCert != NULL) { + /* + * Pass pointer to signer's certificate back to our caller, + * who is also now responsible for destroying it. + */ + *pSignerCert = CERT_DupCertificate(signerCert); + } } return rv; @@ -4234,7 +4208,7 @@ finish: */ static PRBool ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, - CERTOCSPCertID *responseCertID) + CERTOCSPCertID *responseCertID) { PRBool match = PR_FALSE; SECOidTag hashAlg; @@ -4248,8 +4222,8 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, * We just compare the easier things first. */ if (SECITEM_CompareItem(&requestCertID->serialNumber, - &responseCertID->serialNumber) != SECEqual) { - goto done; + &responseCertID->serialNumber) != SECEqual) { + goto done; } /* 
@@ -4257,48 +4231,49 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, * requestCertID->hashAlgorithm, we don't need to check it. */ if (responseCertID->hashAlgorithm.parameters.len > 2) { - goto done; + goto done; } if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm, - &responseCertID->hashAlgorithm.algorithm) == SECEqual) { - /* - * If the hash algorithms match then we can do a simple compare - * of the hash values themselves. - */ - if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, - &responseCertID->issuerNameHash) == SECEqual) - && (SECITEM_CompareItem(&requestCertID->issuerKeyHash, - &responseCertID->issuerKeyHash) == SECEqual)) { - match = PR_TRUE; - } - goto done; + &responseCertID->hashAlgorithm.algorithm) == + SECEqual) { + /* + * If the hash algorithms match then we can do a simple compare + * of the hash values themselves. + */ + if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, + &responseCertID->issuerNameHash) == SECEqual) && + (SECITEM_CompareItem(&requestCertID->issuerKeyHash, + &responseCertID->issuerKeyHash) == SECEqual)) { + match = PR_TRUE; + } + goto done; } hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm); switch (hashAlg) { - case SEC_OID_SHA1: - keyHash = &requestCertID->issuerSHA1KeyHash; - nameHash = &requestCertID->issuerSHA1NameHash; - break; - case SEC_OID_MD5: - keyHash = &requestCertID->issuerMD5KeyHash; - nameHash = &requestCertID->issuerMD5NameHash; - break; - case SEC_OID_MD2: - keyHash = &requestCertID->issuerMD2KeyHash; - nameHash = &requestCertID->issuerMD2NameHash; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return PR_FALSE; - } - - if ((keyHash != NULL) - && (SECITEM_CompareItem(nameHash, - &responseCertID->issuerNameHash) == SECEqual) - && (SECITEM_CompareItem(keyHash, - &responseCertID->issuerKeyHash) == SECEqual)) { - match = PR_TRUE; + case SEC_OID_SHA1: + keyHash = &requestCertID->issuerSHA1KeyHash; + nameHash = &requestCertID->issuerSHA1NameHash; 
+ break; + case SEC_OID_MD5: + keyHash = &requestCertID->issuerMD5KeyHash; + nameHash = &requestCertID->issuerMD5NameHash; + break; + case SEC_OID_MD2: + keyHash = &requestCertID->issuerMD2KeyHash; + nameHash = &requestCertID->issuerMD2NameHash; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return PR_FALSE; + } + + if ((keyHash != NULL) && + (SECITEM_CompareItem(nameHash, + &responseCertID->issuerNameHash) == SECEqual) && + (SECITEM_CompareItem(keyHash, + &responseCertID->issuerKeyHash) == SECEqual)) { + match = PR_TRUE; } done: @@ -4313,27 +4288,27 @@ done: */ static CERTOCSPSingleResponse * ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses, - CERTCertDBHandle *handle, - CERTOCSPCertID *certID) + CERTCertDBHandle *handle, + CERTOCSPCertID *certID) { CERTOCSPSingleResponse *single; int i; if (responses == NULL) - return NULL; + return NULL; for (i = 0; responses[i] != NULL; i++) { - single = responses[i]; - if (ocsp_CertIDsMatch(certID, single->certID)) { - return single; - } + single = responses[i]; + if (ocsp_CertIDsMatch(certID, single->certID)) { + return single; + } } /* * The OCSP server should have included a response even if it knew * nothing about the certificate in question. Since it did not, * this will make it look as if it had. - * + * * XXX Should we make this a separate error to notice the server's * bad behavior? */ 
@@ -4349,19 +4324,19 @@ ocsp_GetCheckingContext(CERTCertDBHandle *handle) statusConfig = CERT_GetStatusConfig(handle); if (statusConfig != NULL) { - ocspcx = statusConfig->statusContext; + ocspcx = statusConfig->statusContext; - /* - * This is actually an internal error, because we should never - * have a good statusConfig without a good statusContext, too. - * For lack of anything better, though, we just assert and use - * the same error as if there were no statusConfig (set below). - */ - PORT_Assert(ocspcx != NULL); + /* + * This is actually an internal error, because we should never + * have a good statusConfig without a good statusContext, too. + * For lack of anything better, though, we just assert and use + * the same error as if there were no statusConfig (set below). + */ + PORT_Assert(ocspcx != NULL); } if (ocspcx == NULL) - PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); + PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); return ocspcx; } 
@@ -4377,19 +4352,19 @@ ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID) ocspcx = ocsp_GetCheckingContext(handle); if (ocspcx == NULL) - goto loser; - - /* - * Right now we have only one default responder. It applies to - * all certs when it is used, so the check is simple and certID - * has no bearing on the answer. Someday in the future we may - * allow configuration of different responders for different - * issuers, and then we would have to use the issuer specified - * in certID to determine if signerCert is the right one. - */ + goto loser; + + /* + * Right now we have only one default responder. It applies to + * all certs when it is used, so the check is simple and certID + * has no bearing on the answer. Someday in the future we may + * allow configuration of different responders for different + * issuers, and then we would have to use the issuer specified + * in certID to determine if signerCert is the right one. + */ if (ocspcx->useDefaultResponder) { - PORT_Assert(ocspcx->defaultResponderCert != NULL); - return ocspcx->defaultResponderCert; + PORT_Assert(ocspcx->defaultResponderCert != NULL); + return ocspcx->defaultResponderCert; } loser: 
@@ -4407,19 +4382,19 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert) ocspcx = ocsp_GetCheckingContext(handle); if (ocspcx == NULL) - return PR_FALSE; - - /* - * Right now we have only one default responder. It applies to - * all certs when it is used, so the check is simple and certID - * has no bearing on the answer. Someday in the future we may - * allow configuration of different responders for different - * issuers, and then we would have to use the issuer specified - * in certID to determine if signerCert is the right one. - */ + return PR_FALSE; + + /* + * Right now we have only one default responder. It applies to + * all certs when it is used, so the check is simple and certID + * has no bearing on the answer. Someday in the future we may + * allow configuration of different responders for different + * issuers, and then we would have to use the issuer specified + * in certID to determine if signerCert is the right one. + */ if (ocspcx->useDefaultResponder && CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) { - return PR_TRUE; + return PR_TRUE; } return PR_FALSE; @@ -4444,9 +4419,9 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert) */ static PRBool ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, - CERTCertificate *signerCert, - CERTOCSPCertID *certID, - PRTime thisUpdate) + CERTCertificate *signerCert, + CERTOCSPCertID *certID, + PRTime thisUpdate) { CERTCertificate *issuerCert = NULL, *defRespCert; SECItem *keyHash = NULL; @@ -4490,7 +4465,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, nameHashEQ = (SECITEM_CompareItem(nameHash, &certID->issuerNameHash) == SECEqual); - + SECITEM_FreeItem(nameHash, PR_TRUE); if (nameHashEQ) { /* The issuer of the cert is the the signer of the response */ @@ -4498,7 +4473,6 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, } } - keyHashEQ = PR_FALSE; nameHashEQ = PR_FALSE; 
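Review bot: The block comment reindented in ocsp_CertIsOCSPDefaultResponder (hunk @@ -4407) talks about `certID` and `signerCert`, which are not parameters of this function (it takes `handle` and `cert`); the text appears to be a copy of the comment in ocsp_CertGetDefaultResponder just above. Since the check actually made is `CERT_CompareCerts(ocspcx->defaultResponderCert, cert)`, the last sentence could read `* issuers, and then we would have to look at the issuer of cert` / `* to determine whether cert is the right responder.` and the "certID has no bearing" sentence can be dropped. The function's opening lines are outside the hunk.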
@@ -4529,7 +4503,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, CERT_DestroyCertificate(issuerCert); if (keyHash != NULL && nameHash != NULL) { - keyHashEQ = + keyHashEQ = (SECITEM_CompareItem(keyHash, &certID->issuerKeyHash) == SECEqual); @@ -4565,7 +4539,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, * want something from within the last 24 hours. This macro defines that * number in seconds. */ -#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L) +#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L) static PRBool ocsp_TimeIsRecent(PRTime checkTime) @@ -4575,19 +4549,19 @@ ocsp_TimeIsRecent(PRTime checkTime) LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS); LL_I2L(tmp, PR_USEC_PER_SEC); - LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */ + LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */ LL_ADD(checkTime, checkTime, lapse); if (LL_CMP(now, >, checkTime)) - return PR_FALSE; + return PR_FALSE; return PR_TRUE; } -#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes - in the future by default */ +#define OCSP_SLOP (5L * 60L) /* OCSP responses are allowed to be 5 minutes \ + in the future by default */ -static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */ +static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */ /* * If an old response contains the revoked certificate status, we want @@ -4610,7 +4584,6 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time) */ return SECSuccess; } - } PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE); return SECFailure; 
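Review bot: The reflowed `#define OCSP_SLOP` in hunk @@ -4575 now ends its first line with a backslash inside the block comment, so the two comment lines are held together only by a line continuation; that is legal (line splicing happens before comments are recognised) but it reads as if the macro body spanned two lines and will shift again on the next reformat. Putting the comment on its own line above the macro removes the continuation: `/* OCSP responses are allowed to be 5 minutes in the future by default */` followed by `#define OCSP_SLOP (5L * 60L)`. Everything else in this hunk is whitespace.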
@@ -4638,19 +4611,19 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time) * SEC_ERROR_OCSP_OLD_RESPONSE * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE * Other errors are low-level problems (no memory, bad database, etc.). - */ + */ static SECStatus ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, - CERTCertDBHandle *handle, - CERTCertificate *signerCert, - PRTime producedAt) + CERTCertDBHandle *handle, + CERTCertificate *signerCert, + PRTime producedAt) { CERTOCSPCertID *certID = single->certID; PRTime now, thisUpdate, nextUpdate, tmstamp, tmp; SECStatus rv; - OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n", - ((single->nextUpdate) != 0))); + OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n", + ((single->nextUpdate) != 0))); /* * If all the responder said was that the given cert was unknown to it, * that is a valid response. Not very interesting to us, of course, @@ -4659,7 +4632,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, */ PORT_Assert(single->certStatus != NULL); if (single->certStatus->certStatusType == ocspCertStatus_unknown) - return SECSuccess; + return SECSuccess; /* * We need to extract "thisUpdate" for use below and to pass along @@ -4668,14 +4641,14 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, */ rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); if (rv != SECSuccess) - return rv; + return rv; /* * First confirm that signerCert is authorized to give this status. */ if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID, - thisUpdate) != PR_TRUE) - return SECFailure; + thisUpdate) != PR_TRUE) + return SECFailure; /* * Now check the time stuff, as described above. 
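Review bot: In ocsp_VerifySingleResponse (hunk @@ -4659) the early `return SECSuccess` for `ocspCertStatus_unknown` comes before the ocsp_AuthorizedResponderForCertID and time checks further down, so an "unknown" answer is reported as verified regardless of who signed it or how old it is. ocsp_CertHasGoodStatus later turns unknown into SEC_ERROR_OCSP_UNKNOWN_CERT, so this cannot produce a good status, but such a response appears to be cacheable through the POST path, which caches regardless of status. The comment above the return could record that trade-off, e.g. `/* "unknown" asserts nothing about the cert, so responder authorization and freshness are not checked; it can never yield a good status */`. The enclosing function starts and ends outside this hunk.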
@@ -4688,25 +4661,25 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, LL_ADD(tmstamp, tmp, now); /* add current time to it */ if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) { - PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); - return SECFailure; + PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); + return SECFailure; } if (single->nextUpdate != NULL) { - rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate); - if (rv != SECSuccess) - return rv; + rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate); + if (rv != SECSuccess) + return rv; - LL_ADD(tmp, tmp, nextUpdate); - if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) - return ocsp_HandleOldSingleResponse(single, now); - } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) { - return ocsp_HandleOldSingleResponse(single, now); + LL_ADD(tmp, tmp, nextUpdate); + if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) + return ocsp_HandleOldSingleResponse(single, now); + } + else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) { + return ocsp_HandleOldSingleResponse(single, now); } return SECSuccess; } - /* * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation * Get the value of the URI of the OCSP responder for the given cert. @@ -4721,7 +4694,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, * extension is not present or it does not contain an entry for OCSP, * SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned. * Any other error will also result in a NULL being returned. - * + * * This result should be freed (via PORT_Free) when no longer in use. */ char * 
@@ -4743,13 +4716,13 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) */ encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0); if (encodedAuthInfoAccess == NULL) - goto loser; + goto loser; rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, - encodedAuthInfoAccess); + encodedAuthInfoAccess); if (rv == SECFailure) { - PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - goto loser; + PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + goto loser; } /* @@ -4760,16 +4733,16 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) - goto loser; + goto loser; authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena, - encodedAuthInfoAccess); + encodedAuthInfoAccess); if (authInfoAccess == NULL) - goto loser; + goto loser; for (i = 0; authInfoAccess[i] != NULL; i++) { - if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP) - locname = authInfoAccess[i]->location; + if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP) + locname = authInfoAccess[i]->location; } /* @@ -4780,8 +4753,8 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) * not there at all. */ if (locname == NULL) { - PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - goto loser; + PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + goto loser; } /* 
@@ -4790,15 +4763,15 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) */ location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE); if (location == NULL) { - /* - * XXX Appears that CERT_GetGeneralNameByType does not set an - * error if there is no name by that type. For lack of anything - * better, act as if the extension was not found. In the future - * this should probably be something more like the extension was - * badly formed. - */ - PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - goto loser; + /* + * XXX Appears that CERT_GetGeneralNameByType does not set an + * error if there is no name by that type. For lack of anything + * better, act as if the extension was not found. In the future + * this should probably be something more like the extension was + * badly formed. + */ + PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + goto loser; } /* @@ -4809,22 +4782,21 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) */ locURI = PORT_Alloc(location->len + 1); if (locURI == NULL) { - goto loser; + goto loser; } PORT_Memcpy(locURI, location->data, location->len); locURI[location->len] = '\0'; loser: if (arena != NULL) - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); if (encodedAuthInfoAccess != NULL) - SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); + SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); return locURI; } - /* * Figure out where we should go to find out the status of the given cert * via OCSP. If allowed to use a default responder uri and a default @@ -4840,7 +4812,7 @@ loser: */ char * ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool canUseDefault, PRBool *isDefault) + PRBool canUseDefault, PRBool *isDefault) { ocspCheckingContext *ocspcx = NULL; char *ocspUrl = NULL; 
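Review bot: The URI copy at the end of CERT_GetOCSPAuthorityInfoAccessLocation (hunk @@ -4809) takes `location->len` bytes from the certificate extension verbatim and appends a NUL; nothing rejects an embedded NUL inside the extension data, so such a value would be silently shortened as soon as a caller treats the result as a C string. Rejecting it up front is one line placed before the `PORT_Alloc`: `if (memchr(location->data, '\0', location->len) != NULL) { PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); goto loser; }` (locURI is presumably initialised to NULL at the top of the function, which is outside the hunk — confirm). Whether any caller is affected by a truncated URI is not visible here, so this is hardening rather than a known fault.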
@@ -4849,15 +4821,15 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, ocspcx = ocsp_GetCheckingContext(handle); } if (ocspcx != NULL && ocspcx->useDefaultResponder) { - /* - * A default responder wins out, if specified. - * XXX Someday this may be a more complicated determination based - * on the cert's issuer. (That is, we could have different default - * responders configured for different issuers.) - */ - PORT_Assert(ocspcx->defaultResponderURI != NULL); - *isDefault = PR_TRUE; - return (PORT_Strdup(ocspcx->defaultResponderURI)); + /* + * A default responder wins out, if specified. + * XXX Someday this may be a more complicated determination based + * on the cert's issuer. (That is, we could have different default + * responders configured for different issuers.) + */ + PORT_Assert(ocspcx->defaultResponderURI != NULL); + *isDefault = PR_TRUE; + return (PORT_Strdup(ocspcx->defaultResponderURI)); } /* @@ -4867,16 +4839,16 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, *isDefault = PR_FALSE; ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert); if (!ocspUrl) { - CERT_StringFromCertFcn altFcn; + CERT_StringFromCertFcn altFcn; - PR_EnterMonitor(OCSP_Global.monitor); - altFcn = OCSP_Global.alternateOCSPAIAFcn; - PR_ExitMonitor(OCSP_Global.monitor); - if (altFcn) { - ocspUrl = (*altFcn)(cert); - if (ocspUrl) - *isDefault = PR_TRUE; - } + PR_EnterMonitor(OCSP_Global.monitor); + altFcn = OCSP_Global.alternateOCSPAIAFcn; + PR_ExitMonitor(OCSP_Global.monitor); + if (altFcn) { + ocspUrl = (*altFcn)(cert); + if (ocspUrl) + *isDefault = PR_TRUE; + } } return ocspUrl; } @@ -4893,7 +4865,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time) rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime); if (rv != SECSuccess) - return rv; + return rv; /* * Set the error even if we will return success; someone might care. 
@@ -4901,7 +4873,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time) PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); if (LL_CMP(revokedTime, >, time)) - return SECSuccess; + return SECSuccess; return SECFailure; } @@ -4915,28 +4887,28 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time) { SECStatus rv; switch (status->certStatusType) { - case ocspCertStatus_good: - rv = SECSuccess; - break; - case ocspCertStatus_revoked: - rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); - break; - case ocspCertStatus_unknown: - PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); - rv = SECFailure; - break; - case ocspCertStatus_other: - default: - PORT_Assert(0); - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); - rv = SECFailure; - break; + case ocspCertStatus_good: + rv = SECSuccess; + break; + case ocspCertStatus_revoked: + rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); + break; + case ocspCertStatus_unknown: + PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); + rv = SECFailure; + break; + case ocspCertStatus_other: + default: + PORT_Assert(0); + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); + rv = SECFailure; + break; } return rv; } static SECStatus -ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, +ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, PRTime time) { return ocsp_CertHasGoodStatus(single->certStatus, time); @@ -4963,7 +4935,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, OCSPFreshness *cacheFreshness) { OCSPCacheItem *cacheItem = NULL; - + if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; @@ -4971,7 +4943,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, *rvOcsp = SECFailure; *missingResponseError = 0; *cacheFreshness = ocspMissing; - + PR_EnterMonitor(OCSP_Global.monitor); cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID); if (cacheItem) { 
@@ -4983,16 +4955,17 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, if (*rvOcsp != SECSuccess) { *missingResponseError = PORT_GetError(); } - } else { + } + else { /* * No status cached, the previous attempt failed. - * If OCSP is required, we never decide based on a failed attempt + * If OCSP is required, we never decide based on a failed attempt * However, if OCSP is optional, a recent OCSP failure is * an allowed good state. */ if (*cacheFreshness == ocspFresh && !ignoreGlobalOcspFailureSetting && - OCSP_Global.ocspFailureMode == + OCSP_Global.ocspFailureMode == ocspMode_FailureIsNotAVerificationFailure) { *rvOcsp = SECSuccess; } @@ -5064,10 +5037,10 @@ ocsp_FetchingFailureIsVerificationFailure(void) * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when * verifying the signer's cert, or low-level problems (error allocating * memory, error performing ASN.1 decoding, etc.). - */ -SECStatus + */ +SECStatus CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, - PRTime time, void *pwArg) + PRTime time, void *pwArg) { CERTOCSPCertID *certID; PRBool certIDWasConsumed = PR_FALSE; @@ -5075,10 +5048,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, SECStatus rvOcsp; SECErrorCodes cachedErrorCode; OCSPFreshness cachedResponseFreshness; - + OCSP_TRACE_CERT(cert); OCSP_TRACE_TIME("## requested validity time:", time); - + certID = CERT_CreateOCSPCertID(cert, time); if (!certID) return SECFailure; 
@@ -5098,16 +5071,17 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, } rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, - &certIDWasConsumed, + &certIDWasConsumed, &rvOcsp); if (rv != SECSuccess) { PRErrorCode err = PORT_GetError(); if (ocsp_FetchingFailureIsVerificationFailure()) { PORT_SetError(err); rvOcsp = SECFailure; - } else if (cachedResponseFreshness == ocspStale && - (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT || - cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) { + } + else if (cachedResponseFreshness == ocspStale && + (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT || + cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) { /* If we couldn't get a response for a certificate that the OCSP * responder previously told us was bad, then assume it is still * bad until we hear otherwise, as it is very unlikely that the @@ -5117,7 +5091,8 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, */ PORT_SetError(cachedErrorCode); rvOcsp = SECFailure; - } else { + } + else { rvOcsp = SECSuccess; } } @@ -5157,10 +5132,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, */ SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, - CERTCertificate *cert, - PRTime time, - const SECItem *encodedResponse, - void *pwArg) + CERTCertificate *cert, + PRTime time, + const SECItem *encodedResponse, + void *pwArg) { CERTOCSPCertID *certID = NULL; PRBool certIDWasConsumed = PR_FALSE; 
@@ -5235,17 +5210,17 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, * ocsp_CacheSingleResponse. */ rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert, - time, pwArg, - encodedResponse, - &decodedResponse, - &singleResponse); + time, pwArg, + encodedResponse, + &decodedResponse, + &singleResponse); if (rv == SECSuccess) { - rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); - /* Cache any valid singleResponse, regardless of status. */ - ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed); + rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); + /* Cache any valid singleResponse, regardless of status. */ + ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed); } if (decodedResponse) { - CERT_DestroyOCSPResponse(decodedResponse); + CERT_DestroyOCSPResponse(decodedResponse); } if (!certIDWasConsumed) { CERT_DestroyOCSPCertID(certID); @@ -5254,13 +5229,13 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, } /* - * Status in *certIDWasConsumed will always be correct, regardless of + * Status in *certIDWasConsumed will always be correct, regardless of * return value. */ static SECStatus -ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, - CERTOCSPCertID *certID, - CERTCertificate *cert, +ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, + CERTOCSPCertID *certID, + CERTCertificate *cert, PRTime time, void *pwArg, PRBool *certIDWasConsumed, @@ -5274,7 +5249,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, CERTOCSPResponse *decodedResponse = NULL; CERTOCSPSingleResponse *singleResponse = NULL; - enum { stageGET, stagePOST } currentStage; + enum { stageGET, + stagePOST } currentStage; PRBool retry = PR_FALSE; if (!certIDWasConsumed || !rv_ocsp) { 
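Review bot: The reformatted local enum in hunk @@ -5274 now reads `enum { stageGET,` / `stagePOST } currentStage;`, which is harder to read than the original one-liner and looks like a clang-format artifact for an anonymous enum attached to a declarator rather than a deliberate layout. Keeping the original `enum { stageGET, stagePOST } currentStage;` between a `/* clang-format off */` and `/* clang-format on */` pair preserves the intent without fighting the formatter on every run. The enclosing function continues past the hunk.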
@@ -5291,7 +5267,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, PR_EnterMonitor(OCSP_Global.monitor); if (OCSP_Global.forcePost) { currentStage = stagePOST; - } else { + } + else { currentStage = stageGET; } PR_ExitMonitor(OCSP_Global.monitor); @@ -5310,14 +5287,14 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, location = ocsp_GetResponderLocation(handle, cert, PR_TRUE, &locationIsDefault); if (location == NULL) { - int err = PORT_GetError(); - if (err == SEC_ERROR_EXTENSION_NOT_FOUND || - err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { - PORT_SetError(0); - *rv_ocsp = SECSuccess; - return SECSuccess; - } - return SECFailure; + int err = PORT_GetError(); + if (err == SEC_ERROR_EXTENSION_NOT_FOUND || + err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { + PORT_SetError(0); + *rv_ocsp = SECSuccess; + return SECSuccess; + } + return SECFailure; } /* 
@@ -5343,75 +5320,79 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, */ do { - const char *method; - PRBool validResponseWithAccurateInfo = PR_FALSE; - retry = PR_FALSE; - *rv_ocsp = SECFailure; - - if (currentStage == stageGET) { - method = "GET"; - } else { - PORT_Assert(currentStage == stagePOST); - method = "POST"; - } - - encodedResponse = - ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, - location, method, - time, locationIsDefault, - pwArg, &request); - - if (encodedResponse) { - rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert, - time, pwArg, - encodedResponse, - &decodedResponse, - &singleResponse); - if (rv == SECSuccess) { - switch (singleResponse->certStatus->certStatusType) { - case ocspCertStatus_good: - case ocspCertStatus_revoked: - validResponseWithAccurateInfo = PR_TRUE; - break; - default: - break; - } - *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); - } - } - - if (currentStage == stageGET) { - /* only accept GET response if good or revoked */ - if (validResponseWithAccurateInfo) { - ocsp_CacheSingleResponse(certID, singleResponse, - certIDWasConsumed); - } else { - retry = PR_TRUE; - currentStage = stagePOST; - } - } else { - /* cache the POST respone, regardless of status */ - if (!singleResponse) { - cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed); - } else { - ocsp_CacheSingleResponse(certID, singleResponse, - certIDWasConsumed); - } - } - - if (encodedResponse) { - SECITEM_FreeItem(encodedResponse, PR_TRUE); - encodedResponse = NULL; - } - if (request) { - CERT_DestroyOCSPRequest(request); - request = NULL; - } - if (decodedResponse) { - CERT_DestroyOCSPResponse(decodedResponse); - decodedResponse = NULL; - } - singleResponse = NULL; + const char *method; + PRBool validResponseWithAccurateInfo = PR_FALSE; + retry = PR_FALSE; + *rv_ocsp = SECFailure; + + if (currentStage == stageGET) { + method = "GET"; + } + else { + PORT_Assert(currentStage == stagePOST); + 
method = "POST"; + } + + encodedResponse = + ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, + location, method, + time, locationIsDefault, + pwArg, &request); + + if (encodedResponse) { + rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert, + time, pwArg, + encodedResponse, + &decodedResponse, + &singleResponse); + if (rv == SECSuccess) { + switch (singleResponse->certStatus->certStatusType) { + case ocspCertStatus_good: + case ocspCertStatus_revoked: + validResponseWithAccurateInfo = PR_TRUE; + break; + default: + break; + } + *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); + } + } + + if (currentStage == stageGET) { + /* only accept GET response if good or revoked */ + if (validResponseWithAccurateInfo) { + ocsp_CacheSingleResponse(certID, singleResponse, + certIDWasConsumed); + } + else { + retry = PR_TRUE; + currentStage = stagePOST; + } + } + else { + /* cache the POST respone, regardless of status */ + if (!singleResponse) { + cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed); + } + else { + ocsp_CacheSingleResponse(certID, singleResponse, + certIDWasConsumed); + } + } + + if (encodedResponse) { + SECITEM_FreeItem(encodedResponse, PR_TRUE); + encodedResponse = NULL; + } + if (request) { + CERT_DestroyOCSPRequest(request); + request = NULL; + } + if (decodedResponse) { + CERT_DestroyOCSPResponse(decodedResponse); + decodedResponse = NULL; + } + singleResponse = NULL; } while (retry); 
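Review bot: The comment `/* cache the POST respone, regardless of status */` in the retry loop (hunk @@ -5343) carries a typo; it should read `/* cache the POST response, regardless of status */`. The GET branch comment could also say why a non-conclusive GET answer is not cached, since that is what the `retry = PR_TRUE; currentStage = stagePOST;` lines implement: `/* only accept GET response if good or revoked; anything else is not cached and is retried via POST */`. The enclosing function starts before the hunk and its cleanup after the loop is outside it.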
@@ -5454,25 +5435,25 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, */ static SECStatus ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, - CERTOCSPCertID *certID, - CERTCertificate *cert, - PRTime time, - void *pwArg, - const SECItem *encodedResponse, - CERTOCSPResponse **pDecodedResponse, - CERTOCSPSingleResponse **pSingle) + CERTOCSPCertID *certID, + CERTCertificate *cert, + PRTime time, + void *pwArg, + const SECItem *encodedResponse, + CERTOCSPResponse **pDecodedResponse, + CERTOCSPSingleResponse **pSingle) { CERTCertificate *signerCert = NULL; CERTCertificate *issuerCert = NULL; SECStatus rv = SECFailure; if (!pSingle || !pDecodedResponse) { - return SECFailure; + return SECFailure; } *pSingle = NULL; *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse); if (!*pDecodedResponse) { - return SECFailure; + return SECFailure; } /* @@ -5485,7 +5466,7 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, * in the response. */ if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) { - goto loser; + goto loser; } /* 
@@ -5496,32 +5477,32 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg, &signerCert, issuerCert); if (rv != SECSuccess) { - goto loser; + goto loser; } - PORT_Assert(signerCert != NULL); /* internal consistency check */ + PORT_Assert(signerCert != NULL); /* internal consistency check */ /* XXX probably should set error, return failure if signerCert is null */ /* * Again, we are only doing one request for one cert. * XXX When we handle cert chains, the following code will obviously * have to be modified, in coordation with the code above that will - * have to determine how to make multiple requests, etc. + * have to determine how to make multiple requests, etc. */ - rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID, + rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID, signerCert, time, pSingle); loser: if (issuerCert != NULL) - CERT_DestroyCertificate(issuerCert); + CERT_DestroyCertificate(issuerCert); if (signerCert != NULL) - CERT_DestroyCertificate(signerCert); + CERT_DestroyCertificate(signerCert); return rv; } /* * FUNCTION: ocsp_CacheSingleResponse * This function requires that the caller has checked that the response - * is valid and verified. + * is valid and verified. * The (positive or negative) valid response will be used to update the cache. * INPUTS: * CERTOCSPCertID *certID 
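Review bot: `PORT_Assert(signerCert != NULL)` after CERT_VerifyOCSPResponseSignature (hunk @@ -5496) compiles away in non-debug builds, and the XXX comment on the following line already asks for a real failure; as written, a NULL signer would be passed straight on to ocsp_GetVerifiedSingleResponseForCertID. Given the success path of CERT_VerifyOCSPResponseSignature shown earlier in this diff (it returns SECSuccess only after storing a non-NULL signer), this should not occur, so the check is defensive: `if (signerCert == NULL) { PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); rv = SECFailure; goto loser; }` in place of the XXX comment. The function's declarations are above the hunk.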
@@ -5532,27 +5513,27 @@ loser: */ void ocsp_CacheSingleResponse(CERTOCSPCertID *certID, - CERTOCSPSingleResponse *single, - PRBool *certIDWasConsumed) + CERTOCSPSingleResponse *single, + PRBool *certIDWasConsumed) { if (single != NULL) { - PR_EnterMonitor(OCSP_Global.monitor); - if (OCSP_Global.maxCacheEntries >= 0) { - ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, - certIDWasConsumed); - /* ignore cache update failures */ - } - PR_ExitMonitor(OCSP_Global.monitor); + PR_EnterMonitor(OCSP_Global.monitor); + if (OCSP_Global.maxCacheEntries >= 0) { + ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, + certIDWasConsumed); + /* ignore cache update failures */ + } + PR_ExitMonitor(OCSP_Global.monitor); } } SECStatus -ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time, - CERTOCSPSingleResponse +ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, + CERTOCSPSingleResponse **pSingleResponse) { SECStatus rv; @@ -5596,11 +5577,11 @@ loser: } SECStatus -CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time) +CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time) { /* * We do not update the cache, because: 
@@ -5612,17 +5593,17 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, * requires the ability to transfer ownership of the the given certID to * the cache. The external API doesn't allow us to prevent the caller from * destroying the certID. We don't have the original certificate available, - * therefore we are unable to produce another certID object (that could + * therefore we are unable to produce another certID object (that could * be stored in the cache). * * Should we ever implement code to produce a deep copy of certID, * then this could be changed to allow updating the cache. - * The duplication would have to be done in + * The duplication would have to be done in * cert_ProcessOCSPResponse, if the out parameter to indicate * a transfer of ownership is NULL. */ - return cert_ProcessOCSPResponse(handle, response, certID, - signerCert, time, + return cert_ProcessOCSPResponse(handle, response, certID, + signerCert, time, NULL, NULL); } 
@@ -5630,23 +5611,23 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID. */ SECStatus -cert_ProcessOCSPResponse(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time, - PRBool *certIDWasConsumed, - SECStatus *cacheUpdateStatus) +cert_ProcessOCSPResponse(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, + PRBool *certIDWasConsumed, + SECStatus *cacheUpdateStatus) { SECStatus rv; SECStatus rv_cache = SECSuccess; CERTOCSPSingleResponse *single = NULL; - rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, + rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, signerCert, time, &single); if (rv == SECSuccess) { /* - * Check whether the status says revoked, and if so + * Check whether the status says revoked, and if so * how that compares to the time value passed into this routine. */ rv = ocsp_SingleResponseCertHasGoodStatus(single, time); @@ -5654,15 +5635,15 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle, if (certIDWasConsumed) { /* - * We don't have copy-of-certid implemented. In order to update - * the cache, the caller must supply an out variable + * We don't have copy-of-certid implemented. In order to update + * the cache, the caller must supply an out variable * certIDWasConsumed, allowing us to return ownership status. */ - + PR_EnterMonitor(OCSP_Global.monitor); if (OCSP_Global.maxCacheEntries >= 0) { /* single == NULL means: remember response failure */ - rv_cache = + rv_cache = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, certIDWasConsumed); } 
@@ -5677,12 +5658,12 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle, SECStatus cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, - PRBool *certIDWasConsumed) + PRBool *certIDWasConsumed) { SECStatus rv = SECSuccess; PR_EnterMonitor(OCSP_Global.monitor); if (OCSP_Global.maxCacheEntries >= 0) { - rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, + rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, certIDWasConsumed); } PR_ExitMonitor(OCSP_Global.monitor); @@ -5705,12 +5686,12 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig) statusContext = statusConfig->statusContext; PORT_Assert(statusContext != NULL); if (statusContext == NULL) - return SECFailure; + return SECFailure; if (statusContext->defaultResponderURI != NULL) - PORT_Free(statusContext->defaultResponderURI); + PORT_Free(statusContext->defaultResponderURI); if (statusContext->defaultResponderNickname != NULL) - PORT_Free(statusContext->defaultResponderNickname); + PORT_Free(statusContext->defaultResponderNickname); PORT_Free(statusContext); statusConfig->statusContext = NULL; @@ -5720,7 +5701,6 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig) return SECSuccess; } - /* * FUNCTION: CERT_DisableOCSPChecking * Turns off OCSP checking for the given certificate database. 
@@ -5743,22 +5723,22 @@ CERT_DisableOCSPChecking(CERTCertDBHandle *handle) ocspCheckingContext *statusContext; if (handle == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } statusConfig = CERT_GetStatusConfig(handle); statusContext = ocsp_GetCheckingContext(handle); if (statusContext == NULL) - return SECFailure; + return SECFailure; if (statusConfig->statusChecker != CERT_CheckOCSPStatus) { - /* - * Status configuration is present, but either not currently - * enabled or not for OCSP. - */ - PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); - return SECFailure; + /* + * Status configuration is present, but either not currently + * enabled or not for OCSP. + */ + PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); + return SECFailure; } /* cache no longer necessary */ @@ -5786,17 +5766,17 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle) PORT_Assert(CERT_GetStatusConfig(handle) == NULL); if (CERT_GetStatusConfig(handle) != NULL) { - /* XXX or call statusConfig->statusDestroy and continue? */ - return SECFailure; + /* XXX or call statusConfig->statusDestroy and continue? */ + return SECFailure; } statusConfig = PORT_ZNew(CERTStatusConfig); if (statusConfig == NULL) - goto loser; + goto loser; statusContext = PORT_ZNew(ocspCheckingContext); if (statusContext == NULL) - goto loser; + goto loser; statusConfig->statusDestroy = ocsp_DestroyStatusChecking; statusConfig->statusContext = statusContext; @@ -5807,11 +5787,10 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle) loser: if (statusConfig != NULL) - PORT_Free(statusConfig); + PORT_Free(statusConfig); return SECFailure; } - /* * FUNCTION: CERT_EnableOCSPChecking * Turns on OCSP checking for the given certificate database. 
@@ -5826,23 +5805,23 @@ SECStatus CERT_EnableOCSPChecking(CERTCertDBHandle *handle) { CERTStatusConfig *statusConfig; - + SECStatus rv; if (handle == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } statusConfig = CERT_GetStatusConfig(handle); if (statusConfig == NULL) { - rv = ocsp_InitStatusChecking(handle); - if (rv != SECSuccess) - return rv; + rv = ocsp_InitStatusChecking(handle); + if (rv != SECSuccess) + return rv; - /* Get newly established value */ - statusConfig = CERT_GetStatusConfig(handle); - PORT_Assert(statusConfig != NULL); + /* Get newly established value */ + statusConfig = CERT_GetStatusConfig(handle); + PORT_Assert(statusConfig != NULL); } /* @@ -5854,7 +5833,6 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle) return SECSuccess; } - /* * FUNCTION: CERT_SetOCSPDefaultResponder * Specify the location and cert of the default responder. @@ -5881,7 +5859,7 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle) */ SECStatus CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, - const char *url, const char *name) + const char *url, const char *name) { CERTCertificate *cert; ocspCheckingContext *statusContext; @@ -5890,12 +5868,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, SECStatus rv; if (handle == NULL || url == NULL || name == NULL) { - /* - * XXX When interface is exported, probably want better errors; - * perhaps different one for each parameter. - */ - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + /* + * XXX When interface is exported, probably want better errors; + * perhaps different one for each parameter. + */ + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } /* 
@@ -5905,15 +5883,15 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, * XXX Shouldn't need that cast if the FindCertByNickname interface * used const to convey that it does not modify the name. Maybe someday. */ - cert = CERT_FindCertByNickname(handle, (char *) name); + cert = CERT_FindCertByNickname(handle, (char *)name); if (cert == NULL) { - /* - * look for the cert on an external token. - */ - cert = PK11_FindCertFromNickname((char *)name, NULL); + /* + * look for the cert on an external token. + */ + cert = PK11_FindCertFromNickname((char *)name, NULL); } if (cert == NULL) - return SECFailure; + return SECFailure; /* * Make a copy of the url and nickname. @@ -5921,8 +5899,8 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, url_copy = PORT_Strdup(url); name_copy = PORT_Strdup(name); if (url_copy == NULL || name_copy == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } statusContext = ocsp_GetCheckingContext(handle); @@ -5931,12 +5909,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, * Allocate and init the context if it doesn't already exist. */ if (statusContext == NULL) { - rv = ocsp_InitStatusChecking(handle); - if (rv != SECSuccess) - goto loser; + rv = ocsp_InitStatusChecking(handle); + if (rv != SECSuccess) + goto loser; - statusContext = ocsp_GetCheckingContext(handle); - PORT_Assert(statusContext != NULL); /* extreme paranoia */ + statusContext = ocsp_GetCheckingContext(handle); + PORT_Assert(statusContext != NULL); /* extreme paranoia */ } /* 
@@ -5949,9 +5927,9 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, * Get rid of old url and name if there. */ if (statusContext->defaultResponderNickname != NULL) - PORT_Free(statusContext->defaultResponderNickname); + PORT_Free(statusContext->defaultResponderNickname); if (statusContext->defaultResponderURI != NULL) - PORT_Free(statusContext->defaultResponderURI); + PORT_Free(statusContext->defaultResponderURI); /* * And replace them with the new ones. @@ -5966,13 +5944,14 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, * enabled. */ if (statusContext->defaultResponderCert != NULL) { - CERT_DestroyCertificate(statusContext->defaultResponderCert); - statusContext->defaultResponderCert = cert; + CERT_DestroyCertificate(statusContext->defaultResponderCert); + statusContext->defaultResponderCert = cert; /*OCSP enabled, switching responder: clear cache*/ CERT_ClearOCSPCache(); - } else { - PORT_Assert(statusContext->useDefaultResponder == PR_FALSE); - CERT_DestroyCertificate(cert); + } + else { + PORT_Assert(statusContext->useDefaultResponder == PR_FALSE); + CERT_DestroyCertificate(cert); /*OCSP currently not enabled, no need to clear cache*/ } @@ -5981,13 +5960,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, loser: CERT_DestroyCertificate(cert); if (url_copy != NULL) - PORT_Free(url_copy); + PORT_Free(url_copy); if (name_copy != NULL) - PORT_Free(name_copy); + PORT_Free(name_copy); return rv; } - /* * FUNCTION: CERT_EnableOCSPDefaultResponder * Turns on use of a default responder when OCSP checking. 
@@ -6014,36 +5992,36 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) SECCertificateUsage usage; if (handle == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } statusContext = ocsp_GetCheckingContext(handle); if (statusContext == NULL) { - /* - * Strictly speaking, the error already set is "correct", - * but cover over it with one more helpful in this context. - */ - PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); - return SECFailure; + /* + * Strictly speaking, the error already set is "correct", + * but cover over it with one more helpful in this context. + */ + PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); + return SECFailure; } if (statusContext->defaultResponderURI == NULL) { - PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); - return SECFailure; + PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); + return SECFailure; } if (statusContext->defaultResponderNickname == NULL) { - PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); - return SECFailure; + PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); + return SECFailure; } /* * Find the cert for the nickname. */ cert = CERT_FindCertByNickname(handle, - statusContext->defaultResponderNickname); + statusContext->defaultResponderNickname); if (cert == NULL) { cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname, NULL); 
@@ -6054,13 +6032,13 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) */ PORT_Assert(cert != NULL); if (cert == NULL) - return SECFailure; + return SECFailure; - /* - * Supplied cert should at least have a signing capability in order for us - * to use it as a trusted responder cert. Ability to sign is guaranteed if - * cert is validated to have any set of the usages below. - */ + /* + * Supplied cert should at least have a signing capability in order for us + * to use it as a trusted responder cert. Ability to sign is guaranteed if + * cert is validated to have any set of the usages below. + */ rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE, certificateUsageCheckAllUsages, NULL, &usage); @@ -6071,8 +6049,8 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) certificateUsageObjectSigner | certificateUsageStatusResponder | certificateUsageSSLCA)) == 0) { - PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID); - return SECFailure; + PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID); + return SECFailure; } /* @@ -6090,7 +6068,6 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) return SECSuccess; } - /* * FUNCTION: CERT_DisableOCSPDefaultResponder * Turns off use of a default responder when OCSP checking. 
@@ -6111,23 +6088,23 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle) CERTCertificate *tmpCert; if (handle == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } statusConfig = CERT_GetStatusConfig(handle); if (statusConfig == NULL) - return SECSuccess; + return SECSuccess; statusContext = ocsp_GetCheckingContext(handle); PORT_Assert(statusContext != NULL); if (statusContext == NULL) - return SECFailure; + return SECFailure; tmpCert = statusContext->defaultResponderCert; if (tmpCert) { - statusContext->defaultResponderCert = NULL; - CERT_DestroyCertificate(tmpCert); + statusContext->defaultResponderCert = NULL; + CERT_DestroyCertificate(tmpCert); /* we don't allow a mix of cache entries from different responders */ CERT_ClearOCSPCache(); } 
@@ -6159,29 +6136,29 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response) { PORT_Assert(response); if (response->statusValue == ocspResponse_successful) - return SECSuccess; + return SECSuccess; switch (response->statusValue) { - case ocspResponse_malformedRequest: - PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); - break; - case ocspResponse_internalError: - PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); - break; - case ocspResponse_tryLater: - PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER); - break; - case ocspResponse_sigRequired: - /* XXX We *should* retry with a signature, if possible. */ - PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG); - break; - case ocspResponse_unauthorized: - PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); - break; - case ocspResponse_unused: - default: - PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); - break; + case ocspResponse_malformedRequest: + PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); + break; + case ocspResponse_internalError: + PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); + break; + case ocspResponse_tryLater: + PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER); + break; + case ocspResponse_sigRequired: + /* XXX We *should* retry with a signature, if possible. */ + PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG); + break; + case ocspResponse_unauthorized: + PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); + break; + case ocspResponse_unused: + default: + PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); + break; } return SECFailure; } diff --git a/lib/certhigh/ocsp.h b/lib/certhigh/ocsp.h index 75225eb03..ac9dd6465 100644 --- a/lib/certhigh/ocsp.h +++ b/lib/certhigh/ocsp.h @@ -9,7 +9,6 @@ #ifndef _OCSP_H_ #define _OCSP_H_ - #include "plarena.h" #include "seccomon.h" #include "secoidt.h" @@ -17,7 +16,6 @@ #include "certt.h" #include "ocspt.h" - /************************************************************************/ SEC_BEGIN_PROTOS 
@@ -134,7 +132,7 @@ CERT_DisableOCSPChecking(CERTCertDBHandle *handle); */ extern SECStatus CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, - const char *url, const char *name); + const char *url, const char *name); /* * FUNCTION: CERT_EnableOCSPDefaultResponder @@ -174,7 +172,7 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle); /* If forcePost is set, OCSP requests will only be sent using the HTTP POST * method. When forcePost is not set, OCSP requests will be sent using the * HTTP GET method, with a fallback to POST when we fail to receive a response - * and/or when we receive an uncacheable response like "Unknown." + * and/or when we receive an uncacheable response like "Unknown." * * The default is to use GET and fallback to POST. */ @@ -191,7 +189,7 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); /* * FUNCTION: CERT_CreateOCSPRequest - * Creates a CERTOCSPRequest, requesting the status of the certs in + * Creates a CERTOCSPRequest, requesting the status of the certs in * the given list. * INPUTS: * CERTCertList *certList @@ -203,7 +201,7 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); * to this routine), who knows about where the request(s) are being * sent and whether there are any trusted responders in place. * PRTime time - * Indicates the time for which the certificate status is to be + * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no effect on the request itself. * PRBool addServiceLocator 
@@ -221,9 +219,9 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost); * Other errors are low-level problems (no memory, bad database, etc.). */ extern CERTOCSPRequest * -CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, - PRBool addServiceLocator, - CERTCertificate *signerCert); +CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, + PRBool addServiceLocator, + CERTCertificate *signerCert); /* * FUNCTION: CERT_AddOCSPAcceptableResponses @@ -243,13 +241,13 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, */ extern SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, - SECOidTag responseType0, ...); + SECOidTag responseType0, ...); -/* +/* * FUNCTION: CERT_EncodeOCSPRequest * DER encodes an OCSP Request, possibly adding a signature as well. * XXX Signing is not yet supported, however; see comments in code. - * INPUTS: + * INPUTS: * PLArenaPool *arena * The return value is allocated from here. * If a NULL is passed in, allocation is done from the heap instead. @@ -264,8 +262,8 @@ CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, * (e.g. no memory). */ extern SECItem * -CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, - void *pwArg); +CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, + void *pwArg); /* * FUNCTION: CERT_DecodeOCSPRequest @@ -341,7 +339,7 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response); * const char *location * The location of the OCSP responder (a URL). * PRTime time - * Indicates the time for which the certificate status is to be + * Indicates the time for which the certificate status is to be * determined -- this may be used in the search for the cert's issuer * but has no other bearing on the operation. * PRBool addServiceLocator 
@@ -369,10 +367,10 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response); */ extern SECItem * CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, - const char *location, PRTime time, - PRBool addServiceLocator, - CERTCertificate *signerCert, void *pwArg, - CERTOCSPRequest **pRequest); + const char *location, PRTime time, + PRBool addServiceLocator, + CERTCertificate *signerCert, void *pwArg, + CERTOCSPRequest **pRequest); /* * FUNCTION: CERT_VerifyOCSPResponseSignature @@ -406,10 +404,10 @@ CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, * verifying the signer's cert, or low-level problems (no memory, etc.) */ extern SECStatus -CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, - CERTCertDBHandle *handle, void *pwArg, - CERTCertificate **pSignerCert, - CERTCertificate *issuerCert); +CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, + CERTCertDBHandle *handle, void *pwArg, + CERTCertificate **pSignerCert, + CERTCertificate *issuerCert); /* * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation @@ -425,7 +423,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, * extension is not present or it does not contain an entry for OCSP, * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned. * Any other error will also result in a NULL being returned. - * + * * This result should be freed (via PORT_Free) when no longer in use. */ extern char * 
@@ -433,21 +431,21 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert); /* * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack - * This function serves two purposes. - * 1) It registers the address of a callback function that will be - * called for certs that have no OCSP AIA extension, to see if the + * This function serves two purposes. + * 1) It registers the address of a callback function that will be + * called for certs that have no OCSP AIA extension, to see if the * callback wishes to supply an alternative URL for such an OCSP inquiry. - * 2) It outputs the previously registered function's address to the + * 2) It outputs the previously registered function's address to the * address supplied by the caller, unless that is NULL. - * The registered callback function returns NULL, or an allocated string + * The registered callback function returns NULL, or an allocated string * that may be subsequently freed by calling PORT_Free(). * RETURN: * SECSuccess or SECFailure (if the library is not yet intialized) */ extern SECStatus CERT_RegisterAlternateOCSPAIAInfoCallBack( - CERT_StringFromCertFcn newCallback, - CERT_StringFromCertFcn * oldCallback); + CERT_StringFromCertFcn newCallback, + CERT_StringFromCertFcn *oldCallback); /* * FUNCTION: CERT_ParseURL @@ -521,10 +519,10 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath); * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when * verifying the signer's cert, or low-level problems (error allocating * memory, error performing ASN.1 decoding, etc.). - */ -extern SECStatus + */ +extern SECStatus CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, - PRTime time, void *pwArg); + PRTime time, void *pwArg); /* * FUNCTION: CERT_CacheOCSPResponseFromSideChannel 
@@ -556,10 +554,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, */ extern SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, - CERTCertificate *cert, - PRTime time, - const SECItem *encodedResponse, - void *pwArg); + CERTCertificate *cert, + PRTime time, + const SECItem *encodedResponse, + void *pwArg); /* * FUNCTION: CERT_GetOCSPStatusForCertID @@ -581,11 +579,11 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, * Return values are the same as those for CERT_CheckOCSPStatus */ extern SECStatus -CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time); +CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time); /* * FUNCTION CERT_GetOCSPResponseStatus @@ -619,10 +617,10 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response); * the issuing CA may be an older expired certificate. * RETURN: * A new copy of a CERTOCSPCertID*. The memory for this certID - * should be freed by calling CERT_DestroyOCSPCertID when the + * should be freed by calling CERT_DestroyOCSPCertID when the * certID is no longer necessary. */ -extern CERTOCSPCertID* +extern CERTOCSPCertID * CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); /* @@ -630,7 +628,7 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); * Frees the memory associated with the certID passed in. * INPUTS: * CERTOCSPCertID* certID - * The certID that the caller no longer needs and wants to + * The certID that the caller no longer needs and wants to * free the associated memory. * RETURN: * SECSuccess if freeing the memory was successful. Returns 
@@ -638,31 +636,30 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time); * a call to CERT_CreateOCSPCertID. */ extern SECStatus -CERT_DestroyOCSPCertID(CERTOCSPCertID* certID); - +CERT_DestroyOCSPCertID(CERTOCSPCertID *certID); -extern CERTOCSPSingleResponse* +extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate); -extern CERTOCSPSingleResponse* +extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate); -extern CERTOCSPSingleResponse* +extern CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseRevoked( PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate, PRTime revocationTime, - const CERTCRLEntryReasonCode* revocationReason); + const CERTCRLEntryReasonCode *revocationReason); -extern SECItem* +extern SECItem * CERT_CreateEncodedOCSPSuccessResponse( PLArenaPool *arena, CERTCertificate *responderCert, @@ -703,7 +700,7 @@ CERT_CreateEncodedOCSPSuccessResponse( * SEC_ERROR_INVALID_ARGS * Other errors are low-level problems (no memory, bad database, etc.). */ -extern SECItem* +extern SECItem * CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); /* Sends an OCSP request using the HTTP POST method to the location addressed @@ -717,7 +714,7 @@ CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error); * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an * internal HTTP client is used. */ -SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, +SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, const SECItem *encodedRequest); /************************************************************************/ diff --git a/lib/certhigh/ocspi.h b/lib/certhigh/ocspi.h index 01c20daec..c946d9f51 100644 --- a/lib/certhigh/ocspi.h +++ b/lib/certhigh/ocspi.h 
@@ -35,13 +35,15 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, void *pwArg); CERTOCSPRequest * -cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, - CERTCertificate *singleCert, +cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, + CERTCertificate *singleCert, PRTime time, PRBool addServiceLocator, CERTCertificate *signerCert); -typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness; +typedef enum { ocspMissing, + ocspFresh, + ocspStale } OCSPFreshness; SECStatus ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, @@ -84,13 +86,13 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, */ SECStatus -cert_ProcessOCSPResponse(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time, - PRBool *certIDWasConsumed, - SECStatus *cacheUpdateStatus); +cert_ProcessOCSPResponse(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, + PRBool *certIDWasConsumed, + SECStatus *cacheUpdateStatus); /* * FUNCTION: cert_RememberOCSPProcessingFailure @@ -109,7 +111,7 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle, SECStatus cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, - PRBool *certIDWasConsumed); + PRBool *certIDWasConsumed); /* * FUNCTION: ocsp_GetResponderLocation @@ -146,11 +148,11 @@ size_t ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf); SECStatus -ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, - CERTOCSPResponse *response, - CERTOCSPCertID *certID, - CERTCertificate *signerCert, - PRTime time, +ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + PRTime time, CERTOCSPSingleResponse **pSingleResponse); SECStatus 
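Review bot: The reformatted OCSPFreshness typedef in the first hunk of ocspi.h now reads `typedef enum { ocspMissing,` / `ocspFresh,` / `ocspStale } OCSPFreshness;`, with the opening brace left on the first enumerator's line and the closing brace glued to the last one, which is an awkward layout for a three-value enum and the only place in view where the formatter produced it. Since this commit already carries manual corrections, it would be cleaner to hand-write the enum in the conventional brace-on-own-line form shown below, which reads the same as the function prototypes around it; adding a trailing comma after `ocspStale` is usually enough to make clang-format keep that one-per-line layout on later runs, though I have not confirmed that against the project's .clang-format. I cannot see the rest of ocspi.h, so I cannot tell whether other enums in the file already use a different form that this one should match.
```c
typedef enum {
    ocspMissing,
    ocspFresh,
    ocspStale
} OCSPFreshness;
```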
@@ -158,7 +160,7 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time); void ocsp_CacheSingleResponse(CERTOCSPCertID *certID, - CERTOCSPSingleResponse *single, - PRBool *certIDWasConsumed); + CERTOCSPSingleResponse *single, + PRBool *certIDWasConsumed); #endif /* _OCSPI_H_ */ diff --git a/lib/certhigh/ocspsig.c b/lib/certhigh/ocspsig.c index 232e247f3..958dee029 100644 --- a/lib/certhigh/ocspsig.c +++ b/lib/certhigh/ocspsig.c @@ -19,12 +19,11 @@ #include "ocspi.h" #include "pk11pub.h" - extern const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[]; extern const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[]; extern const SEC_ASN1Template ocsp_OCSPResponseTemplate[]; -ocspCertStatus* +ocspCertStatus * ocsp_CreateCertStatus(PLArenaPool *arena, ocspCertStatusType status, PRTime revocationTime) @@ -45,7 +44,7 @@ ocsp_CreateCertStatus(PLArenaPool *arena, PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } - + cs = PORT_ArenaZNew(arena, ocspCertStatus); if (!cs) return NULL; @@ -71,8 +70,9 @@ ocsp_CreateCertStatus(PLArenaPool *arena, if (!cs->certStatusInfo.revokedInfo->revocationReason) return NULL; if (DER_TimeToGeneralizedTimeArena(arena, - &cs->certStatusInfo.revokedInfo->revocationTime, - revocationTime) != SECSuccess) + &cs->certStatusInfo.revokedInfo->revocationTime, + revocationTime) != + SECSuccess) return NULL; break; default: @@ -91,11 +91,11 @@ static const SEC_ASN1Template mySEC_PointerToEnumeratedTemplate[] = { static const SEC_ASN1Template ocsp_EncodeRevokedInfoTemplate[] = { { SEC_ASN1_GENERALIZED_TIME, - offsetof(ocspRevokedInfo, revocationTime) }, + offsetof(ocspRevokedInfo, revocationTime) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC| 0, - offsetof(ocspRevokedInfo, revocationReason), - mySEC_PointerToEnumeratedTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(ocspRevokedInfo, revocationReason), + mySEC_PointerToEnumeratedTemplate }, { 0 } }; 
@@ -110,25 +110,25 @@ static const SEC_ASN1Template mySEC_NullTemplate[] = { static const SEC_ASN1Template ocsp_CertStatusTemplate[] = { { SEC_ASN1_CHOICE, offsetof(ocspCertStatus, certStatusType), - 0, sizeof(ocspCertStatus) }, + 0, sizeof(ocspCertStatus) }, { SEC_ASN1_CONTEXT_SPECIFIC | 0, - 0, mySEC_NullTemplate, ocspCertStatus_good }, + 0, mySEC_NullTemplate, ocspCertStatus_good }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(ocspCertStatus, certStatusInfo.revokedInfo), - ocsp_PointerToEncodeRevokedInfoTemplate, ocspCertStatus_revoked }, + SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(ocspCertStatus, certStatusInfo.revokedInfo), + ocsp_PointerToEncodeRevokedInfoTemplate, ocspCertStatus_revoked }, { SEC_ASN1_CONTEXT_SPECIFIC | 2, - 0, mySEC_NullTemplate, ocspCertStatus_unknown }, + 0, mySEC_NullTemplate, ocspCertStatus_unknown }, { 0 } }; static const SEC_ASN1Template mySECOID_AlgorithmIDTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECAlgorithmID) }, + 0, NULL, sizeof(SECAlgorithmID) }, { SEC_ASN1_OBJECT_ID, - offsetof(SECAlgorithmID,algorithm) }, + offsetof(SECAlgorithmID, algorithm) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, - offsetof(SECAlgorithmID,parameters) }, + offsetof(SECAlgorithmID, parameters) }, { 0 } }; @@ -153,7 +153,7 @@ static const SEC_ASN1Template mySEC_PointerToIntegerTemplate[] = { }; static const SEC_ASN1Template mySEC_GeneralizedTimeTemplate[] = { - { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)} + { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) } }; static const SEC_ASN1Template mySEC_PointerToGeneralizedTimeTemplate[] = { 
@@ -162,28 +162,28 @@ static const SEC_ASN1Template mySEC_PointerToGeneralizedTimeTemplate[] = { static const SEC_ASN1Template ocsp_myCertIDTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPCertID) }, + 0, NULL, sizeof(CERTOCSPCertID) }, { SEC_ASN1_INLINE, - offsetof(CERTOCSPCertID, hashAlgorithm), - mySECOID_AlgorithmIDTemplate }, + offsetof(CERTOCSPCertID, hashAlgorithm), + mySECOID_AlgorithmIDTemplate }, { SEC_ASN1_OCTET_STRING, - offsetof(CERTOCSPCertID, issuerNameHash) }, + offsetof(CERTOCSPCertID, issuerNameHash) }, { SEC_ASN1_OCTET_STRING, - offsetof(CERTOCSPCertID, issuerKeyHash) }, + offsetof(CERTOCSPCertID, issuerKeyHash) }, { SEC_ASN1_INTEGER, - offsetof(CERTOCSPCertID, serialNumber) }, + offsetof(CERTOCSPCertID, serialNumber) }, { 0 } }; static const SEC_ASN1Template myCERT_CertExtensionTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertExtension) }, + 0, NULL, sizeof(CERTCertExtension) }, { SEC_ASN1_OBJECT_ID, - offsetof(CERTCertExtension,id) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ - offsetof(CERTCertExtension,critical) }, + offsetof(CERTCertExtension, id) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ + offsetof(CERTCertExtension, critical) }, { SEC_ASN1_OCTET_STRING, - offsetof(CERTCertExtension,value) }, + offsetof(CERTCertExtension, value) }, { 0 } }; 
@@ -197,66 +197,65 @@ static const SEC_ASN1Template myCERT_PointerToSequenceOfCertExtensionTemplate[] static const SEC_ASN1Template ocsp_mySingleResponseTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPSingleResponse) }, + 0, NULL, sizeof(CERTOCSPSingleResponse) }, { SEC_ASN1_POINTER, - offsetof(CERTOCSPSingleResponse, certID), - ocsp_myCertIDTemplate }, + offsetof(CERTOCSPSingleResponse, certID), + ocsp_myCertIDTemplate }, { SEC_ASN1_ANY, - offsetof(CERTOCSPSingleResponse, derCertStatus) }, + offsetof(CERTOCSPSingleResponse, derCertStatus) }, { SEC_ASN1_GENERALIZED_TIME, - offsetof(CERTOCSPSingleResponse, thisUpdate) }, + offsetof(CERTOCSPSingleResponse, thisUpdate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(CERTOCSPSingleResponse, nextUpdate), - mySEC_PointerToGeneralizedTimeTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(CERTOCSPSingleResponse, nextUpdate), + mySEC_PointerToGeneralizedTimeTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(CERTOCSPSingleResponse, singleExtensions), - myCERT_PointerToSequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(CERTOCSPSingleResponse, singleExtensions), + myCERT_PointerToSequenceOfCertExtensionTemplate }, { 0 } }; static const SEC_ASN1Template ocsp_myResponseDataTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspResponseData) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(ocspResponseData, version), - mySEC_PointerToIntegerTemplate }, + 0, NULL, sizeof(ocspResponseData) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(ocspResponseData, version), + mySEC_PointerToIntegerTemplate }, { SEC_ASN1_ANY, - 
offsetof(ocspResponseData, derResponderID) }, + offsetof(ocspResponseData, derResponderID) }, { SEC_ASN1_GENERALIZED_TIME, - offsetof(ocspResponseData, producedAt) }, + offsetof(ocspResponseData, producedAt) }, { SEC_ASN1_SEQUENCE_OF, - offsetof(ocspResponseData, responses), - ocsp_mySingleResponseTemplate }, + offsetof(ocspResponseData, responses), + ocsp_mySingleResponseTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(ocspResponseData, responseExtensions), - myCERT_PointerToSequenceOfCertExtensionTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(ocspResponseData, responseExtensions), + myCERT_PointerToSequenceOfCertExtensionTemplate }, { 0 } }; - static const SEC_ASN1Template ocsp_EncodeBasicOCSPResponseTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(ocspBasicOCSPResponse) }, + 0, NULL, sizeof(ocspBasicOCSPResponse) }, { SEC_ASN1_POINTER, - offsetof(ocspBasicOCSPResponse, tbsResponseData), - ocsp_myResponseDataTemplate }, + offsetof(ocspBasicOCSPResponse, tbsResponseData), + ocsp_myResponseDataTemplate }, { SEC_ASN1_INLINE, - offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), - mySECOID_AlgorithmIDTemplate }, + offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), + mySECOID_AlgorithmIDTemplate }, { SEC_ASN1_BIT_STRING, - offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, + offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), - mySEC_PointerToSequenceOfAnyTemplate }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), + mySEC_PointerToSequenceOfAnyTemplate }, { 0 } }; -static CERTOCSPSingleResponse* +static CERTOCSPSingleResponse * ocsp_CreateSingleResponse(PLArenaPool 
*arena, CERTOCSPCertID *id, ocspCertStatus *status, PRTime thisUpdate, const PRTime *nextUpdate) @@ -274,25 +273,25 @@ ocsp_CreateSingleResponse(PLArenaPool *arena, sr->arena = arena; sr->certID = id; sr->certStatus = status; - if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate) - != SECSuccess) + if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate) != + SECSuccess) return NULL; sr->nextUpdate = NULL; if (nextUpdate) { sr->nextUpdate = SECITEM_AllocItem(arena, NULL, 0); if (!sr->nextUpdate) return NULL; - if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate) - != SECSuccess) + if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate) != + SECSuccess) return NULL; } - sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension*, 1); + sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension *, 1); if (!sr->singleExtensions) return NULL; sr->singleExtensions[0] = NULL; - + if (!SEC_ASN1EncodeItem(arena, &sr->derCertStatus, status, ocsp_CertStatusTemplate)) return NULL; @@ -300,13 +299,13 @@ ocsp_CreateSingleResponse(PLArenaPool *arena, return sr; } -CERTOCSPSingleResponse* +CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate) { - ocspCertStatus * cs; + ocspCertStatus *cs; if (!arena) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; @@ -317,13 +316,13 @@ CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena, return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate); } -CERTOCSPSingleResponse* +CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate) { - ocspCertStatus * cs; + ocspCertStatus *cs; if (!arena) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; 
@@ -334,16 +333,16 @@ CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena, return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate); } -CERTOCSPSingleResponse* +CERTOCSPSingleResponse * CERT_CreateOCSPSingleResponseRevoked( PLArenaPool *arena, CERTOCSPCertID *id, PRTime thisUpdate, const PRTime *nextUpdate, PRTime revocationTime, - const CERTCRLEntryReasonCode* revocationReason) + const CERTCRLEntryReasonCode *revocationReason) { - ocspCertStatus * cs; + ocspCertStatus *cs; /* revocationReason is not yet supported, so it must be NULL. */ if (!arena || revocationReason) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -357,7 +356,7 @@ CERT_CreateOCSPSingleResponseRevoked( /* responderCert == 0 means: * create a response with an invalid signature (for testing purposes) */ -SECItem* +SECItem * CERT_CreateEncodedOCSPSuccessResponse( PLArenaPool *arena, CERTCertificate *responderCert, @@ -373,12 +372,12 @@ CERT_CreateEncodedOCSPSuccessResponse( ocspBasicOCSPResponse *br = NULL; ocspResponseBytes *rb = NULL; CERTOCSPResponse *response = NULL; - + SECOidTag algID; SECOidData *od = NULL; SECKEYPrivateKey *privKey = NULL; SECItem *result = NULL; - + if (!arena || !responses) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; 
@@ -408,114 +407,114 @@ CERT_CreateEncodedOCSPSuccessResponse( response = PORT_ArenaZNew(tmpArena, CERTOCSPResponse); if (!response) goto done; - - rd->version.data=NULL; - rd->version.len=0; + + rd->version.data = NULL; + rd->version.len = 0; rd->responseExtensions = NULL; rd->responses = responses; - if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt) - != SECSuccess) + if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt) != + SECSuccess) goto done; if (!responderCert) { - /* use invalid signature for testing purposes */ - unsigned char dummyChar = 'd'; - SECItem dummy; - - dummy.len = 1; - dummy.data = &dummyChar; - - /* it's easier to produdce a keyHash out of nowhere, - * than to produce an encoded subject, - * so for our dummy response we always use byKey - */ - - rid->responderIDType = ocspResponderID_byKey; - if (!ocsp_DigestValue(tmpArena, SEC_OID_SHA1, &rid->responderIDValue.keyHash, - &dummy)) - goto done; - - if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid, - ocsp_ResponderIDByKeyTemplate)) - goto done; - - br->tbsResponseData = rd; - - if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData, - ocsp_myResponseDataTemplate)) - goto done; - - br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1); - if (!br->responseSignature.derCerts) - goto done; - br->responseSignature.derCerts[0] = NULL; - - algID = SEC_GetSignatureAlgorithmOidTag(rsaKey, SEC_OID_SHA1); - if (algID == SEC_OID_UNKNOWN) - goto done; - - /* match the regular signature code, which doesn't use the arena */ - if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1)) - goto done; - PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1); - - /* convert len-in-bytes to len-in-bits */ - br->responseSignature.signature.len = br->responseSignature.signature.len << 3; + /* use invalid signature for testing purposes */ + unsigned char dummyChar = 'd'; + SECItem dummy; + + dummy.len = 
1; + dummy.data = &dummyChar; + + /* it's easier to produdce a keyHash out of nowhere, + * than to produce an encoded subject, + * so for our dummy response we always use byKey + */ + + rid->responderIDType = ocspResponderID_byKey; + if (!ocsp_DigestValue(tmpArena, SEC_OID_SHA1, &rid->responderIDValue.keyHash, + &dummy)) + goto done; + + if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid, + ocsp_ResponderIDByKeyTemplate)) + goto done; + + br->tbsResponseData = rd; + + if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData, + ocsp_myResponseDataTemplate)) + goto done; + + br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem *, 1); + if (!br->responseSignature.derCerts) + goto done; + br->responseSignature.derCerts[0] = NULL; + + algID = SEC_GetSignatureAlgorithmOidTag(rsaKey, SEC_OID_SHA1); + if (algID == SEC_OID_UNKNOWN) + goto done; + + /* match the regular signature code, which doesn't use the arena */ + if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1)) + goto done; + PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1); + + /* convert len-in-bytes to len-in-bits */ + br->responseSignature.signature.len = br->responseSignature.signature.len << 3; } else { - rid->responderIDType = responderIDType; - if (responderIDType == ocspResponderID_byName) { - responderIDTemplate = ocsp_ResponderIDByNameTemplate; - if (CERT_CopyName(tmpArena, &rid->responderIDValue.name, - &responderCert->subject) != SECSuccess) - goto done; - } - else { - responderIDTemplate = ocsp_ResponderIDByKeyTemplate; - if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert, - SEC_OID_SHA1, &rid->responderIDValue.keyHash)) - goto done; - } - - if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid, - responderIDTemplate)) - goto done; - - br->tbsResponseData = rd; - - if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData, - ocsp_myResponseDataTemplate)) - goto done; - - 
br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1); - if (!br->responseSignature.derCerts) - goto done; - br->responseSignature.derCerts[0] = NULL; - - privKey = PK11_FindKeyByAnyCert(responderCert, wincx); - if (!privKey) - goto done; - - algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1); - if (algID == SEC_OID_UNKNOWN) - goto done; - - if (SEC_SignData(&br->responseSignature.signature, - br->tbsResponseDataDER.data, br->tbsResponseDataDER.len, - privKey, algID) - != SECSuccess) - goto done; - - /* convert len-in-bytes to len-in-bits */ - br->responseSignature.signature.len = br->responseSignature.signature.len << 3; - - /* br->responseSignature.signature wasn't allocated from arena, - * we must free it when done. */ + rid->responderIDType = responderIDType; + if (responderIDType == ocspResponderID_byName) { + responderIDTemplate = ocsp_ResponderIDByNameTemplate; + if (CERT_CopyName(tmpArena, &rid->responderIDValue.name, + &responderCert->subject) != SECSuccess) + goto done; + } + else { + responderIDTemplate = ocsp_ResponderIDByKeyTemplate; + if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert, + SEC_OID_SHA1, &rid->responderIDValue.keyHash)) + goto done; + } + + if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid, + responderIDTemplate)) + goto done; + + br->tbsResponseData = rd; + + if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData, + ocsp_myResponseDataTemplate)) + goto done; + + br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem *, 1); + if (!br->responseSignature.derCerts) + goto done; + br->responseSignature.derCerts[0] = NULL; + + privKey = PK11_FindKeyByAnyCert(responderCert, wincx); + if (!privKey) + goto done; + + algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1); + if (algID == SEC_OID_UNKNOWN) + goto done; + + if (SEC_SignData(&br->responseSignature.signature, + br->tbsResponseDataDER.data, br->tbsResponseDataDER.len, + 
privKey, algID) != + SECSuccess) + goto done; + + /* convert len-in-bytes to len-in-bits */ + br->responseSignature.signature.len = br->responseSignature.signature.len << 3; + + /* br->responseSignature.signature wasn't allocated from arena, + * we must free it when done. */ } - if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0) - != SECSuccess) - goto done; + if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0) != + SECSuccess) + goto done; if (!SEC_ASN1EncodeItem(tmpArena, &rb->response, br, ocsp_EncodeBasicOCSPResponseTemplate)) @@ -552,15 +551,15 @@ done: static const SEC_ASN1Template ocsp_OCSPErrorResponseTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTOCSPResponse) }, + 0, NULL, sizeof(CERTOCSPResponse) }, { SEC_ASN1_ENUMERATED, - offsetof(CERTOCSPResponse, responseStatus) }, + offsetof(CERTOCSPResponse, responseStatus) }, { 0, 0, - mySEC_NullTemplate }, + mySEC_NullTemplate }, { 0 } }; -SECItem* +SECItem * CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error) { CERTOCSPResponse response; diff --git a/lib/certhigh/ocspt.h b/lib/certhigh/ocspt.h index 888fd32c7..db429ff05 100644 --- a/lib/certhigh/ocspt.h +++ b/lib/certhigh/ocspt.h @@ -46,8 +46,8 @@ typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse; * dependent, and should be opaque to the user. */ -typedef void * SEC_HTTP_SERVER_SESSION; -typedef void * SEC_HTTP_REQUEST_SESSION; +typedef void *SEC_HTTP_SERVER_SESSION; +typedef void *SEC_HTTP_REQUEST_SESSION; /* * This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a 
@@ -61,9 +61,9 @@ typedef void * SEC_HTTP_REQUEST_SESSION; * after processing is finished. */ typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)( - const char *host, - PRUint16 portnum, - SEC_HTTP_SERVER_SESSION *pSession); + const char *host, + PRUint16 portnum, + SEC_HTTP_SERVER_SESSION *pSession); /* * This function is called to allow the implementation to attempt to keep @@ -77,10 +77,10 @@ typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)( * SECWouldBlock and store a nonzero value at "pPollDesc". In that case * the caller may wait on the poll descriptor, and should call this function * again until SECSuccess (and a zero value at "pPollDesc") is obtained. - */ + */ typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)( - SEC_HTTP_SERVER_SESSION session, - PRPollDesc **pPollDesc); + SEC_HTTP_SERVER_SESSION session, + PRPollDesc **pPollDesc); /* * This function frees the client SEC_HTTP_SERVER_SESSION object, closes all @@ -88,9 +88,9 @@ typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)( * frees any memory that was allocated by the client, and invalidates any * response pointers that might have been returned by prior server or request * functions. - */ + */ typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)( - SEC_HTTP_SERVER_SESSION session); + SEC_HTTP_SERVER_SESSION session); /* * This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a 
@@ -111,30 +111,30 @@ typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)( * after processing is finished. */ typedef SECStatus (*SEC_HttpRequest_CreateFcn)( - SEC_HTTP_SERVER_SESSION session, - const char *http_protocol_variant, /* usually "http" */ - const char *path_and_query_string, - const char *http_request_method, - const PRIntervalTime timeout, - SEC_HTTP_REQUEST_SESSION *pRequest); + SEC_HTTP_SERVER_SESSION session, + const char *http_protocol_variant, /* usually "http" */ + const char *path_and_query_string, + const char *http_request_method, + const PRIntervalTime timeout, + SEC_HTTP_REQUEST_SESSION *pRequest); /* * This function sets data to be sent to the server for an HTTP request - * of http_request_method == POST. If a particular implementation - * supports it, the details for the POST request can be set by calling + * of http_request_method == POST. If a particular implementation + * supports it, the details for the POST request can be set by calling * this function, prior to activating the request with TrySendAndReceiveFcn. * - * An implementation that does not support the POST method should + * An implementation that does not support the POST method should * implement a SetPostDataFcn function that returns immediately. * * Setting http_content_type is optional, the parameter may * by NULL or the empty string. - */ + */ typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)( - SEC_HTTP_REQUEST_SESSION request, - const char *http_data, - const PRUint32 http_data_len, - const char *http_content_type); + SEC_HTTP_REQUEST_SESSION request, + const char *http_data, + const PRUint32 http_data_len, + const char *http_content_type); /* * This function sets an additional HTTP protocol request header. 
@@ -144,11 +144,11 @@ typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)( * * An implementation that does not support setting additional headers * should implement an AddRequestHeaderFcn function that returns immediately. - */ + */ typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)( - SEC_HTTP_REQUEST_SESSION request, - const char *http_header_name, - const char *http_header_value); + SEC_HTTP_REQUEST_SESSION request, + const char *http_header_name, + const char *http_header_value); /* * This function initiates or continues an HTTP request. After @@ -180,10 +180,10 @@ typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)( * size, the function will return SECFailure. * http_response_data_len will be set to a value different from zero to * indicate the reason of the failure. - * An out value of "0" means, the failure was unrelated to the + * An out value of "0" means, the failure was unrelated to the * acceptable size. * An out value of "1" means, the result data is larger than the - * accpeptable size, but the real size is not yet known to the http client + * accpeptable size, but the real size is not yet known to the http client * implementation and it stopped retrieving it, * Any other out value combined with a return value of SECFailure * will indicate the actual size of the server data. 
@@ -195,64 +195,64 @@ typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)( * the completion of the operation. * * All returned pointers will be owned by the the HttpClient - * implementation and will remain valid until the call to + * implementation and will remain valid until the call to * SEC_HttpRequest_FreeFcn. - */ + */ typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)( - SEC_HTTP_REQUEST_SESSION request, - PRPollDesc **pPollDesc, - PRUint16 *http_response_code, - const char **http_response_content_type, - const char **http_response_headers, - const char **http_response_data, - PRUint32 *http_response_data_len); + SEC_HTTP_REQUEST_SESSION request, + PRPollDesc **pPollDesc, + PRUint16 *http_response_code, + const char **http_response_content_type, + const char **http_response_headers, + const char **http_response_data, + PRUint32 *http_response_data_len); /* * Calling CancelFcn asks for premature termination of the request. * * Future calls to SEC_HttpRequest_TrySendAndReceive should - * by avoided, but in this case the HttpClient implementation + * by avoided, but in this case the HttpClient implementation * is expected to return immediately with SECFailure. * - * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn + * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn * is still necessary to free resources. - */ + */ typedef SECStatus (*SEC_HttpRequest_CancelFcn)( - SEC_HTTP_REQUEST_SESSION request); + SEC_HTTP_REQUEST_SESSION request); /* * Before calling this function, it must be assured the request * has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has * returned SECSuccess, or the request has been canceled with * a call to SEC_HttpRequest_CancelFcn. 
- * - * This function frees the client state object, closes all sockets, - * discards all partial results, frees any memory that was allocated + * + * This function frees the client state object, closes all sockets, + * discards all partial results, frees any memory that was allocated * by the client, and invalidates all response pointers that might * have been returned by SEC_HttpRequest_TrySendAndReceiveFcn - */ + */ typedef SECStatus (*SEC_HttpRequest_FreeFcn)( - SEC_HTTP_REQUEST_SESSION request); + SEC_HTTP_REQUEST_SESSION request); typedef struct SEC_HttpClientFcnV1Struct { - SEC_HttpServer_CreateSessionFcn createSessionFcn; - SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn; - SEC_HttpServer_FreeSessionFcn freeSessionFcn; - SEC_HttpRequest_CreateFcn createFcn; - SEC_HttpRequest_SetPostDataFcn setPostDataFcn; - SEC_HttpRequest_AddHeaderFcn addHeaderFcn; - SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn; - SEC_HttpRequest_CancelFcn cancelFcn; - SEC_HttpRequest_FreeFcn freeFcn; + SEC_HttpServer_CreateSessionFcn createSessionFcn; + SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn; + SEC_HttpServer_FreeSessionFcn freeSessionFcn; + SEC_HttpRequest_CreateFcn createFcn; + SEC_HttpRequest_SetPostDataFcn setPostDataFcn; + SEC_HttpRequest_AddHeaderFcn addHeaderFcn; + SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn; + SEC_HttpRequest_CancelFcn cancelFcn; + SEC_HttpRequest_FreeFcn freeFcn; } SEC_HttpClientFcnV1; typedef struct SEC_HttpClientFcnStruct { - PRInt16 version; - union { - SEC_HttpClientFcnV1 ftable1; - /* SEC_HttpClientFcnV2 ftable2; */ - /* ... */ - } fcnTable; + PRInt16 version; + union { + SEC_HttpClientFcnV1 ftable1; + /* SEC_HttpClientFcnV2 ftable2; */ + /* ... */ + } fcnTable; } SEC_HttpClientFcn; /* 
@@ -293,7 +293,7 @@ typedef enum { */ typedef enum { - ocspResponderID_other = -1, /* unknown kind of responderID */ + ocspResponderID_other = -1, /* unknown kind of responderID */ ocspResponderID_byName = 1, ocspResponderID_byKey = 2 } CERTOCSPResponderIDType; diff --git a/lib/certhigh/ocspti.h b/lib/certhigh/ocspti.h index a2b3852f2..d9297dba6 100644 --- a/lib/certhigh/ocspti.h +++ b/lib/certhigh/ocspti.h @@ -16,7 +16,6 @@ #include "seccomon.h" #include "secoidt.h" - /* * Some notes about naming conventions... * @@ -49,7 +48,6 @@ * way around (reference before definition). */ - /* * Forward-declarations of internal-only data structures. * @@ -67,12 +65,11 @@ typedef struct ocspSingleRequestStr ocspSingleRequest; typedef struct ocspSingleResponseStr ocspSingleResponse; typedef struct ocspTBSRequestStr ocspTBSRequest; - /* * An OCSPRequest; this is what is sent (encoded) to an OCSP responder. */ struct CERTOCSPRequestStr { - PLArenaPool *arena; /* local; not part of encoding */ + PLArenaPool *arena; /* local; not part of encoding */ ocspTBSRequest *tbsRequest; ocspSignature *optionalSignature; }; @@ -92,12 +89,12 @@ struct CERTOCSPRequestStr { * in-progress extensions as they are optionally added to the request. */ struct ocspTBSRequestStr { - SECItem version; /* an INTEGER */ - SECItem *derRequestorName; /* encoded GeneralName; see above */ - CERTGeneralNameList *requestorName; /* local; not part of encoding */ + SECItem version; /* an INTEGER */ + SECItem *derRequestorName; /* encoded GeneralName; see above */ + CERTGeneralNameList *requestorName; /* local; not part of encoding */ ocspSingleRequest **requestList; CERTCertExtension **requestExtensions; - void *extensionHandle; /* local; not part of encoding */ + void *extensionHandle; /* local; not part of encoding */ }; /* 
@@ -124,12 +121,12 @@ struct ocspTBSRequestStr { */ struct ocspSignatureStr { SECAlgorithmID signatureAlgorithm; - SECItem signature; /* a BIT STRING */ - SECItem **derCerts; /* a SEQUENCE OF Certificate */ - CERTCertificate *cert; /* local; not part of encoding */ - PRBool wasChecked; /* local; not part of encoding */ - SECStatus status; /* local; not part of encoding */ - int failureReason; /* local; not part of encoding */ + SECItem signature; /* a BIT STRING */ + SECItem **derCerts; /* a SEQUENCE OF Certificate */ + CERTCertificate *cert; /* local; not part of encoding */ + PRBool wasChecked; /* local; not part of encoding */ + SECStatus status; /* local; not part of encoding */ + int failureReason; /* local; not part of encoding */ }; /* @@ -140,11 +137,11 @@ struct ocspSignatureStr { * but since that seemed confusing (vs. an OCSPRequest) and to be more * consistent with the parallel type "SingleResponse", I called it a * "SingleRequest". - * + * * XXX figure out how to get rid of that arena -- there must be a way */ struct ocspSingleRequestStr { - PLArenaPool *arena; /* just a copy of the response arena, + PLArenaPool *arena; /* just a copy of the response arena, * needed here for extension handling * routines, on creation only */ CERTOCSPCertID *reqCert; 
@@ -160,14 +157,14 @@ struct ocspSingleRequestStr { */ struct CERTOCSPCertIDStr { SECAlgorithmID hashAlgorithm; - SECItem issuerNameHash; /* an OCTET STRING */ - SECItem issuerKeyHash; /* an OCTET STRING */ - SECItem serialNumber; /* an INTEGER */ - SECItem issuerSHA1NameHash; /* keep other hashes around when */ - SECItem issuerMD5NameHash; /* we have them */ + SECItem issuerNameHash; /* an OCTET STRING */ + SECItem issuerKeyHash; /* an OCTET STRING */ + SECItem serialNumber; /* an INTEGER */ + SECItem issuerSHA1NameHash; /* keep other hashes around when */ + SECItem issuerMD5NameHash; /* we have them */ SECItem issuerMD2NameHash; - SECItem issuerSHA1KeyHash; /* keep other hashes around when */ - SECItem issuerMD5KeyHash; /* we have them */ + SECItem issuerSHA1KeyHash; /* keep other hashes around when */ + SECItem issuerMD5KeyHash; /* we have them */ SECItem issuerMD2KeyHash; PLArenaPool *poolp; }; @@ -209,10 +206,10 @@ typedef enum { * type ocspResponseStatus. */ struct CERTOCSPResponseStr { - PLArenaPool *arena; /* local; not part of encoding */ - SECItem responseStatus; /* an ENUMERATED, see above */ - ocspResponseStatus statusValue; /* local; not part of encoding */ - ocspResponseBytes *responseBytes; /* only when status is successful */ + PLArenaPool *arena; /* local; not part of encoding */ + SECItem responseStatus; /* an ENUMERATED, see above */ + ocspResponseStatus statusValue; /* local; not part of encoding */ + ocspResponseBytes *responseBytes; /* only when status is successful */ }; /* 
@@ -230,12 +227,12 @@ struct CERTOCSPResponseStr { * response types, just add them to the union. */ struct ocspResponseBytesStr { - SECItem responseType; /* an OBJECT IDENTIFIER */ - SECOidTag responseTypeTag; /* local; not part of encoding */ - SECItem response; /* an OCTET STRING */ + SECItem responseType; /* an OBJECT IDENTIFIER */ + SECOidTag responseTypeTag; /* local; not part of encoding */ + SECItem response; /* an OCTET STRING */ union { - ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */ - } decodedResponse; /* local; not part of encoding */ + ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */ + } decodedResponse; /* local; not part of encoding */ }; /* @@ -250,7 +247,7 @@ struct ocspResponseBytesStr { */ struct ocspBasicOCSPResponseStr { SECItem tbsResponseDataDER; - ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */ + ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */ ocspSignature responseSignature; }; 
@@ -260,38 +257,38 @@ struct ocspBasicOCSPResponseStr { * (a per-certificate status). */ struct ocspResponseDataStr { - SECItem version; /* an INTEGER */ + SECItem version; /* an INTEGER */ SECItem derResponderID; - ocspResponderID *responderID; /* local; not part of encoding */ - SECItem producedAt; /* a GeneralizedTime */ + ocspResponderID *responderID; /* local; not part of encoding */ + SECItem producedAt; /* a GeneralizedTime */ CERTOCSPSingleResponse **responses; CERTCertExtension **responseExtensions; }; struct ocspResponderIDStr { - CERTOCSPResponderIDType responderIDType;/* local; not part of encoding */ + CERTOCSPResponderIDType responderIDType; /* local; not part of encoding */ union { - CERTName name; /* when ocspResponderID_byName */ - SECItem keyHash; /* when ocspResponderID_byKey */ - SECItem other; /* when ocspResponderID_other */ + CERTName name; /* when ocspResponderID_byName */ + SECItem keyHash; /* when ocspResponderID_byKey */ + SECItem other; /* when ocspResponderID_other */ } responderIDValue; }; /* * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF * SingleResponse -- one for each certificate whose status is being supplied. - * + * * XXX figure out how to get rid of that arena -- there must be a way */ struct CERTOCSPSingleResponseStr { - PLArenaPool *arena; /* just a copy of the response arena, + PLArenaPool *arena; /* just a copy of the response arena, * needed here for extension handling * routines, on creation only */ CERTOCSPCertID *certID; SECItem derCertStatus; - ocspCertStatus *certStatus; /* local; not part of encoding */ - SECItem thisUpdate; /* a GeneralizedTime */ - SECItem *nextUpdate; /* a GeneralizedTime */ + ocspCertStatus *certStatus; /* local; not part of encoding */ + SECItem thisUpdate; /* a GeneralizedTime */ + SECItem *nextUpdate; /* a GeneralizedTime */ CERTCertExtension **singleExtensions; }; 
@@ -313,10 +310,10 @@ struct CERTOCSPSingleResponseStr { */ typedef enum { - ocspCertStatus_good, /* cert is not revoked */ - ocspCertStatus_revoked, /* cert is revoked */ - ocspCertStatus_unknown, /* cert was unknown to the responder */ - ocspCertStatus_other /* status was not an expected value */ + ocspCertStatus_good, /* cert is not revoked */ + ocspCertStatus_revoked, /* cert is revoked */ + ocspCertStatus_unknown, /* cert was unknown to the responder */ + ocspCertStatus_other /* status was not an expected value */ } ocspCertStatusType; /* @@ -327,13 +324,13 @@ typedef enum { * gives more detailed information.) */ struct ocspCertStatusStr { - ocspCertStatusType certStatusType; /* local; not part of encoding */ + ocspCertStatusType certStatusType; /* local; not part of encoding */ union { - SECItem *goodInfo; /* when ocspCertStatus_good */ - ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */ - SECItem *unknownInfo; /* when ocspCertStatus_unknown */ - SECItem *otherInfo; /* when ocspCertStatus_other */ - } certStatusInfo; + SECItem *goodInfo; /* when ocspCertStatus_good */ + ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */ + SECItem *unknownInfo; /* when ocspCertStatus_unknown */ + SECItem *otherInfo; /* when ocspCertStatus_other */ + } certStatusInfo; }; /* @@ -341,8 +338,8 @@ struct ocspCertStatusStr { * was revoked and why. */ struct ocspRevokedInfoStr { - SECItem revocationTime; /* a GeneralizedTime */ - SECItem *revocationReason; /* a CRLReason; ignored for now */ + SECItem revocationTime; /* a GeneralizedTime */ + SECItem *revocationReason; /* a CRLReason; ignored for now */ }; /* @@ -353,7 +350,7 @@ struct ocspRevokedInfoStr { */ struct ocspServiceLocatorStr { CERTName *issuer; - SECItem locator; /* DER encoded authInfoAccess extension from cert */ + SECItem locator; /* DER encoded authInfoAccess extension from cert */ }; #endif /* _OCSPTI_H_ */ 
diff --git a/lib/certhigh/xcrldist.c b/lib/certhigh/xcrldist.c index 291a9d888..4f74cdb25 100644 --- a/lib/certhigh/xcrldist.c +++ b/lib/certhigh/xcrldist.c 
@@ -12,203 +12,201 @@ SEC_ASN1_MKSUB(SEC_AnyTemplate) SEC_ASN1_MKSUB(SEC_BitStringTemplate) -extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value); +extern void PrepareBitStringForEncoding(SECItem *bitMap, SECItem *value); static const SEC_ASN1Template FullNameTemplate[] = { - {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0, - offsetof (CRLDistributionPoint,derFullName), - CERT_GeneralNamesTemplate} + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0, + offsetof(CRLDistributionPoint, derFullName), + CERT_GeneralNamesTemplate } }; static const SEC_ASN1Template RelativeNameTemplate[] = { - {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, - offsetof (CRLDistributionPoint,distPoint.relativeName), - CERT_RDNTemplate} + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, + offsetof(CRLDistributionPoint, distPoint.relativeName), + CERT_RDNTemplate } }; static const SEC_ASN1Template DistributionPointNameTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(CRLDistributionPoint, distPointType), NULL, - sizeof(CRLDistributionPoint) }, + offsetof(CRLDistributionPoint, distPointType), NULL, + sizeof(CRLDistributionPoint) }, { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0, - offsetof (CRLDistributionPoint, derFullName), - CERT_GeneralNamesTemplate, generalName }, - { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, - offsetof (CRLDistributionPoint, distPoint.relativeName), - CERT_RDNTemplate, relativeDistinguishedName }, + offsetof(CRLDistributionPoint, derFullName), + CERT_GeneralNamesTemplate, generalName }, + { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, + offsetof(CRLDistributionPoint, distPoint.relativeName), + CERT_RDNTemplate, relativeDistinguishedName }, { 0 } }; static const SEC_ASN1Template CRLDistributionPointTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0, - 
offsetof(CRLDistributionPoint,derDistPoint), - SEC_ASN1_SUB(SEC_AnyTemplate)}, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, - offsetof(CRLDistributionPoint,bitsmap), - SEC_ASN1_SUB(SEC_BitStringTemplate) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_CONSTRUCTED | 2, - offsetof(CRLDistributionPoint, derCrlIssuer), - CERT_GeneralNamesTemplate}, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0, + offsetof(CRLDistributionPoint, derDistPoint), + SEC_ASN1_SUB(SEC_AnyTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, + offsetof(CRLDistributionPoint, bitsmap), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_CONSTRUCTED | 2, + offsetof(CRLDistributionPoint, derCrlIssuer), + CERT_GeneralNamesTemplate }, { 0 } }; const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = { - {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate} + { SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate } }; SECStatus -CERT_EncodeCRLDistributionPoints (PLArenaPool *arena, - CERTCrlDistributionPoints *value, - SECItem *derValue) +CERT_EncodeCRLDistributionPoints(PLArenaPool *arena, + CERTCrlDistributionPoints *value, + SECItem *derValue) { CRLDistributionPoint **pointList, *point; PLArenaPool *ourPool = NULL; SECStatus rv = SECSuccess; - PORT_Assert (derValue); - PORT_Assert (value && value->distPoints); + PORT_Assert(derValue); + PORT_Assert(value && value->distPoints); do { - ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE); - if (ourPool == NULL) { - rv = SECFailure; - break; - } - - pointList = value->distPoints; - while (*pointList) { - point = *pointList; - point->derFullName = NULL; - point->derDistPoint.data = NULL; - - switch (point->distPointType) { - case generalName: - point->derFullName = cert_EncodeGeneralNames - (ourPool, point->distPoint.fullName); - - if 
(!point->derFullName || - !SEC_ASN1EncodeItem (ourPool, &point->derDistPoint, - point, FullNameTemplate)) - rv = SECFailure; - break; - - case relativeDistinguishedName: - if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint, - point, RelativeNameTemplate)) - rv = SECFailure; - break; - - default: - PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID); - rv = SECFailure; - break; - } - - if (rv != SECSuccess) - break; - - if (point->reasons.data) - PrepareBitStringForEncoding (&point->bitsmap, &point->reasons); - - if (point->crlIssuer) { - point->derCrlIssuer = cert_EncodeGeneralNames - (ourPool, point->crlIssuer); - if (!point->derCrlIssuer) { - rv = SECFailure; - break; - } - } - ++pointList; - } - if (rv != SECSuccess) - break; - if (!SEC_ASN1EncodeItem(arena, derValue, value, - CERTCRLDistributionPointsTemplate)) { - rv = SECFailure; - break; - } + ourPool = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (ourPool == NULL) { + rv = SECFailure; + break; + } + + pointList = value->distPoints; + while (*pointList) { + point = *pointList; + point->derFullName = NULL; + point->derDistPoint.data = NULL; + + switch (point->distPointType) { + case generalName: + point->derFullName = cert_EncodeGeneralNames(ourPool, point->distPoint.fullName); + + if (!point->derFullName || + !SEC_ASN1EncodeItem(ourPool, &point->derDistPoint, + point, FullNameTemplate)) + rv = SECFailure; + break; + + case relativeDistinguishedName: + if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint, + point, RelativeNameTemplate)) + rv = SECFailure; + break; + + default: + PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); + rv = SECFailure; + break; + } + + if (rv != SECSuccess) + break; + + if (point->reasons.data) + PrepareBitStringForEncoding(&point->bitsmap, &point->reasons); + + if (point->crlIssuer) { + point->derCrlIssuer = cert_EncodeGeneralNames(ourPool, point->crlIssuer); + if (!point->derCrlIssuer) { + rv = SECFailure; + break; + } + } + ++pointList; + } + if (rv != SECSuccess) + break; 
+ if (!SEC_ASN1EncodeItem(arena, derValue, value, + CERTCRLDistributionPointsTemplate)) { + rv = SECFailure; + break; + } } while (0); - PORT_FreeArena (ourPool, PR_FALSE); + PORT_FreeArena(ourPool, PR_FALSE); return rv; } CERTCrlDistributionPoints * -CERT_DecodeCRLDistributionPoints (PLArenaPool *arena, SECItem *encodedValue) +CERT_DecodeCRLDistributionPoints(PLArenaPool *arena, SECItem *encodedValue) { - CERTCrlDistributionPoints *value = NULL; - CRLDistributionPoint **pointList, *point; - SECStatus rv = SECSuccess; - SECItem newEncodedValue; - - PORT_Assert (arena); - do { - value = PORT_ArenaZNew(arena, CERTCrlDistributionPoints); - if (value == NULL) { - rv = SECFailure; - break; - } + CERTCrlDistributionPoints *value = NULL; + CRLDistributionPoint **pointList, *point; + SECStatus rv = SECSuccess; + SECItem newEncodedValue; + + PORT_Assert(arena); + do { + value = PORT_ArenaZNew(arena, CERTCrlDistributionPoints); + if (value == NULL) { + rv = SECFailure; + break; + } /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue); if (rv != SECSuccess) - break; - - rv = SEC_QuickDERDecodeItem(arena, &value->distPoints, - CERTCRLDistributionPointsTemplate, &newEncodedValue); - if (rv != SECSuccess) - break; - - pointList = value->distPoints; - while (NULL != (point = *pointList)) { - - /* get the data if the distributionPointName is not omitted */ - if (point->derDistPoint.data != NULL) { - rv = SEC_QuickDERDecodeItem(arena, point, - DistributionPointNameTemplate, &(point->derDistPoint)); - if (rv != SECSuccess) - break; - - switch (point->distPointType) { - case generalName: - point->distPoint.fullName = - cert_DecodeGeneralNames(arena, point->derFullName); - rv = point->distPoint.fullName ? 
SECSuccess : SECFailure; - break; - - case relativeDistinguishedName: - break; - - default: - PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID); - rv = SECFailure; - break; - } /* end switch */ - if (rv != SECSuccess) - break; - } /* end if */ - - /* Get the reason code if it's not omitted in the encoding */ - if (point->bitsmap.data != NULL) { - SECItem bitsmap = point->bitsmap; - DER_ConvertBitString(&bitsmap); - rv = SECITEM_CopyItem(arena, &point->reasons, &bitsmap); - if (rv != SECSuccess) - break; - } - - /* Get the crl issuer name if it's not omitted in the encoding */ - if (point->derCrlIssuer != NULL) { - point->crlIssuer = cert_DecodeGeneralNames(arena, - point->derCrlIssuer); - if (!point->crlIssuer) - break; - } - ++pointList; - } /* end while points remain */ - } while (0); - return (rv == SECSuccess ? value : NULL); + break; + + rv = SEC_QuickDERDecodeItem(arena, &value->distPoints, + CERTCRLDistributionPointsTemplate, &newEncodedValue); + if (rv != SECSuccess) + break; + + pointList = value->distPoints; + while (NULL != (point = *pointList)) { + + /* get the data if the distributionPointName is not omitted */ + if (point->derDistPoint.data != NULL) { + rv = SEC_QuickDERDecodeItem(arena, point, + DistributionPointNameTemplate, &(point->derDistPoint)); + if (rv != SECSuccess) + break; + + switch (point->distPointType) { + case generalName: + point->distPoint.fullName = + cert_DecodeGeneralNames(arena, point->derFullName); + rv = point->distPoint.fullName ? 
SECSuccess : SECFailure; + break; + + case relativeDistinguishedName: + break; + + default: + PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); + rv = SECFailure; + break; + } /* end switch */ + if (rv != SECSuccess) + break; + } /* end if */ + + /* Get the reason code if it's not omitted in the encoding */ + if (point->bitsmap.data != NULL) { + SECItem bitsmap = point->bitsmap; + DER_ConvertBitString(&bitsmap); + rv = SECITEM_CopyItem(arena, &point->reasons, &bitsmap); + if (rv != SECSuccess) + break; + } + + /* Get the crl issuer name if it's not omitted in the encoding */ + if (point->derCrlIssuer != NULL) { + point->crlIssuer = cert_DecodeGeneralNames(arena, + point->derCrlIssuer); + if (!point->crlIssuer) + break; + } + ++pointList; + } /* end while points remain */ + } while (0); + return (rv == SECSuccess ? value : NULL); } |
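Review bot: In CERT_DecodeCRLDistributionPoints the crlIssuer branch near the end of the loop does `if (!point->crlIssuer) break;` without touching `rv`, so when cert_DecodeGeneralNames fails the function still returns the partially decoded CERTCrlDistributionPoints (crlIssuer left NULL, remaining points never processed) because `rv` is still SECSuccess from the preceding SECITEM_CopyItem or SEC_QuickDERDecodeItem call. Every other failure path in that loop sets `rv = SECFailure` before breaking; this one should do the same: `if (!point->crlIssuer) { rv = SECFailure; break; }`. The defect predates this reformatting commit, but a caller that treats a non-NULL return as a fully decoded extension would otherwise consume an incomplete distribution-point list, so it is worth fixing while the file is being touched.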