summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFranziskus Kiefer <franziskuskiefer@gmail.com>2015-12-15 13:28:02 +0100
committerFranziskus Kiefer <franziskuskiefer@gmail.com>2015-12-15 13:28:02 +0100
commit95da51969b89add904c2b8928868d6ddad7202a8 (patch)
treebd0fff890c27dbbc3b556509b1dd0ef0b2f0a62a
parent37aa902bc92baf60ad47daf428194752d2c8e81d (diff)
downloadnss-hg-95da51969b89add904c2b8928868d6ddad7202a8.tar.gz
Bug 1229362 - clang format on lib/certhigh with minor manual corrections, r=kaie
Diffstat
-rw-r--r--lib/certhigh/certhigh.c1188
-rw-r--r--lib/certhigh/certhtml.c419
-rw-r--r--lib/certhigh/certreq.c193
-rw-r--r--lib/certhigh/certvfy.c2300
-rw-r--r--lib/certhigh/certvfypkix.c1400
-rw-r--r--lib/certhigh/crlv2.c100
-rw-r--r--lib/certhigh/ocsp.c2949
-rw-r--r--lib/certhigh/ocsp.h107
-rw-r--r--lib/certhigh/ocspi.h38
-rw-r--r--lib/certhigh/ocspsig.c365
-rw-r--r--lib/certhigh/ocspt.h128
-rw-r--r--lib/certhigh/ocspti.h113
-rw-r--r--lib/certhigh/xcrldist.c316
13 files changed, 4817 insertions, 4799 deletions
diff --git a/lib/certhigh/certhigh.c b/lib/certhigh/certhigh.c
index b06b7af33..2cb6b8c81 100644
--- a/lib/certhigh/certhigh.c
+++ b/lib/certhigh/certhigh.c
@@ -17,36 +17,37 @@
#include "pkitm.h"
#include "pki3hack.h"
-
PRBool
-CERT_MatchNickname(char *name1, char *name2) {
- char *nickname1= NULL;
+CERT_MatchNickname(char *name1, char *name2)
+{
+ char *nickname1 = NULL;
char *nickname2 = NULL;
char *token1;
char *token2;
/* first deal with the straight comparison */
if (PORT_Strcmp(name1, name2) == 0) {
- return PR_TRUE;
+ return PR_TRUE;
}
/* we need to handle the case where one name has an explicit token and the other
* doesn't */
- token1 = PORT_Strchr(name1,':');
- token2 = PORT_Strchr(name2,':');
+ token1 = PORT_Strchr(name1, ':');
+ token2 = PORT_Strchr(name2, ':');
if ((token1 && token2) || (!token1 && !token2)) {
- /* either both token names are specified or neither are, not match */
- return PR_FALSE;
+ /* either both token names are specified or neither are, not match */
+ return PR_FALSE;
}
if (token1) {
- nickname1=token1;
- nickname2=name2;
- } else {
- nickname1=token2;
- nickname2=name1;
+ nickname1 = token1;
+ nickname2 = name2;
+ }
+ else {
+ nickname1 = token2;
+ nickname2 = name1;
}
nickname1++;
- if (PORT_Strcmp(nickname1,nickname2) != 0) {
- return PR_FALSE;
+ if (PORT_Strcmp(nickname1, nickname2) != 0) {
+ return PR_FALSE;
}
/* Bug 1192443 - compare the other token with the internal slot here */
return PR_TRUE;
@@ -54,7 +55,7 @@ CERT_MatchNickname(char *name1, char *name2) {
/*
* Find all user certificates that match the given criteria.
- *
+ *
* "handle" - database to search
* "usage" - certificate usage to match
* "oneCertPerName" - if set then only return the "best" cert per
@@ -64,10 +65,10 @@ CERT_MatchNickname(char *name1, char *name2) {
*/
CERTCertList *
CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
- SECCertUsage usage,
- PRBool oneCertPerName,
- PRBool validOnly,
- void *proto_win)
+ SECCertUsage usage,
+ PRBool oneCertPerName,
+ PRBool validOnly,
+ void *proto_win)
{
CERTCertNicknames *nicknames = NULL;
char **nnptr;
@@ -79,29 +80,29 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
CERTCertListNode *node = NULL;
CERTCertListNode *freenode = NULL;
int n;
-
+
time = PR_Now();
-
+
nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
- proto_win);
-
- if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
- goto loser;
+ proto_win);
+
+ if ((nicknames == NULL) || (nicknames->numnicknames == 0)) {
+ goto loser;
}
nnptr = nicknames->nicknames;
nn = nicknames->numnicknames;
- while ( nn > 0 ) {
- cert = NULL;
- /* use the pk11 call so that we pick up any certs on tokens,
+ while (nn > 0) {
+ cert = NULL;
+ /* use the pk11 call so that we pick up any certs on tokens,
* which may require login
*/
- if ( proto_win != NULL ) {
- cert = PK11_FindCertFromNickname(*nnptr,proto_win);
- }
+ if (proto_win != NULL) {
+ cert = PK11_FindCertFromNickname(*nnptr, proto_win);
+ }
- /* Sigh, It turns out if the cert is already in the temp db, because
+ /* Sigh, It turns out if the cert is already in the temp db, because
* it's in the perm db, then the nickname lookup doesn't work.
* since we already have the cert here, though, than we can just call
* CERT_CreateSubjectCertList directly. For those cases where we didn't
@@ -109,104 +110,105 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
* or because the nickname is for a peer, server, or CA cert, then we
* go look the cert up.
*/
- if (cert == NULL) {
- cert = CERT_FindCertByNickname(handle,*nnptr);
- }
-
- if ( cert != NULL ) {
- /* collect certs for this nickname, sorting them into the list */
- certList = CERT_CreateSubjectCertList(certList, handle,
- &cert->derSubject, time, validOnly);
-
- CERT_FilterCertListForUserCerts(certList);
-
- /* drop the extra reference */
- CERT_DestroyCertificate(cert);
- }
-
- nnptr++;
- nn--;
+ if (cert == NULL) {
+ cert = CERT_FindCertByNickname(handle, *nnptr);
+ }
+
+ if (cert != NULL) {
+ /* collect certs for this nickname, sorting them into the list */
+ certList = CERT_CreateSubjectCertList(certList, handle,
+ &cert->derSubject, time, validOnly);
+
+ CERT_FilterCertListForUserCerts(certList);
+
+ /* drop the extra reference */
+ CERT_DestroyCertificate(cert);
+ }
+
+ nnptr++;
+ nn--;
}
/* remove certs with incorrect usage */
rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
/* remove any extra certs for each name */
- if ( oneCertPerName ) {
- PRBool *flags;
-
- nn = nicknames->numnicknames;
- nnptr = nicknames->nicknames;
-
- flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
- if ( flags == NULL ) {
- goto loser;
- }
-
- node = CERT_LIST_HEAD(certList);
-
- /* treverse all certs in the list */
- while ( !CERT_LIST_END(node, certList) ) {
-
- /* find matching nickname index */
- for ( n = 0; n < nn; n++ ) {
- if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) {
- /* We found a match. If this is the first one, then
+ if (oneCertPerName) {
+ PRBool *flags;
+
+ nn = nicknames->numnicknames;
+ nnptr = nicknames->nicknames;
+
+ flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
+ if (flags == NULL) {
+ goto loser;
+ }
+
+ node = CERT_LIST_HEAD(certList);
+
+ /* treverse all certs in the list */
+ while (!CERT_LIST_END(node, certList)) {
+
+ /* find matching nickname index */
+ for (n = 0; n < nn; n++) {
+ if (CERT_MatchNickname(nnptr[n], node->cert->nickname)) {
+ /* We found a match. If this is the first one, then
* set the flag and move on to the next cert. If this
* is not the first one then delete it from the list.
*/
- if ( flags[n] ) {
- /* We have already seen a cert with this nickname,
+ if (flags[n]) {
+ /* We have already seen a cert with this nickname,
* so delete this one.
*/
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* keep the first cert for each nickname, but set the
+ freenode = node;
+ node = CERT_LIST_NEXT(node);
+ CERT_RemoveCertListNode(freenode);
+ }
+ else {
+ /* keep the first cert for each nickname, but set the
* flag so we know to delete any others with the same
* nickname.
*/
- flags[n] = PR_TRUE;
- node = CERT_LIST_NEXT(node);
- }
- break;
- }
- }
- if ( n == nn ) {
- /* if we get here it means that we didn't find a matching
+ flags[n] = PR_TRUE;
+ node = CERT_LIST_NEXT(node);
+ }
+ break;
+ }
+ }
+ if (n == nn) {
+ /* if we get here it means that we didn't find a matching
* nickname, which should not happen.
*/
- PORT_Assert(0);
- node = CERT_LIST_NEXT(node);
- }
- }
- PORT_Free(flags);
+ PORT_Assert(0);
+ node = CERT_LIST_NEXT(node);
+ }
+ }
+ PORT_Free(flags);
}
goto done;
-
+
loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- certList = NULL;
+ if (certList != NULL) {
+ CERT_DestroyCertList(certList);
+ certList = NULL;
}
done:
- if ( nicknames != NULL ) {
- CERT_FreeNicknames(nicknames);
+ if (nicknames != NULL) {
+ CERT_FreeNicknames(nicknames);
}
- return(certList);
+ return (certList);
}
/*
* Find a user certificate that matchs the given criteria.
- *
+ *
* "handle" - database to search
* "nickname" - nickname to match
* "usage" - certificate usage to match
@@ -215,131 +217,129 @@ done:
*/
CERTCertificate *
CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
- const char *nickname,
- SECCertUsage usage,
- PRBool validOnly,
- void *proto_win)
+ const char *nickname,
+ SECCertUsage usage,
+ PRBool validOnly,
+ void *proto_win)
{
CERTCertificate *cert = NULL;
CERTCertList *certList = NULL;
SECStatus rv;
PRTime time;
-
+
time = PR_Now();
-
+
/* use the pk11 call so that we pick up any certs on tokens,
* which may require login
*/
/* XXX - why is this restricted? */
- if ( proto_win != NULL ) {
- cert = PK11_FindCertFromNickname(nickname,proto_win);
+ if (proto_win != NULL) {
+ cert = PK11_FindCertFromNickname(nickname, proto_win);
}
-
/* sigh, There are still problems find smart cards from the temp
* db. This will get smart cards working again. The real fix
* is to make sure we can search the temp db by their token nickname.
*/
if (cert == NULL) {
- cert = CERT_FindCertByNickname(handle,nickname);
+ cert = CERT_FindCertByNickname(handle, nickname);
}
- if ( cert != NULL ) {
- unsigned int requiredKeyUsage;
- unsigned int requiredCertType;
-
- rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE,
- &requiredKeyUsage, &requiredCertType);
- if ( rv != SECSuccess ) {
- /* drop the extra reference */
- CERT_DestroyCertificate(cert);
- cert = NULL;
- goto loser;
- }
- /* If we already found the right cert, just return it */
- if ( (!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE)
- == secCertTimeValid) &&
- (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) &&
- (cert->nsCertType & requiredCertType) &&
- CERT_IsUserCert(cert) ) {
- return(cert);
- }
-
- /* collect certs for this nickname, sorting them into the list */
- certList = CERT_CreateSubjectCertList(certList, handle,
- &cert->derSubject, time, validOnly);
-
- CERT_FilterCertListForUserCerts(certList);
-
- /* drop the extra reference */
- CERT_DestroyCertificate(cert);
- cert = NULL;
+ if (cert != NULL) {
+ unsigned int requiredKeyUsage;
+ unsigned int requiredCertType;
+
+ rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE,
+ &requiredKeyUsage, &requiredCertType);
+ if (rv != SECSuccess) {
+ /* drop the extra reference */
+ CERT_DestroyCertificate(cert);
+ cert = NULL;
+ goto loser;
+ }
+ /* If we already found the right cert, just return it */
+ if ((!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE) ==
+ secCertTimeValid) &&
+ (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) &&
+ (cert->nsCertType & requiredCertType) &&
+ CERT_IsUserCert(cert)) {
+ return (cert);
+ }
+
+ /* collect certs for this nickname, sorting them into the list */
+ certList = CERT_CreateSubjectCertList(certList, handle,
+ &cert->derSubject, time, validOnly);
+
+ CERT_FilterCertListForUserCerts(certList);
+
+ /* drop the extra reference */
+ CERT_DestroyCertificate(cert);
+ cert = NULL;
}
-
- if ( certList == NULL ) {
- goto loser;
+
+ if (certList == NULL) {
+ goto loser;
}
-
+
/* remove certs with incorrect usage */
rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
- if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
- cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
+ if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) {
+ cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
}
-
+
loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
+ if (certList != NULL) {
+ CERT_DestroyCertList(certList);
}
- return(cert);
+ return (cert);
}
CERTCertList *
CERT_MatchUserCert(CERTCertDBHandle *handle,
- SECCertUsage usage,
- int nCANames, char **caNames,
- void *proto_win)
+ SECCertUsage usage,
+ int nCANames, char **caNames,
+ void *proto_win)
{
CERTCertList *certList = NULL;
SECStatus rv;
certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE,
- proto_win);
- if ( certList == NULL ) {
- goto loser;
+ proto_win);
+ if (certList == NULL) {
+ goto loser;
}
-
+
rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
-
+
goto done;
-
+
loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
- certList = NULL;
+ if (certList != NULL) {
+ CERT_DestroyCertList(certList);
+ certList = NULL;
}
done:
- return(certList);
+ return (certList);
}
-
typedef struct stringNode {
struct stringNode *next;
char *string;
} stringNode;
-
+
static PRStatus
-CollectNicknames( NSSCertificate *c, void *data)
+CollectNicknames(NSSCertificate *c, void *data)
{
CERTCertNicknames *names;
PRBool saveit = PR_FALSE;
@@ -351,103 +351,104 @@ CollectNicknames( NSSCertificate *c, void *data)
#endif
char *stanNickname;
char *nickname = NULL;
-
+
names = (CERTCertNicknames *)data;
- stanNickname = nssCertificate_GetNickname(c,NULL);
-
- if ( stanNickname ) {
+ stanNickname = nssCertificate_GetNickname(c, NULL);
+
+ if (stanNickname) {
nss_ZFreeIf(stanNickname);
stanNickname = NULL;
- if (names->what == SEC_CERT_NICKNAMES_USER) {
- saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
- }
+ if (names->what == SEC_CERT_NICKNAMES_USER) {
+ saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
+ }
#ifdef notdef
- else {
- td = NSSCertificate_GetTrustDomain(c);
- if (!td) {
- return PR_SUCCESS;
- }
- trust = nssTrustDomain_FindTrustForCertificate(td,c);
-
- switch(names->what) {
- case SEC_CERT_NICKNAMES_ALL:
- if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
- (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
- (trust->objectSigningFlags &
- (CERTDB_VALID_CA|CERTDB_VALID_PEER))) {
- saveit = PR_TRUE;
- }
-
- break;
- case SEC_CERT_NICKNAMES_SERVER:
- if ( trust->sslFlags & CERTDB_VALID_PEER ) {
- saveit = PR_TRUE;
- }
-
- break;
- case SEC_CERT_NICKNAMES_CA:
- if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)||
- ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) ||
- ((trust->objectSigningFlags & CERTDB_VALID_CA )
- == CERTDB_VALID_CA)) {
- saveit = PR_TRUE;
- }
- break;
- }
- }
+ else {
+ td = NSSCertificate_GetTrustDomain(c);
+ if (!td) {
+ return PR_SUCCESS;
+ }
+ trust = nssTrustDomain_FindTrustForCertificate(td, c);
+
+ switch (names->what) {
+ case SEC_CERT_NICKNAMES_ALL:
+ if ((trust->sslFlags & (CERTDB_VALID_CA | CERTDB_VALID_PEER)) ||
+ (trust->emailFlags & (CERTDB_VALID_CA | CERTDB_VALID_PEER)) ||
+ (trust->objectSigningFlags &
+ (CERTDB_VALID_CA | CERTDB_VALID_PEER))) {
+ saveit = PR_TRUE;
+ }
+
+ break;
+ case SEC_CERT_NICKNAMES_SERVER:
+ if (trust->sslFlags & CERTDB_VALID_PEER) {
+ saveit = PR_TRUE;
+ }
+
+ break;
+ case SEC_CERT_NICKNAMES_CA:
+ if (((trust->sslFlags & CERTDB_VALID_CA) == CERTDB_VALID_CA) ||
+ ((trust->emailFlags & CERTDB_VALID_CA) == CERTDB_VALID_CA) ||
+ ((trust->objectSigningFlags & CERTDB_VALID_CA) ==
+ CERTDB_VALID_CA)) {
+ saveit = PR_TRUE;
+ }
+ break;
+ }
+ }
#endif
}
/* traverse the list of collected nicknames and make sure we don't make
* a duplicate
*/
- if ( saveit ) {
- nickname = STAN_GetCERTCertificateName(NULL, c);
- /* nickname can only be NULL here if we are having memory
+ if (saveit) {
+ nickname = STAN_GetCERTCertificateName(NULL, c);
+ /* nickname can only be NULL here if we are having memory
* alloc problems */
- if (nickname == NULL) {
- return PR_FAILURE;
- }
- node = (stringNode *)names->head;
- while ( node != NULL ) {
- if ( PORT_Strcmp(nickname, node->string) == 0 ) {
- /* if the string matches, then don't save this one */
- saveit = PR_FALSE;
- break;
- }
- node = node->next;
- }
+ if (nickname == NULL) {
+ return PR_FAILURE;
+ }
+ node = (stringNode *)names->head;
+ while (node != NULL) {
+ if (PORT_Strcmp(nickname, node->string) == 0) {
+ /* if the string matches, then don't save this one */
+ saveit = PR_FALSE;
+ break;
+ }
+ node = node->next;
+ }
}
- if ( saveit ) {
-
- /* allocate the node */
- node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
- if ( node == NULL ) {
- PORT_Free(nickname);
- return PR_FAILURE;
- }
-
- /* copy the string */
- len = PORT_Strlen(nickname) + 1;
- node->string = (char*)PORT_ArenaAlloc(names->arena, len);
- if ( node->string == NULL ) {
- PORT_Free(nickname);
- return PR_FAILURE;
- }
- PORT_Memcpy(node->string, nickname, len);
-
- /* link it into the list */
- node->next = (stringNode *)names->head;
- names->head = (void *)node;
-
- /* bump the count */
- names->numnicknames++;
+ if (saveit) {
+
+ /* allocate the node */
+ node = (stringNode *)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
+ if (node == NULL) {
+ PORT_Free(nickname);
+ return PR_FAILURE;
+ }
+
+ /* copy the string */
+ len = PORT_Strlen(nickname) + 1;
+ node->string = (char *)PORT_ArenaAlloc(names->arena, len);
+ if (node->string == NULL) {
+ PORT_Free(nickname);
+ return PR_FAILURE;
+ }
+ PORT_Memcpy(node->string, nickname, len);
+
+ /* link it into the list */
+ node->next = (stringNode *)names->head;
+ names->head = (void *)node;
+
+ /* bump the count */
+ names->numnicknames++;
}
-
- if (nickname) PORT_Free(nickname);
- return(PR_SUCCESS);
+
+ if (nickname)
+ PORT_Free(nickname);
+ return (PR_SUCCESS);
}
CERTCertNicknames *
@@ -457,16 +458,16 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
CERTCertNicknames *names;
int i;
stringNode *node;
-
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(NULL);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (NULL);
}
-
+
names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
- if ( names == NULL ) {
- goto loser;
+ if (names == NULL) {
+ goto loser;
}
names->arena = arena;
@@ -477,43 +478,44 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
names->totallen = 0;
/* make sure we are logged in */
- (void) pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx);
-
+ (void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx);
+
NSSTrustDomain_TraverseCertificates(handle,
- CollectNicknames, (void *)names);
- if ( names->numnicknames ) {
- names->nicknames = (char**)PORT_ArenaAlloc(arena,
- names->numnicknames * sizeof(char *));
-
- if ( names->nicknames == NULL ) {
- goto loser;
- }
-
- node = (stringNode *)names->head;
-
- for ( i = 0; i < names->numnicknames; i++ ) {
- PORT_Assert(node != NULL);
-
- names->nicknames[i] = node->string;
- names->totallen += PORT_Strlen(node->string);
- node = node->next;
- }
-
- PORT_Assert(node == NULL);
+ CollectNicknames, (void *)names);
+ if (names->numnicknames) {
+ names->nicknames = (char **)PORT_ArenaAlloc(arena,
+ names->numnicknames *
+ sizeof(char *));
+
+ if (names->nicknames == NULL) {
+ goto loser;
+ }
+
+ node = (stringNode *)names->head;
+
+ for (i = 0; i < names->numnicknames; i++) {
+ PORT_Assert(node != NULL);
+
+ names->nicknames[i] = node->string;
+ names->totallen += PORT_Strlen(node->string);
+ node = node->next;
+ }
+
+ PORT_Assert(node == NULL);
}
- return(names);
-
+ return (names);
+
loser:
PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
+ return (NULL);
}
void
CERT_FreeNicknames(CERTCertNicknames *nicknames)
{
PORT_FreeArena(nicknames->arena, PR_FALSE);
-
+
return;
}
@@ -528,53 +530,53 @@ void
CERT_FreeDistNames(CERTDistNames *names)
{
PORT_FreeArena(names->arena, PR_FALSE);
-
+
return;
}
static SECStatus
-CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
+CollectDistNames(CERTCertificate *cert, SECItem *k, void *data)
{
CERTDistNames *names;
PRBool saveit = PR_FALSE;
CERTCertTrust trust;
dnameNode *node;
int len;
-
+
names = (CERTDistNames *)data;
-
- if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
- /* only collect names of CAs trusted for issuing SSL clients */
- if ( trust.sslFlags & CERTDB_TRUSTED_CLIENT_CA ) {
- saveit = PR_TRUE;
- }
+
+ if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+ /* only collect names of CAs trusted for issuing SSL clients */
+ if (trust.sslFlags & CERTDB_TRUSTED_CLIENT_CA) {
+ saveit = PR_TRUE;
+ }
}
- if ( saveit ) {
- /* allocate the node */
- node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
- if ( node == NULL ) {
- return(SECFailure);
- }
-
- /* copy the name */
- node->name.len = len = cert->derSubject.len;
- node->name.type = siBuffer;
- node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len);
- if ( node->name.data == NULL ) {
- return(SECFailure);
- }
- PORT_Memcpy(node->name.data, cert->derSubject.data, len);
-
- /* link it into the list */
- node->next = (dnameNode *)names->head;
- names->head = (void *)node;
-
- /* bump the count */
- names->nnames++;
+ if (saveit) {
+ /* allocate the node */
+ node = (dnameNode *)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
+ if (node == NULL) {
+ return (SECFailure);
+ }
+
+ /* copy the name */
+ node->name.len = len = cert->derSubject.len;
+ node->name.type = siBuffer;
+ node->name.data = (unsigned char *)PORT_ArenaAlloc(names->arena, len);
+ if (node->name.data == NULL) {
+ return (SECFailure);
+ }
+ PORT_Memcpy(node->name.data, cert->derSubject.data, len);
+
+ /* link it into the list */
+ node->next = (dnameNode *)names->head;
+ names->head = (void *)node;
+
+ /* bump the count */
+ names->nnames++;
}
-
- return(SECSuccess);
+
+ return (SECSuccess);
}
/*
@@ -587,18 +589,18 @@ CERT_DupDistNames(CERTDistNames *orig)
CERTDistNames *names;
int i;
SECStatus rv;
-
+
/* allocate an arena to use */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(NULL);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (NULL);
}
-
+
/* allocate the header structure */
names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
if (names == NULL) {
- goto loser;
+ goto loser;
}
/* initialize the header struct */
@@ -606,26 +608,26 @@ CERT_DupDistNames(CERTDistNames *orig)
names->head = NULL;
names->nnames = orig->nnames;
names->names = NULL;
-
+
/* construct the array from the list */
if (orig->nnames) {
- names->names = (SECItem*)PORT_ArenaNewArray(arena, SECItem,
- orig->nnames);
- if (names->names == NULL) {
- goto loser;
- }
- for (i = 0; i < orig->nnames; i++) {
+ names->names = (SECItem *)PORT_ArenaNewArray(arena, SECItem,
+ orig->nnames);
+ if (names->names == NULL) {
+ goto loser;
+ }
+ for (i = 0; i < orig->nnames; i++) {
rv = SECITEM_CopyItem(arena, &names->names[i], &orig->names[i]);
if (rv != SECSuccess) {
goto loser;
}
}
}
- return(names);
-
+ return (names);
+
loser:
PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
+ return (NULL);
}
CERTDistNames *
@@ -636,18 +638,18 @@ CERT_GetSSLCACerts(CERTCertDBHandle *handle)
int i;
SECStatus rv;
dnameNode *node;
-
+
/* allocate an arena to use */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return(NULL);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (NULL);
}
-
+
/* allocate the header structure */
names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
- if ( names == NULL ) {
- goto loser;
+ if (names == NULL) {
+ goto loser;
}
/* initialize the header struct */
@@ -655,48 +657,48 @@ CERT_GetSSLCACerts(CERTCertDBHandle *handle)
names->head = NULL;
names->nnames = 0;
names->names = NULL;
-
+
/* collect the names from the database */
rv = PK11_TraverseSlotCerts(CollectDistNames, (void *)names, NULL);
- if ( rv ) {
- goto loser;
+ if (rv) {
+ goto loser;
}
/* construct the array from the list */
- if ( names->nnames ) {
- names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
-
- if ( names->names == NULL ) {
- goto loser;
- }
-
- node = (dnameNode *)names->head;
-
- for ( i = 0; i < names->nnames; i++ ) {
- PORT_Assert(node != NULL);
-
- names->names[i] = node->name;
- node = node->next;
- }
-
- PORT_Assert(node == NULL);
+ if (names->nnames) {
+ names->names = (SECItem *)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
+
+ if (names->names == NULL) {
+ goto loser;
+ }
+
+ node = (dnameNode *)names->head;
+
+ for (i = 0; i < names->nnames; i++) {
+ PORT_Assert(node != NULL);
+
+ names->names[i] = node->name;
+ node = node->next;
+ }
+
+ PORT_Assert(node == NULL);
}
- return(names);
-
+ return (names);
+
loser:
PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
+ return (NULL);
}
CERTDistNames *
CERT_DistNamesFromCertList(CERTCertList *certList)
{
- CERTDistNames * dnames = NULL;
- PLArenaPool * arena;
+ CERTDistNames *dnames = NULL;
+ PLArenaPool *arena;
CERTCertListNode *node = NULL;
- SECItem * names = NULL;
- int listLen = 0, i = 0;
+ SECItem *names = NULL;
+ int listLen = 0, i = 0;
if (certList == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -704,23 +706,26 @@ CERT_DistNamesFromCertList(CERTCertList *certList)
}
node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
+ while (!CERT_LIST_END(node, certList)) {
listLen += 1;
node = CERT_LIST_NEXT(node);
}
-
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto loser;
+ if (arena == NULL)
+ goto loser;
dnames = PORT_ArenaZNew(arena, CERTDistNames);
- if (dnames == NULL) goto loser;
+ if (dnames == NULL)
+ goto loser;
dnames->arena = arena;
dnames->nnames = listLen;
dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, listLen);
- if (names == NULL) goto loser;
+ if (names == NULL)
+ goto loser;
node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
+ while (!CERT_LIST_END(node, certList)) {
CERTCertificate *cert = node->cert;
SECStatus rv = SECITEM_CopyItem(arena, &names[i++], &cert->derSubject);
if (rv == SECFailure) {
@@ -738,38 +743,43 @@ loser:
CERTDistNames *
CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
- int nnames)
+ int nnames)
{
CERTDistNames *dnames = NULL;
PLArenaPool *arena;
int i, rv;
SECItem *names = NULL;
CERTCertificate *cert = NULL;
-
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto loser;
+ if (arena == NULL)
+ goto loser;
dnames = PORT_ArenaZNew(arena, CERTDistNames);
- if (dnames == NULL) goto loser;
+ if (dnames == NULL)
+ goto loser;
dnames->arena = arena;
dnames->nnames = nnames;
dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames);
- if (names == NULL) goto loser;
-
+ if (names == NULL)
+ goto loser;
+
for (i = 0; i < nnames; i++) {
- cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
- if (cert == NULL) goto loser;
- rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
- if (rv == SECFailure) goto loser;
- CERT_DestroyCertificate(cert);
+ cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
+ if (cert == NULL)
+ goto loser;
+ rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
+ if (rv == SECFailure)
+ goto loser;
+ CERT_DestroyCertificate(cert);
}
return dnames;
-
+
loser:
if (cert != NULL)
- CERT_DestroyCertificate(cert);
+ CERT_DestroyCertificate(cert);
if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
@@ -784,36 +794,36 @@ CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
SECItem *nameItem;
CERTCertificate *cert = NULL;
PLArenaPool *arena = NULL;
-
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( arena == NULL ) {
- goto loser;
+
+ if (arena == NULL) {
+ goto loser;
}
-
+
name = CERT_AsciiToName(nameStr);
-
- if ( name ) {
- nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
- CERT_NameTemplate);
- if ( nameItem != NULL ) {
+
+ if (name) {
+ nameItem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
+ CERT_NameTemplate);
+ if (nameItem != NULL) {
cert = CERT_FindCertByName(handle, nameItem);
- }
- CERT_DestroyName(name);
+ }
+ CERT_DestroyName(name);
}
loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
}
-
- return(cert);
+
+ return (cert);
}
/* From certv3.c */
CERTCrlDistributionPoints *
-CERT_FindCRLDistributionPoints (CERTCertificate *cert)
+CERT_FindCRLDistributionPoints(CERTCertificate *cert)
{
SECItem encodedExtenValue;
SECStatus rv;
@@ -823,9 +833,9 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert)
encodedExtenValue.len = 0;
rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS,
- &encodedExtenValue);
- if ( rv != SECSuccess ) {
- return (NULL);
+ &encodedExtenValue);
+ if (rv != SECSuccess) {
+ return (NULL);
}
dps = CERT_DecodeCRLDistributionPoints(cert->arena, &encodedExtenValue);
@@ -836,13 +846,13 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert)
}
/* From crl.c */
-CERTSignedCrl * CERT_ImportCRL
- (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
+CERTSignedCrl *
+CERT_ImportCRL(CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
{
- CERTSignedCrl* retCrl = NULL;
- PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+ CERTSignedCrl *retCrl = NULL;
+ PK11SlotInfo *slot = PK11_GetInternalKeySlot();
retCrl = PK11_ImportCRL(slot, derCRL, url, type, wincx,
- CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
+ CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
PK11_FreeSlot(slot);
return retCrl;
@@ -861,110 +871,111 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool
PRBool isca;
char *nickname;
unsigned int certtype;
-
+
handle = CERT_GetDefaultCertDB();
-
+
while (numcerts--) {
- derCert = certs;
- certs++;
-
- /* decode my certificate */
- /* This use is ok -- only looks at decoded parts, calls NewTemp later */
- newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
- if ( newcert == NULL ) {
- goto loser;
- }
-
- if (!trusted) {
- /* make sure that cert is valid */
- rv = CERT_CertTimesValid(newcert);
- if ( rv == SECFailure ) {
- goto endloop;
- }
- }
-
- /* does it have the CA extension */
-
- /*
+ derCert = certs;
+ certs++;
+
+ /* decode my certificate */
+ /* This use is ok -- only looks at decoded parts, calls NewTemp later */
+ newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+ if (newcert == NULL) {
+ goto loser;
+ }
+
+ if (!trusted) {
+ /* make sure that cert is valid */
+ rv = CERT_CertTimesValid(newcert);
+ if (rv == SECFailure) {
+ goto endloop;
+ }
+ }
+
+ /* does it have the CA extension */
+
+ /*
* Make sure that if this is an intermediate CA in the chain that
* it was given permission by its signer to be a CA.
*/
- isca = CERT_IsCACert(newcert, &certtype);
-
- if ( !isca ) {
- if (!trusted) {
- goto endloop;
- }
- trust.sslFlags = CERTDB_VALID_CA;
- trust.emailFlags = CERTDB_VALID_CA;
- trust.objectSigningFlags = CERTDB_VALID_CA;
- } else {
- /* SSL ca's must have the ssl bit set */
- if ( ( certUsage == certUsageSSLCA ) &&
- (( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) {
- goto endloop;
- }
-
- /* it passed all of the tests, so lets add it to the database */
- /* mark it as a CA */
- PORT_Memset((void *)&trust, 0, sizeof(trust));
- switch ( certUsage ) {
- case certUsageSSLCA:
- trust.sslFlags = CERTDB_VALID_CA;
- break;
- case certUsageUserCertImport:
- if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
- trust.sslFlags = CERTDB_VALID_CA;
- }
- if ((certtype & NS_CERT_TYPE_EMAIL_CA)
- == NS_CERT_TYPE_EMAIL_CA ) {
- trust.emailFlags = CERTDB_VALID_CA;
- }
- if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) ==
- NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
- trust.objectSigningFlags = CERTDB_VALID_CA;
- }
- break;
- default:
- PORT_Assert(0);
- break;
- }
- }
-
- cert = CERT_NewTempCertificate(handle, derCert, NULL,
- PR_FALSE, PR_FALSE);
- if ( cert == NULL ) {
- goto loser;
- }
-
- /* if the cert is temp, make it perm; otherwise we're done */
- if (cert->istemp) {
- /* get a default nickname for it */
- nickname = CERT_MakeCANickname(cert);
-
- rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
-
- /* free the nickname */
- if ( nickname ) {
- PORT_Free(nickname);
- }
- } else {
- rv = SECSuccess;
- }
-
- CERT_DestroyCertificate(cert);
- cert = NULL;
-
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
-endloop:
- if ( newcert ) {
- CERT_DestroyCertificate(newcert);
- newcert = NULL;
- }
-
+ isca = CERT_IsCACert(newcert, &certtype);
+
+ if (!isca) {
+ if (!trusted) {
+ goto endloop;
+ }
+ trust.sslFlags = CERTDB_VALID_CA;
+ trust.emailFlags = CERTDB_VALID_CA;
+ trust.objectSigningFlags = CERTDB_VALID_CA;
+ }
+ else {
+ /* SSL ca's must have the ssl bit set */
+ if ((certUsage == certUsageSSLCA) &&
+ ((certtype & NS_CERT_TYPE_SSL_CA) != NS_CERT_TYPE_SSL_CA)) {
+ goto endloop;
+ }
+
+ /* it passed all of the tests, so lets add it to the database */
+ /* mark it as a CA */
+ PORT_Memset((void *)&trust, 0, sizeof(trust));
+ switch (certUsage) {
+ case certUsageSSLCA:
+ trust.sslFlags = CERTDB_VALID_CA;
+ break;
+ case certUsageUserCertImport:
+ if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
+ trust.sslFlags = CERTDB_VALID_CA;
+ }
+ if ((certtype & NS_CERT_TYPE_EMAIL_CA) ==
+ NS_CERT_TYPE_EMAIL_CA) {
+ trust.emailFlags = CERTDB_VALID_CA;
+ }
+ if ((certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA) ==
+ NS_CERT_TYPE_OBJECT_SIGNING_CA) {
+ trust.objectSigningFlags = CERTDB_VALID_CA;
+ }
+ break;
+ default:
+ PORT_Assert(0);
+ break;
+ }
+ }
+
+ cert = CERT_NewTempCertificate(handle, derCert, NULL,
+ PR_FALSE, PR_FALSE);
+ if (cert == NULL) {
+ goto loser;
+ }
+
+ /* if the cert is temp, make it perm; otherwise we're done */
+ if (cert->istemp) {
+ /* get a default nickname for it */
+ nickname = CERT_MakeCANickname(cert);
+
+ rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
+
+ /* free the nickname */
+ if (nickname) {
+ PORT_Free(nickname);
+ }
+ }
+ else {
+ rv = SECSuccess;
+ }
+
+ CERT_DestroyCertificate(cert);
+ cert = NULL;
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ endloop:
+ if (newcert) {
+ CERT_DestroyCertificate(newcert);
+ newcert = NULL;
+ }
}
rv = SECSuccess;
@@ -972,18 +983,18 @@ endloop:
loser:
rv = SECFailure;
done:
-
- if ( newcert ) {
- CERT_DestroyCertificate(newcert);
- newcert = NULL;
+
+ if (newcert) {
+ CERT_DestroyCertificate(newcert);
+ newcert = NULL;
}
-
- if ( cert ) {
- CERT_DestroyCertificate(cert);
- cert = NULL;
+
+ if (cert) {
+ CERT_DestroyCertificate(cert);
+ cert = NULL;
}
-
- return(rv);
+
+ return (rv);
}
SECStatus
@@ -993,7 +1004,8 @@ CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage)
}
SECStatus
-CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) {
+CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage)
+{
return cert_ImportCAChain(certs, numcerts, certUsage, PR_TRUE);
}
@@ -1014,7 +1026,7 @@ typedef struct certNode {
CERTCertificateList *
CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
- PRBool includeRoot)
+ PRBool includeRoot)
{
CERTCertificateList *chain = NULL;
NSSCertificate **stanChain;
@@ -1022,7 +1034,7 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
PLArenaPool *arena;
NSSUsage nssUsage;
int i, len;
- NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+ NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSCryptoContext *cc = STAN_GetDefaultCryptoContext();
stanCert = STAN_GetNSSCertificate(cert);
@@ -1034,55 +1046,58 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
nssUsage.nss3usage = usage;
nssUsage.nss3lookingForCA = PR_FALSE;
stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL, NULL,
- CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc);
+ CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc);
if (!stanChain) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- return NULL;
+ PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+ return NULL;
}
len = 0;
stanCert = stanChain[0];
while (stanCert) {
- stanCert = stanChain[++len];
+ stanCert = stanChain[++len];
}
arena = PORT_NewArena(4096);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
- chain = (CERTCertificateList *)PORT_ArenaAlloc(arena,
- sizeof(CERTCertificateList));
- if (!chain) goto loser;
- chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
- if (!chain->certs) goto loser;
+ chain = (CERTCertificateList *)PORT_ArenaAlloc(arena,
+ sizeof(CERTCertificateList));
+ if (!chain)
+ goto loser;
+ chain->certs = (SECItem *)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+ if (!chain->certs)
+ goto loser;
i = 0;
stanCert = stanChain[i];
while (stanCert) {
- SECItem derCert;
- CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
- if (!cCert) {
- goto loser;
- }
- derCert.len = (unsigned int)stanCert->encoding.size;
- derCert.data = (unsigned char *)stanCert->encoding.data;
- derCert.type = siBuffer;
- SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
- stanCert = stanChain[++i];
- if (!stanCert && !cCert->isRoot) {
- /* reached the end of the chain, but the final cert is
+ SECItem derCert;
+ CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+ if (!cCert) {
+ goto loser;
+ }
+ derCert.len = (unsigned int)stanCert->encoding.size;
+ derCert.data = (unsigned char *)stanCert->encoding.data;
+ derCert.type = siBuffer;
+ SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
+ stanCert = stanChain[++i];
+ if (!stanCert && !cCert->isRoot) {
+ /* reached the end of the chain, but the final cert is
* not a root. Don't discard it.
*/
- includeRoot = PR_TRUE;
- }
- CERT_DestroyCertificate(cCert);
+ includeRoot = PR_TRUE;
+ }
+ CERT_DestroyCertificate(cCert);
}
- if ( !includeRoot && len > 1) {
- chain->len = len - 1;
- } else {
- chain->len = len;
+ if (!includeRoot && len > 1) {
+ chain->len = len - 1;
}
-
+ else {
+ chain->len = len;
+ }
+
chain->arena = arena;
nss_ZFreeIf(stanChain);
return chain;
@@ -1090,15 +1105,15 @@ loser:
i = 0;
stanCert = stanChain[i];
while (stanCert) {
- CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
- if (cCert) {
- CERT_DestroyCertificate(cCert);
- }
- stanCert = stanChain[++i];
+ CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+ if (cCert) {
+ CERT_DestroyCertificate(cCert);
+ }
+ stanCert = stanChain[++i];
}
nss_ZFreeIf(stanChain);
if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
@@ -1115,15 +1130,19 @@ CERT_CertListFromCert(CERTCertificate *cert)
/* arena for SecCertificateList */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) goto no_memory;
+ if (arena == NULL)
+ goto no_memory;
/* build the CERTCertificateList */
chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
- if (chain == NULL) goto no_memory;
- chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
- if (chain->certs == NULL) goto no_memory;
+ if (chain == NULL)
+ goto no_memory;
+ chain->certs = (SECItem *)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
+ if (chain->certs == NULL)
+ goto no_memory;
rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert));
- if (rv < 0) goto loser;
+ if (rv < 0)
+ goto loser;
chain->len = 1;
chain->arena = arena;
@@ -1133,41 +1152,41 @@ no_memory:
PORT_SetError(SEC_ERROR_NO_MEMORY);
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
CERTCertificateList *
-CERT_DupCertList(const CERTCertificateList * oldList)
+CERT_DupCertList(const CERTCertificateList *oldList)
{
CERTCertificateList *newList = NULL;
- PLArenaPool *arena = NULL;
- SECItem *newItem;
- SECItem *oldItem;
- int len = oldList->len;
- int rv;
+ PLArenaPool *arena = NULL;
+ SECItem *newItem;
+ SECItem *oldItem;
+ int len = oldList->len;
+ int rv;
/* arena for SecCertificateList */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL)
- goto no_memory;
+ if (arena == NULL)
+ goto no_memory;
/* now build the CERTCertificateList */
newList = PORT_ArenaNew(arena, CERTCertificateList);
- if (newList == NULL)
- goto no_memory;
+ if (newList == NULL)
+ goto no_memory;
newList->arena = arena;
- newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
- if (newItem == NULL)
- goto no_memory;
+ newItem = (SECItem *)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+ if (newItem == NULL)
+ goto no_memory;
newList->certs = newItem;
- newList->len = len;
+ newList->len = len;
for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) {
- rv = SECITEM_CopyItem(arena, newItem, oldItem);
- if (rv < 0)
- goto loser;
+ rv = SECITEM_CopyItem(arena, newItem, oldItem);
+ if (rv < 0)
+ goto loser;
}
return newList;
@@ -1175,7 +1194,7 @@ no_memory:
PORT_SetError(SEC_ERROR_NO_MEMORY);
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
@@ -1185,4 +1204,3 @@ CERT_DestroyCertificateList(CERTCertificateList *list)
{
PORT_FreeArena(list->arena, PR_FALSE);
}
-
diff --git a/lib/certhigh/certhtml.c b/lib/certhigh/certhtml.c
index aad66b0ec..a522f6925 100644
--- a/lib/certhigh/certhtml.c
+++ b/lib/certhigh/certhtml.c
@@ -22,31 +22,33 @@ static char *hex = "0123456789ABCDEF";
/*
** Convert a der-encoded integer to a hex printable string form
*/
-char *CERT_Hexify (SECItem *i, int do_colon)
+char *
+CERT_Hexify(SECItem *i, int do_colon)
{
unsigned char *cp, *end;
char *rv, *o;
if (!i->len) {
- return PORT_Strdup("00");
+ return PORT_Strdup("00");
}
- rv = o = (char*) PORT_Alloc(i->len * 3);
- if (!rv) return rv;
+ rv = o = (char *)PORT_Alloc(i->len * 3);
+ if (!rv)
+ return rv;
cp = i->data;
end = cp + i->len;
while (cp < end) {
- unsigned char ch = *cp++;
- *o++ = hex[(ch >> 4) & 0xf];
- *o++ = hex[ch & 0xf];
- if (cp != end) {
- if (do_colon) {
- *o++ = ':';
- }
- }
+ unsigned char ch = *cp++;
+ *o++ = hex[(ch >> 4) & 0xf];
+ *o++ = hex[ch & 0xf];
+ if (cp != end) {
+ if (do_colon) {
+ *o++ = ':';
+ }
+ }
}
- *o = 0; /* Null terminate the string */
+ *o = 0; /* Null terminate the string */
return rv;
}
@@ -58,132 +60,132 @@ char *CERT_Hexify (SECItem *i, int do_colon)
#define MAX_OUS 20
#define MAX_DC MAX_OUS
-
-char *CERT_FormatName (CERTName *name)
+char *
+CERT_FormatName(CERTName *name)
{
- CERTRDN** rdns;
- CERTRDN * rdn;
- CERTAVA** avas;
- CERTAVA* ava;
- char * buf = 0;
- char * tmpbuf = 0;
- SECItem * cn = 0;
- SECItem * email = 0;
- SECItem * org = 0;
- SECItem * loc = 0;
- SECItem * state = 0;
- SECItem * country = 0;
- SECItem * dq = 0;
+ CERTRDN **rdns;
+ CERTRDN *rdn;
+ CERTAVA **avas;
+ CERTAVA *ava;
+ char *buf = 0;
+ char *tmpbuf = 0;
+ SECItem *cn = 0;
+ SECItem *email = 0;
+ SECItem *org = 0;
+ SECItem *loc = 0;
+ SECItem *state = 0;
+ SECItem *country = 0;
+ SECItem *dq = 0;
- unsigned len = 0;
- int tag;
- int i;
- int ou_count = 0;
- int dc_count = 0;
- PRBool first;
- SECItem * orgunit[MAX_OUS];
- SECItem * dc[MAX_DC];
+ unsigned len = 0;
+ int tag;
+ int i;
+ int ou_count = 0;
+ int dc_count = 0;
+ PRBool first;
+ SECItem *orgunit[MAX_OUS];
+ SECItem *dc[MAX_DC];
/* Loop over name components and gather the interesting ones */
rdns = name->rdns;
while ((rdn = *rdns++) != 0) {
- avas = rdn->avas;
- while ((ava = *avas++) != 0) {
- tag = CERT_GetAVATag(ava);
- switch(tag) {
- case SEC_OID_AVA_COMMON_NAME:
- if (cn) {
- break;
- }
- cn = CERT_DecodeAVAValue(&ava->value);
- if (!cn) {
- goto loser;
- }
- len += cn->len;
- break;
- case SEC_OID_AVA_COUNTRY_NAME:
- if (country) {
- break;
- }
- country = CERT_DecodeAVAValue(&ava->value);
- if (!country) {
- goto loser;
- }
- len += country->len;
- break;
- case SEC_OID_AVA_LOCALITY:
- if (loc) {
- break;
- }
- loc = CERT_DecodeAVAValue(&ava->value);
- if (!loc) {
- goto loser;
- }
- len += loc->len;
- break;
- case SEC_OID_AVA_STATE_OR_PROVINCE:
- if (state) {
- break;
- }
- state = CERT_DecodeAVAValue(&ava->value);
- if (!state) {
- goto loser;
- }
- len += state->len;
- break;
- case SEC_OID_AVA_ORGANIZATION_NAME:
- if (org) {
- break;
- }
- org = CERT_DecodeAVAValue(&ava->value);
- if (!org) {
- goto loser;
- }
- len += org->len;
- break;
- case SEC_OID_AVA_DN_QUALIFIER:
- if (dq) {
- break;
- }
- dq = CERT_DecodeAVAValue(&ava->value);
- if (!dq) {
- goto loser;
- }
- len += dq->len;
- break;
- case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
- if (ou_count < MAX_OUS) {
- orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
- if (!orgunit[ou_count]) {
- goto loser;
+ avas = rdn->avas;
+ while ((ava = *avas++) != 0) {
+ tag = CERT_GetAVATag(ava);
+ switch (tag) {
+ case SEC_OID_AVA_COMMON_NAME:
+ if (cn) {
+ break;
+ }
+ cn = CERT_DecodeAVAValue(&ava->value);
+ if (!cn) {
+ goto loser;
+ }
+ len += cn->len;
+ break;
+ case SEC_OID_AVA_COUNTRY_NAME:
+ if (country) {
+ break;
+ }
+ country = CERT_DecodeAVAValue(&ava->value);
+ if (!country) {
+ goto loser;
+ }
+ len += country->len;
+ break;
+ case SEC_OID_AVA_LOCALITY:
+ if (loc) {
+ break;
+ }
+ loc = CERT_DecodeAVAValue(&ava->value);
+ if (!loc) {
+ goto loser;
+ }
+ len += loc->len;
+ break;
+ case SEC_OID_AVA_STATE_OR_PROVINCE:
+ if (state) {
+ break;
+ }
+ state = CERT_DecodeAVAValue(&ava->value);
+ if (!state) {
+ goto loser;
+ }
+ len += state->len;
+ break;
+ case SEC_OID_AVA_ORGANIZATION_NAME:
+ if (org) {
+ break;
+ }
+ org = CERT_DecodeAVAValue(&ava->value);
+ if (!org) {
+ goto loser;
+ }
+ len += org->len;
+ break;
+ case SEC_OID_AVA_DN_QUALIFIER:
+ if (dq) {
+ break;
+ }
+ dq = CERT_DecodeAVAValue(&ava->value);
+ if (!dq) {
+ goto loser;
+ }
+ len += dq->len;
+ break;
+ case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+ if (ou_count < MAX_OUS) {
+ orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
+ if (!orgunit[ou_count]) {
+ goto loser;
+ }
+ len += orgunit[ou_count++]->len;
+ }
+ break;
+ case SEC_OID_AVA_DC:
+ if (dc_count < MAX_DC) {
+ dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
+ if (!dc[dc_count]) {
+ goto loser;
}
- len += orgunit[ou_count++]->len;
- }
- break;
- case SEC_OID_AVA_DC:
- if (dc_count < MAX_DC) {
- dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
- if (!dc[dc_count]) {
- goto loser;
- }
- len += dc[dc_count++]->len;
- }
- break;
- case SEC_OID_PKCS9_EMAIL_ADDRESS:
- case SEC_OID_RFC1274_MAIL:
- if (email) {
- break;
- }
- email = CERT_DecodeAVAValue(&ava->value);
- if (!email) {
- goto loser;
- }
- len += email->len;
- break;
- default:
- break;
- }
- }
+ len += dc[dc_count++]->len;
+ }
+ break;
+ case SEC_OID_PKCS9_EMAIL_ADDRESS:
+ case SEC_OID_RFC1274_MAIL:
+ if (email) {
+ break;
+ }
+ email = CERT_DecodeAVAValue(&ava->value);
+ if (!email) {
+ goto loser;
+ }
+ len += email->len;
+ break;
+ default:
+ break;
+ }
+ }
}
/* XXX - add some for formatting */
@@ -191,109 +193,108 @@ char *CERT_FormatName (CERTName *name)
/* allocate buffer */
buf = (char *)PORT_Alloc(len);
- if ( !buf ) {
- goto loser;
+ if (!buf) {
+ goto loser;
}
tmpbuf = buf;
-
- if ( cn ) {
- PORT_Memcpy(tmpbuf, cn->data, cn->len);
- tmpbuf += cn->len;
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+
+ if (cn) {
+ PORT_Memcpy(tmpbuf, cn->data, cn->len);
+ tmpbuf += cn->len;
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
- if ( email ) {
- PORT_Memcpy(tmpbuf, email->data, email->len);
- tmpbuf += ( email->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ if (email) {
+ PORT_Memcpy(tmpbuf, email->data, email->len);
+ tmpbuf += (email->len);
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
- for (i=ou_count-1; i >= 0; i--) {
- PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
- tmpbuf += ( orgunit[i]->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ for (i = ou_count - 1; i >= 0; i--) {
+ PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
+ tmpbuf += (orgunit[i]->len);
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
- if ( dq ) {
- PORT_Memcpy(tmpbuf, dq->data, dq->len);
- tmpbuf += ( dq->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ if (dq) {
+ PORT_Memcpy(tmpbuf, dq->data, dq->len);
+ tmpbuf += (dq->len);
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
- if ( org ) {
- PORT_Memcpy(tmpbuf, org->data, org->len);
- tmpbuf += ( org->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ if (org) {
+ PORT_Memcpy(tmpbuf, org->data, org->len);
+ tmpbuf += (org->len);
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
- for (i=dc_count-1; i >= 0; i--) {
- PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
- tmpbuf += ( dc[i]->len );
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ for (i = dc_count - 1; i >= 0; i--) {
+ PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
+ tmpbuf += (dc[i]->len);
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
first = PR_TRUE;
- if ( loc ) {
- PORT_Memcpy(tmpbuf, loc->data, loc->len);
- tmpbuf += ( loc->len );
- first = PR_FALSE;
+ if (loc) {
+ PORT_Memcpy(tmpbuf, loc->data, loc->len);
+ tmpbuf += (loc->len);
+ first = PR_FALSE;
}
- if ( state ) {
- if ( !first ) {
- PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
- tmpbuf += COMMALEN;
- }
- PORT_Memcpy(tmpbuf, state->data, state->len);
- tmpbuf += ( state->len );
- first = PR_FALSE;
+ if (state) {
+ if (!first) {
+ PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+ tmpbuf += COMMALEN;
+ }
+ PORT_Memcpy(tmpbuf, state->data, state->len);
+ tmpbuf += (state->len);
+ first = PR_FALSE;
}
- if ( country ) {
- if ( !first ) {
- PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
- tmpbuf += COMMALEN;
- }
- PORT_Memcpy(tmpbuf, country->data, country->len);
- tmpbuf += ( country->len );
- first = PR_FALSE;
+ if (country) {
+ if (!first) {
+ PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+ tmpbuf += COMMALEN;
+ }
+ PORT_Memcpy(tmpbuf, country->data, country->len);
+ tmpbuf += (country->len);
+ first = PR_FALSE;
}
- if ( !first ) {
- PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
- tmpbuf += BREAKLEN;
+ if (!first) {
+ PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+ tmpbuf += BREAKLEN;
}
*tmpbuf = 0;
- /* fall through and clean */
+/* fall through and clean */
loser:
- if ( cn ) {
- SECITEM_FreeItem(cn, PR_TRUE);
+ if (cn) {
+ SECITEM_FreeItem(cn, PR_TRUE);
}
- if ( email ) {
- SECITEM_FreeItem(email, PR_TRUE);
+ if (email) {
+ SECITEM_FreeItem(email, PR_TRUE);
}
- for (i=ou_count-1; i >= 0; i--) {
- SECITEM_FreeItem(orgunit[i], PR_TRUE);
+ for (i = ou_count - 1; i >= 0; i--) {
+ SECITEM_FreeItem(orgunit[i], PR_TRUE);
}
- if ( dq ) {
- SECITEM_FreeItem(dq, PR_TRUE);
+ if (dq) {
+ SECITEM_FreeItem(dq, PR_TRUE);
}
- if ( org ) {
- SECITEM_FreeItem(org, PR_TRUE);
+ if (org) {
+ SECITEM_FreeItem(org, PR_TRUE);
}
- for (i=dc_count-1; i >= 0; i--) {
- SECITEM_FreeItem(dc[i], PR_TRUE);
+ for (i = dc_count - 1; i >= 0; i--) {
+ SECITEM_FreeItem(dc[i], PR_TRUE);
}
- if ( loc ) {
- SECITEM_FreeItem(loc, PR_TRUE);
+ if (loc) {
+ SECITEM_FreeItem(loc, PR_TRUE);
}
- if ( state ) {
- SECITEM_FreeItem(state, PR_TRUE);
+ if (state) {
+ SECITEM_FreeItem(state, PR_TRUE);
}
- if ( country ) {
- SECITEM_FreeItem(country, PR_TRUE);
+ if (country) {
+ SECITEM_FreeItem(country, PR_TRUE);
}
- return(buf);
+ return (buf);
}
-
diff --git a/lib/certhigh/certreq.c b/lib/certhigh/certreq.c
index f5098a0dd..4087bc978 100644
--- a/lib/certhigh/certreq.c
+++ b/lib/certhigh/certreq.c
@@ -14,10 +14,10 @@ SEC_ASN1_MKSUB(SEC_AnyTemplate)
const SEC_ASN1Template CERT_AttributeTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTAttribute) },
+ 0, NULL, sizeof(CERTAttribute) },
{ SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
{ SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue),
- SEC_ASN1_SUB(SEC_AnyTemplate) },
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
{ 0 }
};
@@ -27,18 +27,18 @@ const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertificateRequest) },
+ 0, NULL, sizeof(CERTCertificateRequest) },
{ SEC_ASN1_INTEGER,
- offsetof(CERTCertificateRequest,version) },
+ offsetof(CERTCertificateRequest, version) },
{ SEC_ASN1_INLINE,
- offsetof(CERTCertificateRequest,subject),
- CERT_NameTemplate },
+ offsetof(CERTCertificateRequest, subject),
+ CERT_NameTemplate },
{ SEC_ASN1_INLINE,
- offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
- CERT_SubjectPublicKeyInfoTemplate },
+ offsetof(CERTCertificateRequest, subjectPublicKeyInfo),
+ CERT_SubjectPublicKeyInfoTemplate },
{ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTCertificateRequest,attributes),
- CERT_SetOfAttributeTemplate },
+ offsetof(CERTCertificateRequest, attributes),
+ CERT_SetOfAttributeTemplate },
{ 0 }
};
@@ -46,25 +46,25 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
CERTCertificate *
CERT_CreateCertificate(unsigned long serialNumber,
- CERTName *issuer,
- CERTValidity *validity,
- CERTCertificateRequest *req)
+ CERTName *issuer,
+ CERTValidity *validity,
+ CERTCertificateRequest *req)
{
CERTCertificate *c;
int rv;
PLArenaPool *arena;
-
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
- if ( !arena ) {
- return(0);
+
+ if (!arena) {
+ return (0);
}
c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
+
if (!c) {
- PORT_FreeArena(arena, PR_FALSE);
- return 0;
+ PORT_FreeArena(arena, PR_FALSE);
+ return 0;
}
c->referenceCount = 1;
@@ -75,44 +75,50 @@ CERT_CreateCertificate(unsigned long serialNumber,
* If extensions are added, it will get changed as appropriate.
*/
rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
- if (rv) goto loser;
+ if (rv)
+ goto loser;
rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
- if (rv) goto loser;
+ if (rv)
+ goto loser;
rv = CERT_CopyName(arena, &c->issuer, issuer);
- if (rv) goto loser;
+ if (rv)
+ goto loser;
rv = CERT_CopyValidity(arena, &c->validity, validity);
- if (rv) goto loser;
+ if (rv)
+ goto loser;
rv = CERT_CopyName(arena, &c->subject, &req->subject);
- if (rv) goto loser;
+ if (rv)
+ goto loser;
rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
- &req->subjectPublicKeyInfo);
- if (rv) goto loser;
+ &req->subjectPublicKeyInfo);
+ if (rv)
+ goto loser;
return c;
- loser:
+loser:
CERT_DestroyCertificate(c);
return 0;
}
/************************************************************************/
-/* It's clear from the comments that the original author of this
+/* It's clear from the comments that the original author of this
* function expected the template for certificate requests to treat
- * the attributes as a SET OF ANY. This function expected to be
+ * the attributes as a SET OF ANY. This function expected to be
* passed an array of SECItems each of which contained an already encoded
- * Attribute. But the cert request template does not treat the
+ * Attribute. But the cert request template does not treat the
* Attributes as a SET OF ANY, and AFAIK never has. Instead the template
* encodes attributes as a SET OF xxxxxxx. That is, it expects to encode
- * each of the Attributes, not have them pre-encoded. Consequently an
- * array of SECItems containing encoded Attributes is of no value to this
+ * each of the Attributes, not have them pre-encoded. Consequently an
+ * array of SECItems containing encoded Attributes is of no value to this
* function. But we cannot change the signature of this public function.
* It must continue to take SECItems.
*
- * I have recoded this function so that each SECItem contains an
+ * I have recoded this function so that each SECItem contains an
* encoded cert extension. The encoded cert extensions form the list for the
* single attribute of the cert request. In this implementation there is at most
* one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.
@@ -120,95 +126,95 @@ CERT_CreateCertificate(unsigned long serialNumber,
CERTCertificateRequest *
CERT_CreateCertificateRequest(CERTName *subject,
- CERTSubjectPublicKeyInfo *spki,
- SECItem **attributes)
+ CERTSubjectPublicKeyInfo *spki,
+ SECItem **attributes)
{
CERTCertificateRequest *certreq;
PLArenaPool *arena;
- CERTAttribute * attribute;
- SECOidData * oidData;
+ CERTAttribute *attribute;
+ SECOidData *oidData;
SECStatus rv;
int i = 0;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return NULL;
+ if (arena == NULL) {
+ return NULL;
}
-
+
certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);
if (!certreq) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
}
/* below here it is safe to goto loser */
certreq->arena = arena;
-
+
rv = DER_SetUInteger(arena, &certreq->version,
- SEC_CERTIFICATE_REQUEST_VERSION);
+ SEC_CERTIFICATE_REQUEST_VERSION);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
rv = CERT_CopyName(arena, &certreq->subject, subject);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
rv = SECKEY_CopySubjectPublicKeyInfo(arena,
- &certreq->subjectPublicKeyInfo,
- spki);
+ &certreq->subjectPublicKeyInfo,
+ spki);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
- certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2);
- if(!certreq->attributes)
- goto loser;
+ certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute *, 2);
+ if (!certreq->attributes)
+ goto loser;
/* Copy over attribute information */
if (!attributes || !attributes[0]) {
- /*
+ /*
** Invent empty attribute information. According to the
** pkcs#10 spec, attributes has this ASN.1 type:
**
** attributes [0] IMPLICIT Attributes
- **
+ **
** Which means, we should create a NULL terminated list
** with the first entry being NULL;
*/
- certreq->attributes[0] = NULL;
- return certreq;
- }
+ certreq->attributes[0] = NULL;
+ return certreq;
+ }
/* allocate space for attributes */
attribute = PORT_ArenaZNew(arena, CERTAttribute);
- if (!attribute)
- goto loser;
+ if (!attribute)
+ goto loser;
- oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST );
+ oidData = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
PORT_Assert(oidData);
if (!oidData)
- goto loser;
+ goto loser;
rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
- for (i = 0; attributes[i] != NULL ; i++)
- ;
- attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1);
- if (!attribute->attrValue)
- goto loser;
+ for (i = 0; attributes[i] != NULL; i++)
+ ;
+ attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i + 1);
+ if (!attribute->attrValue)
+ goto loser;
/* copy attributes */
for (i = 0; attributes[i]; i++) {
- /*
+ /*
** Attributes are a SetOf Attribute which implies
** lexigraphical ordering. It is assumes that the
** attributes are passed in sorted. If we need to
** add functionality to sort them, there is an
** example in the PKCS 7 code.
*/
- attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
- if(!attribute->attrValue[i])
- goto loser;
+ attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
+ if (!attribute->attrValue[i])
+ goto loser;
}
certreq->attributes[0] = attribute;
@@ -224,7 +230,7 @@ void
CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
{
if (req && req->arena) {
- PORT_FreeArena(req->arena, PR_FALSE);
+ PORT_FreeArena(req->arena, PR_FALSE);
}
return;
}
@@ -241,11 +247,11 @@ setCRExt(void *o, CERTCertExtension **exts)
** attribute list by CERT_FinishCRAttributes().
*/
extern void *cert_StartExtensions(void *owner, PLArenaPool *ownerArena,
- void (*setExts)(void *object, CERTCertExtension **exts));
+ void (*setExts)(void *object, CERTCertExtension **exts));
void *
CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
{
- return (cert_StartExtensions ((void *)req, req->arena, setCRExt));
+ return (cert_StartExtensions((void *)req, req->arena, setCRExt));
}
/*
@@ -257,38 +263,39 @@ CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
*/
SECStatus
CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
-{ SECItem *extlist;
+{
+ SECItem *extlist;
SECOidData *oidrec;
CERTAttribute *attribute;
-
+
if (!req || !req->arena) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (req->attributes == NULL || req->attributes[0] == NULL)
return SECSuccess;
extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,
- SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
+ SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
if (extlist == NULL)
- return(SECFailure);
+ return (SECFailure);
oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
if (oidrec == NULL)
- return SECFailure;
+ return SECFailure;
/* now change the list of cert extensions into a list of attributes
*/
- req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2);
+ req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute *, 2);
attribute = PORT_ArenaZNew(req->arena, CERTAttribute);
-
+
if (req->attributes == NULL || attribute == NULL ||
SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
+ return SECFailure;
}
- attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2);
+ attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem *, 2);
if (attribute->attrValue == NULL)
return SECFailure;
@@ -303,22 +310,22 @@ CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
SECStatus
CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
- CERTCertExtension ***exts)
+ CERTCertExtension ***exts)
{
if (req == NULL || exts == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
-
+
if (req->attributes == NULL || *req->attributes == NULL)
return SECSuccess;
-
+
if ((*req->attributes)->attrValue == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
- return(SEC_ASN1DecodeItem(req->arena, exts,
- SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
- (*req->attributes)->attrValue[0]));
+ return (SEC_ASN1DecodeItem(req->arena, exts,
+ SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
+ (*req->attributes)->attrValue[0]));
}
diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c
index d5dcbe8a1..cb23ab374 100644
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -16,7 +16,6 @@
/*#include "pkix_sample_modules.h" */
#include "pkix_pl_cert.h"
-
#include "nsspki.h"
#include "pkitm.h"
#include "pkim.h"
@@ -34,9 +33,10 @@ CERT_CertTimesValid(CERTCertificate *c)
return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
}
-SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
+SECStatus
+checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
{
- SECStatus rv;
+ SECStatus rv;
SECOidTag sigAlg;
SECOidTag curve;
PRUint32 policyFlags = 0;
@@ -44,81 +44,83 @@ SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK
sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
- switch(sigAlg) {
+ switch (sigAlg) {
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
- case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
- case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
- case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
- case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
- if (key->keyType != ecKey) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
+ case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+ if (key->keyType != ecKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams);
- if (curve != 0) {
- if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
- !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
- PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- return SECFailure;
- } else {
- return SECSuccess;
+ if (curve != 0) {
+ if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
}
- } else {
- PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- return SECFailure;
- }
+ else {
+ return SECSuccess;
+ }
+ }
+ else {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
+ }
return SECSuccess;
- case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
- case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
- case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
- if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+ case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+ case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+ if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
len = 8 * key->u.rsa.modulus.len;
rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen);
if (rv != SECSuccess) {
return SECFailure;
- }
+ }
if (len < minLen) {
return SECFailure;
- }
+ }
return SECSuccess;
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
- case SEC_OID_SDN702_DSA_SIGNATURE:
- case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
- case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
- if (key->keyType != dsaKey) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return SECFailure;
- }
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
+ case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+ case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+ case SEC_OID_SDN702_DSA_SIGNATURE:
+ case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
+ case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
+ if (key->keyType != dsaKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
len = 8 * key->u.dsa.params.prime.len;
rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen);
if (rv != SECSuccess) {
return SECFailure;
- }
+ }
if (len < minLen) {
return SECFailure;
- }
+ }
return SECSuccess;
- default:
- return SECSuccess;
+ default:
+ return SECSuccess;
}
}
@@ -128,38 +130,38 @@ SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK
SECStatus
CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
SECKEYPublicKey *pubKey,
- void *wincx)
+ void *wincx)
{
- SECStatus rv;
- SECItem sig;
- SECOidTag hashAlg = SEC_OID_UNKNOWN;
+ SECStatus rv;
+ SECItem sig;
+ SECOidTag hashAlg = SEC_OID_UNKNOWN;
- if ( !pubKey || !sd ) {
- PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
- return SECFailure;
+ if (!pubKey || !sd) {
+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+ return SECFailure;
}
/* check the signature */
sig = sd->signature;
/* convert sig->len from bit counts to byte count. */
DER_ConvertBitString(&sig);
- rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey,
- &sig, &sd->signatureAlgorithm, &hashAlg, wincx);
+ rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey,
+ &sig, &sd->signatureAlgorithm, &hashAlg, wincx);
if (rv == SECSuccess) {
/* Are we honoring signatures for this algorithm? */
- PRUint32 policyFlags = 0;
- rv = checkKeyParams(&sd->signatureAlgorithm, pubKey);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- return SECFailure;
- }
-
- rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
- if (rv == SECSuccess &&
- !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
- PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- return SECFailure;
- }
+ PRUint32 policyFlags = 0;
+ rv = checkKeyParams(&sd->signatureAlgorithm, pubKey);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+
+ rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
+ if (rv == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
}
return rv;
}
@@ -168,18 +170,18 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
* verify the signature of a signed data object with the given DER publickey
*/
SECStatus
-CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
+CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
CERTSubjectPublicKeyInfo *pubKeyInfo,
- void *wincx)
+ void *wincx)
{
SECKEYPublicKey *pubKey;
- SECStatus rv = SECFailure;
+ SECStatus rv = SECFailure;
/* get cert's public key */
pubKey = SECKEY_ExtractPublicKey(pubKeyInfo);
if (pubKey) {
- rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
- SECKEY_DestroyPublicKey(pubKey);
+ rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
+ SECKEY_DestroyPublicKey(pubKey);
}
return rv;
}
@@ -189,31 +191,30 @@ CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
*/
SECStatus
CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
- PRTime t, void *wincx)
+ PRTime t, void *wincx)
{
SECKEYPublicKey *pubKey = 0;
- SECStatus rv = SECFailure;
+ SECStatus rv = SECFailure;
SECCertTimeValidity validity;
/* check the certificate's validity */
validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE);
- if ( validity != secCertTimeValid ) {
- return rv;
+ if (validity != secCertTimeValid) {
+ return rv;
}
/* get cert's public key */
pubKey = CERT_ExtractPublicKey(cert);
if (pubKey) {
- rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
- SECKEY_DestroyPublicKey(pubKey);
+ rv = CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
+ SECKEY_DestroyPublicKey(pubKey);
}
return rv;
}
-
SECStatus
-SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
- CERTCertificate *caCert, PRTime t, void * wincx)
+SEC_CheckCRL(CERTCertDBHandle *handle, CERTCertificate *cert,
+ CERTCertificate *caCert, PRTime t, void *wincx)
{
return CERT_CheckCRL(cert, caCert, NULL, t, wincx);
}
@@ -235,33 +236,33 @@ CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage)
me = STAN_GetNSSCertificate(cert);
if (!me) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
+ return NULL;
}
nssTime = NSSTime_SetPRTime(NULL, validTime);
nssUsage.anyUsage = PR_FALSE;
nssUsage.nss3usage = usage;
nssUsage.nss3lookingForCA = PR_TRUE;
- memset(chain, 0, 3*sizeof(NSSCertificate *));
- td = STAN_GetDefaultTrustDomain();
+ memset(chain, 0, 3 * sizeof(NSSCertificate *));
+ td = STAN_GetDefaultTrustDomain();
cc = STAN_GetDefaultCryptoContext();
- (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL,
+ (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL,
chain, 2, NULL, &status, td, cc);
nss_ZFreeIf(nssTime);
if (status == PR_SUCCESS) {
- PORT_Assert(me == chain[0]);
- /* if it's a root, the chain will only have one cert */
- if (!chain[1]) {
- /* already has a reference from the call to BuildChain */
- return cert;
- }
- NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
- return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */
- }
+ PORT_Assert(me == chain[0]);
+ /* if it's a root, the chain will only have one cert */
+ if (!chain[1]) {
+ /* already has a reference from the call to BuildChain */
+ return cert;
+ }
+ NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
+ return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */
+ }
if (chain[0]) {
- PORT_Assert(me == chain[0]);
- NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
+ PORT_Assert(me == chain[0]);
+ NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
}
- PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+ PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
return NULL;
}
@@ -270,136 +271,140 @@ CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage)
*/
SECStatus
CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
- unsigned int *retFlags,
- SECTrustType *retTrustType)
+ unsigned int *retFlags,
+ SECTrustType *retTrustType)
{
unsigned int requiredFlags;
SECTrustType trustType;
- switch ( usage ) {
- case certUsageSSLClient:
- requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
- trustType = trustSSL;
- break;
- case certUsageSSLServer:
- case certUsageSSLCA:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustSSL;
- break;
- case certUsageSSLServerWithStepUp:
- requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
- trustType = trustSSL;
- break;
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustEmail;
- break;
- case certUsageObjectSigner:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustObjectSigning;
- break;
- case certUsageVerifyCA:
- case certUsageAnyCA:
- case certUsageStatusResponder:
- requiredFlags = CERTDB_TRUSTED_CA;
- trustType = trustTypeNone;
- break;
- default:
- PORT_Assert(0);
- goto loser;
- }
- if ( retFlags != NULL ) {
- *retFlags = requiredFlags;
- }
- if ( retTrustType != NULL ) {
- *retTrustType = trustType;
- }
-
- return(SECSuccess);
+ switch (usage) {
+ case certUsageSSLClient:
+ requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
+ trustType = trustSSL;
+ break;
+ case certUsageSSLServer:
+ case certUsageSSLCA:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustSSL;
+ break;
+ case certUsageSSLServerWithStepUp:
+ requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
+ trustType = trustSSL;
+ break;
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustEmail;
+ break;
+ case certUsageObjectSigner:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustObjectSigning;
+ break;
+ case certUsageVerifyCA:
+ case certUsageAnyCA:
+ case certUsageStatusResponder:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustTypeNone;
+ break;
+ default:
+ PORT_Assert(0);
+ goto loser;
+ }
+ if (retFlags != NULL) {
+ *retFlags = requiredFlags;
+ }
+ if (retTrustType != NULL) {
+ *retTrustType = trustType;
+ }
+
+ return (SECSuccess);
loser:
- return(SECFailure);
+ return (SECFailure);
}
void
cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, long error,
- unsigned int depth, void *arg)
+ unsigned int depth, void *arg)
{
CERTVerifyLogNode *node, *tnode;
PORT_Assert(log != NULL);
-
+
node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
- sizeof(CERTVerifyLogNode));
- if ( node != NULL ) {
- node->cert = CERT_DupCertificate(cert);
- node->error = error;
- node->depth = depth;
- node->arg = arg;
-
- if ( log->tail == NULL ) {
- /* empty list */
- log->head = log->tail = node;
- node->prev = NULL;
- node->next = NULL;
- } else if ( depth >= log->tail->depth ) {
- /* add to tail */
- node->prev = log->tail;
- log->tail->next = node;
- log->tail = node;
- node->next = NULL;
- } else if ( depth < log->head->depth ) {
- /* add at head */
- node->prev = NULL;
- node->next = log->head;
- log->head->prev = node;
- log->head = node;
- } else {
- /* add in middle */
- tnode = log->tail;
- while ( tnode != NULL ) {
- if ( depth >= tnode->depth ) {
- /* insert after tnode */
- node->prev = tnode;
- node->next = tnode->next;
- tnode->next->prev = node;
- tnode->next = node;
- break;
- }
-
- tnode = tnode->prev;
- }
- }
-
- log->count++;
+ sizeof(CERTVerifyLogNode));
+ if (node != NULL) {
+ node->cert = CERT_DupCertificate(cert);
+ node->error = error;
+ node->depth = depth;
+ node->arg = arg;
+
+ if (log->tail == NULL) {
+ /* empty list */
+ log->head = log->tail = node;
+ node->prev = NULL;
+ node->next = NULL;
+ }
+ else if (depth >= log->tail->depth) {
+ /* add to tail */
+ node->prev = log->tail;
+ log->tail->next = node;
+ log->tail = node;
+ node->next = NULL;
+ }
+ else if (depth < log->head->depth) {
+ /* add at head */
+ node->prev = NULL;
+ node->next = log->head;
+ log->head->prev = node;
+ log->head = node;
+ }
+ else {
+ /* add in middle */
+ tnode = log->tail;
+ while (tnode != NULL) {
+ if (depth >= tnode->depth) {
+ /* insert after tnode */
+ node->prev = tnode;
+ node->next = tnode->next;
+ tnode->next->prev = node;
+ tnode->next = node;
+ break;
+ }
+
+ tnode = tnode->prev;
+ }
+ }
+
+ log->count++;
}
return;
}
#define EXIT_IF_NOT_LOGGING(log) \
- if ( log == NULL ) { \
- goto loser; \
+ if (log == NULL) { \
+ goto loser; \
}
-#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
- if ( log != NULL ) { \
- cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
- (void *)(PRWord)arg); \
- } else { \
- goto loser; \
+#define LOG_ERROR_OR_EXIT(log, cert, depth, arg) \
+ if (log != NULL) { \
+ cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+ (void *)(PRWord)arg); \
+ } \
+ else { \
+ goto loser; \
}
-#define LOG_ERROR(log,cert,depth,arg) \
- if ( log != NULL ) { \
- cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
- (void *)(PRWord)arg); \
+#define LOG_ERROR(log, cert, depth, arg) \
+ if (log != NULL) { \
+ cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+ (void *)(PRWord)arg); \
}
static SECStatus
cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, PRBool* sigerror,
- SECCertUsage certUsage, PRTime t, void *wincx,
- CERTVerifyLog *log, PRBool* revoked)
+ PRBool checkSig, PRBool *sigerror,
+ SECCertUsage certUsage, PRTime t, void *wincx,
+ CERTVerifyLog *log, PRBool *revoked)
{
SECTrustType trustType;
CERTBasicConstraints basicConstraint;
@@ -417,7 +422,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
unsigned int requiredFlags;
PLArenaPool *arena = NULL;
CERTGeneralName *namesList = NULL;
- CERTCertificate **certsList = NULL;
+ CERTCertificate **certsList = NULL;
int certsListLen = 16;
int namesCount = 0;
PRBool subjectCertIsSelfIssued;
@@ -428,177 +433,180 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
}
if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
- &requiredCAKeyUsage,
- &caCertType)
- != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredCAKeyUsage = 0;
- caCertType = 0;
- }
-
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLCA:
- case certUsageSSLServerWithStepUp:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageVerifyCA:
- case certUsageAnyCA:
- case certUsageStatusResponder:
- if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
- &trustType) != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- /* XXX continuing with requiredFlags = 0 seems wrong. It'll
- * cause the following test to be true incorrectly:
- * flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
- * if (( flags & requiredFlags ) == requiredFlags) {
- * rv = rvFinal;
- * goto done;
- * }
- * There are three other instances of this problem.
- */
- requiredFlags = 0;
- trustType = trustSSL;
- }
- break;
- default:
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredFlags = 0;
- trustType = trustSSL;/* This used to be 0, but we need something
+ &requiredCAKeyUsage,
+ &caCertType) !=
+ SECSuccess) {
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredCAKeyUsage = 0;
+ caCertType = 0;
+ }
+
+ switch (certUsage) {
+ case certUsageSSLClient:
+ case certUsageSSLServer:
+ case certUsageSSLCA:
+ case certUsageSSLServerWithStepUp:
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ case certUsageObjectSigner:
+ case certUsageVerifyCA:
+ case certUsageAnyCA:
+ case certUsageStatusResponder:
+ if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
+ &trustType) != SECSuccess) {
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ /* XXX continuing with requiredFlags = 0 seems wrong. It'll
+ * cause the following test to be true incorrectly:
+ * flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+ * if (( flags & requiredFlags ) == requiredFlags) {
+ * rv = rvFinal;
+ * goto done;
+ * }
+ * There are three other instances of this problem.
+ */
+ requiredFlags = 0;
+ trustType = trustSSL;
+ }
+ break;
+ default:
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredFlags = 0;
+ trustType = trustSSL; /* This used to be 0, but we need something
* that matches the enumeration type.
*/
- caCertType = 0;
+ caCertType = 0;
}
-
+
subjectCert = CERT_DupCertificate(cert);
- if ( subjectCert == NULL ) {
- goto loser;
+ if (subjectCert == NULL) {
+ goto loser;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
certsList = PORT_ZNewArray(CERTCertificate *, certsListLen);
if (certsList == NULL)
- goto loser;
+ goto loser;
/* RFC 3280 says that the name constraints will apply to the names
** in the leaf (EE) cert, whether it is self issued or not, so
** we pretend that it is not.
*/
subjectCertIsSelfIssued = PR_FALSE;
- for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
- PRBool validCAOverride = PR_FALSE;
-
- /* Construct a list of names for the current and all previous
- * certifcates (except leaf (EE) certs, root CAs, and self-issued
- * intermediate CAs) to be verified against the name constraints
- * extension of the issuer certificate.
- */
- if (subjectCertIsSelfIssued == PR_FALSE) {
- CERTGeneralName *subjectNameList;
- int subjectNameListLen;
- int i;
- PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
- subjectNameList =
- CERT_GetConstrainedCertificateNames(subjectCert, arena,
- getSubjectCN);
- if (!subjectNameList)
- goto loser;
- subjectNameListLen = CERT_GetNamesLength(subjectNameList);
- if (!subjectNameListLen)
- goto loser;
- if (certsListLen <= namesCount + subjectNameListLen) {
- CERTCertificate **tmpCertsList;
- certsListLen = (namesCount + subjectNameListLen) * 2;
- tmpCertsList =
- (CERTCertificate **)PORT_Realloc(certsList,
- certsListLen * sizeof(CERTCertificate *));
- if (tmpCertsList == NULL) {
- goto loser;
- }
- certsList = tmpCertsList;
- }
- for (i = 0; i < subjectNameListLen; i++) {
- certsList[namesCount + i] = subjectCert;
- }
- namesCount += subjectNameListLen;
- namesList = cert_CombineNamesLists(namesList, subjectNameList);
- }
+ for (count = 0; count < CERT_MAX_CERT_CHAIN; count++) {
+ PRBool validCAOverride = PR_FALSE;
+
+ /* Construct a list of names for the current and all previous
+ * certifcates (except leaf (EE) certs, root CAs, and self-issued
+ * intermediate CAs) to be verified against the name constraints
+ * extension of the issuer certificate.
+ */
+ if (subjectCertIsSelfIssued == PR_FALSE) {
+ CERTGeneralName *subjectNameList;
+ int subjectNameListLen;
+ int i;
+ PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+ subjectNameList =
+ CERT_GetConstrainedCertificateNames(subjectCert, arena,
+ getSubjectCN);
+ if (!subjectNameList)
+ goto loser;
+ subjectNameListLen = CERT_GetNamesLength(subjectNameList);
+ if (!subjectNameListLen)
+ goto loser;
+ if (certsListLen <= namesCount + subjectNameListLen) {
+ CERTCertificate **tmpCertsList;
+ certsListLen = (namesCount + subjectNameListLen) * 2;
+ tmpCertsList =
+ (CERTCertificate **)PORT_Realloc(certsList,
+ certsListLen *
+ sizeof(CERTCertificate *));
+ if (tmpCertsList == NULL) {
+ goto loser;
+ }
+ certsList = tmpCertsList;
+ }
+ for (i = 0; i < subjectNameListLen; i++) {
+ certsList[namesCount + i] = subjectCert;
+ }
+ namesCount += subjectNameListLen;
+ namesList = cert_CombineNamesLists(namesList, subjectNameList);
+ }
/* check if the cert has an unsupported critical extension */
- if ( subjectCert->options.bits.hasUnsupportedCriticalExt ) {
- PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
- LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
- }
-
- /* find the certificate of the issuer */
- issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
- if ( ! issuerCert ) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- LOG_ERROR(log,subjectCert,count,0);
- goto loser;
- }
-
- /* verify the signature on the cert */
- if ( checkSig ) {
- rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
- issuerCert, t, wincx);
-
- if ( rv != SECSuccess ) {
+ if (subjectCert->options.bits.hasUnsupportedCriticalExt) {
+ PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+ LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
+ }
+
+ /* find the certificate of the issuer */
+ issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
+ if (!issuerCert) {
+ PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+ LOG_ERROR(log, subjectCert, count, 0);
+ goto loser;
+ }
+
+ /* verify the signature on the cert */
+ if (checkSig) {
+ rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
+ issuerCert, t, wincx);
+
+ if (rv != SECSuccess) {
if (sigerror) {
*sigerror = PR_TRUE;
}
- if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) {
- PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- } else {
- if (PORT_GetError() !=
- SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- }
- LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
- }
- }
- }
-
- /* If the basicConstraint extension is included in an immediate CA
- * certificate, make sure that the isCA flag is on. If the
- * pathLenConstraint component exists, it must be greater than the
- * number of CA certificates we have seen so far. If the extension
- * is omitted, we will assume that this is a CA certificate with
- * an unlimited pathLenConstraint (since it already passes the
- * netscape-cert-type extension checking).
- */
-
- rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
- if ( rv != SECSuccess ) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
- pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
- /* no basic constraints found, we aren't (yet) a CA. */
- isca = PR_FALSE;
- } else {
- if ( basicConstraint.isCA == PR_FALSE ) {
- PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
- pathLengthLimit = basicConstraint.pathLenConstraint;
- isca = PR_TRUE;
- }
- /* make sure that the path len constraint is properly set.*/
- if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
- PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
- LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
- }
+ if (PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE) {
+ PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
+ }
+ else {
+ if (PORT_GetError() !=
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
+ }
+ }
+ }
+
+ /* If the basicConstraint extension is included in an immediate CA
+ * certificate, make sure that the isCA flag is on. If the
+ * pathLenConstraint component exists, it must be greater than the
+ * number of CA certificates we have seen so far. If the extension
+ * is omitted, we will assume that this is a CA certificate with
+ * an unlimited pathLenConstraint (since it already passes the
+ * netscape-cert-type extension checking).
+ */
+
+ rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
+ }
+ pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
+ /* no basic constraints found, we aren't (yet) a CA. */
+ isca = PR_FALSE;
+ }
+ else {
+ if (basicConstraint.isCA == PR_FALSE) {
+ PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
+ }
+ pathLengthLimit = basicConstraint.pathLenConstraint;
+ isca = PR_TRUE;
+ }
+ /* make sure that the path len constraint is properly set.*/
+ if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
+ PORT_SetError(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, pathLengthLimit);
+ }
/* make sure that the entire chain is within the name space of the
* current issuer certificate.
@@ -611,17 +619,18 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
goto loser;
}
- /* XXX - the error logging may need to go down into CRL stuff at some
- * point
- */
- /* check revoked list (issuer) */
+ /* XXX - the error logging may need to go down into CRL stuff at some
+ * point
+ */
+ /* check revoked list (issuer) */
rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
if (rv == SECFailure) {
if (revoked) {
*revoked = PR_TRUE;
}
- LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
- } else if (rv == SECWouldBlock) {
+ LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
+ }
+ else if (rv == SECWouldBlock) {
/* We found something fishy, so we intend to issue an
* error to the user, but the user may wish to continue
* processing, in which case we better make sure nothing
@@ -630,163 +639,167 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
if (revoked) {
*revoked = PR_TRUE;
}
- LOG_ERROR(log,subjectCert,count,0);
- }
-
- if ( CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
- /* we have some trust info, but this does NOT imply that this
- * cert is actually trusted for any purpose. The cert may be
- * explicitly UNtrusted. We won't know until we examine the
- * trust bits.
- */
- unsigned int flags;
-
- if (certUsage != certUsageAnyCA &&
- certUsage != certUsageStatusResponder) {
-
- /*
- * XXX This choice of trustType seems arbitrary.
- */
- if ( certUsage == certUsageVerifyCA ) {
- if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
- trustType = trustEmail;
- } else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
- trustType = trustSSL;
- } else {
- trustType = trustObjectSigning;
- }
- }
-
- flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
- if (( flags & requiredFlags ) == requiredFlags) {
- /* we found a trusted one, so return */
- rv = rvFinal;
- goto done;
- }
- if (flags & CERTDB_VALID_CA) {
- validCAOverride = PR_TRUE;
- }
- /* is it explicitly distrusted? */
- if ((flags & CERTDB_TERMINAL_RECORD) &&
- ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
- /* untrusted -- the cert is explicitly untrusted, not
- * just that it doesn't chain to a trusted cert */
- PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
- }
- } else {
+ LOG_ERROR(log, subjectCert, count, 0);
+ }
+
+ if (CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
+ /* we have some trust info, but this does NOT imply that this
+ * cert is actually trusted for any purpose. The cert may be
+ * explicitly UNtrusted. We won't know until we examine the
+ * trust bits.
+ */
+ unsigned int flags;
+
+ if (certUsage != certUsageAnyCA &&
+ certUsage != certUsageStatusResponder) {
+
+ /*
+ * XXX This choice of trustType seems arbitrary.
+ */
+ if (certUsage == certUsageVerifyCA) {
+ if (subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
+ trustType = trustEmail;
+ }
+ else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
+ trustType = trustSSL;
+ }
+ else {
+ trustType = trustObjectSigning;
+ }
+ }
+
+ flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
+ if ((flags & requiredFlags) == requiredFlags) {
+ /* we found a trusted one, so return */
+ rv = rvFinal;
+ goto done;
+ }
+ if (flags & CERTDB_VALID_CA) {
+ validCAOverride = PR_TRUE;
+ }
+ /* is it explicitly distrusted? */
+ if ((flags & CERTDB_TERMINAL_RECORD) &&
+ ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
+ /* untrusted -- the cert is explicitly untrusted, not
+ * just that it doesn't chain to a trusted cert */
+ PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
+ }
+ }
+ else {
/* Check if we have any valid trust when cheching for
* certUsageAnyCA or certUsageStatusResponder. */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
if ((flags & requiredFlags) == requiredFlags) {
- rv = rvFinal;
- goto done;
+ rv = rvFinal;
+ goto done;
}
if (flags & CERTDB_VALID_CA)
validCAOverride = PR_TRUE;
}
- /* We have 2 separate loops because we want any single trust
- * bit to allow this usage to return trusted. Only if none of
- * the trust bits are on do we check to see if the cert is
- * untrusted */
+ /* We have 2 separate loops because we want any single trust
+ * bit to allow this usage to return trusted. Only if none of
+ * the trust bits are on do we check to see if the cert is
+ * untrusted */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
- /* is it explicitly distrusted? */
- if ((flags & CERTDB_TERMINAL_RECORD) &&
- ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
- /* untrusted -- the cert is explicitly untrusted, not
- * just that it doesn't chain to a trusted cert */
- PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
- }
+ /* is it explicitly distrusted? */
+ if ((flags & CERTDB_TERMINAL_RECORD) &&
+ ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
+ /* untrusted -- the cert is explicitly untrusted, not
+ * just that it doesn't chain to a trusted cert */
+ PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
+ }
}
}
}
- if (!validCAOverride) {
- /*
- * Make sure that if this is an intermediate CA in the chain that
- * it was given permission by its signer to be a CA.
- */
- /*
- * if basicConstraints says it is a ca, then we check the
- * nsCertType. If the nsCertType has any CA bits set, then
- * it must have the right one.
- */
- if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
- isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
- }
-
- if ( !isca ) {
- PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
- }
-
- /* make sure key usage allows cert signing */
- if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
- LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
- }
- }
-
- /* make sure that the issuer is not self signed. If it is, then
- * stop here to prevent looping.
- */
- if (issuerCert->isRoot) {
- PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
- LOG_ERROR(log, issuerCert, count+1, 0);
- goto loser;
- }
- /* The issuer cert will be the subject cert in the next loop.
- * A cert is self-issued if its subject and issuer are equal and
- * both are of non-zero length.
- */
- subjectCertIsSelfIssued = (PRBool)
- SECITEM_ItemsAreEqual(&issuerCert->derIssuer,
- &issuerCert->derSubject) &&
- issuerCert->derSubject.len > 0;
- if (subjectCertIsSelfIssued == PR_FALSE) {
- /* RFC 3280 says only non-self-issued intermediate CA certs
- * count in path length.
- */
- ++currentPathLen;
- }
-
- CERT_DestroyCertificate(subjectCert);
- subjectCert = issuerCert;
- issuerCert = NULL;
+ if (!validCAOverride) {
+ /*
+ * Make sure that if this is an intermediate CA in the chain that
+ * it was given permission by its signer to be a CA.
+ */
+ /*
+ * if basicConstraints says it is a ca, then we check the
+ * nsCertType. If the nsCertType has any CA bits set, then
+ * it must have the right one.
+ */
+ if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
+ isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
+ }
+
+ if (!isca) {
+ PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
+ }
+
+ /* make sure key usage allows cert signing */
+ if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+ LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, requiredCAKeyUsage);
+ }
+ }
+
+ /* make sure that the issuer is not self signed. If it is, then
+ * stop here to prevent looping.
+ */
+ if (issuerCert->isRoot) {
+ PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+ LOG_ERROR(log, issuerCert, count + 1, 0);
+ goto loser;
+ }
+ /* The issuer cert will be the subject cert in the next loop.
+ * A cert is self-issued if its subject and issuer are equal and
+ * both are of non-zero length.
+ */
+ subjectCertIsSelfIssued = (PRBool)
+ SECITEM_ItemsAreEqual(&issuerCert->derIssuer,
+ &issuerCert->derSubject) &&
+ issuerCert->derSubject.len >
+ 0;
+ if (subjectCertIsSelfIssued == PR_FALSE) {
+ /* RFC 3280 says only non-self-issued intermediate CA certs
+ * count in path length.
+ */
+ ++currentPathLen;
+ }
+
+ CERT_DestroyCertificate(subjectCert);
+ subjectCert = issuerCert;
+ issuerCert = NULL;
}
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- LOG_ERROR(log,subjectCert,count,0);
+ LOG_ERROR(log, subjectCert, count, 0);
loser:
rv = SECFailure;
done:
if (certsList != NULL) {
- PORT_Free(certsList);
+ PORT_Free(certsList);
}
- if ( issuerCert ) {
- CERT_DestroyCertificate(issuerCert);
+ if (issuerCert) {
+ CERT_DestroyCertificate(issuerCert);
}
-
- if ( subjectCert ) {
- CERT_DestroyCertificate(subjectCert);
+
+ if (subjectCert) {
+ CERT_DestroyCertificate(subjectCert);
}
- if ( arena != NULL ) {
- PORT_FreeArena(arena, PR_FALSE);
+ if (arena != NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
}
return rv;
}
SECStatus
cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, PRBool* sigerror,
+ PRBool checkSig, PRBool *sigerror,
SECCertUsage certUsage, PRTime t, void *wincx,
- CERTVerifyLog *log, PRBool* revoked)
+ CERTVerifyLog *log, PRBool *revoked)
{
if (CERT_GetUsePKIXForValidation()) {
return cert_VerifyCertChainPkix(cert, checkSig, certUsage, t,
@@ -798,11 +811,11 @@ cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
SECStatus
CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, PRTime t,
- void *wincx, CERTVerifyLog *log)
+ PRBool checkSig, SECCertUsage certUsage, PRTime t,
+ void *wincx, CERTVerifyLog *log)
{
return cert_VerifyCertChain(handle, cert, checkSig, NULL, certUsage, t,
- wincx, log, NULL);
+ wincx, log, NULL);
}
/*
@@ -810,8 +823,8 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
SECStatus
CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, PRTime t,
- void *wincx, CERTVerifyLog *log)
+ PRBool checkSig, SECCertUsage certUsage, PRTime t,
+ void *wincx, CERTVerifyLog *log)
{
SECTrustType trustType;
CERTBasicConstraints basicConstraint;
@@ -826,44 +839,43 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
CERTCertificate *issuerCert;
CERTCertTrust certTrust;
-
if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
- &requiredCAKeyUsage,
- &caCertType) != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredCAKeyUsage = 0;
- caCertType = 0;
- }
-
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLCA:
- case certUsageSSLServerWithStepUp:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageVerifyCA:
- case certUsageStatusResponder:
- if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
- &trustType) != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredFlags = 0;
- trustType = trustSSL;
- }
- break;
- default:
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredFlags = 0;
- trustType = trustSSL;/* This used to be 0, but we need something
- * that matches the enumeration type.
- */
- caCertType = 0;
+ &requiredCAKeyUsage,
+ &caCertType) != SECSuccess) {
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredCAKeyUsage = 0;
+ caCertType = 0;
+ }
+
+ switch (certUsage) {
+ case certUsageSSLClient:
+ case certUsageSSLServer:
+ case certUsageSSLCA:
+ case certUsageSSLServerWithStepUp:
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ case certUsageObjectSigner:
+ case certUsageVerifyCA:
+ case certUsageStatusResponder:
+ if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
+ &trustType) != SECSuccess) {
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredFlags = 0;
+ trustType = trustSSL;
+ }
+ break;
+ default:
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredFlags = 0;
+ trustType = trustSSL; /* This used to be 0, but we need something
+ * that matches the enumeration type.
+ */
+ caCertType = 0;
}
-
+
/* If the basicConstraint extension is included in an intermmediate CA
* certificate, make sure that the isCA flag is on. If the
* pathLenConstraint component exists, it must be greater than the
@@ -874,133 +886,137 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
- if ( rv != SECSuccess ) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
- /* no basic constraints found, we aren't (yet) a CA. */
- isca = PR_FALSE;
- } else {
- if ( basicConstraint.isCA == PR_FALSE ) {
- PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
-
- /* can't check path length if we don't know the previous path */
- isca = PR_TRUE;
- }
-
- if ( CERT_GetCertTrust(cert, &certTrust) == SECSuccess ) {
- /* we have some trust info, but this does NOT imply that this
- * cert is actually trusted for any purpose. The cert may be
- * explicitly UNtrusted. We won't know until we examine the
- * trust bits.
- */
+ if (rv != SECSuccess) {
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+ LOG_ERROR_OR_EXIT(log, cert, 0, 0);
+ }
+ /* no basic constraints found, we aren't (yet) a CA. */
+ isca = PR_FALSE;
+ }
+ else {
+ if (basicConstraint.isCA == PR_FALSE) {
+ PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+ LOG_ERROR_OR_EXIT(log, cert, 0, 0);
+ }
+
+ /* can't check path length if we don't know the previous path */
+ isca = PR_TRUE;
+ }
+
+ if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
+ /* we have some trust info, but this does NOT imply that this
+ * cert is actually trusted for any purpose. The cert may be
+ * explicitly UNtrusted. We won't know until we examine the
+ * trust bits.
+ */
if (certUsage == certUsageStatusResponder) {
- /* Check the special case of certUsageStatusResponder */
+ /* Check the special case of certUsageStatusResponder */
issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
if (issuerCert) {
- if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx)
- != SECSuccess) {
+ if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) !=
+ SECSuccess) {
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
CERT_DestroyCertificate(issuerCert);
goto loser;
}
CERT_DestroyCertificate(issuerCert);
}
- /* XXX We have NOT determined that this cert is trusted.
- * For years, NSS has treated this as trusted,
- * but it seems incorrect.
- */
- rv = rvFinal;
- goto done;
- }
-
- /*
- * check the trust params of the issuer
- */
- flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
- if ( ( flags & requiredFlags ) == requiredFlags) {
- /* we found a trusted one, so return */
- rv = rvFinal;
- goto done;
- }
- if (flags & CERTDB_VALID_CA) {
- validCAOverride = PR_TRUE;
- }
- /* is it explicitly distrusted? */
- if ((flags & CERTDB_TERMINAL_RECORD) &&
- ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
- /* untrusted -- the cert is explicitly untrusted, not
- * just that it doesn't chain to a trusted cert */
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- LOG_ERROR_OR_EXIT(log,cert,0,flags);
- }
+ /* XXX We have NOT determined that this cert is trusted.
+ * For years, NSS has treated this as trusted,
+ * but it seems incorrect.
+ */
+ rv = rvFinal;
+ goto done;
+ }
+
+ /*
+ * check the trust params of the issuer
+ */
+ flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
+ if ((flags & requiredFlags) == requiredFlags) {
+ /* we found a trusted one, so return */
+ rv = rvFinal;
+ goto done;
+ }
+ if (flags & CERTDB_VALID_CA) {
+ validCAOverride = PR_TRUE;
+ }
+ /* is it explicitly distrusted? */
+ if ((flags & CERTDB_TERMINAL_RECORD) &&
+ ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
+ /* untrusted -- the cert is explicitly untrusted, not
+ * just that it doesn't chain to a trusted cert */
+ PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+ LOG_ERROR_OR_EXIT(log, cert, 0, flags);
+ }
}
if (!validCAOverride) {
- /*
- * Make sure that if this is an intermediate CA in the chain that
- * it was given permission by its signer to be a CA.
- */
- /*
- * if basicConstraints says it is a ca, then we check the
- * nsCertType. If the nsCertType has any CA bits set, then
- * it must have the right one.
- */
- if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
- isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
- }
-
- if (!isca) {
- PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
-
- /* make sure key usage allows cert signing */
- if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
- LOG_ERROR_OR_EXIT(log,cert,0,requiredCAKeyUsage);
- }
+ /*
+ * Make sure that if this is an intermediate CA in the chain that
+ * it was given permission by its signer to be a CA.
+ */
+ /*
+ * if basicConstraints says it is a ca, then we check the
+ * nsCertType. If the nsCertType has any CA bits set, then
+ * it must have the right one.
+ */
+ if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
+ isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
+ }
+
+ if (!isca) {
+ PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+ LOG_ERROR_OR_EXIT(log, cert, 0, 0);
+ }
+
+ /* make sure key usage allows cert signing */
+ if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+ LOG_ERROR_OR_EXIT(log, cert, 0, requiredCAKeyUsage);
+ }
}
/* make sure that the issuer is not self signed. If it is, then
* stop here to prevent looping.
*/
if (cert->isRoot) {
- PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
- LOG_ERROR(log, cert, 0, 0);
- goto loser;
+ PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+ LOG_ERROR(log, cert, 0, 0);
+ goto loser;
}
- return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t,
- wincx, log);
+ return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t,
+ wincx, log);
loser:
rv = SECFailure;
done:
return rv;
}
-#define NEXT_USAGE() { \
- i*=2; \
- certUsage++; \
- continue; \
-}
+#define NEXT_USAGE() \
+ { \
+ i *= 2; \
+ certUsage++; \
+ continue; \
+ }
-#define VALID_USAGE() { \
- NEXT_USAGE(); \
-}
+#define VALID_USAGE() \
+ { \
+ NEXT_USAGE(); \
+ }
-#define INVALID_USAGE() { \
- if (returnedUsages) { \
- *returnedUsages &= (~i); \
- } \
- if (PR_TRUE == requiredUsage) { \
- valid = SECFailure; \
- } \
- NEXT_USAGE(); \
-}
+#define INVALID_USAGE() \
+ { \
+ if (returnedUsages) { \
+ *returnedUsages &= (~i); \
+ } \
+ if (PR_TRUE == requiredUsage) { \
+ valid = SECFailure; \
+ } \
+ NEXT_USAGE(); \
+ }
/*
- * check the leaf cert against trust and usage.
+ * check the leaf cert against trust and usage.
* returns success if the cert is not distrusted. If the cert is
* trusted, then the trusted bool will be true.
* returns failure if the cert is distrusted. If failure, flags
@@ -1008,141 +1024,143 @@ done:
*/
SECStatus
cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
- unsigned int *failedFlags, PRBool *trusted)
+ unsigned int *failedFlags, PRBool *trusted)
{
unsigned int flags;
CERTCertTrust trust;
*failedFlags = 0;
*trusted = PR_FALSE;
-
+
/* check trust flags to see if this cert is directly trusted */
- if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- flags = trust.sslFlags;
-
- /* is the cert directly trusted or not trusted ? */
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
- * authoritative */
- if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
- *trusted = PR_TRUE;
- return SECSuccess;
- } else { /* don't trust this cert */
- *failedFlags = flags;
- return SECFailure;
- }
- }
- break;
- case certUsageSSLServerWithStepUp:
- /* XXX - step up certs can't be directly trusted, only distrust */
- flags = trust.sslFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
- * authoritative */
- if (( flags & CERTDB_TRUSTED ) == 0) {
- /* don't trust this cert */
- *failedFlags = flags;
- return SECFailure;
- }
- }
- break;
- case certUsageSSLCA:
- flags = trust.sslFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+ switch (certUsage) {
+ case certUsageSSLClient:
+ case certUsageSSLServer:
+ flags = trust.sslFlags;
+
+ /* is the cert directly trusted or not trusted ? */
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
- if (( flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA) ) == 0) {
- /* don't trust this cert */
- *failedFlags = flags;
- return SECFailure;
- }
- }
- break;
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- flags = trust.emailFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
- * authoritative */
- if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
- *trusted = PR_TRUE;
- return SECSuccess;
- }
- else { /* don't trust this cert */
- *failedFlags = flags;
- return SECFailure;
- }
- }
-
- break;
- case certUsageObjectSigner:
- flags = trust.objectSigningFlags;
-
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
- * authoritative */
- if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
- *trusted = PR_TRUE;
- return SECSuccess;
- } else { /* don't trust this cert */
- *failedFlags = flags;
- return SECFailure;
- }
- }
- break;
- case certUsageVerifyCA:
- case certUsageStatusResponder:
- flags = trust.sslFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- *trusted = PR_TRUE;
- return SECSuccess;
- }
- flags = trust.emailFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- *trusted = PR_TRUE;
- return SECSuccess;
- }
- flags = trust.objectSigningFlags;
- /* is the cert directly trusted or not trusted ? */
- if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
- ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
- *trusted = PR_TRUE;
- return SECSuccess;
- }
- /* fall through to test distrust */
- case certUsageAnyCA:
- case certUsageUserCertImport:
- /* do we distrust these certs explicitly */
- flags = trust.sslFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
- * authoritative */
- if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
- *failedFlags = flags;
- return SECFailure;
- }
- }
- flags = trust.emailFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ if (flags & CERTDB_TRUSTED) { /* trust this cert */
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ else { /* don't trust this cert */
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ break;
+ case certUsageSSLServerWithStepUp:
+ /* XXX - step up certs can't be directly trusted, only distrust */
+ flags = trust.sslFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ * authoritative */
+ if ((flags & CERTDB_TRUSTED) == 0) {
+ /* don't trust this cert */
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ break;
+ case certUsageSSLCA:
+ flags = trust.sslFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ * authoritative */
+ if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
+ /* don't trust this cert */
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ break;
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ flags = trust.emailFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ * authoritative */
+ if (flags & CERTDB_TRUSTED) { /* trust this cert */
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ else { /* don't trust this cert */
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+
+ break;
+ case certUsageObjectSigner:
+ flags = trust.objectSigningFlags;
+
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ * authoritative */
+ if (flags & CERTDB_TRUSTED) { /* trust this cert */
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ else { /* don't trust this cert */
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ break;
+ case certUsageVerifyCA:
+ case certUsageStatusResponder:
+ flags = trust.sslFlags;
+ /* is the cert directly trusted or not trusted ? */
+ if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) ==
+ (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) {
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ flags = trust.emailFlags;
+ /* is the cert directly trusted or not trusted ? */
+ if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) ==
+ (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) {
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ flags = trust.objectSigningFlags;
+ /* is the cert directly trusted or not trusted ? */
+ if ((flags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) ==
+ (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) {
+ *trusted = PR_TRUE;
+ return SECSuccess;
+ }
+ /* fall through to test distrust */
+ case certUsageAnyCA:
+ case certUsageUserCertImport:
+ /* do we distrust these certs explicitly */
+ flags = trust.sslFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
- if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
- *failedFlags = flags;
- return SECFailure;
- }
- }
- /* fall through */
- case certUsageProtectedObjectSigner:
- flags = trust.objectSigningFlags;
- if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ flags = trust.emailFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
- if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
- *failedFlags = flags;
- return SECFailure;
- }
- }
- break;
- }
+ if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ /* fall through */
+ case certUsageProtectedObjectSigner:
+ flags = trust.objectSigningFlags;
+ if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
+ * authoritative */
+ if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
+ *failedFlags = flags;
+ return SECFailure;
+ }
+ }
+ break;
+ }
}
return SECSuccess;
}
@@ -1161,8 +1179,8 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
*/
SECStatus
CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertificateUsage requiredUsages, PRTime t,
- void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages)
+ PRBool checkSig, SECCertificateUsage requiredUsages, PRTime t,
+ void *wincx, CERTVerifyLog *log, SECCertificateUsage *returnedUsages)
{
SECStatus rv;
SECStatus valid;
@@ -1170,7 +1188,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
unsigned int requiredCertType;
unsigned int flags;
unsigned int certType;
- PRBool allowOverride;
+ PRBool allowOverride;
SECCertTimeValidity validity;
CERTStatusConfig *statusConfig;
PRInt32 i;
@@ -1189,28 +1207,29 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
if (returnedUsages) {
*returnedUsages = 0;
- } else {
+ }
+ else {
/* we don't have a place to return status for all usages,
so we can skip checks for usages that aren't required */
checkAllUsages = PR_FALSE;
}
- valid = SECSuccess ; /* start off assuming cert is valid */
-
+ valid = SECSuccess; /* start off assuming cert is valid */
+
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
(requiredUsages & certificateUsageSSLServerWithStepUp));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
- if ( validity != secCertTimeValid ) {
+ if (validity != secCertTimeValid) {
valid = SECFailure;
- LOG_ERROR_OR_EXIT(log,cert,0,validity);
+ LOG_ERROR_OR_EXIT(log, cert, 0, validity);
}
/* check key usage and netscape cert type */
cert_GetCertType(cert);
certType = cert->nsCertType;
- for (i=1; i<=certificateUsageHighest &&
- (SECSuccess == valid || returnedUsages || log) ; ) {
+ for (i = 1; i <= certificateUsageHighest &&
+ (SECSuccess == valid || returnedUsages || log);) {
PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
NEXT_USAGE();
@@ -1218,74 +1237,75 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
if (returnedUsages) {
*returnedUsages |= i; /* start off assuming this usage is valid */
}
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLServerWithStepUp:
- case certUsageSSLCA:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageStatusResponder:
- rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
- &requiredKeyUsage,
- &requiredCertType);
- if ( rv != SECSuccess ) {
+ switch (certUsage) {
+ case certUsageSSLClient:
+ case certUsageSSLServer:
+ case certUsageSSLServerWithStepUp:
+ case certUsageSSLCA:
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ case certUsageObjectSigner:
+ case certUsageStatusResponder:
+ rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
+ &requiredKeyUsage,
+ &requiredCertType);
+ if (rv != SECSuccess) {
+ PORT_Assert(0);
+ /* EXIT_IF_NOT_LOGGING(log); XXX ??? */
+ requiredKeyUsage = 0;
+ requiredCertType = 0;
+ INVALID_USAGE();
+ }
+ break;
+
+ case certUsageAnyCA:
+ case certUsageProtectedObjectSigner:
+ case certUsageUserCertImport:
+ case certUsageVerifyCA:
+ /* these usages cannot be verified */
+ NEXT_USAGE();
+
+ default:
PORT_Assert(0);
- /* EXIT_IF_NOT_LOGGING(log); XXX ??? */
requiredKeyUsage = 0;
requiredCertType = 0;
INVALID_USAGE();
- }
- break;
-
- case certUsageAnyCA:
- case certUsageProtectedObjectSigner:
- case certUsageUserCertImport:
- case certUsageVerifyCA:
- /* these usages cannot be verified */
- NEXT_USAGE();
-
- default:
- PORT_Assert(0);
- requiredKeyUsage = 0;
- requiredCertType = 0;
- INVALID_USAGE();
}
- if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
+ if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) {
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
}
- LOG_ERROR(log,cert,0,requiredKeyUsage);
+ LOG_ERROR(log, cert, 0, requiredKeyUsage);
INVALID_USAGE();
}
- if ( !( certType & requiredCertType ) ) {
+ if (!(certType & requiredCertType)) {
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
}
- LOG_ERROR(log,cert,0,requiredCertType);
+ LOG_ERROR(log, cert, 0, requiredCertType);
INVALID_USAGE();
}
- rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
- if (rv == SECFailure) {
- if (PR_TRUE == requiredUsage) {
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- }
- LOG_ERROR(log, cert, 0, flags);
- INVALID_USAGE();
- } else if (trusted) {
- VALID_USAGE();
- }
+ rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
+ if (rv == SECFailure) {
+ if (PR_TRUE == requiredUsage) {
+ PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+ }
+ LOG_ERROR(log, cert, 0, flags);
+ INVALID_USAGE();
+ }
+ else if (trusted) {
+ VALID_USAGE();
+ }
- if (PR_TRUE == revoked || PR_TRUE == sigerror) {
- INVALID_USAGE();
- }
+ if (PR_TRUE == revoked || PR_TRUE == sigerror) {
+ INVALID_USAGE();
+ }
rv = cert_VerifyCertChain(handle, cert,
- checkSig, &sigerror,
- certUsage, t, wincx, log,
- &revoked);
+ checkSig, &sigerror,
+ certUsage, t, wincx, log,
+ &revoked);
if (rv != SECSuccess) {
/* EXIT_IF_NOT_LOGGING(log); XXX ???? */
@@ -1306,10 +1326,10 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
if (requiredUsages != certificateUsageStatusResponder &&
statusConfig != NULL) {
if (statusConfig->statusChecker != NULL) {
- rv = (* statusConfig->statusChecker)(handle, cert,
- t, wincx);
+ rv = (*statusConfig->statusChecker)(handle, cert,
+ t, wincx);
if (rv != SECSuccess) {
- LOG_ERROR(log,cert,0,0);
+ LOG_ERROR(log, cert, 0, 0);
revoked = PR_TRUE;
INVALID_USAGE();
}
@@ -1319,15 +1339,15 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
NEXT_USAGE();
}
-
+
loser:
- return(valid);
+ return (valid);
}
SECStatus
CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, PRTime t,
- void *wincx, CERTVerifyLog *log)
+ PRBool checkSig, SECCertUsage certUsage, PRTime t,
+ void *wincx, CERTVerifyLog *log)
{
return cert_VerifyCertWithFlags(handle, cert, checkSig, certUsage, t,
CERT_VERIFYCERT_USE_DEFAULTS, wincx, log);
@@ -1343,86 +1363,86 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
unsigned int requiredCertType;
unsigned int failedFlags;
unsigned int certType;
- PRBool trusted;
- PRBool allowOverride;
+ PRBool trusted;
+ PRBool allowOverride;
SECCertTimeValidity validity;
CERTStatusConfig *statusConfig;
-
-#ifdef notdef
+
+#ifdef notdef
/* check if this cert is in the Evil list */
rv = CERT_CheckForEvilCert(cert);
- if ( rv != SECSuccess ) {
- PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
- LOG_ERROR_OR_EXIT(log,cert,0,0);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+ LOG_ERROR_OR_EXIT(log, cert, 0, 0);
}
#endif
-
+
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
(certUsage == certUsageSSLServerWithStepUp));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
- if ( validity != secCertTimeValid ) {
- LOG_ERROR_OR_EXIT(log,cert,0,validity);
+ if (validity != secCertTimeValid) {
+ LOG_ERROR_OR_EXIT(log, cert, 0, validity);
}
/* check key usage and netscape cert type */
cert_GetCertType(cert);
certType = cert->nsCertType;
- switch ( certUsage ) {
- case certUsageSSLClient:
- case certUsageSSLServer:
- case certUsageSSLServerWithStepUp:
- case certUsageSSLCA:
- case certUsageEmailSigner:
- case certUsageEmailRecipient:
- case certUsageObjectSigner:
- case certUsageStatusResponder:
- rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
- &requiredKeyUsage,
- &requiredCertType);
- if ( rv != SECSuccess ) {
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredKeyUsage = 0;
- requiredCertType = 0;
- }
- break;
- case certUsageVerifyCA:
- case certUsageAnyCA:
- requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_CA;
- if ( ! ( certType & NS_CERT_TYPE_CA ) ) {
- certType |= NS_CERT_TYPE_CA;
- }
- break;
- default:
- PORT_Assert(0);
- EXIT_IF_NOT_LOGGING(log);
- requiredKeyUsage = 0;
- requiredCertType = 0;
- }
- if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
- PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
- LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
- }
- if ( !( certType & requiredCertType ) ) {
- PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
- LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
+ switch (certUsage) {
+ case certUsageSSLClient:
+ case certUsageSSLServer:
+ case certUsageSSLServerWithStepUp:
+ case certUsageSSLCA:
+ case certUsageEmailSigner:
+ case certUsageEmailRecipient:
+ case certUsageObjectSigner:
+ case certUsageStatusResponder:
+ rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
+ &requiredKeyUsage,
+ &requiredCertType);
+ if (rv != SECSuccess) {
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredKeyUsage = 0;
+ requiredCertType = 0;
+ }
+ break;
+ case certUsageVerifyCA:
+ case certUsageAnyCA:
+ requiredKeyUsage = KU_KEY_CERT_SIGN;
+ requiredCertType = NS_CERT_TYPE_CA;
+ if (!(certType & NS_CERT_TYPE_CA)) {
+ certType |= NS_CERT_TYPE_CA;
+ }
+ break;
+ default:
+ PORT_Assert(0);
+ EXIT_IF_NOT_LOGGING(log);
+ requiredKeyUsage = 0;
+ requiredCertType = 0;
+ }
+ if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+ LOG_ERROR_OR_EXIT(log, cert, 0, requiredKeyUsage);
+ }
+ if (!(certType & requiredCertType)) {
+ PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
+ LOG_ERROR_OR_EXIT(log, cert, 0, requiredCertType);
}
rv = cert_CheckLeafTrust(cert, certUsage, &failedFlags, &trusted);
- if (rv == SECFailure) {
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags);
- } else if (trusted) {
- goto done;
+ if (rv == SECFailure) {
+ PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+ LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags);
+ }
+ else if (trusted) {
+ goto done;
}
-
rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
- t, wincx, log);
+ t, wincx, log);
if (rv != SECSuccess) {
- EXIT_IF_NOT_LOGGING(log);
+ EXIT_IF_NOT_LOGGING(log);
}
/*
@@ -1434,27 +1454,27 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
* code.
*/
if (!(flags & CERT_VERIFYCERT_SKIP_OCSP) &&
- certUsage != certUsageStatusResponder) {
- statusConfig = CERT_GetStatusConfig(handle);
- if (statusConfig && statusConfig->statusChecker) {
- rv = (* statusConfig->statusChecker)(handle, cert,
- t, wincx);
- if (rv != SECSuccess) {
- LOG_ERROR_OR_EXIT(log,cert,0,0);
- }
- }
+ certUsage != certUsageStatusResponder) {
+ statusConfig = CERT_GetStatusConfig(handle);
+ if (statusConfig && statusConfig->statusChecker) {
+ rv = (*statusConfig->statusChecker)(handle, cert,
+ t, wincx);
+ if (rv != SECSuccess) {
+ LOG_ERROR_OR_EXIT(log, cert, 0, 0);
+ }
+ }
}
done:
if (log && log->head) {
- return SECFailure;
+ return SECFailure;
}
- return(SECSuccess);
+ return (SECSuccess);
loser:
rv = SECFailure;
-
- return(rv);
+
+ return (rv);
}
/*
@@ -1463,23 +1483,22 @@ loser:
*/
SECStatus
CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertificateUsage requiredUsages,
- void *wincx, SECCertificateUsage* returnedUsages)
+ PRBool checkSig, SECCertificateUsage requiredUsages,
+ void *wincx, SECCertificateUsage *returnedUsages)
{
- return(CERT_VerifyCertificate(handle, cert, checkSig,
- requiredUsages, PR_Now(), wincx, NULL, returnedUsages));
+ return (CERT_VerifyCertificate(handle, cert, checkSig,
+ requiredUsages, PR_Now(), wincx, NULL, returnedUsages));
}
/* obsolete, do not use for new code */
SECStatus
CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool checkSig, SECCertUsage certUsage, void *wincx)
+ PRBool checkSig, SECCertUsage certUsage, void *wincx)
{
- return(CERT_VerifyCert(handle, cert, checkSig,
- certUsage, PR_Now(), wincx, NULL));
+ return (CERT_VerifyCert(handle, cert, checkSig,
+ certUsage, PR_Now(), wincx, NULL));
}
-
/* [ FROM pcertdb.c ] */
/*
* Supported usage values and types:
@@ -1493,8 +1512,8 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
CERTCertificate *
CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
- CERTCertOwner owner, SECCertUsage usage,
- PRBool preferTrusted, PRTime validTime, PRBool validOnly)
+ CERTCertOwner owner, SECCertUsage usage,
+ PRBool preferTrusted, PRTime validTime, PRBool validOnly)
{
CERTCertList *certList = NULL;
CERTCertificate *cert = NULL;
@@ -1502,94 +1521,94 @@ CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
unsigned int requiredTrustFlags;
SECTrustType requiredTrustType;
unsigned int flags;
-
+
PRBool lookingForCA = PR_FALSE;
SECStatus rv;
CERTCertListNode *node;
CERTCertificate *saveUntrustedCA = NULL;
-
+
/* if preferTrusted is set, must be a CA cert */
- PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) );
-
- if ( owner == certOwnerCA ) {
- lookingForCA = PR_TRUE;
- if ( preferTrusted ) {
- rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
- &requiredTrustType);
- if ( rv != SECSuccess ) {
- goto loser;
- }
- requiredTrustFlags |= CERTDB_VALID_CA;
- }
+ PORT_Assert(!(preferTrusted && (owner != certOwnerCA)));
+
+ if (owner == certOwnerCA) {
+ lookingForCA = PR_TRUE;
+ if (preferTrusted) {
+ rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
+ &requiredTrustType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ requiredTrustFlags |= CERTDB_VALID_CA;
+ }
}
certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime,
- validOnly);
- if ( certList != NULL ) {
- rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- node = CERT_LIST_HEAD(certList);
-
- while ( !CERT_LIST_END(node, certList) ) {
- cert = node->cert;
-
- /* looking for a trusted CA cert */
- if ( ( owner == certOwnerCA ) && preferTrusted &&
- ( requiredTrustType != trustTypeNone ) ) {
-
- if ( CERT_GetCertTrust(cert, &certTrust) != SECSuccess ) {
- flags = 0;
- } else {
- flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
- }
-
- if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
- /* cert is not trusted */
- /* if this is the first cert to get this far, then save
+ validOnly);
+ if (certList != NULL) {
+ rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ node = CERT_LIST_HEAD(certList);
+
+ while (!CERT_LIST_END(node, certList)) {
+ cert = node->cert;
+
+ /* looking for a trusted CA cert */
+ if ((owner == certOwnerCA) && preferTrusted &&
+ (requiredTrustType != trustTypeNone)) {
+
+ if (CERT_GetCertTrust(cert, &certTrust) != SECSuccess) {
+ flags = 0;
+ }
+ else {
+ flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
+ }
+
+ if ((flags & requiredTrustFlags) != requiredTrustFlags) {
+ /* cert is not trusted */
+ /* if this is the first cert to get this far, then save
* it, so we can use it if we can't find a trusted one
*/
- if ( saveUntrustedCA == NULL ) {
- saveUntrustedCA = cert;
- }
- goto endloop;
- }
- }
- /* if we got this far, then this cert meets all criteria */
- break;
-
-endloop:
- node = CERT_LIST_NEXT(node);
- cert = NULL;
- }
-
- /* use the saved one if we have it */
- if ( cert == NULL ) {
- cert = saveUntrustedCA;
- }
-
- /* if we found one then bump the ref count before freeing the list */
- if ( cert != NULL ) {
- /* bump the ref count */
- cert = CERT_DupCertificate(cert);
- }
-
- CERT_DestroyCertList(certList);
- }
-
- return(cert);
+ if (saveUntrustedCA == NULL) {
+ saveUntrustedCA = cert;
+ }
+ goto endloop;
+ }
+ }
+ /* if we got this far, then this cert meets all criteria */
+ break;
+
+ endloop:
+ node = CERT_LIST_NEXT(node);
+ cert = NULL;
+ }
+
+ /* use the saved one if we have it */
+ if (cert == NULL) {
+ cert = saveUntrustedCA;
+ }
+
+ /* if we found one then bump the ref count before freeing the list */
+ if (cert != NULL) {
+ /* bump the ref count */
+ cert = CERT_DupCertificate(cert);
+ }
+
+ CERT_DestroyCertList(certList);
+ }
+
+ return (cert);
loser:
- if ( certList != NULL ) {
- CERT_DestroyCertList(certList);
+ if (certList != NULL) {
+ CERT_DestroyCertList(certList);
}
- return(NULL);
+ return (NULL);
}
-
/* [ From certdb.c ] */
/*
* Filter a list of certificates, removing those certs that do not have
@@ -1603,7 +1622,7 @@ loser:
*/
SECStatus
CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
- char **caNames, SECCertUsage usage)
+ char **caNames, SECCertUsage usage)
{
CERTCertificate *issuerCert = NULL;
CERTCertificate *subjectCert;
@@ -1613,65 +1632,65 @@ CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
char **names;
PRBool found;
PRTime time;
-
- if ( nCANames <= 0 ) {
- return(SECSuccess);
+
+ if (nCANames <= 0) {
+ return (SECSuccess);
}
time = PR_Now();
-
+
node = CERT_LIST_HEAD(certList);
-
- while ( ! CERT_LIST_END(node, certList) ) {
- cert = node->cert;
-
- subjectCert = CERT_DupCertificate(cert);
-
- /* traverse the CA certs for this cert */
- found = PR_FALSE;
- while ( subjectCert != NULL ) {
- n = nCANames;
- names = caNames;
-
- if (subjectCert->issuerName != NULL) {
- while ( n > 0 ) {
- if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) {
- found = PR_TRUE;
- break;
- }
-
- n--;
- names++;
+
+ while (!CERT_LIST_END(node, certList)) {
+ cert = node->cert;
+
+ subjectCert = CERT_DupCertificate(cert);
+
+ /* traverse the CA certs for this cert */
+ found = PR_FALSE;
+ while (subjectCert != NULL) {
+ n = nCANames;
+ names = caNames;
+
+ if (subjectCert->issuerName != NULL) {
+ while (n > 0) {
+ if (PORT_Strcmp(*names, subjectCert->issuerName) == 0) {
+ found = PR_TRUE;
+ break;
+ }
+
+ n--;
+ names++;
}
- }
-
- if ( found ) {
- break;
- }
-
- issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
- if ( issuerCert == subjectCert ) {
- CERT_DestroyCertificate(issuerCert);
- issuerCert = NULL;
- break;
- }
- CERT_DestroyCertificate(subjectCert);
- subjectCert = issuerCert;
-
- }
- CERT_DestroyCertificate(subjectCert);
- if ( !found ) {
- /* CA was not found, so remove this cert from the list */
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* CA was found, so leave it in the list */
- node = CERT_LIST_NEXT(node);
- }
- }
-
- return(SECSuccess);
+ }
+
+ if (found) {
+ break;
+ }
+
+ issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
+ if (issuerCert == subjectCert) {
+ CERT_DestroyCertificate(issuerCert);
+ issuerCert = NULL;
+ break;
+ }
+ CERT_DestroyCertificate(subjectCert);
+ subjectCert = issuerCert;
+ }
+ CERT_DestroyCertificate(subjectCert);
+ if (!found) {
+ /* CA was not found, so remove this cert from the list */
+ freenode = node;
+ node = CERT_LIST_NEXT(node);
+ CERT_RemoveCertListNode(freenode);
+ }
+ else {
+ /* CA was found, so leave it in the list */
+ node = CERT_LIST_NEXT(node);
+ }
+ }
+
+ return (SECSuccess);
}
/*
@@ -1689,61 +1708,66 @@ CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
*/
char *
CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
- char *expiredString, char *notYetGoodString)
+ char *expiredString, char *notYetGoodString)
{
SECCertTimeValidity validity;
char *nickname = NULL, *tmpstr = NULL;
-
+
validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
/* if the cert is good, then just use the nickname directly */
- if ( validity == secCertTimeValid ) {
- if ( arena == NULL ) {
- nickname = PORT_Strdup(cert->nickname);
- } else {
- nickname = PORT_ArenaStrdup(arena, cert->nickname);
- }
-
- if ( nickname == NULL ) {
- goto loser;
- }
- } else {
-
- /* if the cert is not valid, then tack one of the strings on the
- * end
- */
- if ( validity == secCertTimeExpired ) {
- tmpstr = PR_smprintf("%s%s", cert->nickname,
- expiredString);
- } else if ( validity == secCertTimeNotValidYet ) {
- /* not yet valid */
- tmpstr = PR_smprintf("%s%s", cert->nickname,
- notYetGoodString);
- } else {
+ if (validity == secCertTimeValid) {
+ if (arena == NULL) {
+ nickname = PORT_Strdup(cert->nickname);
+ }
+ else {
+ nickname = PORT_ArenaStrdup(arena, cert->nickname);
+ }
+
+ if (nickname == NULL) {
+ goto loser;
+ }
+ }
+ else {
+
+ /* if the cert is not valid, then tack one of the strings on the
+ * end
+ */
+ if (validity == secCertTimeExpired) {
+ tmpstr = PR_smprintf("%s%s", cert->nickname,
+ expiredString);
+ }
+ else if (validity == secCertTimeNotValidYet) {
+ /* not yet valid */
+ tmpstr = PR_smprintf("%s%s", cert->nickname,
+ notYetGoodString);
+ }
+ else {
/* undetermined */
- tmpstr = PR_smprintf("%s",
- "(NULL) (Validity Unknown)");
- }
-
- if ( tmpstr == NULL ) {
- goto loser;
- }
-
- if ( arena ) {
- /* copy the string into the arena and free the malloc'd one */
- nickname = PORT_ArenaStrdup(arena, tmpstr);
- PORT_Free(tmpstr);
- } else {
- nickname = tmpstr;
- }
- if ( nickname == NULL ) {
- goto loser;
- }
- }
- return(nickname);
+ tmpstr = PR_smprintf("%s",
+ "(NULL) (Validity Unknown)");
+ }
+
+ if (tmpstr == NULL) {
+ goto loser;
+ }
+
+ if (arena) {
+ /* copy the string into the arena and free the malloc'd one */
+ nickname = PORT_ArenaStrdup(arena, tmpstr);
+ PORT_Free(tmpstr);
+ }
+ else {
+ nickname = tmpstr;
+ }
+ if (nickname == NULL) {
+ goto loser;
+ }
+ }
+ return (nickname);
loser:
- return(NULL);
+ return (NULL);
}
/*
@@ -1757,23 +1781,23 @@ loser:
*/
CERTCertNicknames *
CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
- char *notYetGoodString)
+ char *notYetGoodString)
{
CERTCertNicknames *names;
PLArenaPool *arena;
CERTCertListNode *node;
char **nn;
-
+
/* allocate an arena */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( arena == NULL ) {
- return(NULL);
+ if (arena == NULL) {
+ return (NULL);
}
-
+
/* allocate the structure */
names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
- if ( names == NULL ) {
- goto loser;
+ if (names == NULL) {
+ goto loser;
}
/* init the structure */
@@ -1785,49 +1809,49 @@ CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
/* count the certs in the list */
node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
- names->numnicknames++;
- node = CERT_LIST_NEXT(node);
+ while (!CERT_LIST_END(node, certList)) {
+ names->numnicknames++;
+ node = CERT_LIST_NEXT(node);
}
-
+
/* allocate nicknames array */
names->nicknames = PORT_ArenaAlloc(arena,
- sizeof(char *) * names->numnicknames);
- if ( names->nicknames == NULL ) {
- goto loser;
+ sizeof(char *) * names->numnicknames);
+ if (names->nicknames == NULL) {
+ goto loser;
}
/* just in case printf can't deal with null strings */
- if (expiredString == NULL ) {
- expiredString = "";
+ if (expiredString == NULL) {
+ expiredString = "";
}
- if ( notYetGoodString == NULL ) {
- notYetGoodString = "";
+ if (notYetGoodString == NULL) {
+ notYetGoodString = "";
}
-
+
/* traverse the list of certs and collect the nicknames */
nn = names->nicknames;
node = CERT_LIST_HEAD(certList);
- while ( ! CERT_LIST_END(node, certList) ) {
- *nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
- expiredString,
- notYetGoodString);
- if ( *nn == NULL ) {
- goto loser;
- }
+ while (!CERT_LIST_END(node, certList)) {
+ *nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
+ expiredString,
+ notYetGoodString);
+ if (*nn == NULL) {
+ goto loser;
+ }
+
+ names->totallen += PORT_Strlen(*nn);
- names->totallen += PORT_Strlen(*nn);
-
- nn++;
- node = CERT_LIST_NEXT(node);
+ nn++;
+ node = CERT_LIST_NEXT(node);
}
- return(names);
+ return (names);
loser:
PORT_FreeArena(arena, PR_FALSE);
- return(NULL);
+ return (NULL);
}
/*
@@ -1844,54 +1868,54 @@ loser:
*/
char *
CERT_ExtractNicknameString(char *namestring, char *expiredString,
- char *notYetGoodString)
+ char *notYetGoodString)
{
int explen, nyglen, namelen;
int retlen;
char *retstr;
-
+
namelen = PORT_Strlen(namestring);
explen = PORT_Strlen(expiredString);
nyglen = PORT_Strlen(notYetGoodString);
-
- if ( namelen > explen ) {
- if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) {
- retlen = namelen - explen;
- retstr = (char *)PORT_Alloc(retlen+1);
- if ( retstr == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retstr, namestring, retlen);
- retstr[retlen] = '\0';
- goto done;
- }
- }
-
- if ( namelen > nyglen ) {
- if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) {
- retlen = namelen - nyglen;
- retstr = (char *)PORT_Alloc(retlen+1);
- if ( retstr == NULL ) {
- goto loser;
- }
-
- PORT_Memcpy(retstr, namestring, retlen);
- retstr[retlen] = '\0';
- goto done;
- }
+
+ if (namelen > explen) {
+ if (PORT_Strcmp(expiredString, &namestring[namelen - explen]) == 0) {
+ retlen = namelen - explen;
+ retstr = (char *)PORT_Alloc(retlen + 1);
+ if (retstr == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(retstr, namestring, retlen);
+ retstr[retlen] = '\0';
+ goto done;
+ }
+ }
+
+ if (namelen > nyglen) {
+ if (PORT_Strcmp(notYetGoodString, &namestring[namelen - nyglen]) == 0) {
+ retlen = namelen - nyglen;
+ retstr = (char *)PORT_Alloc(retlen + 1);
+ if (retstr == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(retstr, namestring, retlen);
+ retstr[retlen] = '\0';
+ goto done;
+ }
}
/* if name string is shorter than either invalid string, then it must
* be a raw nickname
*/
retstr = PORT_Strdup(namestring);
-
+
done:
- return(retstr);
+ return (retstr);
loser:
- return(NULL);
+ return (NULL);
}
CERTCertList *
@@ -1903,7 +1927,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, PRTime time, SECCertUsage usage
if (NULL == cert) {
return NULL;
}
-
+
cert = CERT_DupCertificate(cert);
if (NULL == cert) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -1917,18 +1941,18 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, PRTime time, SECCertUsage usage
}
while (cert != NULL && ++count <= CERT_MAX_CERT_CHAIN) {
- if (SECSuccess != CERT_AddCertToListTail(chain, cert)) {
+ if (SECSuccess != CERT_AddCertToListTail(chain, cert)) {
/* return partial chain */
PORT_SetError(SEC_ERROR_NO_MEMORY);
return chain;
}
- if (cert->isRoot) {
+ if (cert->isRoot) {
/* return complete chain */
- return chain;
- }
+ return chain;
+ }
- cert = CERT_FindCertIssuer(cert, time, usage);
+ cert = CERT_FindCertIssuer(cert, time, usage);
}
/* return partial chain */
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
index b89fe215f..7ae10b0c1 100644
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -12,7 +12,7 @@
*/
#include "prerror.h"
#include "prprf.h"
-
+
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
@@ -38,7 +38,6 @@ pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-
static PRBool usePKIXValidationEngine = PR_FALSE;
/*
@@ -104,7 +103,7 @@ CERT_GetUsePKIXForValidation()
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_NssKeyUsagesToPkix(
PRUint32 nssKeyUsage,
PKIX_UInt32 *pPkixKeyUsage,
@@ -120,7 +119,7 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
}
-
+
if (nssKeyUsage & KU_NON_REPUDIATION) {
pkixKeyUsage |= PKIX_NON_REPUDIATION;
}
@@ -128,19 +127,19 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
}
-
+
if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
}
-
+
if (nssKeyUsage & KU_KEY_AGREEMENT) {
pkixKeyUsage |= PKIX_KEY_AGREEMENT;
}
-
+
if (nssKeyUsage & KU_KEY_CERT_SIGN) {
pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
}
-
+
if (nssKeyUsage & KU_CRL_SIGN) {
pkixKeyUsage |= PKIX_CRL_SIGN;
}
@@ -148,7 +147,7 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_ENCIPHER_ONLY) {
pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
}
-
+
/* Not supported. XXX we should support this once it is
* fixed in NSS */
/* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
@@ -176,17 +175,17 @@ typedef struct {
} SECCertUsageToEku;
const SECCertUsageToEku certUsageEkuStringMap[] = {
- {certUsageSSLClient, ekuIndexSSLClient},
- {certUsageSSLServer, ekuIndexSSLServer},
- {certUsageSSLCA, ekuIndexSSLServer},
- {certUsageEmailSigner, ekuIndexEmail},
- {certUsageEmailRecipient, ekuIndexEmail},
- {certUsageObjectSigner, ekuIndexCodeSigner},
- {certUsageUserCertImport, ekuIndexUnknown},
- {certUsageVerifyCA, ekuIndexUnknown},
- {certUsageProtectedObjectSigner, ekuIndexUnknown},
- {certUsageStatusResponder, ekuIndexStatusResponder},
- {certUsageAnyCA, ekuIndexUnknown},
+ { certUsageSSLClient, ekuIndexSSLClient },
+ { certUsageSSLServer, ekuIndexSSLServer },
+ { certUsageSSLCA, ekuIndexSSLServer },
+ { certUsageEmailSigner, ekuIndexEmail },
+ { certUsageEmailRecipient, ekuIndexEmail },
+ { certUsageObjectSigner, ekuIndexCodeSigner },
+ { certUsageUserCertImport, ekuIndexUnknown },
+ { certUsageVerifyCA, ekuIndexUnknown },
+ { certUsageProtectedObjectSigner, ekuIndexUnknown },
+ { certUsageStatusResponder, ekuIndexStatusResponder },
+ { certUsageAnyCA, ekuIndexUnknown },
};
/*
@@ -200,15 +199,15 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
* "cert"
* Pointer to CERTCertificate structure of validating cert.
* "requiredCertUsages"
- * Required usage that will be converted to pkix eku and ku.
+ * Required usage that will be converted to pkix eku and ku.
* "requiredKeyUsage",
* Additional key usages impose to cert.
* "isCA",
- * it true, convert usages for cert that is a CA cert.
+ * it true, convert usages for cert that is a CA cert.
* "ppkixEKUList"
* Returned address of a list of pkix extended key usages.
* "ppkixKU"
- * Returned address of pkix required key usages bit field.
+ * Returned address of pkix required key usages bit field.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@@ -218,29 +217,29 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_NssCertificateUsageToPkixKUAndEKU(
CERTCertificate *cert,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- PRBool isCA,
- PKIX_List **ppkixEKUList,
- PKIX_UInt32 *ppkixKU,
- void *plContext)
+ SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages,
+ PRBool isCA,
+ PKIX_List **ppkixEKUList,
+ PKIX_UInt32 *ppkixKU,
+ void *plContext)
{
- PKIX_List *ekuOidsList = NULL;
- PKIX_PL_OID *ekuOid = NULL;
- int i = 0;
- int ekuIndex = ekuIndexUnknown;
+ PKIX_List *ekuOidsList = NULL;
+ PKIX_PL_OID *ekuOid = NULL;
+ int i = 0;
+ int ekuIndex = ekuIndexUnknown;
PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
-
+
PKIX_CHECK(
PKIX_List_Create(&ekuOidsList, plContext),
PKIX_LISTCREATEFAILED);
- for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {
+ for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) {
const SECCertUsageToEku *usageToEkuElem =
&certUsageEkuStringMap[i];
if (usageToEkuElem->certUsage == requiredCertUsage) {
@@ -249,25 +248,25 @@ cert_NssCertificateUsageToPkixKUAndEKU(
}
}
if (ekuIndex != ekuIndexUnknown) {
- PRUint32 reqKeyUsage = 0;
- PRUint32 reqCertType = 0;
+ PRUint32 reqKeyUsage = 0;
+ PRUint32 reqCertType = 0;
CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA,
&reqKeyUsage,
&reqCertType);
-
+
requiredKeyUsages |= reqKeyUsage;
-
+
PKIX_CHECK(
PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid,
plContext),
PKIX_OIDCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid,
plContext),
PKIX_LISTAPPENDITEMFAILED);
-
+
PKIX_DECREF(ekuOid);
}
@@ -279,7 +278,7 @@ cert_NssCertificateUsageToPkixKUAndEKU(
ekuOidsList = NULL;
cleanup:
-
+
PKIX_DECREF(ekuOid);
PKIX_DECREF(ekuOidsList);
@@ -313,37 +312,36 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_ProcessingParamsSetKeyAndCertUsage(
PKIX_ProcessingParams *procParams,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- void *plContext)
+ SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages,
+ void *plContext)
{
- PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *certSelector = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext;
-
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
+
PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
PKIX_NULLCHECK_TWO(procParams, nssContext);
-
+
PKIX_CHECK(
pkix_pl_NssContext_SetCertUsage(
- ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
- PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
+ ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
+ PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
if (requiredKeyUsages) {
PKIX_CHECK(
PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
&certSelector, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
-
+
PKIX_CHECK(
PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
&certSelParams, plContext),
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
-
-
+
PKIX_CHECK(
PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages,
plContext),
@@ -357,7 +355,7 @@ cleanup:
}
/*
- * Unused parameters:
+ * Unused parameters:
*
* CERTCertList *initialChain,
* CERTCertStores certStores,
@@ -398,44 +396,44 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_CreatePkixProcessingParams(
- CERTCertificate *cert,
- PRBool checkSig, /* not used yet. See bug 391476 */
- PRTime time,
- void *wincx,
- PRBool useArena,
- PRBool disableOCSPRemoteFetching,
+ CERTCertificate *cert,
+ PRBool checkSig, /* not used yet. See bug 391476 */
+ PRTime time,
+ void *wincx,
+ PRBool useArena,
+ PRBool disableOCSPRemoteFetching,
PKIX_ProcessingParams **pprocParams,
- void **pplContext)
+ void **pplContext)
{
- PKIX_List *anchors = NULL;
- PKIX_PL_Cert *targetCert = NULL;
- PKIX_PL_Date *date = NULL;
+ PKIX_List *anchors = NULL;
+ PKIX_PL_Cert *targetCert = NULL;
+ PKIX_PL_Date *date = NULL;
PKIX_ProcessingParams *procParams = NULL;
- PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *certSelector = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_CertStore *certStore = NULL;
- PKIX_List *certStores = NULL;
+ PKIX_CertStore *certStore = NULL;
+ PKIX_List *certStores = NULL;
PKIX_RevocationChecker *revChecker = NULL;
- PKIX_UInt32 methodFlags = 0;
- void *plContext = NULL;
- CERTStatusConfig *statusConfig = NULL;
-
+ PKIX_UInt32 methodFlags = 0;
+ void *plContext = NULL;
+ CERTStatusConfig *statusConfig = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
PKIX_NULLCHECK_TWO(cert, pprocParams);
-
+
PKIX_CHECK(
PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
PKIX_NSSCONTEXTCREATEFAILED);
*pplContext = plContext;
-#ifdef PKIX_NOTDEF
+#ifdef PKIX_NOTDEF
/* Functions should be implemented in patch for 390532 */
PKIX_CHECK(
pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
- (PKIX_PL_NssContext*)plContext),
+ (PKIX_PL_NssContext *)plContext),
PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
#endif /* PKIX_NOTDEF */
@@ -443,11 +441,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_ProcessingParams_Create(&procParams, plContext),
PKIX_PROCESSINGPARAMSCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_ComCertSelParams_Create(&certSelParams, plContext),
PKIX_COMCERTSELPARAMSCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
PKIX_CERTCREATEWITHNSSCERTFAILED);
@@ -456,16 +454,16 @@ cert_CreatePkixProcessingParams(
PKIX_ComCertSelParams_SetCertificate(certSelParams,
targetCert, plContext),
PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
-
+
PKIX_CHECK(
PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
PKIX_COULDNOTCREATECERTSELECTOROBJECT);
-
+
PKIX_CHECK(
PKIX_CertSelector_SetCommonCertSelectorParams(certSelector,
certSelParams, plContext),
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
-
+
PKIX_CHECK(
PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
certSelector, plContext),
@@ -482,11 +480,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
PKIX_PK11CERTSTORECREATEFAILED);
-
+
PKIX_CHECK(
PKIX_List_Create(&certStores, plContext),
PKIX_UNABLETOCREATELIST);
-
+
PKIX_CHECK(
PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore,
plContext),
@@ -507,11 +505,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_RevocationChecker_Create(
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- &revChecker, plContext),
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ &revChecker, plContext),
PKIX_REVOCATIONCHECKERCREATEFAILED);
PKIX_CHECK(
@@ -520,27 +518,27 @@ cert_CreatePkixProcessingParams(
PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED);
/* CRL method flags */
- methodFlags =
+ methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
PKIX_REV_M_FORBID_NETWORK_FETCHING |
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
/* add CRL revocation method to check the leaf certificate */
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_TRUE, plContext),
+ PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_TRUE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
/* add CRL revocation method for other certs in the chain. */
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_FALSE, plContext),
+ PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_FALSE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
-
+
/* For compatibility with the old code, need to check that
* statusConfig is set in the db handle and status checker
* is defined befor allow ocsp status check on the leaf cert.*/
@@ -551,30 +549,30 @@ cert_CreatePkixProcessingParams(
/* OCSP method flags */
methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
- PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
- PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
+ PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
-
+
/* Disabling ocsp fetching when checking the status
* of ocsp response signer. Here and in the next if,
* adjust flags for ocsp signer cert validation case. */
if (disableOCSPRemoteFetching) {
methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
}
-
- if (ocsp_FetchingFailureIsVerificationFailure()
- && !disableOCSPRemoteFetching) {
+
+ if (ocsp_FetchingFailureIsVerificationFailure() &&
+ !disableOCSPRemoteFetching) {
methodFlags |=
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
}
-
+
/* add OCSP revocation method to check only the leaf certificate.*/
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_OCSP, methodFlags,
- 1, NULL, PKIX_TRUE, plContext),
+ PKIX_RevocationMethod_OCSP, methodFlags,
+ 1, NULL, PKIX_TRUE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
}
@@ -585,14 +583,14 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
- plContext),
+ plContext),
PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
PKIX_CHECK(
PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE,
plContext),
PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
-
+
*pprocParams = procParams;
procParams = NULL;
@@ -615,10 +613,10 @@ cleanup:
* DESCRIPTION:
*
* Converts pkix cert list into nss cert list.
- *
+ *
* PARAMETERS:
* "pkixCertChain"
- * Pkix certificate list.
+ * Pkix certificate list.
* "pvalidChain"
* An address of returned nss certificate list.
* "plContext"
@@ -630,18 +628,18 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_PkixToNssCertsChain(
- PKIX_List *pkixCertChain,
- CERTCertList **pvalidChain,
+ PKIX_List *pkixCertChain,
+ CERTCertList **pvalidChain,
void *plContext)
{
- PLArenaPool *arena = NULL;
+ PLArenaPool *arena = NULL;
CERTCertificate *nssCert = NULL;
- CERTCertList *validChain = NULL;
- PKIX_PL_Object *certItem = NULL;
- PKIX_UInt32 length = 0;
- PKIX_UInt32 i = 0;
+ CERTCertList *validChain = NULL;
+ PKIX_PL_Object *certItem = NULL;
+ PKIX_UInt32 length = 0;
+ PKIX_UInt32 i = 0;
PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
PKIX_NULLCHECK_ONE(pvalidChain);
@@ -653,7 +651,7 @@ cert_PkixToNssCertsChain(
if (arena == NULL) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
- validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+ validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
if (validChain == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
@@ -665,22 +663,22 @@ cert_PkixToNssCertsChain(
PKIX_List_GetLength(pkixCertChain, &length, plContext),
PKIX_LISTGETLENGTHFAILED);
- for (i = 0; i < length; i++){
+ for (i = 0; i < length; i++) {
CERTCertListNode *node = NULL;
PKIX_CHECK(
PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
PKIX_LISTGETITEMFAILED);
-
+
PKIX_CHECK(
- PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert,
- plContext),
+ PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, &nssCert,
+ plContext),
PKIX_CERTGETCERTCERTIFICATEFAILED);
-
+
node =
(CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
sizeof(CERTCertListNode));
- if ( node == NULL ) {
+ if (node == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
@@ -695,10 +693,11 @@ cert_PkixToNssCertsChain(
*pvalidChain = validChain;
cleanup:
- if (PKIX_ERROR_RECEIVED){
+ if (PKIX_ERROR_RECEIVED) {
if (validChain) {
CERT_DestroyCertList(validChain);
- } else if (arena) {
+ }
+ else if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
if (nssCert) {
@@ -710,7 +709,6 @@ cleanup:
PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_BuildAndValidateChain
* DESCRIPTION:
@@ -738,7 +736,7 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_BuildAndValidateChain(
PKIX_ProcessingParams *procParams,
PKIX_BuildResult **pResult,
@@ -746,19 +744,19 @@ cert_BuildAndValidateChain(
void *plContext)
{
PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- void *nbioContext = NULL;
- void *state = NULL;
-
+ PKIX_VerifyNode *verifyNode = NULL;
+ void *nbioContext = NULL;
+ void *state = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
PKIX_NULLCHECK_TWO(procParams, pResult);
-
+
do {
if (nbioContext && state) {
/* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
* See bug 391180 */
PRInt32 filesReady = 0;
- PRPollDesc *pollDesc = (PRPollDesc*)nbioContext;
+ PRPollDesc *pollDesc = (PRPollDesc *)nbioContext;
filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
if (filesReady <= 0) {
PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
@@ -769,7 +767,7 @@ cert_BuildAndValidateChain(
PKIX_BuildChain(procParams, &nbioContext, &state,
&result, &verifyNode, plContext),
PKIX_UNABLETOBUILDCHAIN);
-
+
} while (nbioContext && state);
*pResult = result;
@@ -782,7 +780,6 @@ cleanup:
PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_PkixErrorToNssCode
* DESCRIPTION:
@@ -817,16 +814,17 @@ cert_PkixErrorToNssCode(
PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
PKIX_NULLCHECK_TWO(error, pNssErr);
-
+
/* Loop until we find at least one error with non-null
* plErr code, that is going to be nss error code. */
while (errPtr) {
if (errPtr->plErr && !nssErr) {
nssErr = errPtr->plErr;
- if (!pkixLog) break;
+ if (!pkixLog)
+ break;
}
if (pkixLog) {
-#ifdef PKIX_ERROR_DESCRIPTION
+#ifdef PKIX_ERROR_DESCRIPTION
PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
PKIX_ErrorText[errPtr->errCode]));
#else
@@ -835,12 +833,13 @@ cert_PkixErrorToNssCode(
#endif /* PKIX_ERROR_DESCRIPTION */
}
errPtr = errPtr->cause;
- errLevel += 1;
+ errLevel += 1;
}
PORT_Assert(nssErr);
if (!nssErr) {
*pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
- } else {
+ }
+ else {
*pNssErr = nssErr;
}
@@ -856,7 +855,7 @@ cert_PkixErrorToNssCode(
*
* PARAMETERS:
* "log"
- * Pointed to already allocated CERTVerifyLog structure.
+ * Pointed to already allocated CERTVerifyLog structure.
* "node"
* A node of PKIX_VerifyNode tree.
* "plContext"
@@ -874,7 +873,7 @@ cert_GetLogFromVerifyNode(
PKIX_VerifyNode *node,
void *plContext)
{
- PKIX_List *children = NULL;
+ PKIX_List *children = NULL;
PKIX_VerifyNode *childNode = NULL;
PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
@@ -894,26 +893,27 @@ cert_GetLogFromVerifyNode(
cert_PkixErrorToNssCode(node->error, &nssErrorCode,
plContext),
PKIX_GETPKIXERRORCODEFAILED);
-
+
cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
}
}
PKIX_RETURN(CERTVFYPKIX);
- } else {
- PRUint32 i = 0;
- PKIX_UInt32 length = 0;
+ }
+ else {
+ PRUint32 i = 0;
+ PKIX_UInt32 length = 0;
PKIX_CHECK(
PKIX_List_GetLength(children, &length, plContext),
PKIX_LISTGETLENGTHFAILED);
-
- for (i = 0; i < length; i++){
+
+ for (i = 0; i < length; i++) {
PKIX_CHECK(
- PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode,
+ PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
-
+
PKIX_CHECK(
cert_GetLogFromVerifyNode(log, childNode, plContext),
PKIX_ERRORINRECURSIVEEQUALSCALL);
@@ -943,7 +943,7 @@ cleanup:
* In case of failure it will convert:
* * pkix error to PR error code(will set it with PORT_SetError)
* * pkix validation log to nss CERTVerifyLog
- *
+ *
* PARAMETERS:
* "buildResult"
* Build results returned by PKIX_BuildChain.
@@ -968,23 +968,23 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_GetBuildResults(
PKIX_BuildResult *buildResult,
- PKIX_VerifyNode *verifyNode,
- PKIX_Error *error,
- CERTVerifyLog *log,
+ PKIX_VerifyNode *verifyNode,
+ PKIX_Error *error,
+ CERTVerifyLog *log,
CERTCertificate **ptrustedRoot,
- CERTCertList **pvalidChain,
- void *plContext)
+ CERTCertList **pvalidChain,
+ void *plContext)
{
PKIX_ValidateResult *validResult = NULL;
- CERTCertList *validChain = NULL;
- CERTCertificate *trustedRoot = NULL;
- PKIX_TrustAnchor *trustAnchor = NULL;
- PKIX_PL_Cert *trustedCert = NULL;
- PKIX_List *pkixCertChain = NULL;
-
+ CERTCertList *validChain = NULL;
+ CERTCertificate *trustedRoot = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_List *pkixCertChain = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
if (buildResult == NULL && error == NULL) {
PKIX_ERROR(PKIX_NULLARGUMENT);
@@ -1036,7 +1036,7 @@ cert_GetBuildResults(
plContext),
PKIX_CERTGETCERTCERTIFICATEFAILED);
}
-
+
PORT_Assert(!PKIX_ERROR_RECEIVED);
if (trustedRoot) {
@@ -1062,7 +1062,7 @@ cleanup:
PKIX_DECREF(error);
PKIX_DECREF(verifyNode);
PKIX_DECREF(buildResult);
-
+
PKIX_RETURN(CERTVFYPKIX);
}
@@ -1103,27 +1103,27 @@ cleanup:
SECStatus
cert_VerifyCertChainPkix(
CERTCertificate *cert,
- PRBool checkSig,
- SECCertUsage requiredUsage,
- PRTime time,
- void *wincx,
- CERTVerifyLog *log,
- PRBool *pSigerror,
- PRBool *pRevoked)
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
{
PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- PKIX_Error *error = NULL;
+ PKIX_BuildResult *result = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_Error *error = NULL;
- SECStatus rv = SECFailure;
- void *plContext = NULL;
+ SECStatus rv = SECFailure;
+ void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
@@ -1136,93 +1136,95 @@ cert_VerifyCertChainPkix(
testStartFnStackPosition = 2;
fnStackNameArr[0] = "cert_VerifyCertChainPkix";
fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
+ PKIX_Boolean abortOnLeak =
(PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
+ PKIX_FALSE
+ : PKIX_TRUE;
runningLeakTest = PKIX_TRUE;
/* Prevent multi-threaded run of object leak test */
fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
PORT_Assert(fnInvLocalCount == 1);
-do {
- rv = SECFailure;
- plContext = NULL;
- procParams = NULL;
- result = NULL;
- verifyNode = NULL;
- error = NULL;
- errorGenerated = PKIX_FALSE;
- stackPosition = 0;
-
- if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
- }
- memLeakLoopCount += 1;
+ do {
+ rv = SECFailure;
+ plContext = NULL;
+ procParams = NULL;
+ result = NULL;
+ verifyNode = NULL;
+ error = NULL;
+ errorGenerated = PKIX_FALSE;
+ stackPosition = 0;
+
+ if (leakedObjNum) {
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ }
+ memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error =
- cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
- PR_FALSE/*use arena*/,
- requiredUsage == certUsageStatusResponder,
- &procParams, &plContext);
- if (error) {
- goto cleanup;
- }
+ error =
+ cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
+ PR_FALSE /*use arena*/,
+ requiredUsage == certUsageStatusResponder,
+ &procParams, &plContext);
+ if (error) {
+ goto cleanup;
+ }
- error =
- cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
- plContext);
- if (error) {
- goto cleanup;
- }
+ error =
+ cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
+ plContext);
+ if (error) {
+ goto cleanup;
+ }
- error =
- cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
- if (error) {
- goto cleanup;
- }
-
- if (pRevoked) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pRevoked = PR_FALSE;
- }
- if (pSigerror) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pSigerror = PR_FALSE;
- }
- rv = SECSuccess;
+ error =
+ cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
+ if (error) {
+ goto cleanup;
+ }
-cleanup:
- error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
- plContext);
- if (error) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- }
- if (procParams) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
- }
- if (plContext) {
- PKIX_PL_NssContext_Destroy(plContext);
- }
+ if (pRevoked) {
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pRevoked = PR_FALSE;
+ }
+ if (pSigerror) {
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pSigerror = PR_FALSE;
+ }
+ rv = SECSuccess;
+
+ cleanup:
+ error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
+ plContext);
+ if (error) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ }
+ if (procParams) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ }
+ if (plContext) {
+ PKIX_PL_NssContext_Destroy(plContext);
+ }
#ifdef PKIX_OBJECT_LEAK_TEST
- leakedObjNum =
- pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
-
- if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
- }
- PR_Free(errorFnStackString);
- errorFnStackString = NULL;
- if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
- }
+ leakedObjNum =
+ pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
-} while (errorGenerated);
+ if (pkixLog && leakedObjNum) {
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
+ }
+ PR_Free(errorFnStackString);
+ errorFnStackString = NULL;
+ if (abortOnLeak) {
+ PORT_Assert(leakedObjNum == 0);
+ }
+
+ } while (errorGenerated);
- runningLeakTest = PKIX_FALSE;
+ runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
@@ -1231,50 +1233,55 @@ cleanup:
}
PKIX_CertSelector *
-cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
+cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
- PKIX_CertSelector *r= NULL;
+ PKIX_CertSelector *r = NULL;
PKIX_PL_Cert *eeCert = NULL;
PKIX_Error *error = NULL;
error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_ComCertSelParams_SetCertificate(
- certSelParams, eeCert, plContext);
- if (error != NULL) goto cleanup;
+ certSelParams, eeCert, plContext);
+ if (error != NULL)
+ goto cleanup;
- error = PKIX_CertSelector_SetCommonCertSelectorParams
- (certSelector, certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext);
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
- if (error == NULL) r = certSelector;
+ if (error == NULL)
+ r = certSelector;
cleanup:
- if (certSelParams != NULL)
+ if (certSelParams != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
- if (eeCert != NULL)
+ if (eeCert != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
- if (certSelector != NULL)
+ if (certSelector != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
if (error != NULL) {
- SECErrorCodes nssErr;
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
+ PORT_SetError(nssErr);
}
return r;
@@ -1289,39 +1296,42 @@ cert_GetCertStores(void *plContext)
PKIX_Error *error = NULL;
error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_List_Create(&certStores, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
- error = PKIX_List_AppendItem( certStores,
- (PKIX_PL_Object *)certStore, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_List_AppendItem(certStores,
+ (PKIX_PL_Object *)certStore, plContext);
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
- if (error == NULL) r = certStores;
+ if (error == NULL)
+ r = certStores;
cleanup:
- if (certStores != NULL)
+ if (certStores != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certStore != NULL)
+ if (certStore != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
if (error != NULL) {
- SECErrorCodes nssErr;
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
+ PORT_SetError(nssErr);
}
return r;
}
-
struct fake_PKIX_PL_CertStruct {
- CERTCertificate *nssCert;
+ CERTCertificate *nssCert;
};
/* This needs to be part of the PKIX_PL_* */
@@ -1332,12 +1342,13 @@ cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert)
{
struct fake_PKIX_PL_CertStruct *fcert = NULL;
- fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert;
+ fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert;
return CERT_DupCertificate(fcert->nssCert);
}
-PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
+PKIX_List *
+cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
{
PKIX_List *r = NULL;
PKIX_List *policyList = NULL;
@@ -1347,16 +1358,16 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
error = PKIX_List_Create(&policyList, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
- for (i=0; i<oidCount; i++) {
+ for (i = 0; i < oidCount; i++) {
error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
if (error) {
goto cleanup;
}
- error = PKIX_List_AppendItem(policyList,
- (PKIX_PL_Object *)policyOID, plContext);
+ error = PKIX_List_AppendItem(policyList,
+ (PKIX_PL_Object *)policyOID, plContext);
if (error != NULL) {
goto cleanup;
}
@@ -1365,19 +1376,21 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
}
error = PKIX_List_SetImmutable(policyList, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
- if (error == NULL) r = policyList;
+ if (error == NULL)
+ r = policyList;
cleanup:
- if (policyOID != NULL) {
+ if (policyOID != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
}
- if (policyList != NULL) {
+ if (policyList != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
}
- if (error != NULL) {
+ if (error != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
}
@@ -1393,14 +1406,13 @@ cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t)
}
for (i = params; i->type != cert_po_end; i++) {
if (i->type == t) {
- return i;
+ return i;
}
}
return NULL;
}
-
-static PKIX_Error*
+static PKIX_Error *
setRevocationMethod(PKIX_RevocationChecker *revChecker,
PKIX_ProcessingParams *procParams,
const CERTRevocationTests *revTest,
@@ -1413,14 +1425,14 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
PKIX_UInt32 methodFlags = 0;
PKIX_Error *error = NULL;
PKIX_UInt32 priority = 0;
-
+
if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
return NULL;
}
if (revTest->preferred_methods) {
unsigned int i = 0;
- for (;i < revTest->number_of_preferred_methods;i++) {
- if (revTest->preferred_methods[i] == certRevMethod)
+ for (; i < revTest->number_of_preferred_methods; i++) {
+ if (revTest->preferred_methods[i] == certRevMethod)
break;
}
priority = i;
@@ -1432,19 +1444,18 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
}
error =
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- pkixRevMethod, methodFlags,
- priority, NULL,
- isLeafTest, plContext);
+ pkixRevMethod, methodFlags,
+ priority, NULL,
+ isLeafTest, plContext);
return error;
}
-
SECStatus
-cert_pkixSetParam(PKIX_ProcessingParams *procParams,
- const CERTValInParam *param, void *plContext)
+cert_pkixSetParam(PKIX_ProcessingParams *procParams,
+ const CERTValInParam *param, void *plContext)
{
- PKIX_Error * error = NULL;
- SECStatus r=SECSuccess;
+ PKIX_Error *error = NULL;
+ SECStatus r = SECSuccess;
PKIX_PL_Date *date = NULL;
PKIX_List *policyOIDList = NULL;
PKIX_List *certListPkix = NULL;
@@ -1465,22 +1476,22 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
/* needed? */
error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
- procParams, PKIX_TRUE, plContext);
+ procParams, PKIX_TRUE, plContext);
- if (error != NULL) {
+ if (error != NULL) {
break;
}
policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
- param->value.arraySize,plContext);
- if (policyOIDList == NULL) {
- r = SECFailure;
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- break;
- }
+ param->value.arraySize, plContext);
+ if (policyOIDList == NULL) {
+ r = SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ break;
+ }
error = PKIX_ProcessingParams_SetInitialPolicies(
- procParams,policyOIDList,plContext);
+ procParams, policyOIDList, plContext);
break;
case cert_pi_date:
@@ -1490,9 +1501,10 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
errCode = SEC_ERROR_INVALID_TIME;
break;
}
- } else {
+ }
+ else {
error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
- &date, plContext);
+ &date, plContext);
if (error != NULL) {
errCode = SEC_ERROR_INVALID_TIME;
break;
@@ -1505,8 +1517,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
break;
- case cert_pi_revocationFlags:
- {
+ case cert_pi_revocationFlags: {
PKIX_UInt32 leafIMFlags = 0;
PKIX_UInt32 chainIMFlags = 0;
PKIX_Boolean validatingResponderCert = PKIX_FALSE;
@@ -1518,7 +1529,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
- leafIMFlags =
+ leafIMFlags =
flags->leafTests.cert_rev_method_independent_flags;
chainIMFlags =
flags->chainTests.cert_rev_method_independent_flags;
@@ -1532,12 +1543,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
error =
PKIX_ProcessingParams_SetRevocationChecker(procParams,
- revChecker, plContext);
+ revChecker, plContext);
if (error) {
break;
}
- if (((PKIX_PL_NssContext*)plContext)->certificateUsage &
+ if (((PKIX_PL_NssContext *)plContext)->certificateUsage &
certificateUsageStatusResponder) {
validatingResponderCert = PKIX_TRUE;
}
@@ -1582,8 +1593,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
- }
- break;
+ } break;
case cert_pi_trustAnchors:
certList = param->value.pointer.chain;
@@ -1596,10 +1606,10 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
if (error != NULL) {
break;
}
- for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
- node = CERT_LIST_NEXT(node) ) {
+ for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
+ node = CERT_LIST_NEXT(node)) {
error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
- &certPkix, plContext);
+ &certPkix, plContext);
if (error) {
break;
}
@@ -1609,8 +1619,8 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
error = PKIX_List_AppendItem(certListPkix,
- (PKIX_PL_Object*)trustAnchor, plContext);
- if (error) {
+ (PKIX_PL_Object *)trustAnchor, plContext);
+ if (error) {
break;
}
PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
@@ -1626,12 +1636,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
case cert_pi_useAIACertFetch:
error =
PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
- (PRBool)(param->value.scalar.b != 0),
+ (PRBool)(param->value.scalar.b !=
+ 0),
plContext);
break;
- case cert_pi_chainVerifyCallback:
- {
+ case cert_pi_chainVerifyCallback: {
const CERTChainVerifyCallback *chainVerifyCallback =
param->value.pointer.chainVerifyCallback;
if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) {
@@ -1641,13 +1651,13 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
nssContext->chainVerifyCallback = *chainVerifyCallback;
- }
- break;
+ } break;
case cert_pi_useOnlyTrustAnchors:
error =
PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
- (PRBool)(param->value.scalar.b != 0),
+ (PRBool)(param->value.scalar.b !=
+ 0),
plContext);
break;
@@ -1660,19 +1670,19 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
if (policyOIDList != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
- if (date != NULL)
+ if (date != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
- if (revChecker != NULL)
+ if (revChecker != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
- if (certListPkix)
+ if (certListPkix)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
- if (trustAnchor)
+ if (trustAnchor)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- if (certPkix)
+ if (certPkix)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
if (error != NULL) {
@@ -1681,8 +1691,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
r = SECFailure;
}
- return r;
-
+ return r;
}
void
@@ -1695,207 +1704,188 @@ cert_pkixDestroyValOutParam(CERTValOutParam *params)
}
for (i = params; i->type != cert_po_end; i++) {
switch (i->type) {
- case cert_po_trustAnchor:
- if (i->value.pointer.cert) {
- CERT_DestroyCertificate(i->value.pointer.cert);
- i->value.pointer.cert = NULL;
- }
- break;
+ case cert_po_trustAnchor:
+ if (i->value.pointer.cert) {
+ CERT_DestroyCertificate(i->value.pointer.cert);
+ i->value.pointer.cert = NULL;
+ }
+ break;
- case cert_po_certList:
- if (i->value.pointer.chain) {
- CERT_DestroyCertList(i->value.pointer.chain);
- i->value.pointer.chain = NULL;
- }
- break;
+ case cert_po_certList:
+ if (i->value.pointer.chain) {
+ CERT_DestroyCertList(i->value.pointer.chain);
+ i->value.pointer.chain = NULL;
+ }
+ break;
- default:
- break;
+ default:
+ break;
}
}
}
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD
};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
+ cert_revocation_method_crl
+ };
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
+ 1,
+ &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledSoftFailurePolicy()
{
return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
+ cert_revocation_method_crl
+ };
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
+ 1,
+ &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledHardFailurePolicy()
{
return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
+ 0,
+ 0,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPDisabledPolicy()
{
return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
}
-
static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0
};
static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0
};
static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = {
- {
- /* leafTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_PKIX_Verify_Nist_Policy_LeafFlags,
+ 0,
+ 0,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_PKIX_Verify_Nist_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetPKIXVerifyNistRevocationPolicy()
{
return &certRev_PKIX_Verify_Nist_Policy;
@@ -1907,56 +1897,57 @@ CERT_AllocCERTRevocationFlags(
PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
{
CERTRevocationFlags *flags;
-
+
flags = PORT_New(CERTRevocationFlags);
if (!flags)
- return(NULL);
-
+ return (NULL);
+
flags->leafTests.number_of_defined_methods = number_leaf_methods;
- flags->leafTests.cert_rev_flags_per_method =
+ flags->leafTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_leaf_methods);
flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
- flags->leafTests.preferred_methods =
+ flags->leafTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
flags->chainTests.number_of_defined_methods = number_chain_methods;
- flags->chainTests.cert_rev_flags_per_method =
+ flags->chainTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_chain_methods);
flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
- flags->chainTests.preferred_methods =
+ flags->chainTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
-
- if (!flags->leafTests.cert_rev_flags_per_method
- || !flags->leafTests.preferred_methods
- || !flags->chainTests.cert_rev_flags_per_method
- || !flags->chainTests.preferred_methods) {
+
+ if (!flags->leafTests.cert_rev_flags_per_method ||
+ !flags->leafTests.preferred_methods ||
+ !flags->chainTests.cert_rev_flags_per_method ||
+ !flags->chainTests.preferred_methods) {
CERT_DestroyCERTRevocationFlags(flags);
return (NULL);
}
-
+
return flags;
}
-void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
+void
+CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
{
if (!flags)
- return;
-
+ return;
+
if (flags->leafTests.cert_rev_flags_per_method)
PORT_Free(flags->leafTests.cert_rev_flags_per_method);
if (flags->leafTests.preferred_methods)
PORT_Free(flags->leafTests.preferred_methods);
-
+
if (flags->chainTests.cert_rev_flags_per_method)
PORT_Free(flags->chainTests.cert_rev_flags_per_method);
if (flags->chainTests.preferred_methods)
PORT_Free(flags->chainTests.preferred_methods);
- PORT_Free(flags);
+ PORT_Free(flags);
}
/*
@@ -1984,36 +1975,37 @@ void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
*
* CERT_PKIXVerifyCert(cert, &output, args
*/
-SECStatus CERT_PKIXVerifyCert(
- CERTCertificate *cert,
- SECCertificateUsage usages,
- CERTValInParam *paramsIn,
- CERTValOutParam *paramsOut,
- void *wincx)
+SECStatus
+CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
{
- SECStatus r = SECFailure;
- PKIX_Error * error = NULL;
+ SECStatus r = SECFailure;
+ PKIX_Error *error = NULL;
PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult * buildResult = NULL;
- void * nbioContext = NULL; /* for non-blocking IO */
- void * buildState = NULL; /* for non-blocking IO */
- PKIX_CertSelector * certSelector = NULL;
- PKIX_List * certStores = NULL;
- PKIX_ValidateResult * valResult = NULL;
- PKIX_VerifyNode * verifyNode = NULL;
- PKIX_TrustAnchor * trustAnchor = NULL;
- PKIX_PL_Cert * trustAnchorCert = NULL;
- PKIX_List * builtCertList = NULL;
- CERTValOutParam * oparam = NULL;
- int i=0;
+ PKIX_BuildResult *buildResult = NULL;
+ void *nbioContext = NULL; /* for non-blocking IO */
+ void *buildState = NULL; /* for non-blocking IO */
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_List *certStores = NULL;
+ PKIX_ValidateResult *valResult = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustAnchorCert = NULL;
+ PKIX_List *builtCertList = NULL;
+ CERTValOutParam *oparam = NULL;
+ int i = 0;
void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
@@ -2026,227 +2018,231 @@ SECStatus CERT_PKIXVerifyCert(
testStartFnStackPosition = 1;
fnStackNameArr[0] = "CERT_PKIXVerifyCert";
fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
+ PKIX_Boolean abortOnLeak =
(PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
+ PKIX_FALSE
+ : PKIX_TRUE;
runningLeakTest = PKIX_TRUE;
/* Prevent multi-threaded run of object leak test */
fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
PORT_Assert(fnInvLocalCount == 1);
-do {
- r = SECFailure;
- error = NULL;
- procParams = NULL;
- buildResult = NULL;
- nbioContext = NULL; /* for non-blocking IO */
- buildState = NULL; /* for non-blocking IO */
- certSelector = NULL;
- certStores = NULL;
- valResult = NULL;
- verifyNode = NULL;
- trustAnchor = NULL;
- trustAnchorCert = NULL;
- builtCertList = NULL;
- oparam = NULL;
- i=0;
- errorGenerated = PKIX_FALSE;
- stackPosition = 0;
-
- if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
- }
- memLeakLoopCount += 1;
+ do {
+ r = SECFailure;
+ error = NULL;
+ procParams = NULL;
+ buildResult = NULL;
+ nbioContext = NULL; /* for non-blocking IO */
+ buildState = NULL; /* for non-blocking IO */
+ certSelector = NULL;
+ certStores = NULL;
+ valResult = NULL;
+ verifyNode = NULL;
+ trustAnchor = NULL;
+ trustAnchorCert = NULL;
+ builtCertList = NULL;
+ oparam = NULL;
+ i = 0;
+ errorGenerated = PKIX_FALSE;
+ stackPosition = 0;
+
+ if (leakedObjNum) {
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ }
+ memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error = PKIX_PL_NssContext_Create(
+ error = PKIX_PL_NssContext_Create(
0, PR_FALSE /*use arena*/, wincx, &plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
- }
+ if (error != NULL) { /* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
+ }
- error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
- if (error != NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
+ error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
+ if (error != NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
- error = PKIX_ProcessingParams_Create(&procParams, plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
- }
+ error = PKIX_ProcessingParams_Create(&procParams, plContext);
+ if (error != NULL) { /* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
+ }
- /* local cert store should be set into procParams before
- * filling in revocation settings. */
- certStores = cert_GetCertStores(plContext);
- if (certStores == NULL) {
- goto cleanup;
- }
- error = PKIX_ProcessingParams_SetCertStores
- (procParams, certStores, plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ /* local cert store should be set into procParams before
+ * filling in revocation settings. */
+ certStores = cert_GetCertStores(plContext);
+ if (certStores == NULL) {
+ goto cleanup;
+ }
+ error = PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- /* now process the extensible input parameters structure */
- if (paramsIn != NULL) {
- i=0;
- while (paramsIn[i].type != cert_pi_end) {
- if (paramsIn[i].type >= cert_pi_max) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
- if (cert_pkixSetParam(procParams,
- &paramsIn[i],plContext) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
+ /* now process the extensible input parameters structure */
+ if (paramsIn != NULL) {
+ i = 0;
+ while (paramsIn[i].type != cert_pi_end) {
+ if (paramsIn[i].type >= cert_pi_max) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ if (cert_pkixSetParam(procParams,
+ &paramsIn[i], plContext) !=
+ SECSuccess) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ i++;
}
- i++;
}
- }
- certSelector = cert_GetTargetCertConstraints(cert, plContext);
- if (certSelector == NULL) {
- goto cleanup;
- }
- error = PKIX_ProcessingParams_SetTargetCertConstraints
- (procParams, certSelector, plContext);
- if (error != NULL) {
- goto cleanup;
- }
-
- error = PKIX_BuildChain( procParams, &nbioContext,
- &buildState, &buildResult, &verifyNode,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ certSelector = cert_GetTargetCertConstraints(cert, plContext);
+ if (certSelector == NULL) {
+ goto cleanup;
+ }
+ error = PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildChain(procParams, &nbioContext,
+ &buildState, &buildResult, &verifyNode,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildResult_GetValidateResult(buildResult, &valResult,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- if (trustAnchor != NULL) {
- error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
- plContext);
+ error = PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor,
+ plContext);
if (error != NULL) {
goto cleanup;
}
- }
+
+ if (trustAnchor != NULL) {
+ error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCert,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
+ }
#ifdef PKIX_OBJECT_LEAK_TEST
- /* Can not continue if error was generated but not returned.
- * Jumping to cleanup. */
- if (errorGenerated) goto cleanup;
+ /* Can not continue if error was generated but not returned.
+ * Jumping to cleanup. */
+ if (errorGenerated)
+ goto cleanup;
#endif /* PKIX_OBJECT_LEAK_TEST */
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
- if (oparam != NULL) {
- if (trustAnchorCert != NULL) {
- oparam->value.pointer.cert =
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
+ if (oparam != NULL) {
+ if (trustAnchorCert != NULL) {
+ oparam->value.pointer.cert =
cert_NSSCertFromPKIXCert(trustAnchorCert);
- } else {
- oparam->value.pointer.cert = NULL;
+ }
+ else {
+ oparam->value.pointer.cert = NULL;
+ }
}
- }
- error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
- if (oparam != NULL) {
- error = cert_PkixToNssCertsChain(builtCertList,
- &oparam->value.pointer.chain,
- plContext);
- if (error) goto cleanup;
- }
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
+ if (oparam != NULL) {
+ error = cert_PkixToNssCertsChain(builtCertList,
+ &oparam->value.pointer.chain,
+ plContext);
+ if (error)
+ goto cleanup;
+ }
- r = SECSuccess;
+ r = SECSuccess;
-cleanup:
- if (verifyNode) {
- /* Return validation log only upon error. */
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
+ cleanup:
+ if (verifyNode) {
+ /* Return validation log only upon error. */
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
#ifdef PKIX_OBJECT_LEAK_TEST
- if (!errorGenerated)
+ if (!errorGenerated)
#endif /* PKIX_OBJECT_LEAK_TEST */
- if (r && oparam != NULL) {
- PKIX_Error *tmpError =
- cert_GetLogFromVerifyNode(oparam->value.pointer.log,
- verifyNode, plContext);
- if (tmpError) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
- }
+ if (r && oparam != NULL) {
+ PKIX_Error *tmpError =
+ cert_GetLogFromVerifyNode(oparam->value.pointer.log,
+ verifyNode, plContext);
+ if (tmpError) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+ }
+ }
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
}
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
- }
- if (procParams != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ if (procParams != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
- if (trustAnchorCert != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
+ if (trustAnchorCert != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
- if (trustAnchor != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+ if (trustAnchor != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- if (valResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
+ if (valResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
- if (buildResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
+ if (buildResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
- if (certStores != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+ if (certStores != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certSelector != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (certSelector != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
- if (builtCertList != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+ if (builtCertList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
- if (error != NULL) {
- SECErrorCodes nssErrorCode = 0;
+ if (error != NULL) {
+ SECErrorCodes nssErrorCode = 0;
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
- cert_pkixDestroyValOutParam(paramsOut);
- PORT_SetError(nssErrorCode);
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- }
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+ cert_pkixDestroyValOutParam(paramsOut);
+ PORT_SetError(nssErrorCode);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ }
- PKIX_PL_NssContext_Destroy(plContext);
+ PKIX_PL_NssContext_Destroy(plContext);
#ifdef PKIX_OBJECT_LEAK_TEST
- leakedObjNum =
- pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
+ leakedObjNum =
+ pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
- if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
- }
- PR_Free(errorFnStackString);
- errorFnStackString = NULL;
- if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
- }
-
-} while (errorGenerated);
+ if (pkixLog && leakedObjNum) {
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
+ }
+ PR_Free(errorFnStackString);
+ errorFnStackString = NULL;
+ if (abortOnLeak) {
+ PORT_Assert(leakedObjNum == 0);
+ }
+
+ } while (errorGenerated);
- runningLeakTest = PKIX_FALSE;
+ runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
diff --git a/lib/certhigh/crlv2.c b/lib/certhigh/crlv2.c
index 7d8dbb9fa..beb90cbe2 100644
--- a/lib/certhigh/crlv2.c
+++ b/lib/certhigh/crlv2.c
@@ -17,17 +17,15 @@
SECStatus
CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
{
- return (cert_FindExtensionByOID (crl->extensions, oid, value));
+ return (cert_FindExtensionByOID(crl->extensions, oid, value));
}
-
SECStatus
CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
{
- return (cert_FindExtension (crl->extensions, tag, value));
+ return (cert_FindExtension(crl->extensions, tag, value));
}
-
/* Callback to set extensions and adjust verison */
static void
SetCrlExts(void *object, CERTCertExtension **exts)
@@ -35,13 +33,13 @@ SetCrlExts(void *object, CERTCertExtension **exts)
CERTCrl *crl = (CERTCrl *)object;
crl->extensions = exts;
- DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
+ DER_SetUInteger(crl->arena, &crl->version, SEC_CRL_VERSION_2);
}
void *
CERT_StartCRLExtensions(CERTCrl *crl)
{
- return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
+ return (cert_StartExtensions((void *)crl, crl->arena, SetCrlExts));
}
static void
@@ -55,11 +53,12 @@ SetCrlEntryExts(void *object, CERTCertExtension **exts)
void *
CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry)
{
- return (cert_StartExtensions (entry, crl->arena, SetCrlEntryExts));
+ return (cert_StartExtensions(entry, crl->arena, SetCrlEntryExts));
}
-SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
- SECItem *value)
+SECStatus
+CERT_FindCRLNumberExten(PLArenaPool *arena, CERTCrl *crl,
+ SECItem *value)
{
SECItem encodedExtenValue;
SECItem *tmpItem = NULL;
@@ -70,91 +69,94 @@ SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
encodedExtenValue.len = 0;
rv = cert_FindExtension(crl->extensions, SEC_OID_X509_CRL_NUMBER,
- &encodedExtenValue);
- if ( rv != SECSuccess )
- return (rv);
+ &encodedExtenValue);
+ if (rv != SECSuccess)
+ return (rv);
mark = PORT_ArenaMark(arena);
tmpItem = SECITEM_ArenaDupItem(arena, &encodedExtenValue);
if (tmpItem) {
- rv = SEC_QuickDERDecodeItem (arena, value,
- SEC_ASN1_GET(SEC_IntegerTemplate),
- tmpItem);
- } else {
+ rv = SEC_QuickDERDecodeItem(arena, value,
+ SEC_ASN1_GET(SEC_IntegerTemplate),
+ tmpItem);
+ }
+ else {
rv = SECFailure;
}
- PORT_Free (encodedExtenValue.data);
+ PORT_Free(encodedExtenValue.data);
if (rv == SECFailure) {
PORT_ArenaRelease(arena, mark);
- } else {
+ }
+ else {
PORT_ArenaUnmark(arena, mark);
}
return (rv);
}
-SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
- CERTCRLEntryReasonCode *value)
+SECStatus
+CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry,
+ CERTCRLEntryReasonCode *value)
{
- SECItem wrapperItem = {siBuffer,0};
- SECItem tmpItem = {siBuffer,0};
+ SECItem wrapperItem = { siBuffer, 0 };
+ SECItem tmpItem = { siBuffer, 0 };
SECStatus rv;
PLArenaPool *arena = NULL;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( ! arena ) {
- return(SECFailure);
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ return (SECFailure);
}
-
- rv = cert_FindExtension(crlEntry->extensions, SEC_OID_X509_REASON_CODE,
+
+ rv = cert_FindExtension(crlEntry->extensions, SEC_OID_X509_REASON_CODE,
&wrapperItem);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
SEC_ASN1_GET(SEC_EnumeratedTemplate),
&wrapperItem);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
- *value = (CERTCRLEntryReasonCode) DER_GetInteger(&tmpItem);
+ *value = (CERTCRLEntryReasonCode)DER_GetInteger(&tmpItem);
loser:
- if ( arena ) {
- PORT_FreeArena(arena, PR_FALSE);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
}
-
- if ( wrapperItem.data ) {
- PORT_Free(wrapperItem.data);
+
+ if (wrapperItem.data) {
+ PORT_Free(wrapperItem.data);
}
return (rv);
}
-SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value)
+SECStatus
+CERT_FindInvalidDateExten(CERTCrl *crl, PRTime *value)
{
SECItem encodedExtenValue;
- SECItem decodedExtenValue = {siBuffer,0};
+ SECItem decodedExtenValue = { siBuffer, 0 };
SECStatus rv;
encodedExtenValue.data = decodedExtenValue.data = NULL;
encodedExtenValue.len = decodedExtenValue.len = 0;
- rv = cert_FindExtension
- (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
- if ( rv != SECSuccess )
- return (rv);
+ rv = cert_FindExtension(crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
+ if (rv != SECSuccess)
+ return (rv);
- rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
- SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
- &encodedExtenValue);
+ rv = SEC_ASN1DecodeItem(NULL, &decodedExtenValue,
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
+ &encodedExtenValue);
if (rv == SECSuccess)
- rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
- PORT_Free (decodedExtenValue.data);
- PORT_Free (encodedExtenValue.data);
+ rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
+ PORT_Free(decodedExtenValue.data);
+ PORT_Free(encodedExtenValue.data);
return (rv);
}
diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
index 86ae0a063..e6c9c219e 100644
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -33,13 +33,13 @@
#include "ocspi.h"
#include "genname.h"
#include "certxutl.h"
-#include "pk11func.h" /* for PK11_HashBuf */
+#include "pk11func.h" /* for PK11_HashBuf */
#include <stdarg.h>
#include <plhash.h>
#define DEFAULT_OCSP_CACHE_SIZE 1000
-#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1*60*60L
-#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24*60*60L
+#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1 * 60 * 60L
+#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24 * 60 * 60L
#define DEFAULT_OSCP_TIMEOUT_SECONDS 60
#define MICROSECONDS_PER_SECOND 1000000L
@@ -89,48 +89,45 @@ static struct OCSPGlobalStruct {
SEC_OcspFailureMode ocspFailureMode;
CERT_StringFromCertFcn alternateOCSPAIAFcn;
PRBool forcePost;
-} OCSP_Global = { NULL,
- NULL,
- DEFAULT_OCSP_CACHE_SIZE,
+} OCSP_Global = { NULL,
+ NULL,
+ DEFAULT_OCSP_CACHE_SIZE,
DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
DEFAULT_OSCP_TIMEOUT_SECONDS,
- {NULL, 0, NULL, NULL},
+ { NULL, 0, NULL, NULL },
ocspMode_FailureIsVerificationFailure,
NULL,
- PR_FALSE
- };
-
-
+ PR_FALSE };
/* Forward declarations */
static SECItem *
-ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
+ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest);
static SECStatus
-ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
void *pwArg,
PRBool *certIDWasConsumed,
SECStatus *rv_ocsp);
static SECStatus
ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- CERTOCSPResponse **pDecodedResponse,
- CERTOCSPSingleResponse **pSingle);
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle);
static SECStatus
ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
@@ -149,12 +146,13 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src);
#define OCSP_TRACE_CERT(cert) dumpCertificate(cert)
#define OCSP_TRACE_CERTID(certid) dumpCertID(certid)
-#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \
- || defined(XP_MACOSX)
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) || \
+ defined(XP_MACOSX)
#define NSS_HAVE_GETENV 1
#endif
-static PRBool wantOcspTrace(void)
+static PRBool
+wantOcspTrace(void)
{
static PRBool firstTime = PR_TRUE;
static PRBool wantTrace = PR_FALSE;
@@ -176,7 +174,7 @@ ocsp_Trace(const char *format, ...)
{
char buf[2000];
va_list args;
-
+
if (!wantOcspTrace())
return;
va_start(args, format);
@@ -208,7 +206,8 @@ printHexString(const char *prefix, SECItem *hexval)
for (i = 0; i < hexval->len; i++) {
if (i != hexval->len - 1) {
hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]);
- } else {
+ }
+ else {
hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]);
}
}
@@ -235,10 +234,10 @@ dumpCertificate(CERTCertificate *cert)
DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
- rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y",
- &beforePrintable);
- rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y",
- &afterPrintable);
+ rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y",
+ &beforePrintable);
+ rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y",
+ &afterPrintable);
ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "",
rv2 ? afterstr : "");
}
@@ -261,27 +260,27 @@ SECStatus
SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable)
{
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
}
-
+
PR_EnterMonitor(OCSP_Global.monitor);
OCSP_Global.defaultHttpClientFcn = fcnTable;
PR_ExitMonitor(OCSP_Global.monitor);
-
+
return SECSuccess;
}
SECStatus
CERT_RegisterAlternateOCSPAIAInfoCallBack(
- CERT_StringFromCertFcn newCallback,
- CERT_StringFromCertFcn * oldCallback)
+ CERT_StringFromCertFcn newCallback,
+ CERT_StringFromCertFcn *oldCallback)
{
CERT_StringFromCertFcn old;
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
}
PR_EnterMonitor(OCSP_Global.monitor);
@@ -289,7 +288,7 @@ CERT_RegisterAlternateOCSPAIAInfoCallBack(
OCSP_Global.alternateOCSPAIAFcn = newCallback;
PR_ExitMonitor(OCSP_Global.monitor);
if (oldCallback)
- *oldCallback = old;
+ *oldCallback = old;
return SECSuccess;
}
@@ -300,18 +299,18 @@ ocsp_CacheKeyHashFunction(const void *key)
PLHashNumber hash = 0;
unsigned int i;
unsigned char *walk;
-
+
/* a very simple hash calculation for the initial coding phase */
- walk = (unsigned char*)cid->issuerNameHash.data;
- for (i=0; i < cid->issuerNameHash.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->issuerNameHash.data;
+ for (i = 0; i < cid->issuerNameHash.len; ++i, ++walk) {
hash += *walk;
}
- walk = (unsigned char*)cid->issuerKeyHash.data;
- for (i=0; i < cid->issuerKeyHash.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->issuerKeyHash.data;
+ for (i = 0; i < cid->issuerKeyHash.len; ++i, ++walk) {
hash += *walk;
}
- walk = (unsigned char*)cid->serialNumber.data;
- for (i=0; i < cid->serialNumber.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->serialNumber.data;
+ for (i = 0; i < cid->serialNumber.len; ++i, ++walk) {
hash += *walk;
}
return hash;
@@ -322,13 +321,13 @@ ocsp_CacheKeyCompareFunction(const void *v1, const void *v2)
{
CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1;
CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2;
-
- return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash,
- &cid2->issuerNameHash)
- && SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash,
- &cid2->issuerKeyHash)
- && SECEqual == SECITEM_CompareItem(&cid1->serialNumber,
- &cid2->serialNumber));
+
+ return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash,
+ &cid2->issuerNameHash) &&
+ SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash,
+ &cid2->issuerKeyHash) &&
+ SECEqual == SECITEM_CompareItem(&cid1->serialNumber,
+ &cid2->serialNumber));
}
static SECStatus
@@ -337,32 +336,33 @@ ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest,
{
SECStatus rv = SECFailure;
void *mark;
-
+
mark = PORT_ArenaMark(arena);
-
- dest->certStatusInfo.revokedInfo =
- (ocspRevokedInfo *) PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo));
+
+ dest->certStatusInfo.revokedInfo =
+ (ocspRevokedInfo *)PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo));
if (!dest->certStatusInfo.revokedInfo) {
goto loser;
}
-
- rv = SECITEM_CopyItem(arena,
- &dest->certStatusInfo.revokedInfo->revocationTime,
+
+ rv = SECITEM_CopyItem(arena,
+ &dest->certStatusInfo.revokedInfo->revocationTime,
&src->revocationTime);
if (rv != SECSuccess) {
goto loser;
}
-
+
if (src->revocationReason) {
- dest->certStatusInfo.revokedInfo->revocationReason =
+ dest->certStatusInfo.revokedInfo->revocationReason =
SECITEM_ArenaDupItem(arena, src->revocationReason);
if (!dest->certStatusInfo.revokedInfo->revocationReason) {
goto loser;
}
- } else {
+ }
+ else {
dest->certStatusInfo.revokedInfo->revocationReason = NULL;
}
-
+
PORT_ArenaUnmark(arena, mark);
return SECSuccess;
@@ -373,39 +373,39 @@ loser:
static SECStatus
ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest,
- ocspCertStatus*src)
+ ocspCertStatus *src)
{
SECStatus rv = SECFailure;
dest->certStatusType = src->certStatusType;
-
+
switch (src->certStatusType) {
- case ocspCertStatus_good:
- dest->certStatusInfo.goodInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo);
- if (dest->certStatusInfo.goodInfo != NULL) {
- rv = SECSuccess;
- }
- break;
- case ocspCertStatus_revoked:
- rv = ocsp_CopyRevokedInfo(arena, dest,
- src->certStatusInfo.revokedInfo);
- break;
- case ocspCertStatus_unknown:
- dest->certStatusInfo.unknownInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo);
- if (dest->certStatusInfo.unknownInfo != NULL) {
- rv = SECSuccess;
- }
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(src->certStatusType == ocspCertStatus_other);
- dest->certStatusInfo.otherInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo);
- if (dest->certStatusInfo.otherInfo != NULL) {
- rv = SECSuccess;
- }
- break;
+ case ocspCertStatus_good:
+ dest->certStatusInfo.goodInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo);
+ if (dest->certStatusInfo.goodInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
+ case ocspCertStatus_revoked:
+ rv = ocsp_CopyRevokedInfo(arena, dest,
+ src->certStatusInfo.revokedInfo);
+ break;
+ case ocspCertStatus_unknown:
+ dest->certStatusInfo.unknownInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo);
+ if (dest->certStatusInfo.unknownInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(src->certStatusType == ocspCertStatus_other);
+ dest->certStatusInfo.otherInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo);
+ if (dest->certStatusInfo.otherInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
}
return rv;
}
@@ -453,7 +453,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
}
PORT_Assert(cache->numberOfEntries > 1);
-
+
if (item == cache->LRUitem) {
PORT_Assert(item != cache->MRUitem);
PORT_Assert(item->lessRecent == NULL);
@@ -468,7 +468,8 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
PORT_Assert(item->lessRecent->moreRecent == item);
cache->MRUitem = item->lessRecent;
cache->MRUitem->moreRecent = NULL;
- } else {
+ }
+ else {
/* remove an entry in the middle of the list */
PORT_Assert(item->moreRecent != NULL);
PORT_Assert(item->lessRecent != NULL);
@@ -487,7 +488,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
static void
ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_recent)
{
- OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n",
+ OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n",
PR_GetCurrentThread()));
PR_EnterMonitor(OCSP_Global.monitor);
if (cache->MRUitem == new_most_recent) {
@@ -504,7 +505,7 @@ ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
static PRBool
ocsp_IsCacheDisabled(void)
{
- /*
+ /*
* maxCacheEntries == 0 means unlimited cache entries
* maxCacheEntries < 0 means cache is disabled
*/
@@ -524,12 +525,12 @@ ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID)
PR_EnterMonitor(OCSP_Global.monitor);
if (ocsp_IsCacheDisabled())
goto loser;
-
+
found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup(
- cache->entries, certID);
+ cache->entries, certID);
if (!found_ocsp_item)
goto loser;
-
+
OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n"));
ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item);
@@ -556,7 +557,7 @@ ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
{
/* The item we're removing could be either the least recently used item,
* or it could be an item that couldn't get updated with newer status info
- * because of an allocation failure, or it could get removed because we're
+ * because of an allocation failure, or it could get removed because we're
* cleaning up.
*/
OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
@@ -586,8 +587,8 @@ ocsp_CheckCacheSize(OCSPCacheData *cache)
/* Cache is not disabled. Number of cache entries is limited.
* The monitor ensures that maxCacheEntries remains positive.
*/
- while (cache->numberOfEntries >
- (PRUint32)OCSP_Global.maxCacheEntries) {
+ while (cache->numberOfEntries >
+ (PRUint32)OCSP_Global.maxCacheEntries) {
ocsp_RemoveCacheItem(cache, cache->LRUitem);
}
}
@@ -600,7 +601,7 @@ CERT_ClearOCSPCache(void)
OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n"));
PR_EnterMonitor(OCSP_Global.monitor);
while (OCSP_Global.cache.numberOfEntries > 0) {
- ocsp_RemoveCacheItem(&OCSP_Global.cache,
+ ocsp_RemoveCacheItem(&OCSP_Global.cache,
OCSP_Global.cache.LRUitem);
}
PR_ExitMonitor(OCSP_Global.monitor);
@@ -609,30 +610,30 @@ CERT_ClearOCSPCache(void)
static SECStatus
ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache,
- CERTOCSPCertID *certID,
+ CERTOCSPCertID *certID,
OCSPCacheItem **pCacheItem)
{
PLArenaPool *arena;
void *mark;
PLHashEntry *new_hash_entry;
OCSPCacheItem *item;
-
+
PORT_Assert(pCacheItem != NULL);
*pCacheItem = NULL;
PR_EnterMonitor(OCSP_Global.monitor);
arena = certID->poolp;
mark = PORT_ArenaMark(arena);
-
+
/* ZAlloc will init all Bools to False and all Pointers to NULL
and all error codes to zero/good. */
- item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp,
+ item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp,
sizeof(OCSPCacheItem));
if (!item) {
- goto loser;
+ goto loser;
}
item->certID = certID;
- new_hash_entry = PL_HashTableAdd(cache->entries, item->certID,
+ new_hash_entry = PL_HashTableAdd(cache->entries, item->certID,
item);
if (!new_hash_entry) {
goto loser;
@@ -644,7 +645,7 @@ ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache,
PR_ExitMonitor(OCSP_Global.monitor);
return SECSuccess;
-
+
loser:
PORT_ArenaRelease(arena, mark);
PR_ExitMonitor(OCSP_Global.monitor);
@@ -666,7 +667,7 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item,
if (item->certStatusArena == NULL) {
return SECFailure;
}
- rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus,
+ rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus,
response->certStatus);
if (rv != SECSuccess) {
PORT_FreeArena(item->certStatusArena, PR_FALSE);
@@ -674,14 +675,15 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item,
return rv;
}
item->missingResponseError = 0;
- rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
+ rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
&response->thisUpdate);
item->haveThisUpdate = (rv == SECSuccess);
if (response->nextUpdate) {
- rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
+ rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
response->nextUpdate);
item->haveNextUpdate = (rv == SECSuccess);
- } else {
+ }
+ else {
item->haveNextUpdate = PR_FALSE;
}
}
@@ -694,60 +696,61 @@ ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem)
PRTime now;
PRTime earliestAllowedNextFetchAttemptTime;
PRTime latestTimeWhenResponseIsConsideredFresh;
-
+
OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n"));
PR_EnterMonitor(OCSP_Global.monitor);
-
+
now = PR_Now();
OCSP_TRACE_TIME("now:", now);
-
+
if (cacheItem->haveThisUpdate) {
OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
- OCSP_Global.maximumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
- OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
+ OCSP_Global.maximumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
+ OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
- } else {
+ }
+ else {
latestTimeWhenResponseIsConsideredFresh = now +
- OCSP_Global.minimumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
+ OCSP_Global.minimumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
OCSP_TRACE_TIME("no thisUpdate, "
- "latestTimeWhenResponseIsConsideredFresh:",
+ "latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
}
-
+
if (cacheItem->haveNextUpdate) {
OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate);
}
-
+
if (cacheItem->haveNextUpdate &&
cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) {
latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate;
OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting "
- "latestTimeWhenResponseIsConsideredFresh:",
+ "latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
}
-
+
earliestAllowedNextFetchAttemptTime = now +
- OCSP_Global.minimumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
- OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:",
+ OCSP_Global.minimumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
+ OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:",
earliestAllowedNextFetchAttemptTime);
-
- if (latestTimeWhenResponseIsConsideredFresh <
+
+ if (latestTimeWhenResponseIsConsideredFresh <
earliestAllowedNextFetchAttemptTime) {
- latestTimeWhenResponseIsConsideredFresh =
+ latestTimeWhenResponseIsConsideredFresh =
earliestAllowedNextFetchAttemptTime;
- OCSP_TRACE_TIME("latest < earliest, setting latest to:",
+ OCSP_TRACE_TIME("latest < earliest, setting latest to:",
latestTimeWhenResponseIsConsideredFresh);
}
-
- cacheItem->nextFetchAttemptTime =
+
+ cacheItem->nextFetchAttemptTime =
latestTimeWhenResponseIsConsideredFresh;
- OCSP_TRACE_TIME("nextFetchAttemptTime",
- latestTimeWhenResponseIsConsideredFresh);
+ OCSP_TRACE_TIME("nextFetchAttemptTime",
+ latestTimeWhenResponseIsConsideredFresh);
PR_ExitMonitor(OCSP_Global.monitor);
}
@@ -776,14 +779,14 @@ ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
}
/*
- * Status in *certIDWasConsumed will always be correct, regardless of
+ * Status in *certIDWasConsumed will always be correct, regardless of
* return value.
* If the caller is unable to transfer ownership of certID,
* then the caller must set certIDWasConsumed to NULL,
* and this function will potentially duplicate the certID object.
*/
static SECStatus
-ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
+ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
CERTOCSPCertID *certID,
CERTOCSPSingleResponse *single,
PRBool *certIDWasConsumed)
@@ -791,13 +794,13 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
SECStatus rv;
OCSPCacheItem *cacheItem;
OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n"));
-
+
if (certIDWasConsumed)
*certIDWasConsumed = PR_FALSE;
-
+
PR_EnterMonitor(OCSP_Global.monitor);
PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
-
+
cacheItem = ocsp_FindCacheEntry(cache, certID);
/* Don't replace an unknown or revoked entry with an error entry, even if
@@ -817,7 +820,8 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
if (certIDWasConsumed) {
myCertID = certID;
*certIDWasConsumed = PR_TRUE;
- } else {
+ }
+ else {
myCertID = cert_DupOCSPCertID(certID);
if (!myCertID) {
PR_ExitMonitor(OCSP_Global.monitor);
@@ -845,11 +849,13 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
PR_ExitMonitor(OCSP_Global.monitor);
return rv;
}
- } else {
+ }
+ else {
OCSP_TRACE(("Not caching response because the response is not "
"newer than the cache"));
}
- } else {
+ }
+ else {
cacheItem->missingResponseError = PORT_GetError();
if (cacheItem->certStatusArena) {
PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE);
@@ -867,12 +873,12 @@ extern SECStatus
CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode)
{
switch (ocspFailureMode) {
- case ocspMode_FailureIsVerificationFailure:
- case ocspMode_FailureIsNotAVerificationFailure:
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ case ocspMode_FailureIsVerificationFailure:
+ case ocspMode_FailureIsNotAVerificationFailure:
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
PR_EnterMonitor(OCSP_Global.monitor);
@@ -886,39 +892,41 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
PRUint32 minimumSecondsToNextFetchAttempt,
PRUint32 maximumSecondsToNextFetchAttempt)
{
- if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt
- || maxCacheEntries < -1) {
+ if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt ||
+ maxCacheEntries < -1) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
-
+
PR_EnterMonitor(OCSP_Global.monitor);
-
+
if (maxCacheEntries < 0) {
OCSP_Global.maxCacheEntries = -1; /* disable cache */
- } else if (maxCacheEntries == 0) {
+ }
+ else if (maxCacheEntries == 0) {
OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */
- } else {
+ }
+ else {
OCSP_Global.maxCacheEntries = maxCacheEntries;
}
-
- if (minimumSecondsToNextFetchAttempt <
- OCSP_Global.minimumSecondsToNextFetchAttempt
- || maximumSecondsToNextFetchAttempt <
+
+ if (minimumSecondsToNextFetchAttempt <
+ OCSP_Global.minimumSecondsToNextFetchAttempt ||
+ maximumSecondsToNextFetchAttempt <
OCSP_Global.maximumSecondsToNextFetchAttempt) {
/*
- * Ensure our existing cache entries are not used longer than the
+ * Ensure our existing cache entries are not used longer than the
* new settings allow, we're lazy and just clear the cache
*/
CERT_ClearOCSPCache();
}
-
- OCSP_Global.minimumSecondsToNextFetchAttempt =
+
+ OCSP_Global.minimumSecondsToNextFetchAttempt =
minimumSecondsToNextFetchAttempt;
- OCSP_Global.maximumSecondsToNextFetchAttempt =
+ OCSP_Global.maximumSecondsToNextFetchAttempt =
maximumSecondsToNextFetchAttempt;
ocsp_CheckCacheSize(&OCSP_Global.cache);
-
+
PR_ExitMonitor(OCSP_Global.monitor);
return SECSuccess;
}
@@ -932,7 +940,8 @@ CERT_SetOCSPTimeout(PRUint32 seconds)
}
/* this function is called at NSS initialization time */
-SECStatus OCSP_InitGlobal(void)
+SECStatus
+OCSP_InitGlobal(void)
{
SECStatus rv = SECFailure;
@@ -944,18 +953,19 @@ SECStatus OCSP_InitGlobal(void)
PR_EnterMonitor(OCSP_Global.monitor);
if (!OCSP_Global.cache.entries) {
- OCSP_Global.cache.entries =
- PL_NewHashTable(0,
- ocsp_CacheKeyHashFunction,
- ocsp_CacheKeyCompareFunction,
- PL_CompareValues,
- NULL,
+ OCSP_Global.cache.entries =
+ PL_NewHashTable(0,
+ ocsp_CacheKeyHashFunction,
+ ocsp_CacheKeyCompareFunction,
+ PL_CompareValues,
+ NULL,
NULL);
OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure;
OCSP_Global.cache.numberOfEntries = 0;
OCSP_Global.cache.MRUitem = NULL;
OCSP_Global.cache.LRUitem = NULL;
- } else {
+ }
+ else {
/*
* NSS might call this function twice while attempting to init.
* But it's not allowed to call this again after any activity.
@@ -969,7 +979,8 @@ SECStatus OCSP_InitGlobal(void)
return rv;
}
-SECStatus OCSP_ShutdownGlobal(void)
+SECStatus
+OCSP_ShutdownGlobal(void)
{
if (!OCSP_Global.monitor)
return SECSuccess;
@@ -986,12 +997,12 @@ SECStatus OCSP_ShutdownGlobal(void)
OCSP_Global.defaultHttpClientFcn = NULL;
OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE;
- OCSP_Global.minimumSecondsToNextFetchAttempt =
- DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+ OCSP_Global.minimumSecondsToNextFetchAttempt =
+ DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
OCSP_Global.maximumSecondsToNextFetchAttempt =
- DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+ DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
OCSP_Global.ocspFailureMode =
- ocspMode_FailureIsVerificationFailure;
+ ocspMode_FailureIsVerificationFailure;
PR_ExitMonitor(OCSP_Global.monitor);
PR_DestroyMonitor(OCSP_Global.monitor);
@@ -1000,22 +1011,23 @@ SECStatus OCSP_ShutdownGlobal(void)
}
/*
- * A return value of NULL means:
+ * A return value of NULL means:
* The application did not register it's own HTTP client.
*/
-const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient(void)
+const SEC_HttpClientFcn *
+SEC_GetRegisteredHttpClient(void)
{
const SEC_HttpClientFcn *retval;
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return NULL;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return NULL;
}
PR_EnterMonitor(OCSP_Global.monitor);
retval = OCSP_Global.defaultHttpClientFcn;
PR_ExitMonitor(OCSP_Global.monitor);
-
+
return retval;
}
@@ -1057,7 +1069,6 @@ extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
-
/*
* Request-related templates...
*/
@@ -1069,14 +1080,14 @@ extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
*/
static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPRequest) },
+ 0, NULL, sizeof(CERTOCSPRequest) },
{ SEC_ASN1_POINTER,
- offsetof(CERTOCSPRequest, tbsRequest),
- ocsp_TBSRequestTemplate },
+ offsetof(CERTOCSPRequest, tbsRequest),
+ ocsp_TBSRequestTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPRequest, optionalSignature),
- ocsp_PointerToSignatureTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(CERTOCSPRequest, optionalSignature),
+ ocsp_PointerToSignatureTemplate },
{ 0 }
};
@@ -1095,22 +1106,22 @@ static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
*/
const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspTBSRequest) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspTBSRequest, version),
- SEC_ASN1_SUB(SEC_IntegerTemplate) },
+ 0, NULL, sizeof(ocspTBSRequest) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspTBSRequest, version),
+ SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
- offsetof(ocspTBSRequest, derRequestorName),
- SEC_ASN1_SUB(SEC_PointerToAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ offsetof(ocspTBSRequest, derRequestorName),
+ SEC_ASN1_SUB(SEC_PointerToAnyTemplate) },
{ SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspTBSRequest, requestList),
- ocsp_SingleRequestTemplate },
+ offsetof(ocspTBSRequest, requestList),
+ ocsp_SingleRequestTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(ocspTBSRequest, requestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+ offsetof(ocspTBSRequest, requestExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1122,16 +1133,16 @@ const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
*/
static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSignature) },
+ 0, NULL, sizeof(ocspSignature) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(ocspSignature, signatureAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(ocspSignature, signatureAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_BIT_STRING,
- offsetof(ocspSignature, signature) },
+ offsetof(ocspSignature, signature) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspSignature, derCerts),
- SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspSignature, derCerts),
+ SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
{ 0 }
};
@@ -1157,19 +1168,18 @@ const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
* is the only way it will compile.
*/
const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSingleRequest) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(ocspSingleRequest) },
{ SEC_ASN1_POINTER,
- offsetof(ocspSingleRequest, reqCert),
- ocsp_CertIDTemplate },
+ offsetof(ocspSingleRequest, reqCert),
+ ocsp_CertIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspSingleRequest, singleRequestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ocspSingleRequest, singleRequestExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
-
/*
* This data structure and template (CertID) is used by both OCSP
* requests and responses. It is the only one that is shared.
@@ -1187,21 +1197,20 @@ const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
* is the only way it will compile.
*/
const SEC_ASN1Template ocsp_CertIDTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPCertID) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(CERTOCSPCertID) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(CERTOCSPCertID, hashAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(CERTOCSPCertID, hashAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerNameHash) },
+ offsetof(CERTOCSPCertID, issuerNameHash) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerKeyHash) },
- { SEC_ASN1_INTEGER,
- offsetof(CERTOCSPCertID, serialNumber) },
+ offsetof(CERTOCSPCertID, issuerKeyHash) },
+ { SEC_ASN1_INTEGER,
+ offsetof(CERTOCSPCertID, serialNumber) },
{ 0 }
};
-
/*
* Response-related templates...
*/
@@ -1212,14 +1221,14 @@ const SEC_ASN1Template ocsp_CertIDTemplate[] = {
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*/
const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPResponse) },
- { SEC_ASN1_ENUMERATED,
- offsetof(CERTOCSPResponse, responseStatus) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(CERTOCSPResponse) },
+ { SEC_ASN1_ENUMERATED,
+ offsetof(CERTOCSPResponse, responseStatus) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPResponse, responseBytes),
- ocsp_PointerToResponseBytesTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(CERTOCSPResponse, responseBytes),
+ ocsp_PointerToResponseBytesTemplate },
{ 0 }
};
@@ -1230,11 +1239,11 @@ const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseBytes) },
+ 0, NULL, sizeof(ocspResponseBytes) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(ocspResponseBytes, responseType) },
+ offsetof(ocspResponseBytes, responseType) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(ocspResponseBytes, response) },
+ offsetof(ocspResponseBytes, response) },
{ 0 }
};
@@ -1259,21 +1268,21 @@ const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
*/
static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspBasicOCSPResponse) },
+ 0, NULL, sizeof(ocspBasicOCSPResponse) },
{ SEC_ASN1_ANY | SEC_ASN1_SAVE,
- offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) },
+ offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) },
{ SEC_ASN1_POINTER,
- offsetof(ocspBasicOCSPResponse, tbsResponseData),
- ocsp_ResponseDataTemplate },
+ offsetof(ocspBasicOCSPResponse, tbsResponseData),
+ ocsp_ResponseDataTemplate },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_BIT_STRING,
- offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
- SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+ SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
{ 0 }
};
@@ -1291,22 +1300,22 @@ static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseData) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspResponseData, version),
- SEC_ASN1_SUB(SEC_IntegerTemplate) },
+ 0, NULL, sizeof(ocspResponseData) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspResponseData, version),
+ SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ SEC_ASN1_ANY,
- offsetof(ocspResponseData, derResponderID) },
+ offsetof(ocspResponseData, derResponderID) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspResponseData, producedAt) },
+ offsetof(ocspResponseData, producedAt) },
{ SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspResponseData, responses),
- ocsp_SingleResponseTemplate },
+ offsetof(ocspResponseData, responses),
+ ocsp_SingleResponseTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponseData, responseExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspResponseData, responseExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1327,24 +1336,25 @@ const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponderID, responderIDValue.name),
- CERT_NameTemplate }
+ offsetof(ocspResponderID, responderIDValue.name),
+ CERT_NameTemplate }
};
const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 2,
- offsetof(ocspResponderID, responderIDValue.keyHash),
- SEC_ASN1_SUB(SEC_OctetStringTemplate) }
+ SEC_ASN1_XTRN | 2,
+ offsetof(ocspResponderID, responderIDValue.keyHash),
+ SEC_ASN1_SUB(SEC_OctetStringTemplate) }
};
static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
{ SEC_ASN1_ANY,
- offsetof(ocspResponderID, responderIDValue.other) }
+ offsetof(ocspResponderID, responderIDValue.other) }
};
/* Decode choice container, but leave x509 name object encoded */
static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 1, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+ SEC_ASN1_XTRN | 1,
+ 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
};
/*
@@ -1361,22 +1371,22 @@ static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = {
*/
const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPSingleResponse) },
+ 0, NULL, sizeof(CERTOCSPSingleResponse) },
{ SEC_ASN1_POINTER,
- offsetof(CERTOCSPSingleResponse, certID),
- ocsp_CertIDTemplate },
+ offsetof(CERTOCSPSingleResponse, certID),
+ ocsp_CertIDTemplate },
{ SEC_ASN1_ANY,
- offsetof(CERTOCSPSingleResponse, derCertStatus) },
+ offsetof(CERTOCSPSingleResponse, derCertStatus) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(CERTOCSPSingleResponse, thisUpdate) },
+ offsetof(CERTOCSPSingleResponse, thisUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(CERTOCSPSingleResponse, nextUpdate),
- SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(CERTOCSPSingleResponse, nextUpdate),
+ SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTOCSPSingleResponse, singleExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(CERTOCSPSingleResponse, singleExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1395,23 +1405,23 @@ const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
*/
static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspCertStatus, certStatusInfo.goodInfo),
- SEC_ASN1_SUB(SEC_NullTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.goodInfo),
+ SEC_ASN1_SUB(SEC_NullTemplate) }
};
static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
- ocsp_RevokedInfoTemplate }
+ { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+ ocsp_RevokedInfoTemplate }
};
static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
- offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
- SEC_ASN1_SUB(SEC_NullTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
+ SEC_ASN1_SUB(SEC_NullTemplate) }
};
static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN,
- offsetof(ocspCertStatus, certStatusInfo.otherInfo),
- SEC_ASN1_SUB(SEC_AnyTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.otherInfo),
+ SEC_ASN1_SUB(SEC_AnyTemplate) }
};
/*
@@ -1425,18 +1435,17 @@ static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
*/
const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspRevokedInfo) },
+ 0, NULL, sizeof(ocspRevokedInfo) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspRevokedInfo, revocationTime) },
+ offsetof(ocspRevokedInfo, revocationTime) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 0,
- offsetof(ocspRevokedInfo, revocationReason),
- SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 0,
+ offsetof(ocspRevokedInfo, revocationReason),
+ SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) },
{ 0 }
};
-
/*
* OCSP-specific extension templates:
*/
@@ -1448,25 +1457,24 @@ const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
*/
static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspServiceLocator) },
+ 0, NULL, sizeof(ocspServiceLocator) },
{ SEC_ASN1_POINTER,
- offsetof(ocspServiceLocator, issuer),
- CERT_NameTemplate },
+ offsetof(ocspServiceLocator, issuer),
+ CERT_NameTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(ocspServiceLocator, locator) },
+ offsetof(ocspServiceLocator, locator) },
{ 0 }
};
-
/*
* REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
*/
-/*
+/*
* FUNCTION: CERT_EncodeOCSPRequest
* DER encodes an OCSP Request, possibly adding a signature as well.
* XXX Signing is not yet supported, however; see comments in code.
- * INPUTS:
+ * INPUTS:
* PLArenaPool *arena
* The return value is allocated from here.
* If a NULL is passed in, allocation is done from the heap instead.
@@ -1482,7 +1490,7 @@ static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
*/
SECItem *
CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
- void *pwArg)
+ void *pwArg)
{
SECStatus rv;
@@ -1491,10 +1499,10 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
PORT_Assert(request->tbsRequest);
if (request->tbsRequest->extensionHandle != NULL) {
- rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
- request->tbsRequest->extensionHandle = NULL;
- if (rv != SECSuccess)
- return NULL;
+ rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+ request->tbsRequest->extensionHandle = NULL;
+ if (rv != SECSuccess)
+ return NULL;
}
/*
@@ -1510,7 +1518,6 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
}
-
/*
* FUNCTION: CERT_DecodeOCSPRequest
* Decode a DER encoded OCSP Request.
@@ -1533,27 +1540,27 @@ CERT_DecodeOCSPRequest(const SECItem *src)
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
- dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPRequest));
+ dest = (CERTOCSPRequest *)PORT_ArenaZAlloc(arena,
+ sizeof(CERTOCSPRequest));
if (dest == NULL) {
- goto loser;
+ goto loser;
}
dest->arena = arena;
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newSrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ goto loser;
}
/*
@@ -1561,24 +1568,24 @@ CERT_DecodeOCSPRequest(const SECItem *src)
* of doing this copying of the arena pointer.
*/
for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
- dest->tbsRequest->requestList[i]->arena = arena;
+ dest->tbsRequest->requestList[i]->arena = arena;
}
return dest;
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
+CERT_DestroyOCSPCertID(CERTOCSPCertID *certID)
{
if (certID && certID->poolp) {
- PORT_FreeArena(certID->poolp, PR_FALSE);
- return SECSuccess;
+ PORT_FreeArena(certID->poolp, PR_FALSE);
+ return SECSuccess;
}
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -1593,7 +1600,7 @@ CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
*/
SECItem *
-ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
+ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
SECItem *fill, const SECItem *src)
{
const SECHashObject *digestObject;
@@ -1601,27 +1608,28 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
void *mark = NULL;
void *digestBuff = NULL;
- if ( arena != NULL ) {
+ if (arena != NULL) {
mark = PORT_ArenaMark(arena);
}
digestObject = HASH_GetHashObjectByOidTag(digestAlg);
- if ( digestObject == NULL ) {
+ if (digestObject == NULL) {
goto loser;
}
if (fill == NULL || fill->data == NULL) {
- result = SECITEM_AllocItem(arena, fill, digestObject->length);
- if ( result == NULL ) {
- goto loser;
- }
- digestBuff = result->data;
- } else {
- if (fill->len < digestObject->length) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- digestBuff = fill->data;
+ result = SECITEM_AllocItem(arena, fill, digestObject->length);
+ if (result == NULL) {
+ goto loser;
+ }
+ digestBuff = result->data;
+ }
+ else {
+ if (fill->len < digestObject->length) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ digestBuff = fill->data;
}
if (PK11_HashBuf(digestAlg, digestBuff,
@@ -1629,7 +1637,7 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
goto loser;
}
- if ( arena != NULL ) {
+ if (arena != NULL) {
PORT_ArenaUnmark(arena, mark);
}
@@ -1641,12 +1649,13 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
loser:
if (arena != NULL) {
PORT_ArenaRelease(arena, mark);
- } else {
+ }
+ else {
if (result != NULL) {
SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
}
}
- return(NULL);
+ return (NULL);
}
/*
@@ -1713,18 +1722,18 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
if (certID == NULL) {
- goto loser;
+ goto loser;
}
rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
- NULL);
+ NULL);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
if (issuerCert == NULL) {
- goto loser;
+ goto loser;
}
if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
@@ -1745,29 +1754,28 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
}
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
- &certID->issuerKeyHash) == NULL) {
- goto loser;
+ &certID->issuerKeyHash) == NULL) {
+ goto loser;
}
certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
/* cache the other two hash algorithms as well */
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
- &certID->issuerMD5KeyHash) == NULL) {
- goto loser;
+ &certID->issuerMD5KeyHash) == NULL) {
+ goto loser;
}
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
- &certID->issuerMD2KeyHash) == NULL) {
- goto loser;
+ &certID->issuerMD2KeyHash) == NULL) {
+ goto loser;
}
-
/* now we are done with issuerCert */
CERT_DestroyCertificate(issuerCert);
issuerCert = NULL;
rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
PORT_ArenaUnmark(arena, mark);
@@ -1775,25 +1783,25 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
loser:
if (issuerCert != NULL) {
- CERT_DestroyCertificate(issuerCert);
+ CERT_DestroyCertificate(issuerCert);
}
PORT_ArenaRelease(arena, mark);
return NULL;
}
-CERTOCSPCertID*
+CERTOCSPCertID *
CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTOCSPCertID *certID;
PORT_Assert(arena != NULL);
if (!arena)
- return NULL;
-
+ return NULL;
+
certID = ocsp_CreateCertID(arena, cert, time);
if (!certID) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
}
certID->poolp = arena;
return certID;
@@ -1818,11 +1826,11 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src)
if (!dest)
goto loser;
-#define DUPHELP(element) \
- if (src->element.data && \
- SECITEM_CopyItem(arena, &dest->element, &src->element) \
- != SECSuccess) { \
- goto loser; \
+#define DUPHELP(element) \
+ if (src->element.data && \
+ SECITEM_CopyItem(arena, &dest->element, &src->element) != \
+ SECSuccess) { \
+ goto loser; \
}
DUPHELP(hashAlgorithm.algorithm)
@@ -1850,12 +1858,13 @@ loser:
/*
* Callback to set Extensions in request object
*/
-void SetSingleReqExts(void *object, CERTCertExtension **exts)
+void
+SetSingleReqExts(void *object, CERTCertExtension **exts)
{
- ocspSingleRequest *singleRequest =
- (ocspSingleRequest *)object;
+ ocspSingleRequest *singleRequest =
+ (ocspSingleRequest *)object;
- singleRequest->singleRequestExtensions = exts;
+ singleRequest->singleRequestExtensions = exts;
}
/*
@@ -1866,7 +1875,7 @@ void SetSingleReqExts(void *object, CERTCertExtension **exts)
*/
static SECStatus
ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
- CERTCertificate *cert)
+ CERTCertificate *cert)
{
ocspServiceLocator *serviceLocator = NULL;
void *extensionHandle = NULL;
@@ -1874,7 +1883,7 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
serviceLocator = PORT_ZNew(ocspServiceLocator);
if (serviceLocator == NULL)
- goto loser;
+ goto loser;
/*
* Normally it would be a bad idea to do a direct reference like
@@ -1886,10 +1895,10 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
serviceLocator->issuer = &cert->issuer;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- &serviceLocator->locator);
+ &serviceLocator->locator);
if (rv != SECSuccess) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
- goto loser;
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
+ goto loser;
}
/* prepare for following loser gotos */
@@ -1897,33 +1906,33 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
PORT_SetError(0);
extensionHandle = cert_StartExtensions(singleRequest,
- singleRequest->arena, SetSingleReqExts);
+ singleRequest->arena, SetSingleReqExts);
if (extensionHandle == NULL)
- goto loser;
+ goto loser;
rv = CERT_EncodeAndAddExtension(extensionHandle,
- SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
- serviceLocator, PR_FALSE,
- ocsp_ServiceLocatorTemplate);
+ SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+ serviceLocator, PR_FALSE,
+ ocsp_ServiceLocatorTemplate);
loser:
if (extensionHandle != NULL) {
- /*
+ /*
* Either way we have to finish out the extension context (so it gets
* freed). But careful not to override any already-set bad status.
*/
- SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
- if (rv == SECSuccess)
- rv = tmprv;
+ SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
+ if (rv == SECSuccess)
+ rv = tmprv;
}
/*
* Finally, free the serviceLocator structure itself and we are done.
*/
if (serviceLocator != NULL) {
- if (serviceLocator->locator.data != NULL)
- SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
- PORT_Free(serviceLocator);
+ if (serviceLocator->locator.data != NULL)
+ SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
+ PORT_Free(serviceLocator);
}
return rv;
@@ -1949,18 +1958,18 @@ ocsp_CreateSingleRequestList(PLArenaPool *arena, CERTCertList *certList,
CERTCertListNode *node = NULL;
int i, count;
void *mark = PORT_ArenaMark(arena);
-
+
node = CERT_LIST_HEAD(certList);
for (count = 0; !CERT_LIST_END(node, certList); count++) {
node = CERT_LIST_NEXT(node);
}
if (count == 0)
- goto loser;
+ goto loser;
requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
if (requestList == NULL)
- goto loser;
+ goto loser;
node = CERT_LIST_HEAD(certList);
for (i = 0; !CERT_LIST_END(node, certList); i++) {
@@ -1998,7 +2007,7 @@ loser:
static ocspSingleRequest **
ocsp_CreateRequestFromCert(PLArenaPool *arena,
- CERTOCSPCertID *certID,
+ CERTOCSPCertID *certID,
CERTCertificate *singleCert,
PRTime time,
PRBool includeLocator)
@@ -2016,7 +2025,7 @@ ocsp_CreateRequestFromCert(PLArenaPool *arena,
goto loser;
requestList[0]->arena = arena;
/* certID will live longer than the request */
- requestList[0]->reqCert = certID;
+ requestList[0]->reqCert = certID;
if (includeLocator == PR_TRUE) {
SECStatus rv;
@@ -2067,8 +2076,8 @@ loser:
}
CERTOCSPRequest *
-cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
- CERTCertificate *singleCert,
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert)
@@ -2091,8 +2100,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
* Version 1 is the default, so we need not fill in a version number.
* Now create the list of single requests, one for each cert.
*/
- request->tbsRequest->requestList =
- ocsp_CreateRequestFromCert(request->arena,
+ request->tbsRequest->requestList =
+ ocsp_CreateRequestFromCert(request->arena,
certID,
singleCert,
time,
@@ -2106,7 +2115,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
/*
* FUNCTION: CERT_CreateOCSPRequest
- * Creates a CERTOCSPRequest, requesting the status of the certs in
+ * Creates a CERTOCSPRequest, requesting the status of the certs in
* the given list.
* INPUTS:
* CERTCertList *certList
@@ -2118,7 +2127,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no effect on the request itself.
* PRBool addServiceLocator
@@ -2137,8 +2146,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
*/
CERTOCSPRequest *
CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert)
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert)
{
CERTOCSPRequest *request = NULL;
@@ -2147,7 +2156,7 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
return NULL;
}
/*
- * XXX When we are prepared to put signing of requests back in,
+ * XXX When we are prepared to put signing of requests back in,
* we will need to allocate a signature
* structure for the request, fill in the "derCerts" field in it,
* save the signerCert there, as well as fill in the "requestorName"
@@ -2163,8 +2172,8 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
/*
* Now create the list of single requests, one for each cert.
*/
- request->tbsRequest->requestList =
- ocsp_CreateSingleRequestList(request->arena,
+ request->tbsRequest->requestList =
+ ocsp_CreateSingleRequestList(request->arena,
certList,
time,
addServiceLocator);
@@ -2192,16 +2201,17 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
* All errors are internal or low-level problems (e.g. no memory).
*/
-void SetRequestExts(void *object, CERTCertExtension **exts)
+void
+SetRequestExts(void *object, CERTCertExtension **exts)
{
- CERTOCSPRequest *request = (CERTOCSPRequest *)object;
+ CERTOCSPRequest *request = (CERTOCSPRequest *)object;
- request->tbsRequest->requestExtensions = exts;
+ request->tbsRequest->requestExtensions = exts;
}
SECStatus
CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
- SECOidTag responseType0, ...)
+ SECOidTag responseType0, ...)
{
void *extHandle;
va_list ap;
@@ -2213,60 +2223,59 @@ CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
extHandle = request->tbsRequest->extensionHandle;
if (extHandle == NULL) {
- extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
- if (extHandle == NULL)
- goto loser;
+ extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
+ if (extHandle == NULL)
+ goto loser;
}
/* Count number of OIDS going into the extension value. */
count = 1;
if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
- va_start(ap, responseType0);
- do {
- count++;
- responseType = va_arg(ap, SECOidTag);
- } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
- va_end(ap);
+ va_start(ap, responseType0);
+ do {
+ count++;
+ responseType = va_arg(ap, SECOidTag);
+ } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ va_end(ap);
}
acceptableResponses = PORT_NewArray(SECItem *, count + 1);
if (acceptableResponses == NULL)
- goto loser;
+ goto loser;
i = 0;
responseOid = SECOID_FindOIDByTag(responseType0);
acceptableResponses[i++] = &(responseOid->oid);
if (count > 1) {
- va_start(ap, responseType0);
- for ( ; i < count; i++) {
- responseType = va_arg(ap, SECOidTag);
- responseOid = SECOID_FindOIDByTag(responseType);
- acceptableResponses[i] = &(responseOid->oid);
- }
- va_end(ap);
+ va_start(ap, responseType0);
+ for (; i < count; i++) {
+ responseType = va_arg(ap, SECOidTag);
+ responseOid = SECOID_FindOIDByTag(responseType);
+ acceptableResponses[i] = &(responseOid->oid);
+ }
+ va_end(ap);
}
acceptableResponses[i] = NULL;
rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
- &acceptableResponses, PR_FALSE,
- SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate));
+ &acceptableResponses, PR_FALSE,
+ SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate));
if (rv != SECSuccess)
- goto loser;
+ goto loser;
PORT_Free(acceptableResponses);
if (request->tbsRequest->extensionHandle == NULL)
- request->tbsRequest->extensionHandle = extHandle;
+ request->tbsRequest->extensionHandle = extHandle;
return SECSuccess;
loser:
if (acceptableResponses != NULL)
- PORT_Free(acceptableResponses);
+ PORT_Free(acceptableResponses);
if (extHandle != NULL)
- (void) CERT_FinishExtensions(extHandle);
+ (void)CERT_FinishExtensions(extHandle);
return rv;
}
-
/*
* FUNCTION: CERT_DestroyOCSPRequest
* Frees an OCSP Request structure.
@@ -2280,20 +2289,20 @@ void
CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
{
if (request == NULL)
- return;
+ return;
if (request->tbsRequest != NULL) {
- if (request->tbsRequest->requestorName != NULL)
- CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
- if (request->tbsRequest->extensionHandle != NULL)
- (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+ if (request->tbsRequest->requestorName != NULL)
+ CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
+ if (request->tbsRequest->extensionHandle != NULL)
+ (void)CERT_FinishExtensions(request->tbsRequest->extensionHandle);
}
if (request->optionalSignature != NULL) {
- if (request->optionalSignature->cert != NULL)
- CERT_DestroyCertificate(request->optionalSignature->cert);
+ if (request->optionalSignature->cert != NULL)
+ CERT_DestroyCertificate(request->optionalSignature->cert);
- /*
+ /*
* XXX Need to free derCerts? Or do they come out of arena?
* (Currently we never fill in derCerts, which is why the
* answer is not obvious. Once we do, add any necessary code
@@ -2308,10 +2317,9 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
*/
PORT_Assert(request->arena != NULL);
if (request->arena != NULL)
- PORT_FreeArena(request->arena, PR_FALSE);
+ PORT_FreeArena(request->arena, PR_FALSE);
}
-
/*
* RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
*/
@@ -2326,17 +2334,17 @@ ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType)
const SEC_ASN1Template *responderIDTemplate;
switch (responderIDType) {
- case ocspResponderID_byName:
- responderIDTemplate = ocsp_ResponderIDByNameTemplate;
- break;
- case ocspResponderID_byKey:
- responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(responderIDType == ocspResponderID_other);
- responderIDTemplate = ocsp_ResponderIDOtherTemplate;
- break;
+ case ocspResponderID_byName:
+ responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+ break;
+ case ocspResponderID_byKey:
+ responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+ break;
+ case ocspResponderID_other:
+ default:
+ PORT_Assert(responderIDType == ocspResponderID_other);
+ responderIDTemplate = ocsp_ResponderIDOtherTemplate;
+ break;
}
return responderIDTemplate;
@@ -2352,20 +2360,20 @@ ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
const SEC_ASN1Template *certStatusTemplate;
switch (certStatusType) {
- case ocspCertStatus_good:
- certStatusTemplate = ocsp_CertStatusGoodTemplate;
- break;
- case ocspCertStatus_revoked:
- certStatusTemplate = ocsp_CertStatusRevokedTemplate;
- break;
- case ocspCertStatus_unknown:
- certStatusTemplate = ocsp_CertStatusUnknownTemplate;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(certStatusType == ocspCertStatus_other);
- certStatusTemplate = ocsp_CertStatusOtherTemplate;
- break;
+ case ocspCertStatus_good:
+ certStatusTemplate = ocsp_CertStatusGoodTemplate;
+ break;
+ case ocspCertStatus_revoked:
+ certStatusTemplate = ocsp_CertStatusRevokedTemplate;
+ break;
+ case ocspCertStatus_unknown:
+ certStatusTemplate = ocsp_CertStatusUnknownTemplate;
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(certStatusType == ocspCertStatus_other);
+ certStatusTemplate = ocsp_CertStatusOtherTemplate;
+ break;
}
return certStatusTemplate;
@@ -2381,18 +2389,18 @@ ocsp_CertStatusTypeByTag(int derTag)
ocspCertStatusType certStatusType;
switch (derTag) {
- case 0:
- certStatusType = ocspCertStatus_good;
- break;
- case 1:
- certStatusType = ocspCertStatus_revoked;
- break;
- case 2:
- certStatusType = ocspCertStatus_unknown;
- break;
- default:
- certStatusType = ocspCertStatus_other;
- break;
+ case 0:
+ certStatusType = ocspCertStatus_good;
+ break;
+ case 1:
+ certStatusType = ocspCertStatus_revoked;
+ break;
+ case 2:
+ certStatusType = ocspCertStatus_unknown;
+ break;
+ default:
+ certStatusType = ocspCertStatus_other;
+ break;
}
return certStatusType;
@@ -2407,7 +2415,7 @@ ocsp_CertStatusTypeByTag(int derTag)
*/
static SECStatus
ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena,
- CERTOCSPSingleResponse **responses)
+ CERTOCSPSingleResponse **responses)
{
ocspCertStatus *certStatus;
ocspCertStatusType certStatusType;
@@ -2421,39 +2429,39 @@ ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena,
return SECFailure;
}
- if (responses == NULL) /* nothing to do */
- return SECSuccess;
+ if (responses == NULL) /* nothing to do */
+ return SECSuccess;
for (i = 0; responses[i] != NULL; i++) {
- SECItem* newStatus;
- /*
+ SECItem *newStatus;
+ /*
* The following assert points out internal errors (problems in
* the template definitions or in the ASN.1 decoder itself, etc.).
*/
- PORT_Assert(responses[i]->derCertStatus.data != NULL);
+ PORT_Assert(responses[i]->derCertStatus.data != NULL);
- derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
- certStatusType = ocsp_CertStatusTypeByTag(derTag);
- certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
+ derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
+ certStatusType = ocsp_CertStatusTypeByTag(derTag);
+ certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
- certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
- if (certStatus == NULL) {
- goto loser;
- }
+ certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
+ if (certStatus == NULL) {
+ goto loser;
+ }
newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus);
if (!newStatus) {
goto loser;
}
- rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
- newStatus);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
+ rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
+ newStatus);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
+ }
- certStatus->certStatusType = certStatusType;
- responses[i]->certStatus = certStatus;
+ certStatus->certStatusType = certStatusType;
+ responses[i]->certStatus = certStatus;
}
return SECSuccess;
@@ -2472,15 +2480,15 @@ ocsp_ResponderIDTypeByTag(int derTag)
CERTOCSPResponderIDType responderIDType;
switch (derTag) {
- case 1:
- responderIDType = ocspResponderID_byName;
- break;
- case 2:
- responderIDType = ocspResponderID_byKey;
- break;
- default:
- responderIDType = ocspResponderID_other;
- break;
+ case 1:
+ responderIDType = ocspResponderID_byName;
+ break;
+ case 2:
+ responderIDType = ocspResponderID_byKey;
+ break;
+ default:
+ responderIDType = ocspResponderID_other;
+ break;
}
return responderIDType;
@@ -2506,22 +2514,22 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
if (basicResponse == NULL) {
- goto loser;
+ goto loser;
}
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newsrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, basicResponse,
- ocsp_BasicOCSPResponseTemplate, &newsrc);
+ ocsp_BasicOCSPResponseTemplate, &newsrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
responseData = basicResponse->tbsResponseData;
@@ -2543,15 +2551,15 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
if (responderID == NULL) {
- goto loser;
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate,
- &responseData->derResponderID);
+ &responseData->derResponderID);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
responderID->responderIDType = responderIDType;
@@ -2563,7 +2571,7 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
*/
rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
PORT_ArenaUnmark(arena, mark);
@@ -2574,7 +2582,6 @@ loser:
return NULL;
}
-
/*
* Decode the responseBytes based on the responseType found in "rbytes",
* leaving the resulting translated/decoded information in there as well.
@@ -2583,38 +2590,35 @@ static SECStatus
ocsp_DecodeResponseBytes(PLArenaPool *arena, ocspResponseBytes *rbytes)
{
if (rbytes == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+ return SECFailure;
}
rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
switch (rbytes->responseTypeTag) {
- case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
- {
- ocspBasicOCSPResponse *basicResponse;
+ case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: {
+ ocspBasicOCSPResponse *basicResponse;
- basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
- &rbytes->response);
- if (basicResponse == NULL)
- return SECFailure;
+ basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
+ &rbytes->response);
+ if (basicResponse == NULL)
+ return SECFailure;
- rbytes->decodedResponse.basic = basicResponse;
- }
- break;
+ rbytes->decodedResponse.basic = basicResponse;
+ } break;
- /*
+ /*
* Add new/future response types here.
*/
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
- return SECFailure;
+ default:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+ return SECFailure;
}
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DecodeOCSPResponse
* Decode a DER encoded OCSP Response.
@@ -2639,37 +2643,37 @@ CERT_DecodeOCSPResponse(const SECItem *src)
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
- response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPResponse));
+ response = (CERTOCSPResponse *)PORT_ArenaZAlloc(arena,
+ sizeof(CERTOCSPResponse));
if (response == NULL) {
- goto loser;
+ goto loser;
}
response->arena = arena;
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newSrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &newSrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
- sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
+ sv = (ocspResponseStatus)DER_GetInteger(&response->responseStatus);
response->statusValue = sv;
if (sv != ocspResponse_successful) {
- /*
+ /*
* If the response status is anything but successful, then we
* are all done with decoding; the status is all there is.
*/
- return response;
+ return response;
}
/*
@@ -2678,14 +2682,14 @@ CERT_DecodeOCSPResponse(const SECItem *src)
*/
rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
return response;
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
@@ -2711,7 +2715,7 @@ loser:
*
* FUNCTION: ocsp_GetResponseData
* Returns ocspResponseData structure and a pointer to tbs response
- * data DER from a valid ocsp response.
+ * data DER from a valid ocsp response.
* INPUTS:
* CERTOCSPResponse *response
* structure of a valid ocsp response
@@ -2729,8 +2733,8 @@ ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER)
PORT_Assert(response->responseBytes != NULL);
- PORT_Assert(response->responseBytes->responseTypeTag
- == SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ PORT_Assert(response->responseBytes->responseTypeTag ==
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
basic = response->responseBytes->decodedResponse.basic;
PORT_Assert(basic != NULL);
@@ -2761,8 +2765,8 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response)
if (NULL == response->responseBytes) {
return NULL;
}
- if (response->responseBytes->responseTypeTag
- != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
+ if (response->responseBytes->responseTypeTag !=
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
return NULL;
}
basic = response->responseBytes->decodedResponse.basic;
@@ -2771,7 +2775,6 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response)
return &(basic->responseSignature);
}
-
/*
* FUNCTION: CERT_DestroyOCSPResponse
* Frees an OCSP Response structure.
@@ -2785,28 +2788,26 @@ void
CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
{
if (response != NULL) {
- ocspSignature *signature = ocsp_GetResponseSignature(response);
- if (signature && signature->cert != NULL)
- CERT_DestroyCertificate(signature->cert);
+ ocspSignature *signature = ocsp_GetResponseSignature(response);
+ if (signature && signature->cert != NULL)
+ CERT_DestroyCertificate(signature->cert);
- /*
+ /*
* We should actually never have a response without an arena,
* but check just in case. (If there isn't one, there is not
* much we can do about it...)
*/
- PORT_Assert(response->arena != NULL);
- if (response->arena != NULL) {
- PORT_FreeArena(response->arena, PR_FALSE);
- }
+ PORT_Assert(response->arena != NULL);
+ if (response->arena != NULL) {
+ PORT_FreeArena(response->arena, PR_FALSE);
+ }
}
}
-
/*
* OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
*/
-
/*
* Pick apart a URL, saving the important things in the passed-in pointers.
*
@@ -2822,7 +2823,7 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
static SECStatus
ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
{
- unsigned short port = 80; /* default, in case not in url */
+ unsigned short port = 80; /* default, in case not in url */
char *hostname = NULL;
char *path = NULL;
const char *save;
@@ -2830,25 +2831,25 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
int len;
if (url == NULL)
- goto loser;
+ goto loser;
/*
* Skip beginning whitespace.
*/
c = *url;
while ((c == ' ' || c == '\t') && c != '\0') {
- url++;
- c = *url;
+ url++;
+ c = *url;
}
if (c == '\0')
- goto loser;
+ goto loser;
/*
* Confirm, then skip, protocol. (Since we only know how to do http,
* that is all we will accept).
*/
if (PORT_Strncasecmp(url, "http://", 7) != 0)
- goto loser;
+ goto loser;
url += 7;
/*
@@ -2866,13 +2867,13 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
save = url;
c = *url;
while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
+ url++;
+ c = *url;
}
len = url - save;
hostname = PORT_Alloc(len + 1);
if (hostname == NULL)
- goto loser;
+ goto loser;
PORT_Memcpy(hostname, save, len);
hostname[len] = '\0';
@@ -2881,15 +2882,15 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* If so, we need to parse it (as a number) and skip it.
*/
if (c == ':') {
- url++;
- port = (unsigned short) PORT_Atoi(url);
- c = *url;
- while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
- if (c < '0' || c > '9')
- goto loser;
- url++;
- c = *url;
- }
+ url++;
+ port = (unsigned short)PORT_Atoi(url);
+ c = *url;
+ while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
+ if (c < '0' || c > '9')
+ goto loser;
+ url++;
+ c = *url;
+ }
}
/*
@@ -2897,21 +2898,22 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* if nothing else -- but if there is not we provide one.
*/
if (c == '/') {
- save = url;
- while (c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
- }
- len = url - save;
- path = PORT_Alloc(len + 1);
- if (path == NULL)
- goto loser;
- PORT_Memcpy(path, save, len);
- path[len] = '\0';
- } else {
- path = PORT_Strdup("/");
- if (path == NULL)
- goto loser;
+ save = url;
+ while (c != '\0' && c != ' ' && c != '\t') {
+ url++;
+ c = *url;
+ }
+ len = url - save;
+ path = PORT_Alloc(len + 1);
+ if (path == NULL)
+ goto loser;
+ PORT_Memcpy(path, save, len);
+ path[len] = '\0';
+ }
+ else {
+ path = PORT_Strdup("/");
+ if (path == NULL)
+ goto loser;
}
*pHostname = hostname;
@@ -2921,7 +2923,7 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
loser:
if (hostname != NULL)
- PORT_Free(hostname);
+ PORT_Free(hostname);
PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
return SECFailure;
}
@@ -2940,7 +2942,7 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
sock = PR_NewTCPSocket();
if (sock == NULL)
- goto loser;
+ goto loser;
/* XXX Some day need a way to set (and get?) the following value */
timeout = PR_SecondsToInterval(30);
@@ -2954,42 +2956,43 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
* valid numerical IP address from a hostname.
*/
if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
- PRIntn hostIndex;
- PRHostEnt hostEntry;
-
- netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
- if (netdbbuf == NULL)
- goto loser;
-
- if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
- &hostEntry) != PR_SUCCESS)
- goto loser;
-
- hostIndex = 0;
- do {
- hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
- if (hostIndex <= 0)
- goto loser;
- } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
-
- PORT_Free(netdbbuf);
- } else {
- /*
+ PRIntn hostIndex;
+ PRHostEnt hostEntry;
+
+ netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
+ if (netdbbuf == NULL)
+ goto loser;
+
+ if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
+ &hostEntry) != PR_SUCCESS)
+ goto loser;
+
+ hostIndex = 0;
+ do {
+ hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
+ if (hostIndex <= 0)
+ goto loser;
+ } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
+
+ PORT_Free(netdbbuf);
+ }
+ else {
+ /*
* First put the port into the address, then connect.
*/
- if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
- goto loser;
- if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
- goto loser;
+ if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
+ goto loser;
+ if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
+ goto loser;
}
return sock;
loser:
if (sock != NULL)
- PR_Close(sock);
+ PR_Close(sock);
if (netdbbuf != NULL)
- PORT_Free(netdbbuf);
+ PORT_Free(netdbbuf);
return NULL;
}
@@ -3024,14 +3027,14 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
*/
rv = ocsp_ParseURL(location, &hostname, &port, &path);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
PORT_Assert(hostname != NULL);
PORT_Assert(path != NULL);
sock = ocsp_ConnectToHost(hostname, port);
if (sock == NULL)
- goto loser;
+ goto loser;
portstr[0] = '\0';
if (port != 80) {
@@ -3039,38 +3042,38 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
}
if (!encodedRequest) {
- header = PR_smprintf("GET %s HTTP/1.0\r\n"
- "Host: %s%s\r\n\r\n",
- path, hostname, portstr);
- if (header == NULL)
- goto loser;
-
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
+ header = PR_smprintf("GET %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n\r\n",
+ path, hostname, portstr);
+ if (header == NULL)
+ goto loser;
+
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
+ goto loser;
}
else {
- header = PR_smprintf("POST %s HTTP/1.0\r\n"
- "Host: %s%s\r\n"
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %u\r\n\r\n",
- path, hostname, portstr, encodedRequest->len);
- if (header == NULL)
- goto loser;
-
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
-
- if (PR_Write(sock, encodedRequest->data,
- (PRInt32) encodedRequest->len) < 0)
- goto loser;
+ header = PR_smprintf("POST %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n"
+ "Content-Type: application/ocsp-request\r\n"
+ "Content-Length: %u\r\n\r\n",
+ path, hostname, portstr, encodedRequest->len);
+ if (header == NULL)
+ goto loser;
+
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
+ goto loser;
+
+ if (PR_Write(sock, encodedRequest->data,
+ (PRInt32)encodedRequest->len) < 0)
+ goto loser;
}
returnSock = sock;
@@ -3078,13 +3081,13 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
loser:
if (header != NULL)
- PORT_Free(header);
+ PORT_Free(header);
if (sock != NULL)
- PR_Close(sock);
+ PR_Close(sock);
if (path != NULL)
- PORT_Free(path);
+ PORT_Free(path);
if (hostname != NULL)
- PORT_Free(hostname);
+ PORT_Free(hostname);
return returnSock;
}
@@ -3099,22 +3102,17 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
{
int total = 0;
- while (total < toread)
- {
+ while (total < toread) {
PRInt32 got;
- got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout);
- if (got < 0)
- {
- if (0 == total)
- {
+ got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout);
+ if (got < 0) {
+ if (0 == total) {
total = -1; /* report the error if we didn't read anything yet */
}
break;
}
- else
- if (got == 0)
- { /* EOS */
+ else if (got == 0) { /* EOS */
break;
}
@@ -3126,14 +3124,13 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
#define OCSP_BUFSIZE 1024
-#define AbortHttpDecode(error) \
-{ \
- if (inBuffer) \
+#define AbortHttpDecode(error) \
+ { \
+ if (inBuffer) \
PORT_Free(inBuffer); \
- PORT_SetError(error); \
- return NULL; \
-}
-
+ PORT_SetError(error); \
+ return NULL; \
+ }
/*
* Reads on the given socket and returns an encoded response when received.
@@ -3148,92 +3145,82 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
{
/* first read HTTP status line and headers */
- char* inBuffer = NULL;
+ char *inBuffer = NULL;
PRInt32 offset = 0;
PRInt32 inBufsize = 0;
- const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
- const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */
- const char* CRLF = "\r\n";
+ const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
+ const PRInt32 maxBufSize = 8 * bufSizeIncrement; /* 8 KB max */
+ const char *CRLF = "\r\n";
const PRInt32 CRLFlen = strlen(CRLF);
- const char* headerEndMark = "\r\n\r\n";
+ const char *headerEndMark = "\r\n\r\n";
const PRInt32 markLen = strlen(headerEndMark);
const PRIntervalTime ocsptimeout =
PR_SecondsToInterval(30); /* hardcoded to 30s for now */
- char* headerEnd = NULL;
+ char *headerEnd = NULL;
PRBool EOS = PR_FALSE;
- const char* httpprotocol = "HTTP/";
+ const char *httpprotocol = "HTTP/";
const PRInt32 httplen = strlen(httpprotocol);
- const char* httpcode = NULL;
- const char* contenttype = NULL;
+ const char *httpcode = NULL;
+ const char *contenttype = NULL;
PRInt32 contentlength = 0;
PRInt32 bytesRead = 0;
- char* statusLineEnd = NULL;
- char* space = NULL;
- char* nextHeader = NULL;
- SECItem* result = NULL;
+ char *statusLineEnd = NULL;
+ char *space = NULL;
+ char *nextHeader = NULL;
+ SECItem *result = NULL;
/* read up to at least the end of the HTTP headers */
- do
- {
+ do {
inBufsize += bufSizeIncrement;
- inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
- if (NULL == inBuffer)
- {
+ inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);
+ if (NULL == inBuffer) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
- ocsptimeout);
- if (bytesRead > 0)
- {
- PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0;
+ ocsptimeout);
+ if (bytesRead > 0) {
+ PRInt32 searchOffset = (offset - markLen) > 0 ? offset - markLen : 0;
offset += bytesRead;
*(inBuffer + offset) = '\0'; /* NULL termination */
- headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMark);
- if (bytesRead < bufSizeIncrement)
- {
+ headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark);
+ if (bytesRead < bufSizeIncrement) {
/* we read less data than requested, therefore we are at
EOS or there was a read error */
EOS = PR_TRUE;
}
}
- else
- {
+ else {
/* recv error or EOS */
EOS = PR_TRUE;
}
- } while ( (!headerEnd) && (PR_FALSE == EOS) &&
- (inBufsize < maxBufSize) );
+ } while ((!headerEnd) && (PR_FALSE == EOS) &&
+ (inBufsize < maxBufSize));
- if (!headerEnd)
- {
+ if (!headerEnd) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* parse the HTTP status line */
- statusLineEnd = strstr((const char*)inBuffer, CRLF);
- if (!statusLineEnd)
- {
+ statusLineEnd = strstr((const char *)inBuffer, CRLF);
+ if (!statusLineEnd) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
*statusLineEnd = '\0';
/* check for HTTP/ response */
- space = strchr((const char*)inBuffer, ' ');
- if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen) != 0 )
- {
+ space = strchr((const char *)inBuffer, ' ');
+ if (!space || PORT_Strncasecmp((const char *)inBuffer, httpprotocol, httplen) != 0) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* check the HTTP status code of 200 */
- httpcode = space +1;
+ httpcode = space + 1;
space = strchr(httpcode, ' ');
- if (!space)
- {
+ if (!space) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
*space = 0;
- if (0 != strcmp(httpcode, "200"))
- {
+ if (0 != strcmp(httpcode, "200")) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
@@ -3243,14 +3230,12 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
nextHeader = statusLineEnd + CRLFlen;
*headerEnd = '\0'; /* terminate */
- do
- {
- char* thisHeaderEnd = NULL;
- char* value = NULL;
- char* colon = strchr(nextHeader, ':');
-
- if (!colon)
- {
+ do {
+ char *thisHeaderEnd = NULL;
+ char *value = NULL;
+ char *colon = strchr(nextHeader, ':');
+
+ if (!colon) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
@@ -3263,90 +3248,74 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
and should not be an issue, but it could become one in the
future */
- if (*value != ' ')
- {
+ if (*value != ' ') {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
value++;
- thisHeaderEnd = strstr(value, CRLF);
- if (thisHeaderEnd )
- {
- *thisHeaderEnd = '\0';
+ thisHeaderEnd = strstr(value, CRLF);
+ if (thisHeaderEnd) {
+ *thisHeaderEnd = '\0';
}
- if (0 == PORT_Strcasecmp(nextHeader, "content-type"))
- {
+ if (0 == PORT_Strcasecmp(nextHeader, "content-type")) {
contenttype = value;
}
- else
- if (0 == PORT_Strcasecmp(nextHeader, "content-length"))
- {
+ else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
contentlength = atoi(value);
}
- if (thisHeaderEnd )
- {
+ if (thisHeaderEnd) {
nextHeader = thisHeaderEnd + CRLFlen;
}
- else
- {
+ else {
nextHeader = NULL;
}
- } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) );
+ } while (nextHeader && (nextHeader < (headerEnd + CRLFlen)));
/* check content-type */
if (!contenttype ||
- (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) )
- {
+ (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* read the body of the OCSP response */
- offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen;
- if (offset)
- {
+ offset = offset - (PRInt32)(headerEnd - (const char *)inBuffer) - markLen;
+ if (offset) {
/* move all data to the beginning of the buffer */
PORT_Memmove(inBuffer, headerEnd + markLen, offset);
}
/* resize buffer to only what's needed to hold the current response */
- inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ;
+ inBufsize = (1 + (offset - 1) / bufSizeIncrement) * bufSizeIncrement;
- while ( (PR_FALSE == EOS) &&
- ( (contentlength == 0) || (offset < contentlength) ) &&
- (inBufsize < maxBufSize)
- )
- {
+ while ((PR_FALSE == EOS) &&
+ ((contentlength == 0) || (offset < contentlength)) &&
+ (inBufsize < maxBufSize)) {
/* we still need to receive more body data */
inBufsize += bufSizeIncrement;
- inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
- if (NULL == inBuffer)
- {
+ inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);
+ if (NULL == inBuffer) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
ocsptimeout);
- if (bytesRead > 0)
- {
+ if (bytesRead > 0) {
offset += bytesRead;
- if (bytesRead < bufSizeIncrement)
- {
+ if (bytesRead < bufSizeIncrement) {
/* we read less data than requested, therefore we are at
EOS or there was a read error */
EOS = PR_TRUE;
}
}
- else
- {
+ else {
/* recv error or EOS */
EOS = PR_TRUE;
}
}
- if (0 == offset)
- {
+ if (0 == offset) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
@@ -3354,14 +3323,13 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
* Now allocate the item to hold the data.
*/
result = SECITEM_AllocItem(arena, NULL, offset);
- if (NULL == result)
- {
+ if (NULL == result) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
/*
* And copy the data left in the buffer.
- */
+ */
PORT_Memcpy(result->data, inBuffer, offset);
/* and free the temporary buffer */
@@ -3378,7 +3346,7 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
/*
* Limit the size of http responses we are willing to accept.
*/
-#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
+#define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024
/* if (encodedRequest == NULL)
* then location MUST already include the full request,
@@ -3388,9 +3356,9 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* then the request will be sent with POST
*/
static SECItem *
-fetchOcspHttpClientV1(PLArenaPool *arena,
- const SEC_HttpClientFcnV1 *hcv1,
- const char *location,
+fetchOcspHttpClientV1(PLArenaPool *arena,
+ const SEC_HttpClientFcnV1 *hcv1,
+ const char *location,
const SECItem *encodedRequest)
{
char *hostname = NULL;
@@ -3407,13 +3375,13 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
goto loser;
}
-
+
PORT_Assert(hostname != NULL);
PORT_Assert(path != NULL);
if ((*hcv1->createSessionFcn)(
- hostname,
- port,
+ hostname,
+ port,
&pServerSession) != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
goto loser;
@@ -3439,8 +3407,8 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
if (encodedRequest &&
(*hcv1->setPostDataFcn)(
- pRequestSession,
- (char*)encodedRequest->data,
+ pRequestSession,
+ (char *)encodedRequest->data,
encodedRequest->len,
"application/ocsp-request") != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
@@ -3453,7 +3421,7 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
OCSP_TRACE(("OCSP trySendAndReceive %s\n", location));
if ((*hcv1->trySendAndReceiveFcn)(
- pRequestSession,
+ pRequestSession,
NULL,
&myHttpResponseCode,
NULL,
@@ -3481,15 +3449,15 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen);
loser:
- if (pRequestSession != NULL)
+ if (pRequestSession != NULL)
(*hcv1->freeFcn)(pRequestSession);
if (pServerSession != NULL)
(*hcv1->freeSessionFcn)(pServerSession);
if (path != NULL)
- PORT_Free(path);
+ PORT_Free(path);
if (hostname != NULL)
- PORT_Free(hostname);
-
+ PORT_Free(hostname);
+
return encodedResponse;
}
@@ -3518,7 +3486,7 @@ loser:
* Additionals methods for http or other protocols might be added
* in the future.
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no other bearing on the operation.
* PRBool addServiceLocator
@@ -3546,10 +3514,10 @@ loser:
*/
SECItem *
CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
- const char *location, const char *method,
- PRTime time, PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+ const char *location, const char *method,
+ PRTime time, PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
@@ -3571,25 +3539,25 @@ CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
*/
SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
- const char *location, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+ const char *location, PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
- "POST", time, addServiceLocator,
- signerCert, pwArg, pRequest);
+ "POST", time, addServiceLocator,
+ signerCert, pwArg, pRequest);
}
/* URL encode a buffer that consists of base64-characters, only,
* which means we can use a simple encoding logic.
- *
+ *
* No output buffer size checking is performed.
* You should call the function twice, to calculate the required buffer size.
- *
- * If the outpufBuf parameter is NULL, the function will calculate the
+ *
+ * If the outpufBuf parameter is NULL, the function will calculate the
* required size, including the trailing zero termination char.
- *
+ *
* The function returns the number of bytes calculated or produced.
*/
size_t
@@ -3598,44 +3566,44 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
const char *walkInput = NULL;
char *walkOutput = outputBuf;
size_t count = 0;
-
- for (walkInput=base64Buf; *walkInput; ++walkInput) {
- char c = *walkInput;
- if (isspace(c))
- continue;
- switch (c) {
- case '+':
- if (outputBuf) {
- strcpy(walkOutput, "%2B");
- walkOutput += 3;
- }
- count += 3;
- break;
- case '/':
- if (outputBuf) {
- strcpy(walkOutput, "%2F");
- walkOutput += 3;
- }
- count += 3;
- break;
- case '=':
- if (outputBuf) {
- strcpy(walkOutput, "%3D");
- walkOutput += 3;
- }
- count += 3;
- break;
- default:
- if (outputBuf) {
- *walkOutput = *walkInput;
- ++walkOutput;
- }
- ++count;
- break;
- }
+
+ for (walkInput = base64Buf; *walkInput; ++walkInput) {
+ char c = *walkInput;
+ if (isspace(c))
+ continue;
+ switch (c) {
+ case '+':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2B");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '/':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2F");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '=':
+ if (outputBuf) {
+ strcpy(walkOutput, "%3D");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ default:
+ if (outputBuf) {
+ *walkOutput = *walkInput;
+ ++walkOutput;
+ }
+ ++count;
+ break;
+ }
}
if (outputBuf) {
- *walkOutput = 0;
+ *walkOutput = 0;
}
++count;
return count;
@@ -3644,15 +3612,15 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
enum { max_get_request_size = 255 }; /* defined by RFC2560 */
static SECItem *
-cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
@@ -3665,13 +3633,13 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
goto loser;
rv = CERT_AddOCSPAcceptableResponses(request,
- SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
if (encodedRequest == NULL)
- goto loser;
+ goto loser;
if (!strcmp(method, "GET")) {
encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
@@ -3680,29 +3648,29 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
}
else {
- goto loser;
+ goto loser;
}
if (encodedResponse != NULL && pRequest != NULL) {
- *pRequest = request;
- request = NULL; /* avoid destroying below */
+ *pRequest = request;
+ request = NULL; /* avoid destroying below */
}
loser:
if (request != NULL)
- CERT_DestroyOCSPRequest(request);
+ CERT_DestroyOCSPRequest(request);
if (encodedRequest != NULL)
- SECITEM_FreeItem(encodedRequest, PR_TRUE);
+ SECITEM_FreeItem(encodedRequest, PR_TRUE);
return encodedResponse;
}
static SECItem *
-cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
/* using HTTP GET method */
static SECItem *
-cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
char *walkOutput = NULL;
@@ -3710,49 +3678,50 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
size_t pathLength;
PRInt32 urlEncodedBufLength;
size_t base64size;
- char b64ReqBuf[max_get_request_size+1];
+ char b64ReqBuf[max_get_request_size + 1];
size_t slashLengthIfNeeded = 0;
size_t getURLLength;
SECItem *item;
if (!location || !*location) {
- return NULL;
+ return NULL;
}
-
+
pathLength = strlen(location);
- if (location[pathLength-1] != '/') {
- slashLengthIfNeeded = 1;
+ if (location[pathLength - 1] != '/') {
+ slashLengthIfNeeded = 1;
}
-
+
/* Calculation as documented by PL_Base64Encode function.
* Use integer conversion to avoid having to use function ceil().
*/
- base64size = (((encodedRequest->len +2)/3) * 4);
+ base64size = (((encodedRequest->len + 2) / 3) * 4);
if (base64size > max_get_request_size) {
- return NULL;
+ return NULL;
}
memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
- PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len,
- b64ReqBuf);
+ PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len,
+ b64ReqBuf);
urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
-
+
/* urlEncodedBufLength already contains room for the zero terminator.
* Add another if we must add the '/' char.
*/
if (arena) {
- fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength);
- } else {
- fullGetPath = (char*)PORT_Alloc(getURLLength);
+ fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength);
+ }
+ else {
+ fullGetPath = (char *)PORT_Alloc(getURLLength);
}
if (!fullGetPath) {
- return NULL;
+ return NULL;
}
-
+
strcpy(fullGetPath, location);
walkOutput = fullGetPath + pathLength;
-
+
if (walkOutput > fullGetPath && slashLengthIfNeeded) {
strcpy(walkOutput, "/");
++walkOutput;
@@ -3761,20 +3730,20 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
item = cert_FetchOCSPResponse(arena, fullGetPath, NULL);
if (!arena) {
- PORT_Free(fullGetPath);
+ PORT_Free(fullGetPath);
}
return item;
}
SECItem *
-CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
return cert_FetchOCSPResponse(arena, location, encodedRequest);
}
SECItem *
-cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
const SEC_HttpClientFcn *registeredHttpClient;
@@ -3784,11 +3753,12 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
if (registeredHttpClient && registeredHttpClient->version == 1) {
encodedResponse = fetchOcspHttpClientV1(
- arena,
- &registeredHttpClient->fcnTable.ftable1,
- location,
- encodedRequest);
- } else {
+ arena,
+ &registeredHttpClient->fcnTable.ftable1,
+ location,
+ encodedRequest);
+ }
+ else {
/* use internal http client */
PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
if (sock) {
@@ -3801,18 +3771,18 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
}
static SECItem *
-ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
- CERTOCSPCertID *certID,
- CERTCertificate *singleCert,
+ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
+ CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
- request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,
+ request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,
addServiceLocator, NULL);
if (!request)
return NULL;
@@ -3833,29 +3803,28 @@ ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
PRBool retval;
CERTOidSequence *oidSeq = NULL;
-
extItem.data = NULL;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
oidSeq = CERT_DecodeOidSequence(&extItem);
- if ( oidSeq == NULL ) {
- goto loser;
+ if (oidSeq == NULL) {
+ goto loser;
}
oids = oidSeq->oids;
- while ( *oids != NULL ) {
- oid = *oids;
-
- oidTag = SECOID_FindOIDTag(oid);
-
- if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
- goto success;
- }
-
- oids++;
+ while (*oids != NULL) {
+ oid = *oids;
+
+ oidTag = SECOID_FindOIDTag(oid);
+
+ if (oidTag == SEC_OID_OCSP_RESPONDER) {
+ goto success;
+ }
+
+ oids++;
}
loser:
@@ -3865,42 +3834,41 @@ loser:
success:
retval = PR_TRUE;
done:
- if ( extItem.data != NULL ) {
- PORT_Free(extItem.data);
+ if (extItem.data != NULL) {
+ PORT_Free(extItem.data);
}
- if ( oidSeq != NULL ) {
- CERT_DestroyOidSequence(oidSeq);
+ if (oidSeq != NULL) {
+ CERT_DestroyOidSequence(oidSeq);
}
-
- return(retval);
-}
+ return (retval);
+}
-#ifdef LATER /*
- * XXX This function is not currently used, but will
- * be needed later when we do revocation checking of
- * the responder certificate. Of course, it may need
- * revising then, if the cert extension interface has
- * changed. (Hopefully it will!)
- */
+#ifdef LATER /*
+ * XXX This function is not currently used, but will
+ * be needed later when we do revocation checking of
+ * the responder certificate. Of course, it may need
+ * revising then, if the cert extension interface has
+ * changed. (Hopefully it will!)
+ */
/* Checks a certificate to see if it has the OCSP no check extension. */
static PRBool
ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
{
SECStatus rv;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,
- NULL);
+
+ rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,
+ NULL);
if (rv == SECSuccess) {
- return PR_TRUE;
+ return PR_TRUE;
}
return PR_FALSE;
}
-#endif /* LATER */
+#endif /* LATER */
static PRBool
-ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
+ocsp_matchcert(SECItem *certIndex, CERTCertificate *testCert)
{
SECItem item;
unsigned char buf[HASH_LENGTH_MAX];
@@ -3908,33 +3876,33 @@ ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
item.data = buf;
item.len = SHA1_LENGTH;
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_SHA1,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD5,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD2,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
return PR_FALSE;
}
static CERTCertificate *
-ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID);
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID);
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
@@ -3949,19 +3917,19 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
PORT_Assert(tbsData->responderID != NULL);
switch (tbsData->responderID->responderIDType) {
- case ocspResponderID_byName:
- lookupByName = PR_TRUE;
- certIndex = &tbsData->derResponderID;
- break;
- case ocspResponderID_byKey:
- lookupByName = PR_FALSE;
- certIndex = &tbsData->responderID->responderIDValue.keyHash;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- return NULL;
+ case ocspResponderID_byName:
+ lookupByName = PR_TRUE;
+ certIndex = &tbsData->derResponderID;
+ break;
+ case ocspResponderID_byKey:
+ lookupByName = PR_FALSE;
+ certIndex = &tbsData->responderID->responderIDValue.keyHash;
+ break;
+ case ocspResponderID_other:
+ default:
+ PORT_Assert(0);
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ return NULL;
}
/*
@@ -3972,14 +3940,14 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
* to be destroyed.
*/
if (signature->derCerts != NULL) {
- for (; signature->derCerts[certCount] != NULL; certCount++) {
- /* just counting */
- }
- rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount,
- signature->derCerts, &certs,
- PR_FALSE, PR_FALSE, NULL);
- if (rv != SECSuccess)
- goto finish;
+ for (; signature->derCerts[certCount] != NULL; certCount++) {
+ /* just counting */
+ }
+ rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount,
+ signature->derCerts, &certs,
+ PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto finish;
}
/*
@@ -3987,51 +3955,54 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
* The signer can be specified either by name or by key hash.
*/
if (lookupByName) {
- SECItem *crIndex = (SECItem*)certIndex;
- SECItem encodedName;
- PLArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena != NULL) {
-
- rv = SEC_QuickDERDecodeItem(arena, &encodedName,
- ocsp_ResponderIDDerNameTemplate,
- crIndex);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- } else {
- signerCert = CERT_FindCertByName(handle, &encodedName);
- }
- PORT_FreeArena(arena, PR_FALSE);
- }
- } else {
- /*
- * The signer is either 1) a known issuer CA we passed in,
- * 2) the default OCSP responder, or 3) an intermediate CA
- * passed in the cert list to use. Figure out which it is.
- */
- int i;
- CERTCertificate *responder =
+ SECItem *crIndex = (SECItem *)certIndex;
+ SECItem encodedName;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena != NULL) {
+
+ rv = SEC_QuickDERDecodeItem(arena, &encodedName,
+ ocsp_ResponderIDDerNameTemplate,
+ crIndex);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ }
+ else {
+ signerCert = CERT_FindCertByName(handle, &encodedName);
+ }
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ }
+ else {
+ /*
+ * The signer is either 1) a known issuer CA we passed in,
+ * 2) the default OCSP responder, or 3) an intermediate CA
+ * passed in the cert list to use. Figure out which it is.
+ */
+ int i;
+ CERTCertificate *responder =
ocsp_CertGetDefaultResponder(handle, NULL);
- if (responder && ocsp_matchcert(certIndex,responder)) {
- signerCert = CERT_DupCertificate(responder);
- } else if (issuer && ocsp_matchcert(certIndex,issuer)) {
- signerCert = CERT_DupCertificate(issuer);
- }
- for (i=0; (signerCert == NULL) && (i < certCount); i++) {
- if (ocsp_matchcert(certIndex,certs[i])) {
- signerCert = CERT_DupCertificate(certs[i]);
- }
- }
- if (signerCert == NULL) {
- PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
- }
+ if (responder && ocsp_matchcert(certIndex, responder)) {
+ signerCert = CERT_DupCertificate(responder);
+ }
+ else if (issuer && ocsp_matchcert(certIndex, issuer)) {
+ signerCert = CERT_DupCertificate(issuer);
+ }
+ for (i = 0; (signerCert == NULL) && (i < certCount); i++) {
+ if (ocsp_matchcert(certIndex, certs[i])) {
+ signerCert = CERT_DupCertificate(certs[i]);
+ }
+ }
+ if (signerCert == NULL) {
+ PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
+ }
}
finish:
if (certs != NULL) {
- CERT_DestroyCertArray(certs, certCount);
+ CERT_DestroyCertArray(certs, certCount);
}
return signerCert;
@@ -4067,7 +4038,7 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg);
if (rv != SECSuccess &&
- (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE ||
+ (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE ||
PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) {
PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE);
}
@@ -4079,7 +4050,6 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
return rv;
}
-
/*
* FUNCTION: CERT_VerifyOCSPResponseSignature
* Check the signature on an OCSP Response. Will also perform a
@@ -4110,10 +4080,10 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
* verifying the signer's cert, or low-level problems (no memory, etc.)
*/
SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
- CERTCertDBHandle *handle, void *pwArg,
- CERTCertificate **pSignerCert,
- CERTCertificate *issuer)
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
+ CERTCertDBHandle *handle, void *pwArg,
+ CERTCertificate **pSignerCert,
+ CERTCertificate *issuer)
{
SECItem *tbsResponseDataDER;
CERTCertificate *signerCert = NULL;
@@ -4138,24 +4108,25 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* return the cached result.
*/
if (signature->wasChecked) {
- if (signature->status == SECSuccess) {
- if (pSignerCert != NULL)
- *pSignerCert = CERT_DupCertificate(signature->cert);
- } else {
- PORT_SetError(signature->failureReason);
- }
- return signature->status;
+ if (signature->status == SECSuccess) {
+ if (pSignerCert != NULL)
+ *pSignerCert = CERT_DupCertificate(signature->cert);
+ }
+ else {
+ PORT_SetError(signature->failureReason);
+ }
+ return signature->status;
}
signerCert = ocsp_GetSignerCertificate(handle, tbsData,
signature, issuer);
if (signerCert == NULL) {
- rv = SECFailure;
- if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
- /* Make the error a little more specific. */
- PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
- }
- goto finish;
+ rv = SECFailure;
+ if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
+ /* Make the error a little more specific. */
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+ }
+ goto finish;
}
/*
@@ -4182,11 +4153,13 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
*/
if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
rv = SECSuccess;
- } else {
+ }
+ else {
SECCertUsage certUsage;
if (CERT_IsCACert(signerCert, NULL)) {
certUsage = certUsageAnyCA;
- } else {
+ }
+ else {
certUsage = certUsageStatusResponder;
}
rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage,
@@ -4204,24 +4177,25 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
finish:
if (signature->wasChecked)
- signature->status = rv;
+ signature->status = rv;
if (rv != SECSuccess) {
- signature->failureReason = PORT_GetError();
- if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
- } else {
- /*
- * Save signer's certificate in signature.
- */
- signature->cert = signerCert;
- if (pSignerCert != NULL) {
- /*
- * Pass pointer to signer's certificate back to our caller,
- * who is also now responsible for destroying it.
- */
- *pSignerCert = CERT_DupCertificate(signerCert);
- }
+ signature->failureReason = PORT_GetError();
+ if (signerCert != NULL)
+ CERT_DestroyCertificate(signerCert);
+ }
+ else {
+ /*
+ * Save signer's certificate in signature.
+ */
+ signature->cert = signerCert;
+ if (pSignerCert != NULL) {
+ /*
+ * Pass pointer to signer's certificate back to our caller,
+ * who is also now responsible for destroying it.
+ */
+ *pSignerCert = CERT_DupCertificate(signerCert);
+ }
}
return rv;
@@ -4234,7 +4208,7 @@ finish:
*/
static PRBool
ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
- CERTOCSPCertID *responseCertID)
+ CERTOCSPCertID *responseCertID)
{
PRBool match = PR_FALSE;
SECOidTag hashAlg;
@@ -4248,8 +4222,8 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
* We just compare the easier things first.
*/
if (SECITEM_CompareItem(&requestCertID->serialNumber,
- &responseCertID->serialNumber) != SECEqual) {
- goto done;
+ &responseCertID->serialNumber) != SECEqual) {
+ goto done;
}
/*
@@ -4257,48 +4231,49 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
* requestCertID->hashAlgorithm, we don't need to check it.
*/
if (responseCertID->hashAlgorithm.parameters.len > 2) {
- goto done;
+ goto done;
}
if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm,
- &responseCertID->hashAlgorithm.algorithm) == SECEqual) {
- /*
- * If the hash algorithms match then we can do a simple compare
- * of the hash values themselves.
- */
- if ((SECITEM_CompareItem(&requestCertID->issuerNameHash,
- &responseCertID->issuerNameHash) == SECEqual)
- && (SECITEM_CompareItem(&requestCertID->issuerKeyHash,
- &responseCertID->issuerKeyHash) == SECEqual)) {
- match = PR_TRUE;
- }
- goto done;
+ &responseCertID->hashAlgorithm.algorithm) ==
+ SECEqual) {
+ /*
+ * If the hash algorithms match then we can do a simple compare
+ * of the hash values themselves.
+ */
+ if ((SECITEM_CompareItem(&requestCertID->issuerNameHash,
+ &responseCertID->issuerNameHash) == SECEqual) &&
+ (SECITEM_CompareItem(&requestCertID->issuerKeyHash,
+ &responseCertID->issuerKeyHash) == SECEqual)) {
+ match = PR_TRUE;
+ }
+ goto done;
}
hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm);
switch (hashAlg) {
- case SEC_OID_SHA1:
- keyHash = &requestCertID->issuerSHA1KeyHash;
- nameHash = &requestCertID->issuerSHA1NameHash;
- break;
- case SEC_OID_MD5:
- keyHash = &requestCertID->issuerMD5KeyHash;
- nameHash = &requestCertID->issuerMD5NameHash;
- break;
- case SEC_OID_MD2:
- keyHash = &requestCertID->issuerMD2KeyHash;
- nameHash = &requestCertID->issuerMD2NameHash;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return PR_FALSE;
- }
-
- if ((keyHash != NULL)
- && (SECITEM_CompareItem(nameHash,
- &responseCertID->issuerNameHash) == SECEqual)
- && (SECITEM_CompareItem(keyHash,
- &responseCertID->issuerKeyHash) == SECEqual)) {
- match = PR_TRUE;
+ case SEC_OID_SHA1:
+ keyHash = &requestCertID->issuerSHA1KeyHash;
+ nameHash = &requestCertID->issuerSHA1NameHash;
+ break;
+ case SEC_OID_MD5:
+ keyHash = &requestCertID->issuerMD5KeyHash;
+ nameHash = &requestCertID->issuerMD5NameHash;
+ break;
+ case SEC_OID_MD2:
+ keyHash = &requestCertID->issuerMD2KeyHash;
+ nameHash = &requestCertID->issuerMD2NameHash;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return PR_FALSE;
+ }
+
+ if ((keyHash != NULL) &&
+ (SECITEM_CompareItem(nameHash,
+ &responseCertID->issuerNameHash) == SECEqual) &&
+ (SECITEM_CompareItem(keyHash,
+ &responseCertID->issuerKeyHash) == SECEqual)) {
+ match = PR_TRUE;
}
done:
@@ -4313,27 +4288,27 @@ done:
*/
static CERTOCSPSingleResponse *
ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
- CERTCertDBHandle *handle,
- CERTOCSPCertID *certID)
+ CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID)
{
CERTOCSPSingleResponse *single;
int i;
if (responses == NULL)
- return NULL;
+ return NULL;
for (i = 0; responses[i] != NULL; i++) {
- single = responses[i];
- if (ocsp_CertIDsMatch(certID, single->certID)) {
- return single;
- }
+ single = responses[i];
+ if (ocsp_CertIDsMatch(certID, single->certID)) {
+ return single;
+ }
}
/*
* The OCSP server should have included a response even if it knew
* nothing about the certificate in question. Since it did not,
* this will make it look as if it had.
- *
+ *
* XXX Should we make this a separate error to notice the server's
* bad behavior?
*/
@@ -4349,19 +4324,19 @@ ocsp_GetCheckingContext(CERTCertDBHandle *handle)
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig != NULL) {
- ocspcx = statusConfig->statusContext;
+ ocspcx = statusConfig->statusContext;
- /*
- * This is actually an internal error, because we should never
- * have a good statusConfig without a good statusContext, too.
- * For lack of anything better, though, we just assert and use
- * the same error as if there were no statusConfig (set below).
- */
- PORT_Assert(ocspcx != NULL);
+ /*
+ * This is actually an internal error, because we should never
+ * have a good statusConfig without a good statusContext, too.
+ * For lack of anything better, though, we just assert and use
+ * the same error as if there were no statusConfig (set below).
+ */
+ PORT_Assert(ocspcx != NULL);
}
if (ocspcx == NULL)
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+ PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
return ocspcx;
}
@@ -4377,19 +4352,19 @@ ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID)
ocspcx = ocsp_GetCheckingContext(handle);
if (ocspcx == NULL)
- goto loser;
-
- /*
- * Right now we have only one default responder. It applies to
- * all certs when it is used, so the check is simple and certID
- * has no bearing on the answer. Someday in the future we may
- * allow configuration of different responders for different
- * issuers, and then we would have to use the issuer specified
- * in certID to determine if signerCert is the right one.
- */
+ goto loser;
+
+ /*
+ * Right now we have only one default responder. It applies to
+ * all certs when it is used, so the check is simple and certID
+ * has no bearing on the answer. Someday in the future we may
+ * allow configuration of different responders for different
+ * issuers, and then we would have to use the issuer specified
+ * in certID to determine if signerCert is the right one.
+ */
if (ocspcx->useDefaultResponder) {
- PORT_Assert(ocspcx->defaultResponderCert != NULL);
- return ocspcx->defaultResponderCert;
+ PORT_Assert(ocspcx->defaultResponderCert != NULL);
+ return ocspcx->defaultResponderCert;
}
loser:
@@ -4407,19 +4382,19 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert)
ocspcx = ocsp_GetCheckingContext(handle);
if (ocspcx == NULL)
- return PR_FALSE;
-
- /*
- * Right now we have only one default responder. It applies to
- * all certs when it is used, so the check is simple and certID
- * has no bearing on the answer. Someday in the future we may
- * allow configuration of different responders for different
- * issuers, and then we would have to use the issuer specified
- * in certID to determine if signerCert is the right one.
- */
+ return PR_FALSE;
+
+ /*
+ * Right now we have only one default responder. It applies to
+ * all certs when it is used, so the check is simple and certID
+ * has no bearing on the answer. Someday in the future we may
+ * allow configuration of different responders for different
+ * issuers, and then we would have to use the issuer specified
+ * in certID to determine if signerCert is the right one.
+ */
if (ocspcx->useDefaultResponder &&
CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) {
- return PR_TRUE;
+ return PR_TRUE;
}
return PR_FALSE;
@@ -4444,9 +4419,9 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert)
*/
static PRBool
ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- CERTOCSPCertID *certID,
- PRTime thisUpdate)
+ CERTCertificate *signerCert,
+ CERTOCSPCertID *certID,
+ PRTime thisUpdate)
{
CERTCertificate *issuerCert = NULL, *defRespCert;
SECItem *keyHash = NULL;
@@ -4490,7 +4465,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
nameHashEQ =
(SECITEM_CompareItem(nameHash,
&certID->issuerNameHash) == SECEqual);
-
+
SECITEM_FreeItem(nameHash, PR_TRUE);
if (nameHashEQ) {
/* The issuer of the cert is the the signer of the response */
@@ -4498,7 +4473,6 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
}
}
-
keyHashEQ = PR_FALSE;
nameHashEQ = PR_FALSE;
@@ -4529,7 +4503,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
CERT_DestroyCertificate(issuerCert);
if (keyHash != NULL && nameHash != NULL) {
- keyHashEQ =
+ keyHashEQ =
(SECITEM_CompareItem(keyHash,
&certID->issuerKeyHash) == SECEqual);
@@ -4565,7 +4539,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
* want something from within the last 24 hours. This macro defines that
* number in seconds.
*/
-#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L)
+#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L)
static PRBool
ocsp_TimeIsRecent(PRTime checkTime)
@@ -4575,19 +4549,19 @@ ocsp_TimeIsRecent(PRTime checkTime)
LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
LL_I2L(tmp, PR_USEC_PER_SEC);
- LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */
+ LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */
LL_ADD(checkTime, checkTime, lapse);
if (LL_CMP(now, >, checkTime))
- return PR_FALSE;
+ return PR_FALSE;
return PR_TRUE;
}
-#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes
- in the future by default */
+#define OCSP_SLOP (5L * 60L) /* OCSP responses are allowed to be 5 minutes \
+ in the future by default */
-static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */
+static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */
/*
* If an old response contains the revoked certificate status, we want
@@ -4610,7 +4584,6 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time)
*/
return SECSuccess;
}
-
}
PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
return SECFailure;
@@ -4638,19 +4611,19 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time)
* SEC_ERROR_OCSP_OLD_RESPONSE
* SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
* Other errors are low-level problems (no memory, bad database, etc.).
- */
+ */
static SECStatus
ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
- CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- PRTime producedAt)
+ CERTCertDBHandle *handle,
+ CERTCertificate *signerCert,
+ PRTime producedAt)
{
CERTOCSPCertID *certID = single->certID;
PRTime now, thisUpdate, nextUpdate, tmstamp, tmp;
SECStatus rv;
- OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n",
- ((single->nextUpdate) != 0)));
+ OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n",
+ ((single->nextUpdate) != 0)));
/*
* If all the responder said was that the given cert was unknown to it,
* that is a valid response. Not very interesting to us, of course,
@@ -4659,7 +4632,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
*/
PORT_Assert(single->certStatus != NULL);
if (single->certStatus->certStatusType == ocspCertStatus_unknown)
- return SECSuccess;
+ return SECSuccess;
/*
* We need to extract "thisUpdate" for use below and to pass along
@@ -4668,14 +4641,14 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
*/
rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
if (rv != SECSuccess)
- return rv;
+ return rv;
/*
* First confirm that signerCert is authorized to give this status.
*/
if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
- thisUpdate) != PR_TRUE)
- return SECFailure;
+ thisUpdate) != PR_TRUE)
+ return SECFailure;
/*
* Now check the time stuff, as described above.
@@ -4688,25 +4661,25 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
LL_ADD(tmstamp, tmp, now); /* add current time to it */
if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
- PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
+ return SECFailure;
}
if (single->nextUpdate != NULL) {
- rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
- if (rv != SECSuccess)
- return rv;
+ rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
+ if (rv != SECSuccess)
+ return rv;
- LL_ADD(tmp, tmp, nextUpdate);
- if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
- return ocsp_HandleOldSingleResponse(single, now);
- } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
- return ocsp_HandleOldSingleResponse(single, now);
+ LL_ADD(tmp, tmp, nextUpdate);
+ if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
+ return ocsp_HandleOldSingleResponse(single, now);
+ }
+ else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
+ return ocsp_HandleOldSingleResponse(single, now);
}
return SECSuccess;
}
-
/*
* FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
* Get the value of the URI of the OCSP responder for the given cert.
@@ -4721,7 +4694,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
* extension is not present or it does not contain an entry for OCSP,
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned.
* Any other error will also result in a NULL being returned.
- *
+ *
* This result should be freed (via PORT_Free) when no longer in use.
*/
char *
@@ -4743,13 +4716,13 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
if (encodedAuthInfoAccess == NULL)
- goto loser;
+ goto loser;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- encodedAuthInfoAccess);
+ encodedAuthInfoAccess);
if (rv == SECFailure) {
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4760,16 +4733,16 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
- goto loser;
+ goto loser;
authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena,
- encodedAuthInfoAccess);
+ encodedAuthInfoAccess);
if (authInfoAccess == NULL)
- goto loser;
+ goto loser;
for (i = 0; authInfoAccess[i] != NULL; i++) {
- if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
- locname = authInfoAccess[i]->location;
+ if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
+ locname = authInfoAccess[i]->location;
}
/*
@@ -4780,8 +4753,8 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
* not there at all.
*/
if (locname == NULL) {
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4790,15 +4763,15 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
if (location == NULL) {
- /*
- * XXX Appears that CERT_GetGeneralNameByType does not set an
- * error if there is no name by that type. For lack of anything
- * better, act as if the extension was not found. In the future
- * this should probably be something more like the extension was
- * badly formed.
- */
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ /*
+ * XXX Appears that CERT_GetGeneralNameByType does not set an
+ * error if there is no name by that type. For lack of anything
+ * better, act as if the extension was not found. In the future
+ * this should probably be something more like the extension was
+ * badly formed.
+ */
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4809,22 +4782,21 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
locURI = PORT_Alloc(location->len + 1);
if (locURI == NULL) {
- goto loser;
+ goto loser;
}
PORT_Memcpy(locURI, location->data, location->len);
locURI[location->len] = '\0';
loser:
if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
if (encodedAuthInfoAccess != NULL)
- SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
+ SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
return locURI;
}
-
/*
* Figure out where we should go to find out the status of the given cert
* via OCSP. If allowed to use a default responder uri and a default
@@ -4840,7 +4812,7 @@ loser:
*/
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool canUseDefault, PRBool *isDefault)
+ PRBool canUseDefault, PRBool *isDefault)
{
ocspCheckingContext *ocspcx = NULL;
char *ocspUrl = NULL;
@@ -4849,15 +4821,15 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
ocspcx = ocsp_GetCheckingContext(handle);
}
if (ocspcx != NULL && ocspcx->useDefaultResponder) {
- /*
- * A default responder wins out, if specified.
- * XXX Someday this may be a more complicated determination based
- * on the cert's issuer. (That is, we could have different default
- * responders configured for different issuers.)
- */
- PORT_Assert(ocspcx->defaultResponderURI != NULL);
- *isDefault = PR_TRUE;
- return (PORT_Strdup(ocspcx->defaultResponderURI));
+ /*
+ * A default responder wins out, if specified.
+ * XXX Someday this may be a more complicated determination based
+ * on the cert's issuer. (That is, we could have different default
+ * responders configured for different issuers.)
+ */
+ PORT_Assert(ocspcx->defaultResponderURI != NULL);
+ *isDefault = PR_TRUE;
+ return (PORT_Strdup(ocspcx->defaultResponderURI));
}
/*
@@ -4867,16 +4839,16 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
*isDefault = PR_FALSE;
ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
if (!ocspUrl) {
- CERT_StringFromCertFcn altFcn;
+ CERT_StringFromCertFcn altFcn;
- PR_EnterMonitor(OCSP_Global.monitor);
- altFcn = OCSP_Global.alternateOCSPAIAFcn;
- PR_ExitMonitor(OCSP_Global.monitor);
- if (altFcn) {
- ocspUrl = (*altFcn)(cert);
- if (ocspUrl)
- *isDefault = PR_TRUE;
- }
+ PR_EnterMonitor(OCSP_Global.monitor);
+ altFcn = OCSP_Global.alternateOCSPAIAFcn;
+ PR_ExitMonitor(OCSP_Global.monitor);
+ if (altFcn) {
+ ocspUrl = (*altFcn)(cert);
+ if (ocspUrl)
+ *isDefault = PR_TRUE;
+ }
}
return ocspUrl;
}
@@ -4893,7 +4865,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time)
rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
if (rv != SECSuccess)
- return rv;
+ return rv;
/*
* Set the error even if we will return success; someone might care.
@@ -4901,7 +4873,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time)
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
if (LL_CMP(revokedTime, >, time))
- return SECSuccess;
+ return SECSuccess;
return SECFailure;
}
@@ -4915,28 +4887,28 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
{
SECStatus rv;
switch (status->certStatusType) {
- case ocspCertStatus_good:
- rv = SECSuccess;
- break;
- case ocspCertStatus_revoked:
- rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
- break;
- case ocspCertStatus_unknown:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
- rv = SECFailure;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- rv = SECFailure;
- break;
+ case ocspCertStatus_good:
+ rv = SECSuccess;
+ break;
+ case ocspCertStatus_revoked:
+ rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
+ break;
+ case ocspCertStatus_unknown:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+ rv = SECFailure;
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(0);
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ rv = SECFailure;
+ break;
}
return rv;
}
static SECStatus
-ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
+ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
PRTime time)
{
return ocsp_CertHasGoodStatus(single->certStatus, time);
@@ -4963,7 +4935,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
OCSPFreshness *cacheFreshness)
{
OCSPCacheItem *cacheItem = NULL;
-
+
if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -4971,7 +4943,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
*rvOcsp = SECFailure;
*missingResponseError = 0;
*cacheFreshness = ocspMissing;
-
+
PR_EnterMonitor(OCSP_Global.monitor);
cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
if (cacheItem) {
@@ -4983,16 +4955,17 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
if (*rvOcsp != SECSuccess) {
*missingResponseError = PORT_GetError();
}
- } else {
+ }
+ else {
/*
* No status cached, the previous attempt failed.
- * If OCSP is required, we never decide based on a failed attempt
+ * If OCSP is required, we never decide based on a failed attempt
* However, if OCSP is optional, a recent OCSP failure is
* an allowed good state.
*/
if (*cacheFreshness == ocspFresh &&
!ignoreGlobalOcspFailureSetting &&
- OCSP_Global.ocspFailureMode ==
+ OCSP_Global.ocspFailureMode ==
ocspMode_FailureIsNotAVerificationFailure) {
*rvOcsp = SECSuccess;
}
@@ -5064,10 +5037,10 @@ ocsp_FetchingFailureIsVerificationFailure(void)
* (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
* verifying the signer's cert, or low-level problems (error allocating
* memory, error performing ASN.1 decoding, etc.).
- */
-SECStatus
+ */
+SECStatus
CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRTime time, void *pwArg)
+ PRTime time, void *pwArg)
{
CERTOCSPCertID *certID;
PRBool certIDWasConsumed = PR_FALSE;
@@ -5075,10 +5048,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
SECStatus rvOcsp;
SECErrorCodes cachedErrorCode;
OCSPFreshness cachedResponseFreshness;
-
+
OCSP_TRACE_CERT(cert);
OCSP_TRACE_TIME("## requested validity time:", time);
-
+
certID = CERT_CreateOCSPCertID(cert, time);
if (!certID)
return SECFailure;
@@ -5098,16 +5071,17 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
}
rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
- &certIDWasConsumed,
+ &certIDWasConsumed,
&rvOcsp);
if (rv != SECSuccess) {
PRErrorCode err = PORT_GetError();
if (ocsp_FetchingFailureIsVerificationFailure()) {
PORT_SetError(err);
rvOcsp = SECFailure;
- } else if (cachedResponseFreshness == ocspStale &&
- (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
- cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+ }
+ else if (cachedResponseFreshness == ocspStale &&
+ (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+ cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
/* If we couldn't get a response for a certificate that the OCSP
* responder previously told us was bad, then assume it is still
* bad until we hear otherwise, as it is very unlikely that the
@@ -5117,7 +5091,8 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
PORT_SetError(cachedErrorCode);
rvOcsp = SECFailure;
- } else {
+ }
+ else {
rvOcsp = SECSuccess;
}
}
@@ -5157,10 +5132,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
SECStatus
CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
- CERTCertificate *cert,
- PRTime time,
- const SECItem *encodedResponse,
- void *pwArg)
+ CERTCertificate *cert,
+ PRTime time,
+ const SECItem *encodedResponse,
+ void *pwArg)
{
CERTOCSPCertID *certID = NULL;
PRBool certIDWasConsumed = PR_FALSE;
@@ -5235,17 +5210,17 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
* ocsp_CacheSingleResponse. */
rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
- time, pwArg,
- encodedResponse,
- &decodedResponse,
- &singleResponse);
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
if (rv == SECSuccess) {
- rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
- /* Cache any valid singleResponse, regardless of status. */
- ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
+ rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ /* Cache any valid singleResponse, regardless of status. */
+ ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
}
if (decodedResponse) {
- CERT_DestroyOCSPResponse(decodedResponse);
+ CERT_DestroyOCSPResponse(decodedResponse);
}
if (!certIDWasConsumed) {
CERT_DestroyOCSPCertID(certID);
@@ -5254,13 +5229,13 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
}
/*
- * Status in *certIDWasConsumed will always be correct, regardless of
+ * Status in *certIDWasConsumed will always be correct, regardless of
* return value.
*/
static SECStatus
-ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
PRTime time,
void *pwArg,
PRBool *certIDWasConsumed,
@@ -5274,7 +5249,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
CERTOCSPResponse *decodedResponse = NULL;
CERTOCSPSingleResponse *singleResponse = NULL;
- enum { stageGET, stagePOST } currentStage;
+ enum { stageGET,
+ stagePOST } currentStage;
PRBool retry = PR_FALSE;
if (!certIDWasConsumed || !rv_ocsp) {
@@ -5291,7 +5267,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.forcePost) {
currentStage = stagePOST;
- } else {
+ }
+ else {
currentStage = stageGET;
}
PR_ExitMonitor(OCSP_Global.monitor);
@@ -5310,14 +5287,14 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
location = ocsp_GetResponderLocation(handle, cert, PR_TRUE,
&locationIsDefault);
if (location == NULL) {
- int err = PORT_GetError();
- if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
- err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
- PORT_SetError(0);
- *rv_ocsp = SECSuccess;
- return SECSuccess;
- }
- return SECFailure;
+ int err = PORT_GetError();
+ if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
+ *rv_ocsp = SECSuccess;
+ return SECSuccess;
+ }
+ return SECFailure;
}
/*
@@ -5343,75 +5320,79 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
*/
do {
- const char *method;
- PRBool validResponseWithAccurateInfo = PR_FALSE;
- retry = PR_FALSE;
- *rv_ocsp = SECFailure;
-
- if (currentStage == stageGET) {
- method = "GET";
- } else {
- PORT_Assert(currentStage == stagePOST);
- method = "POST";
- }
-
- encodedResponse =
- ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
- location, method,
- time, locationIsDefault,
- pwArg, &request);
-
- if (encodedResponse) {
- rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
- time, pwArg,
- encodedResponse,
- &decodedResponse,
- &singleResponse);
- if (rv == SECSuccess) {
- switch (singleResponse->certStatus->certStatusType) {
- case ocspCertStatus_good:
- case ocspCertStatus_revoked:
- validResponseWithAccurateInfo = PR_TRUE;
- break;
- default:
- break;
- }
- *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
- }
- }
-
- if (currentStage == stageGET) {
- /* only accept GET response if good or revoked */
- if (validResponseWithAccurateInfo) {
- ocsp_CacheSingleResponse(certID, singleResponse,
- certIDWasConsumed);
- } else {
- retry = PR_TRUE;
- currentStage = stagePOST;
- }
- } else {
- /* cache the POST respone, regardless of status */
- if (!singleResponse) {
- cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
- } else {
- ocsp_CacheSingleResponse(certID, singleResponse,
- certIDWasConsumed);
- }
- }
-
- if (encodedResponse) {
- SECITEM_FreeItem(encodedResponse, PR_TRUE);
- encodedResponse = NULL;
- }
- if (request) {
- CERT_DestroyOCSPRequest(request);
- request = NULL;
- }
- if (decodedResponse) {
- CERT_DestroyOCSPResponse(decodedResponse);
- decodedResponse = NULL;
- }
- singleResponse = NULL;
+ const char *method;
+ PRBool validResponseWithAccurateInfo = PR_FALSE;
+ retry = PR_FALSE;
+ *rv_ocsp = SECFailure;
+
+ if (currentStage == stageGET) {
+ method = "GET";
+ }
+ else {
+ PORT_Assert(currentStage == stagePOST);
+ method = "POST";
+ }
+
+ encodedResponse =
+ ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
+ location, method,
+ time, locationIsDefault,
+ pwArg, &request);
+
+ if (encodedResponse) {
+ rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
+ if (rv == SECSuccess) {
+ switch (singleResponse->certStatus->certStatusType) {
+ case ocspCertStatus_good:
+ case ocspCertStatus_revoked:
+ validResponseWithAccurateInfo = PR_TRUE;
+ break;
+ default:
+ break;
+ }
+ *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ }
+ }
+
+ if (currentStage == stageGET) {
+ /* only accept GET response if good or revoked */
+ if (validResponseWithAccurateInfo) {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ }
+ else {
+ retry = PR_TRUE;
+ currentStage = stagePOST;
+ }
+ }
+ else {
+ /* cache the POST respone, regardless of status */
+ if (!singleResponse) {
+ cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
+ }
+ else {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ }
+ }
+
+ if (encodedResponse) {
+ SECITEM_FreeItem(encodedResponse, PR_TRUE);
+ encodedResponse = NULL;
+ }
+ if (request) {
+ CERT_DestroyOCSPRequest(request);
+ request = NULL;
+ }
+ if (decodedResponse) {
+ CERT_DestroyOCSPResponse(decodedResponse);
+ decodedResponse = NULL;
+ }
+ singleResponse = NULL;
} while (retry);
@@ -5454,25 +5435,25 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
*/
static SECStatus
ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- CERTOCSPResponse **pDecodedResponse,
- CERTOCSPSingleResponse **pSingle)
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle)
{
CERTCertificate *signerCert = NULL;
CERTCertificate *issuerCert = NULL;
SECStatus rv = SECFailure;
if (!pSingle || !pDecodedResponse) {
- return SECFailure;
+ return SECFailure;
}
*pSingle = NULL;
*pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse);
if (!*pDecodedResponse) {
- return SECFailure;
+ return SECFailure;
}
/*
@@ -5485,7 +5466,7 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
* in the response.
*/
if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) {
- goto loser;
+ goto loser;
}
/*
@@ -5496,32 +5477,32 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg,
&signerCert, issuerCert);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
- PORT_Assert(signerCert != NULL); /* internal consistency check */
+ PORT_Assert(signerCert != NULL); /* internal consistency check */
/* XXX probably should set error, return failure if signerCert is null */
/*
* Again, we are only doing one request for one cert.
* XXX When we handle cert chains, the following code will obviously
* have to be modified, in coordation with the code above that will
- * have to determine how to make multiple requests, etc.
+ * have to determine how to make multiple requests, etc.
*/
- rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID,
+ rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID,
signerCert, time, pSingle);
loser:
if (issuerCert != NULL)
- CERT_DestroyCertificate(issuerCert);
+ CERT_DestroyCertificate(issuerCert);
if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
+ CERT_DestroyCertificate(signerCert);
return rv;
}
/*
* FUNCTION: ocsp_CacheSingleResponse
* This function requires that the caller has checked that the response
- * is valid and verified.
+ * is valid and verified.
* The (positive or negative) valid response will be used to update the cache.
* INPUTS:
* CERTOCSPCertID *certID
@@ -5532,27 +5513,27 @@ loser:
*/
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
- CERTOCSPSingleResponse *single,
- PRBool *certIDWasConsumed)
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed)
{
if (single != NULL) {
- PR_EnterMonitor(OCSP_Global.monitor);
- if (OCSP_Global.maxCacheEntries >= 0) {
- ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
- certIDWasConsumed);
- /* ignore cache update failures */
- }
- PR_ExitMonitor(OCSP_Global.monitor);
+ PR_EnterMonitor(OCSP_Global.monitor);
+ if (OCSP_Global.maxCacheEntries >= 0) {
+ ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
+ certIDWasConsumed);
+ /* ignore cache update failures */
+ }
+ PR_ExitMonitor(OCSP_Global.monitor);
}
}
SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- CERTOCSPSingleResponse
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ CERTOCSPSingleResponse
**pSingleResponse)
{
SECStatus rv;
@@ -5596,11 +5577,11 @@ loser:
}
SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time)
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time)
{
/*
* We do not update the cache, because:
@@ -5612,17 +5593,17 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
* requires the ability to transfer ownership of the the given certID to
* the cache. The external API doesn't allow us to prevent the caller from
* destroying the certID. We don't have the original certificate available,
- * therefore we are unable to produce another certID object (that could
+ * therefore we are unable to produce another certID object (that could
* be stored in the cache).
*
* Should we ever implement code to produce a deep copy of certID,
* then this could be changed to allow updating the cache.
- * The duplication would have to be done in
+ * The duplication would have to be done in
* cert_ProcessOCSPResponse, if the out parameter to indicate
* a transfer of ownership is NULL.
*/
- return cert_ProcessOCSPResponse(handle, response, certID,
- signerCert, time,
+ return cert_ProcessOCSPResponse(handle, response, certID,
+ signerCert, time,
NULL, NULL);
}
@@ -5630,23 +5611,23 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
* The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID.
*/
SECStatus
-cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- PRBool *certIDWasConsumed,
- SECStatus *cacheUpdateStatus)
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ PRBool *certIDWasConsumed,
+ SECStatus *cacheUpdateStatus)
{
SECStatus rv;
SECStatus rv_cache = SECSuccess;
CERTOCSPSingleResponse *single = NULL;
- rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,
+ rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,
signerCert, time, &single);
if (rv == SECSuccess) {
/*
- * Check whether the status says revoked, and if so
+ * Check whether the status says revoked, and if so
* how that compares to the time value passed into this routine.
*/
rv = ocsp_SingleResponseCertHasGoodStatus(single, time);
@@ -5654,15 +5635,15 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
if (certIDWasConsumed) {
/*
- * We don't have copy-of-certid implemented. In order to update
- * the cache, the caller must supply an out variable
+ * We don't have copy-of-certid implemented. In order to update
+ * the cache, the caller must supply an out variable
* certIDWasConsumed, allowing us to return ownership status.
*/
-
+
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.maxCacheEntries >= 0) {
/* single == NULL means: remember response failure */
- rv_cache =
+ rv_cache =
ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID,
single, certIDWasConsumed);
}
@@ -5677,12 +5658,12 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
- PRBool *certIDWasConsumed)
+ PRBool *certIDWasConsumed)
{
SECStatus rv = SECSuccess;
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.maxCacheEntries >= 0) {
- rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL,
+ rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL,
certIDWasConsumed);
}
PR_ExitMonitor(OCSP_Global.monitor);
@@ -5705,12 +5686,12 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
statusContext = statusConfig->statusContext;
PORT_Assert(statusContext != NULL);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
+ PORT_Free(statusContext->defaultResponderURI);
if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
+ PORT_Free(statusContext->defaultResponderNickname);
PORT_Free(statusContext);
statusConfig->statusContext = NULL;
@@ -5720,7 +5701,6 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DisableOCSPChecking
* Turns off OCSP checking for the given certificate database.
@@ -5743,22 +5723,22 @@ CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
ocspCheckingContext *statusContext;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
statusContext = ocsp_GetCheckingContext(handle);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
- /*
- * Status configuration is present, but either not currently
- * enabled or not for OCSP.
- */
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
- return SECFailure;
+ /*
+ * Status configuration is present, but either not currently
+ * enabled or not for OCSP.
+ */
+ PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+ return SECFailure;
}
/* cache no longer necessary */
@@ -5786,17 +5766,17 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle)
PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
if (CERT_GetStatusConfig(handle) != NULL) {
- /* XXX or call statusConfig->statusDestroy and continue? */
- return SECFailure;
+ /* XXX or call statusConfig->statusDestroy and continue? */
+ return SECFailure;
}
statusConfig = PORT_ZNew(CERTStatusConfig);
if (statusConfig == NULL)
- goto loser;
+ goto loser;
statusContext = PORT_ZNew(ocspCheckingContext);
if (statusContext == NULL)
- goto loser;
+ goto loser;
statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
statusConfig->statusContext = statusContext;
@@ -5807,11 +5787,10 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle)
loser:
if (statusConfig != NULL)
- PORT_Free(statusConfig);
+ PORT_Free(statusConfig);
return SECFailure;
}
-
/*
* FUNCTION: CERT_EnableOCSPChecking
* Turns on OCSP checking for the given certificate database.
@@ -5826,23 +5805,23 @@ SECStatus
CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
{
CERTStatusConfig *statusConfig;
-
+
SECStatus rv;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- return rv;
+ rv = ocsp_InitStatusChecking(handle);
+ if (rv != SECSuccess)
+ return rv;
- /* Get newly established value */
- statusConfig = CERT_GetStatusConfig(handle);
- PORT_Assert(statusConfig != NULL);
+ /* Get newly established value */
+ statusConfig = CERT_GetStatusConfig(handle);
+ PORT_Assert(statusConfig != NULL);
}
/*
@@ -5854,7 +5833,6 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_SetOCSPDefaultResponder
* Specify the location and cert of the default responder.
@@ -5881,7 +5859,7 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
*/
SECStatus
CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
- const char *url, const char *name)
+ const char *url, const char *name)
{
CERTCertificate *cert;
ocspCheckingContext *statusContext;
@@ -5890,12 +5868,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
SECStatus rv;
if (handle == NULL || url == NULL || name == NULL) {
- /*
- * XXX When interface is exported, probably want better errors;
- * perhaps different one for each parameter.
- */
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ /*
+ * XXX When interface is exported, probably want better errors;
+ * perhaps different one for each parameter.
+ */
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
/*
@@ -5905,15 +5883,15 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* XXX Shouldn't need that cast if the FindCertByNickname interface
* used const to convey that it does not modify the name. Maybe someday.
*/
- cert = CERT_FindCertByNickname(handle, (char *) name);
+ cert = CERT_FindCertByNickname(handle, (char *)name);
if (cert == NULL) {
- /*
- * look for the cert on an external token.
- */
- cert = PK11_FindCertFromNickname((char *)name, NULL);
+ /*
+ * look for the cert on an external token.
+ */
+ cert = PK11_FindCertFromNickname((char *)name, NULL);
}
if (cert == NULL)
- return SECFailure;
+ return SECFailure;
/*
* Make a copy of the url and nickname.
@@ -5921,8 +5899,8 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
url_copy = PORT_Strdup(url);
name_copy = PORT_Strdup(name);
if (url_copy == NULL || name_copy == NULL) {
- rv = SECFailure;
- goto loser;
+ rv = SECFailure;
+ goto loser;
}
statusContext = ocsp_GetCheckingContext(handle);
@@ -5931,12 +5909,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* Allocate and init the context if it doesn't already exist.
*/
if (statusContext == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- goto loser;
+ rv = ocsp_InitStatusChecking(handle);
+ if (rv != SECSuccess)
+ goto loser;
- statusContext = ocsp_GetCheckingContext(handle);
- PORT_Assert(statusContext != NULL); /* extreme paranoia */
+ statusContext = ocsp_GetCheckingContext(handle);
+ PORT_Assert(statusContext != NULL); /* extreme paranoia */
}
/*
@@ -5949,9 +5927,9 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* Get rid of old url and name if there.
*/
if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
+ PORT_Free(statusContext->defaultResponderNickname);
if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
+ PORT_Free(statusContext->defaultResponderURI);
/*
* And replace them with the new ones.
@@ -5966,13 +5944,14 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* enabled.
*/
if (statusContext->defaultResponderCert != NULL) {
- CERT_DestroyCertificate(statusContext->defaultResponderCert);
- statusContext->defaultResponderCert = cert;
+ CERT_DestroyCertificate(statusContext->defaultResponderCert);
+ statusContext->defaultResponderCert = cert;
/*OCSP enabled, switching responder: clear cache*/
CERT_ClearOCSPCache();
- } else {
- PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
- CERT_DestroyCertificate(cert);
+ }
+ else {
+ PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
+ CERT_DestroyCertificate(cert);
/*OCSP currently not enabled, no need to clear cache*/
}
@@ -5981,13 +5960,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
loser:
CERT_DestroyCertificate(cert);
if (url_copy != NULL)
- PORT_Free(url_copy);
+ PORT_Free(url_copy);
if (name_copy != NULL)
- PORT_Free(name_copy);
+ PORT_Free(name_copy);
return rv;
}
-
/*
* FUNCTION: CERT_EnableOCSPDefaultResponder
* Turns on use of a default responder when OCSP checking.
@@ -6014,36 +5992,36 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
SECCertificateUsage usage;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusContext = ocsp_GetCheckingContext(handle);
if (statusContext == NULL) {
- /*
- * Strictly speaking, the error already set is "correct",
- * but cover over it with one more helpful in this context.
- */
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ /*
+ * Strictly speaking, the error already set is "correct",
+ * but cover over it with one more helpful in this context.
+ */
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
if (statusContext->defaultResponderURI == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
if (statusContext->defaultResponderNickname == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
/*
* Find the cert for the nickname.
*/
cert = CERT_FindCertByNickname(handle,
- statusContext->defaultResponderNickname);
+ statusContext->defaultResponderNickname);
if (cert == NULL) {
cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
NULL);
@@ -6054,13 +6032,13 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
*/
PORT_Assert(cert != NULL);
if (cert == NULL)
- return SECFailure;
+ return SECFailure;
- /*
- * Supplied cert should at least have a signing capability in order for us
- * to use it as a trusted responder cert. Ability to sign is guaranteed if
- * cert is validated to have any set of the usages below.
- */
+ /*
+ * Supplied cert should at least have a signing capability in order for us
+ * to use it as a trusted responder cert. Ability to sign is guaranteed if
+ * cert is validated to have any set of the usages below.
+ */
rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
certificateUsageCheckAllUsages,
NULL, &usage);
@@ -6071,8 +6049,8 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
certificateUsageObjectSigner |
certificateUsageStatusResponder |
certificateUsageSSLCA)) == 0) {
- PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID);
+ return SECFailure;
}
/*
@@ -6090,7 +6068,6 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DisableOCSPDefaultResponder
* Turns off use of a default responder when OCSP checking.
@@ -6111,23 +6088,23 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
CERTCertificate *tmpCert;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig == NULL)
- return SECSuccess;
+ return SECSuccess;
statusContext = ocsp_GetCheckingContext(handle);
PORT_Assert(statusContext != NULL);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
tmpCert = statusContext->defaultResponderCert;
if (tmpCert) {
- statusContext->defaultResponderCert = NULL;
- CERT_DestroyCertificate(tmpCert);
+ statusContext->defaultResponderCert = NULL;
+ CERT_DestroyCertificate(tmpCert);
/* we don't allow a mix of cache entries from different responders */
CERT_ClearOCSPCache();
}
@@ -6159,29 +6136,29 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
{
PORT_Assert(response);
if (response->statusValue == ocspResponse_successful)
- return SECSuccess;
+ return SECSuccess;
switch (response->statusValue) {
- case ocspResponse_malformedRequest:
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- break;
- case ocspResponse_internalError:
- PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
- break;
- case ocspResponse_tryLater:
- PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
- break;
- case ocspResponse_sigRequired:
- /* XXX We *should* retry with a signature, if possible. */
- PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
- break;
- case ocspResponse_unauthorized:
- PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
- break;
- case ocspResponse_unused:
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
- break;
+ case ocspResponse_malformedRequest:
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ break;
+ case ocspResponse_internalError:
+ PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+ break;
+ case ocspResponse_tryLater:
+ PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
+ break;
+ case ocspResponse_sigRequired:
+ /* XXX We *should* retry with a signature, if possible. */
+ PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
+ break;
+ case ocspResponse_unauthorized:
+ PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
+ break;
+ case ocspResponse_unused:
+ default:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
+ break;
}
return SECFailure;
}
diff --git a/lib/certhigh/ocsp.h b/lib/certhigh/ocsp.h
index 75225eb03..ac9dd6465 100644
--- a/lib/certhigh/ocsp.h
+++ b/lib/certhigh/ocsp.h
@@ -9,7 +9,6 @@
#ifndef _OCSP_H_
#define _OCSP_H_
-
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
@@ -17,7 +16,6 @@
#include "certt.h"
#include "ocspt.h"
-
/************************************************************************/
SEC_BEGIN_PROTOS
@@ -134,7 +132,7 @@ CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
*/
extern SECStatus
CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
- const char *url, const char *name);
+ const char *url, const char *name);
/*
* FUNCTION: CERT_EnableOCSPDefaultResponder
@@ -174,7 +172,7 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
/* If forcePost is set, OCSP requests will only be sent using the HTTP POST
* method. When forcePost is not set, OCSP requests will be sent using the
* HTTP GET method, with a fallback to POST when we fail to receive a response
- * and/or when we receive an uncacheable response like "Unknown."
+ * and/or when we receive an uncacheable response like "Unknown."
*
* The default is to use GET and fallback to POST.
*/
@@ -191,7 +189,7 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
/*
* FUNCTION: CERT_CreateOCSPRequest
- * Creates a CERTOCSPRequest, requesting the status of the certs in
+ * Creates a CERTOCSPRequest, requesting the status of the certs in
* the given list.
* INPUTS:
* CERTCertList *certList
@@ -203,7 +201,7 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no effect on the request itself.
* PRBool addServiceLocator
@@ -221,9 +219,9 @@ extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
* Other errors are low-level problems (no memory, bad database, etc.).
*/
extern CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert);
+CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert);
/*
* FUNCTION: CERT_AddOCSPAcceptableResponses
@@ -243,13 +241,13 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
*/
extern SECStatus
CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
- SECOidTag responseType0, ...);
+ SECOidTag responseType0, ...);
-/*
+/*
* FUNCTION: CERT_EncodeOCSPRequest
* DER encodes an OCSP Request, possibly adding a signature as well.
* XXX Signing is not yet supported, however; see comments in code.
- * INPUTS:
+ * INPUTS:
* PLArenaPool *arena
* The return value is allocated from here.
* If a NULL is passed in, allocation is done from the heap instead.
@@ -264,8 +262,8 @@ CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
* (e.g. no memory).
*/
extern SECItem *
-CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
- void *pwArg);
+CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
+ void *pwArg);
/*
* FUNCTION: CERT_DecodeOCSPRequest
@@ -341,7 +339,7 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
* const char *location
* The location of the OCSP responder (a URL).
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no other bearing on the operation.
* PRBool addServiceLocator
@@ -369,10 +367,10 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
*/
extern SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
- const char *location, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest);
+ const char *location, PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest);
/*
* FUNCTION: CERT_VerifyOCSPResponseSignature
@@ -406,10 +404,10 @@ CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
* verifying the signer's cert, or low-level problems (no memory, etc.)
*/
extern SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
- CERTCertDBHandle *handle, void *pwArg,
- CERTCertificate **pSignerCert,
- CERTCertificate *issuerCert);
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
+ CERTCertDBHandle *handle, void *pwArg,
+ CERTCertificate **pSignerCert,
+ CERTCertificate *issuerCert);
/*
* FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
@@ -425,7 +423,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* extension is not present or it does not contain an entry for OCSP,
* SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
* Any other error will also result in a NULL being returned.
- *
+ *
* This result should be freed (via PORT_Free) when no longer in use.
*/
extern char *
@@ -433,21 +431,21 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);
/*
* FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
- * This function serves two purposes.
- * 1) It registers the address of a callback function that will be
- * called for certs that have no OCSP AIA extension, to see if the
+ * This function serves two purposes.
+ * 1) It registers the address of a callback function that will be
+ * called for certs that have no OCSP AIA extension, to see if the
* callback wishes to supply an alternative URL for such an OCSP inquiry.
- * 2) It outputs the previously registered function's address to the
+ * 2) It outputs the previously registered function's address to the
* address supplied by the caller, unless that is NULL.
- * The registered callback function returns NULL, or an allocated string
+ * The registered callback function returns NULL, or an allocated string
* that may be subsequently freed by calling PORT_Free().
* RETURN:
* SECSuccess or SECFailure (if the library is not yet intialized)
*/
extern SECStatus
CERT_RegisterAlternateOCSPAIAInfoCallBack(
- CERT_StringFromCertFcn newCallback,
- CERT_StringFromCertFcn * oldCallback);
+ CERT_StringFromCertFcn newCallback,
+ CERT_StringFromCertFcn *oldCallback);
/*
* FUNCTION: CERT_ParseURL
@@ -521,10 +519,10 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath);
* (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
* verifying the signer's cert, or low-level problems (error allocating
* memory, error performing ASN.1 decoding, etc.).
- */
-extern SECStatus
+ */
+extern SECStatus
CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRTime time, void *pwArg);
+ PRTime time, void *pwArg);
/*
* FUNCTION: CERT_CacheOCSPResponseFromSideChannel
@@ -556,10 +554,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
extern SECStatus
CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
- CERTCertificate *cert,
- PRTime time,
- const SECItem *encodedResponse,
- void *pwArg);
+ CERTCertificate *cert,
+ PRTime time,
+ const SECItem *encodedResponse,
+ void *pwArg);
/*
* FUNCTION: CERT_GetOCSPStatusForCertID
@@ -581,11 +579,11 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
* Return values are the same as those for CERT_CheckOCSPStatus
*/
extern SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time);
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time);
/*
* FUNCTION CERT_GetOCSPResponseStatus
@@ -619,10 +617,10 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
* the issuing CA may be an older expired certificate.
* RETURN:
* A new copy of a CERTOCSPCertID*. The memory for this certID
- * should be freed by calling CERT_DestroyOCSPCertID when the
+ * should be freed by calling CERT_DestroyOCSPCertID when the
* certID is no longer necessary.
*/
-extern CERTOCSPCertID*
+extern CERTOCSPCertID *
CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
/*
@@ -630,7 +628,7 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
* Frees the memory associated with the certID passed in.
* INPUTS:
* CERTOCSPCertID* certID
- * The certID that the caller no longer needs and wants to
+ * The certID that the caller no longer needs and wants to
* free the associated memory.
* RETURN:
* SECSuccess if freeing the memory was successful. Returns
@@ -638,31 +636,30 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
* a call to CERT_CreateOCSPCertID.
*/
extern SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
-
+CERT_DestroyOCSPCertID(CERTOCSPCertID *certID);
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate);
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate);
-extern CERTOCSPSingleResponse*
+extern CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseRevoked(
PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate,
PRTime revocationTime,
- const CERTCRLEntryReasonCode* revocationReason);
+ const CERTCRLEntryReasonCode *revocationReason);
-extern SECItem*
+extern SECItem *
CERT_CreateEncodedOCSPSuccessResponse(
PLArenaPool *arena,
CERTCertificate *responderCert,
@@ -703,7 +700,7 @@ CERT_CreateEncodedOCSPSuccessResponse(
* SEC_ERROR_INVALID_ARGS
* Other errors are low-level problems (no memory, bad database, etc.).
*/
-extern SECItem*
+extern SECItem *
CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
/* Sends an OCSP request using the HTTP POST method to the location addressed
@@ -717,7 +714,7 @@ CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
* SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
* internal HTTP client is used.
*/
-SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
/************************************************************************/
diff --git a/lib/certhigh/ocspi.h b/lib/certhigh/ocspi.h
index 01c20daec..c946d9f51 100644
--- a/lib/certhigh/ocspi.h
+++ b/lib/certhigh/ocspi.h
@@ -35,13 +35,15 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
void *pwArg);
CERTOCSPRequest *
-cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
- CERTCertificate *singleCert,
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert);
-typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
+typedef enum { ocspMissing,
+ ocspFresh,
+ ocspStale } OCSPFreshness;
SECStatus
ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
@@ -84,13 +86,13 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
*/
SECStatus
-cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- PRBool *certIDWasConsumed,
- SECStatus *cacheUpdateStatus);
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ PRBool *certIDWasConsumed,
+ SECStatus *cacheUpdateStatus);
/*
* FUNCTION: cert_RememberOCSPProcessingFailure
@@ -109,7 +111,7 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
- PRBool *certIDWasConsumed);
+ PRBool *certIDWasConsumed);
/*
* FUNCTION: ocsp_GetResponderLocation
@@ -146,11 +148,11 @@ size_t
ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
CERTOCSPSingleResponse **pSingleResponse);
SECStatus
@@ -158,7 +160,7 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
- CERTOCSPSingleResponse *single,
- PRBool *certIDWasConsumed);
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed);
#endif /* _OCSPI_H_ */
diff --git a/lib/certhigh/ocspsig.c b/lib/certhigh/ocspsig.c
index 232e247f3..958dee029 100644
--- a/lib/certhigh/ocspsig.c
+++ b/lib/certhigh/ocspsig.c
@@ -19,12 +19,11 @@
#include "ocspi.h"
#include "pk11pub.h"
-
extern const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[];
extern const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[];
extern const SEC_ASN1Template ocsp_OCSPResponseTemplate[];
-ocspCertStatus*
+ocspCertStatus *
ocsp_CreateCertStatus(PLArenaPool *arena,
ocspCertStatusType status,
PRTime revocationTime)
@@ -45,7 +44,7 @@ ocsp_CreateCertStatus(PLArenaPool *arena,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
-
+
cs = PORT_ArenaZNew(arena, ocspCertStatus);
if (!cs)
return NULL;
@@ -71,8 +70,9 @@ ocsp_CreateCertStatus(PLArenaPool *arena,
if (!cs->certStatusInfo.revokedInfo->revocationReason)
return NULL;
if (DER_TimeToGeneralizedTimeArena(arena,
- &cs->certStatusInfo.revokedInfo->revocationTime,
- revocationTime) != SECSuccess)
+ &cs->certStatusInfo.revokedInfo->revocationTime,
+ revocationTime) !=
+ SECSuccess)
return NULL;
break;
default:
@@ -91,11 +91,11 @@ static const SEC_ASN1Template mySEC_PointerToEnumeratedTemplate[] = {
static const SEC_ASN1Template ocsp_EncodeRevokedInfoTemplate[] = {
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspRevokedInfo, revocationTime) },
+ offsetof(ocspRevokedInfo, revocationTime) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC| 0,
- offsetof(ocspRevokedInfo, revocationReason),
- mySEC_PointerToEnumeratedTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ocspRevokedInfo, revocationReason),
+ mySEC_PointerToEnumeratedTemplate },
{ 0 }
};
@@ -110,25 +110,25 @@ static const SEC_ASN1Template mySEC_NullTemplate[] = {
static const SEC_ASN1Template ocsp_CertStatusTemplate[] = {
{ SEC_ASN1_CHOICE, offsetof(ocspCertStatus, certStatusType),
- 0, sizeof(ocspCertStatus) },
+ 0, sizeof(ocspCertStatus) },
{ SEC_ASN1_CONTEXT_SPECIFIC | 0,
- 0, mySEC_NullTemplate, ocspCertStatus_good },
+ 0, mySEC_NullTemplate, ocspCertStatus_good },
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
- SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
- ocsp_PointerToEncodeRevokedInfoTemplate, ocspCertStatus_revoked },
+ SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+ ocsp_PointerToEncodeRevokedInfoTemplate, ocspCertStatus_revoked },
{ SEC_ASN1_CONTEXT_SPECIFIC | 2,
- 0, mySEC_NullTemplate, ocspCertStatus_unknown },
+ 0, mySEC_NullTemplate, ocspCertStatus_unknown },
{ 0 }
};
static const SEC_ASN1Template mySECOID_AlgorithmIDTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(SECAlgorithmID) },
+ 0, NULL, sizeof(SECAlgorithmID) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(SECAlgorithmID,algorithm) },
+ offsetof(SECAlgorithmID, algorithm) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(SECAlgorithmID,parameters) },
+ offsetof(SECAlgorithmID, parameters) },
{ 0 }
};
@@ -153,7 +153,7 @@ static const SEC_ASN1Template mySEC_PointerToIntegerTemplate[] = {
};
static const SEC_ASN1Template mySEC_GeneralizedTimeTemplate[] = {
- { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+ { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
};
static const SEC_ASN1Template mySEC_PointerToGeneralizedTimeTemplate[] = {
@@ -162,28 +162,28 @@ static const SEC_ASN1Template mySEC_PointerToGeneralizedTimeTemplate[] = {
static const SEC_ASN1Template ocsp_myCertIDTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPCertID) },
+ 0, NULL, sizeof(CERTOCSPCertID) },
{ SEC_ASN1_INLINE,
- offsetof(CERTOCSPCertID, hashAlgorithm),
- mySECOID_AlgorithmIDTemplate },
+ offsetof(CERTOCSPCertID, hashAlgorithm),
+ mySECOID_AlgorithmIDTemplate },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerNameHash) },
+ offsetof(CERTOCSPCertID, issuerNameHash) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerKeyHash) },
+ offsetof(CERTOCSPCertID, issuerKeyHash) },
{ SEC_ASN1_INTEGER,
- offsetof(CERTOCSPCertID, serialNumber) },
+ offsetof(CERTOCSPCertID, serialNumber) },
{ 0 }
};
static const SEC_ASN1Template myCERT_CertExtensionTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTCertExtension) },
+ 0, NULL, sizeof(CERTCertExtension) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(CERTCertExtension,id) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
- offsetof(CERTCertExtension,critical) },
+ offsetof(CERTCertExtension, id) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
+ offsetof(CERTCertExtension, critical) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTCertExtension,value) },
+ offsetof(CERTCertExtension, value) },
{ 0 }
};
@@ -197,66 +197,65 @@ static const SEC_ASN1Template myCERT_PointerToSequenceOfCertExtensionTemplate[]
static const SEC_ASN1Template ocsp_mySingleResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPSingleResponse) },
+ 0, NULL, sizeof(CERTOCSPSingleResponse) },
{ SEC_ASN1_POINTER,
- offsetof(CERTOCSPSingleResponse, certID),
- ocsp_myCertIDTemplate },
+ offsetof(CERTOCSPSingleResponse, certID),
+ ocsp_myCertIDTemplate },
{ SEC_ASN1_ANY,
- offsetof(CERTOCSPSingleResponse, derCertStatus) },
+ offsetof(CERTOCSPSingleResponse, derCertStatus) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(CERTOCSPSingleResponse, thisUpdate) },
+ offsetof(CERTOCSPSingleResponse, thisUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPSingleResponse, nextUpdate),
- mySEC_PointerToGeneralizedTimeTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(CERTOCSPSingleResponse, nextUpdate),
+ mySEC_PointerToGeneralizedTimeTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTOCSPSingleResponse, singleExtensions),
- myCERT_PointerToSequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(CERTOCSPSingleResponse, singleExtensions),
+ myCERT_PointerToSequenceOfCertExtensionTemplate },
{ 0 }
};
static const SEC_ASN1Template ocsp_myResponseDataTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseData) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspResponseData, version),
- mySEC_PointerToIntegerTemplate },
+ 0, NULL, sizeof(ocspResponseData) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ocspResponseData, version),
+ mySEC_PointerToIntegerTemplate },
{ SEC_ASN1_ANY,
- offsetof(ocspResponseData, derResponderID) },
+ offsetof(ocspResponseData, derResponderID) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspResponseData, producedAt) },
+ offsetof(ocspResponseData, producedAt) },
{ SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspResponseData, responses),
- ocsp_mySingleResponseTemplate },
+ offsetof(ocspResponseData, responses),
+ ocsp_mySingleResponseTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponseData, responseExtensions),
- myCERT_PointerToSequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspResponseData, responseExtensions),
+ myCERT_PointerToSequenceOfCertExtensionTemplate },
{ 0 }
};
-
static const SEC_ASN1Template ocsp_EncodeBasicOCSPResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspBasicOCSPResponse) },
+ 0, NULL, sizeof(ocspBasicOCSPResponse) },
{ SEC_ASN1_POINTER,
- offsetof(ocspBasicOCSPResponse, tbsResponseData),
- ocsp_myResponseDataTemplate },
+ offsetof(ocspBasicOCSPResponse, tbsResponseData),
+ ocsp_myResponseDataTemplate },
{ SEC_ASN1_INLINE,
- offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
- mySECOID_AlgorithmIDTemplate },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+ mySECOID_AlgorithmIDTemplate },
{ SEC_ASN1_BIT_STRING,
- offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
- mySEC_PointerToSequenceOfAnyTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+ mySEC_PointerToSequenceOfAnyTemplate },
{ 0 }
};
-static CERTOCSPSingleResponse*
+static CERTOCSPSingleResponse *
ocsp_CreateSingleResponse(PLArenaPool *arena,
CERTOCSPCertID *id, ocspCertStatus *status,
PRTime thisUpdate, const PRTime *nextUpdate)
@@ -274,25 +273,25 @@ ocsp_CreateSingleResponse(PLArenaPool *arena,
sr->arena = arena;
sr->certID = id;
sr->certStatus = status;
- if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate)
- != SECSuccess)
+ if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate) !=
+ SECSuccess)
return NULL;
sr->nextUpdate = NULL;
if (nextUpdate) {
sr->nextUpdate = SECITEM_AllocItem(arena, NULL, 0);
if (!sr->nextUpdate)
return NULL;
- if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate)
- != SECSuccess)
+ if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate) !=
+ SECSuccess)
return NULL;
}
- sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension*, 1);
+ sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension *, 1);
if (!sr->singleExtensions)
return NULL;
sr->singleExtensions[0] = NULL;
-
+
if (!SEC_ASN1EncodeItem(arena, &sr->derCertStatus,
status, ocsp_CertStatusTemplate))
return NULL;
@@ -300,13 +299,13 @@ ocsp_CreateSingleResponse(PLArenaPool *arena,
return sr;
}
-CERTOCSPSingleResponse*
+CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate)
{
- ocspCertStatus * cs;
+ ocspCertStatus *cs;
if (!arena) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
@@ -317,13 +316,13 @@ CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
}
-CERTOCSPSingleResponse*
+CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate)
{
- ocspCertStatus * cs;
+ ocspCertStatus *cs;
if (!arena) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
@@ -334,16 +333,16 @@ CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
}
-CERTOCSPSingleResponse*
+CERTOCSPSingleResponse *
CERT_CreateOCSPSingleResponseRevoked(
PLArenaPool *arena,
CERTOCSPCertID *id,
PRTime thisUpdate,
const PRTime *nextUpdate,
PRTime revocationTime,
- const CERTCRLEntryReasonCode* revocationReason)
+ const CERTCRLEntryReasonCode *revocationReason)
{
- ocspCertStatus * cs;
+ ocspCertStatus *cs;
/* revocationReason is not yet supported, so it must be NULL. */
if (!arena || revocationReason) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -357,7 +356,7 @@ CERT_CreateOCSPSingleResponseRevoked(
/* responderCert == 0 means:
* create a response with an invalid signature (for testing purposes) */
-SECItem*
+SECItem *
CERT_CreateEncodedOCSPSuccessResponse(
PLArenaPool *arena,
CERTCertificate *responderCert,
@@ -373,12 +372,12 @@ CERT_CreateEncodedOCSPSuccessResponse(
ocspBasicOCSPResponse *br = NULL;
ocspResponseBytes *rb = NULL;
CERTOCSPResponse *response = NULL;
-
+
SECOidTag algID;
SECOidData *od = NULL;
SECKEYPrivateKey *privKey = NULL;
SECItem *result = NULL;
-
+
if (!arena || !responses) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
@@ -408,114 +407,114 @@ CERT_CreateEncodedOCSPSuccessResponse(
response = PORT_ArenaZNew(tmpArena, CERTOCSPResponse);
if (!response)
goto done;
-
- rd->version.data=NULL;
- rd->version.len=0;
+
+ rd->version.data = NULL;
+ rd->version.len = 0;
rd->responseExtensions = NULL;
rd->responses = responses;
- if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt)
- != SECSuccess)
+ if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt) !=
+ SECSuccess)
goto done;
if (!responderCert) {
- /* use invalid signature for testing purposes */
- unsigned char dummyChar = 'd';
- SECItem dummy;
-
- dummy.len = 1;
- dummy.data = &dummyChar;
-
- /* it's easier to produdce a keyHash out of nowhere,
- * than to produce an encoded subject,
- * so for our dummy response we always use byKey
- */
-
- rid->responderIDType = ocspResponderID_byKey;
- if (!ocsp_DigestValue(tmpArena, SEC_OID_SHA1, &rid->responderIDValue.keyHash,
- &dummy))
- goto done;
-
- if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
- ocsp_ResponderIDByKeyTemplate))
- goto done;
-
- br->tbsResponseData = rd;
-
- if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
- ocsp_myResponseDataTemplate))
- goto done;
-
- br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
- if (!br->responseSignature.derCerts)
- goto done;
- br->responseSignature.derCerts[0] = NULL;
-
- algID = SEC_GetSignatureAlgorithmOidTag(rsaKey, SEC_OID_SHA1);
- if (algID == SEC_OID_UNKNOWN)
- goto done;
-
- /* match the regular signature code, which doesn't use the arena */
- if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1))
- goto done;
- PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1);
-
- /* convert len-in-bytes to len-in-bits */
- br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
+ /* use invalid signature for testing purposes */
+ unsigned char dummyChar = 'd';
+ SECItem dummy;
+
+ dummy.len = 1;
+ dummy.data = &dummyChar;
+
+ /* it's easier to produdce a keyHash out of nowhere,
+ * than to produce an encoded subject,
+ * so for our dummy response we always use byKey
+ */
+
+ rid->responderIDType = ocspResponderID_byKey;
+ if (!ocsp_DigestValue(tmpArena, SEC_OID_SHA1, &rid->responderIDValue.keyHash,
+ &dummy))
+ goto done;
+
+ if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
+ ocsp_ResponderIDByKeyTemplate))
+ goto done;
+
+ br->tbsResponseData = rd;
+
+ if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
+ ocsp_myResponseDataTemplate))
+ goto done;
+
+ br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem *, 1);
+ if (!br->responseSignature.derCerts)
+ goto done;
+ br->responseSignature.derCerts[0] = NULL;
+
+ algID = SEC_GetSignatureAlgorithmOidTag(rsaKey, SEC_OID_SHA1);
+ if (algID == SEC_OID_UNKNOWN)
+ goto done;
+
+ /* match the regular signature code, which doesn't use the arena */
+ if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1))
+ goto done;
+ PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1);
+
+ /* convert len-in-bytes to len-in-bits */
+ br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
}
else {
- rid->responderIDType = responderIDType;
- if (responderIDType == ocspResponderID_byName) {
- responderIDTemplate = ocsp_ResponderIDByNameTemplate;
- if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
- &responderCert->subject) != SECSuccess)
- goto done;
- }
- else {
- responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
- if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
- SEC_OID_SHA1, &rid->responderIDValue.keyHash))
- goto done;
- }
-
- if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
- responderIDTemplate))
- goto done;
-
- br->tbsResponseData = rd;
-
- if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
- ocsp_myResponseDataTemplate))
- goto done;
-
- br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem*, 1);
- if (!br->responseSignature.derCerts)
- goto done;
- br->responseSignature.derCerts[0] = NULL;
-
- privKey = PK11_FindKeyByAnyCert(responderCert, wincx);
- if (!privKey)
- goto done;
-
- algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
- if (algID == SEC_OID_UNKNOWN)
- goto done;
-
- if (SEC_SignData(&br->responseSignature.signature,
- br->tbsResponseDataDER.data, br->tbsResponseDataDER.len,
- privKey, algID)
- != SECSuccess)
- goto done;
-
- /* convert len-in-bytes to len-in-bits */
- br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
-
- /* br->responseSignature.signature wasn't allocated from arena,
- * we must free it when done. */
+ rid->responderIDType = responderIDType;
+ if (responderIDType == ocspResponderID_byName) {
+ responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+ if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
+ &responderCert->subject) != SECSuccess)
+ goto done;
+ }
+ else {
+ responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+ if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
+ SEC_OID_SHA1, &rid->responderIDValue.keyHash))
+ goto done;
+ }
+
+ if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
+ responderIDTemplate))
+ goto done;
+
+ br->tbsResponseData = rd;
+
+ if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
+ ocsp_myResponseDataTemplate))
+ goto done;
+
+ br->responseSignature.derCerts = PORT_ArenaNewArray(tmpArena, SECItem *, 1);
+ if (!br->responseSignature.derCerts)
+ goto done;
+ br->responseSignature.derCerts[0] = NULL;
+
+ privKey = PK11_FindKeyByAnyCert(responderCert, wincx);
+ if (!privKey)
+ goto done;
+
+ algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
+ if (algID == SEC_OID_UNKNOWN)
+ goto done;
+
+ if (SEC_SignData(&br->responseSignature.signature,
+ br->tbsResponseDataDER.data, br->tbsResponseDataDER.len,
+ privKey, algID) !=
+ SECSuccess)
+ goto done;
+
+ /* convert len-in-bytes to len-in-bits */
+ br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
+
+ /* br->responseSignature.signature wasn't allocated from arena,
+ * we must free it when done. */
}
- if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0)
- != SECSuccess)
- goto done;
+ if (SECOID_SetAlgorithmID(tmpArena, &br->responseSignature.signatureAlgorithm, algID, 0) !=
+ SECSuccess)
+ goto done;
if (!SEC_ASN1EncodeItem(tmpArena, &rb->response, br,
ocsp_EncodeBasicOCSPResponseTemplate))
@@ -552,15 +551,15 @@ done:
static const SEC_ASN1Template ocsp_OCSPErrorResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPResponse) },
+ 0, NULL, sizeof(CERTOCSPResponse) },
{ SEC_ASN1_ENUMERATED,
- offsetof(CERTOCSPResponse, responseStatus) },
+ offsetof(CERTOCSPResponse, responseStatus) },
{ 0, 0,
- mySEC_NullTemplate },
+ mySEC_NullTemplate },
{ 0 }
};
-SECItem*
+SECItem *
CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error)
{
CERTOCSPResponse response;
diff --git a/lib/certhigh/ocspt.h b/lib/certhigh/ocspt.h
index 888fd32c7..db429ff05 100644
--- a/lib/certhigh/ocspt.h
+++ b/lib/certhigh/ocspt.h
@@ -46,8 +46,8 @@ typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
* dependent, and should be opaque to the user.
*/
-typedef void * SEC_HTTP_SERVER_SESSION;
-typedef void * SEC_HTTP_REQUEST_SESSION;
+typedef void *SEC_HTTP_SERVER_SESSION;
+typedef void *SEC_HTTP_REQUEST_SESSION;
/*
* This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a
@@ -61,9 +61,9 @@ typedef void * SEC_HTTP_REQUEST_SESSION;
* after processing is finished.
*/
typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)(
- const char *host,
- PRUint16 portnum,
- SEC_HTTP_SERVER_SESSION *pSession);
+ const char *host,
+ PRUint16 portnum,
+ SEC_HTTP_SERVER_SESSION *pSession);
/*
* This function is called to allow the implementation to attempt to keep
@@ -77,10 +77,10 @@ typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)(
* SECWouldBlock and store a nonzero value at "pPollDesc". In that case
* the caller may wait on the poll descriptor, and should call this function
* again until SECSuccess (and a zero value at "pPollDesc") is obtained.
- */
+ */
typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)(
- SEC_HTTP_SERVER_SESSION session,
- PRPollDesc **pPollDesc);
+ SEC_HTTP_SERVER_SESSION session,
+ PRPollDesc **pPollDesc);
/*
* This function frees the client SEC_HTTP_SERVER_SESSION object, closes all
@@ -88,9 +88,9 @@ typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)(
* frees any memory that was allocated by the client, and invalidates any
* response pointers that might have been returned by prior server or request
* functions.
- */
+ */
typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)(
- SEC_HTTP_SERVER_SESSION session);
+ SEC_HTTP_SERVER_SESSION session);
/*
* This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a
@@ -111,30 +111,30 @@ typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)(
* after processing is finished.
*/
typedef SECStatus (*SEC_HttpRequest_CreateFcn)(
- SEC_HTTP_SERVER_SESSION session,
- const char *http_protocol_variant, /* usually "http" */
- const char *path_and_query_string,
- const char *http_request_method,
- const PRIntervalTime timeout,
- SEC_HTTP_REQUEST_SESSION *pRequest);
+ SEC_HTTP_SERVER_SESSION session,
+ const char *http_protocol_variant, /* usually "http" */
+ const char *path_and_query_string,
+ const char *http_request_method,
+ const PRIntervalTime timeout,
+ SEC_HTTP_REQUEST_SESSION *pRequest);
/*
* This function sets data to be sent to the server for an HTTP request
- * of http_request_method == POST. If a particular implementation
- * supports it, the details for the POST request can be set by calling
+ * of http_request_method == POST. If a particular implementation
+ * supports it, the details for the POST request can be set by calling
* this function, prior to activating the request with TrySendAndReceiveFcn.
*
- * An implementation that does not support the POST method should
+ * An implementation that does not support the POST method should
* implement a SetPostDataFcn function that returns immediately.
*
* Setting http_content_type is optional, the parameter may
* by NULL or the empty string.
- */
+ */
typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)(
- SEC_HTTP_REQUEST_SESSION request,
- const char *http_data,
- const PRUint32 http_data_len,
- const char *http_content_type);
+ SEC_HTTP_REQUEST_SESSION request,
+ const char *http_data,
+ const PRUint32 http_data_len,
+ const char *http_content_type);
/*
* This function sets an additional HTTP protocol request header.
@@ -144,11 +144,11 @@ typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)(
*
* An implementation that does not support setting additional headers
* should implement an AddRequestHeaderFcn function that returns immediately.
- */
+ */
typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
- SEC_HTTP_REQUEST_SESSION request,
- const char *http_header_name,
- const char *http_header_value);
+ SEC_HTTP_REQUEST_SESSION request,
+ const char *http_header_name,
+ const char *http_header_value);
/*
* This function initiates or continues an HTTP request. After
@@ -180,10 +180,10 @@ typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
* size, the function will return SECFailure.
* http_response_data_len will be set to a value different from zero to
* indicate the reason of the failure.
- * An out value of "0" means, the failure was unrelated to the
+ * An out value of "0" means, the failure was unrelated to the
* acceptable size.
* An out value of "1" means, the result data is larger than the
- * accpeptable size, but the real size is not yet known to the http client
+ * accpeptable size, but the real size is not yet known to the http client
* implementation and it stopped retrieving it,
* Any other out value combined with a return value of SECFailure
* will indicate the actual size of the server data.
@@ -195,64 +195,64 @@ typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
* the completion of the operation.
*
* All returned pointers will be owned by the the HttpClient
- * implementation and will remain valid until the call to
+ * implementation and will remain valid until the call to
* SEC_HttpRequest_FreeFcn.
- */
+ */
typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)(
- SEC_HTTP_REQUEST_SESSION request,
- PRPollDesc **pPollDesc,
- PRUint16 *http_response_code,
- const char **http_response_content_type,
- const char **http_response_headers,
- const char **http_response_data,
- PRUint32 *http_response_data_len);
+ SEC_HTTP_REQUEST_SESSION request,
+ PRPollDesc **pPollDesc,
+ PRUint16 *http_response_code,
+ const char **http_response_content_type,
+ const char **http_response_headers,
+ const char **http_response_data,
+ PRUint32 *http_response_data_len);
/*
* Calling CancelFcn asks for premature termination of the request.
*
* Future calls to SEC_HttpRequest_TrySendAndReceive should
- * by avoided, but in this case the HttpClient implementation
+ * by avoided, but in this case the HttpClient implementation
* is expected to return immediately with SECFailure.
*
- * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn
+ * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn
* is still necessary to free resources.
- */
+ */
typedef SECStatus (*SEC_HttpRequest_CancelFcn)(
- SEC_HTTP_REQUEST_SESSION request);
+ SEC_HTTP_REQUEST_SESSION request);
/*
* Before calling this function, it must be assured the request
* has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has
* returned SECSuccess, or the request has been canceled with
* a call to SEC_HttpRequest_CancelFcn.
- *
- * This function frees the client state object, closes all sockets,
- * discards all partial results, frees any memory that was allocated
+ *
+ * This function frees the client state object, closes all sockets,
+ * discards all partial results, frees any memory that was allocated
* by the client, and invalidates all response pointers that might
* have been returned by SEC_HttpRequest_TrySendAndReceiveFcn
- */
+ */
typedef SECStatus (*SEC_HttpRequest_FreeFcn)(
- SEC_HTTP_REQUEST_SESSION request);
+ SEC_HTTP_REQUEST_SESSION request);
typedef struct SEC_HttpClientFcnV1Struct {
- SEC_HttpServer_CreateSessionFcn createSessionFcn;
- SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn;
- SEC_HttpServer_FreeSessionFcn freeSessionFcn;
- SEC_HttpRequest_CreateFcn createFcn;
- SEC_HttpRequest_SetPostDataFcn setPostDataFcn;
- SEC_HttpRequest_AddHeaderFcn addHeaderFcn;
- SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn;
- SEC_HttpRequest_CancelFcn cancelFcn;
- SEC_HttpRequest_FreeFcn freeFcn;
+ SEC_HttpServer_CreateSessionFcn createSessionFcn;
+ SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn;
+ SEC_HttpServer_FreeSessionFcn freeSessionFcn;
+ SEC_HttpRequest_CreateFcn createFcn;
+ SEC_HttpRequest_SetPostDataFcn setPostDataFcn;
+ SEC_HttpRequest_AddHeaderFcn addHeaderFcn;
+ SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn;
+ SEC_HttpRequest_CancelFcn cancelFcn;
+ SEC_HttpRequest_FreeFcn freeFcn;
} SEC_HttpClientFcnV1;
typedef struct SEC_HttpClientFcnStruct {
- PRInt16 version;
- union {
- SEC_HttpClientFcnV1 ftable1;
- /* SEC_HttpClientFcnV2 ftable2; */
- /* ... */
- } fcnTable;
+ PRInt16 version;
+ union {
+ SEC_HttpClientFcnV1 ftable1;
+ /* SEC_HttpClientFcnV2 ftable2; */
+ /* ... */
+ } fcnTable;
} SEC_HttpClientFcn;
/*
@@ -293,7 +293,7 @@ typedef enum {
*/
typedef enum {
- ocspResponderID_other = -1, /* unknown kind of responderID */
+ ocspResponderID_other = -1, /* unknown kind of responderID */
ocspResponderID_byName = 1,
ocspResponderID_byKey = 2
} CERTOCSPResponderIDType;
diff --git a/lib/certhigh/ocspti.h b/lib/certhigh/ocspti.h
index a2b3852f2..d9297dba6 100644
--- a/lib/certhigh/ocspti.h
+++ b/lib/certhigh/ocspti.h
@@ -16,7 +16,6 @@
#include "seccomon.h"
#include "secoidt.h"
-
/*
* Some notes about naming conventions...
*
@@ -49,7 +48,6 @@
* way around (reference before definition).
*/
-
/*
* Forward-declarations of internal-only data structures.
*
@@ -67,12 +65,11 @@ typedef struct ocspSingleRequestStr ocspSingleRequest;
typedef struct ocspSingleResponseStr ocspSingleResponse;
typedef struct ocspTBSRequestStr ocspTBSRequest;
-
/*
* An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
*/
struct CERTOCSPRequestStr {
- PLArenaPool *arena; /* local; not part of encoding */
+ PLArenaPool *arena; /* local; not part of encoding */
ocspTBSRequest *tbsRequest;
ocspSignature *optionalSignature;
};
@@ -92,12 +89,12 @@ struct CERTOCSPRequestStr {
* in-progress extensions as they are optionally added to the request.
*/
struct ocspTBSRequestStr {
- SECItem version; /* an INTEGER */
- SECItem *derRequestorName; /* encoded GeneralName; see above */
- CERTGeneralNameList *requestorName; /* local; not part of encoding */
+ SECItem version; /* an INTEGER */
+ SECItem *derRequestorName; /* encoded GeneralName; see above */
+ CERTGeneralNameList *requestorName; /* local; not part of encoding */
ocspSingleRequest **requestList;
CERTCertExtension **requestExtensions;
- void *extensionHandle; /* local; not part of encoding */
+ void *extensionHandle; /* local; not part of encoding */
};
/*
@@ -124,12 +121,12 @@ struct ocspTBSRequestStr {
*/
struct ocspSignatureStr {
SECAlgorithmID signatureAlgorithm;
- SECItem signature; /* a BIT STRING */
- SECItem **derCerts; /* a SEQUENCE OF Certificate */
- CERTCertificate *cert; /* local; not part of encoding */
- PRBool wasChecked; /* local; not part of encoding */
- SECStatus status; /* local; not part of encoding */
- int failureReason; /* local; not part of encoding */
+ SECItem signature; /* a BIT STRING */
+ SECItem **derCerts; /* a SEQUENCE OF Certificate */
+ CERTCertificate *cert; /* local; not part of encoding */
+ PRBool wasChecked; /* local; not part of encoding */
+ SECStatus status; /* local; not part of encoding */
+ int failureReason; /* local; not part of encoding */
};
/*
@@ -140,11 +137,11 @@ struct ocspSignatureStr {
* but since that seemed confusing (vs. an OCSPRequest) and to be more
* consistent with the parallel type "SingleResponse", I called it a
* "SingleRequest".
- *
+ *
* XXX figure out how to get rid of that arena -- there must be a way
*/
struct ocspSingleRequestStr {
- PLArenaPool *arena; /* just a copy of the response arena,
+ PLArenaPool *arena; /* just a copy of the response arena,
* needed here for extension handling
* routines, on creation only */
CERTOCSPCertID *reqCert;
@@ -160,14 +157,14 @@ struct ocspSingleRequestStr {
*/
struct CERTOCSPCertIDStr {
SECAlgorithmID hashAlgorithm;
- SECItem issuerNameHash; /* an OCTET STRING */
- SECItem issuerKeyHash; /* an OCTET STRING */
- SECItem serialNumber; /* an INTEGER */
- SECItem issuerSHA1NameHash; /* keep other hashes around when */
- SECItem issuerMD5NameHash; /* we have them */
+ SECItem issuerNameHash; /* an OCTET STRING */
+ SECItem issuerKeyHash; /* an OCTET STRING */
+ SECItem serialNumber; /* an INTEGER */
+ SECItem issuerSHA1NameHash; /* keep other hashes around when */
+ SECItem issuerMD5NameHash; /* we have them */
SECItem issuerMD2NameHash;
- SECItem issuerSHA1KeyHash; /* keep other hashes around when */
- SECItem issuerMD5KeyHash; /* we have them */
+ SECItem issuerSHA1KeyHash; /* keep other hashes around when */
+ SECItem issuerMD5KeyHash; /* we have them */
SECItem issuerMD2KeyHash;
PLArenaPool *poolp;
};
@@ -209,10 +206,10 @@ typedef enum {
* type ocspResponseStatus.
*/
struct CERTOCSPResponseStr {
- PLArenaPool *arena; /* local; not part of encoding */
- SECItem responseStatus; /* an ENUMERATED, see above */
- ocspResponseStatus statusValue; /* local; not part of encoding */
- ocspResponseBytes *responseBytes; /* only when status is successful */
+ PLArenaPool *arena; /* local; not part of encoding */
+ SECItem responseStatus; /* an ENUMERATED, see above */
+ ocspResponseStatus statusValue; /* local; not part of encoding */
+ ocspResponseBytes *responseBytes; /* only when status is successful */
};
/*
@@ -230,12 +227,12 @@ struct CERTOCSPResponseStr {
* response types, just add them to the union.
*/
struct ocspResponseBytesStr {
- SECItem responseType; /* an OBJECT IDENTIFIER */
- SECOidTag responseTypeTag; /* local; not part of encoding */
- SECItem response; /* an OCTET STRING */
+ SECItem responseType; /* an OBJECT IDENTIFIER */
+ SECOidTag responseTypeTag; /* local; not part of encoding */
+ SECItem response; /* an OCTET STRING */
union {
- ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */
- } decodedResponse; /* local; not part of encoding */
+ ocspBasicOCSPResponse *basic; /* when type is id-pkix-ocsp-basic */
+ } decodedResponse; /* local; not part of encoding */
};
/*
@@ -250,7 +247,7 @@ struct ocspResponseBytesStr {
*/
struct ocspBasicOCSPResponseStr {
SECItem tbsResponseDataDER;
- ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */
+ ocspResponseData *tbsResponseData; /* "tbs" == To Be Signed */
ocspSignature responseSignature;
};
@@ -260,38 +257,38 @@ struct ocspBasicOCSPResponseStr {
* (a per-certificate status).
*/
struct ocspResponseDataStr {
- SECItem version; /* an INTEGER */
+ SECItem version; /* an INTEGER */
SECItem derResponderID;
- ocspResponderID *responderID; /* local; not part of encoding */
- SECItem producedAt; /* a GeneralizedTime */
+ ocspResponderID *responderID; /* local; not part of encoding */
+ SECItem producedAt; /* a GeneralizedTime */
CERTOCSPSingleResponse **responses;
CERTCertExtension **responseExtensions;
};
struct ocspResponderIDStr {
- CERTOCSPResponderIDType responderIDType;/* local; not part of encoding */
+ CERTOCSPResponderIDType responderIDType; /* local; not part of encoding */
union {
- CERTName name; /* when ocspResponderID_byName */
- SECItem keyHash; /* when ocspResponderID_byKey */
- SECItem other; /* when ocspResponderID_other */
+ CERTName name; /* when ocspResponderID_byName */
+ SECItem keyHash; /* when ocspResponderID_byKey */
+ SECItem other; /* when ocspResponderID_other */
} responderIDValue;
};
/*
* The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
* SingleResponse -- one for each certificate whose status is being supplied.
- *
+ *
* XXX figure out how to get rid of that arena -- there must be a way
*/
struct CERTOCSPSingleResponseStr {
- PLArenaPool *arena; /* just a copy of the response arena,
+ PLArenaPool *arena; /* just a copy of the response arena,
* needed here for extension handling
* routines, on creation only */
CERTOCSPCertID *certID;
SECItem derCertStatus;
- ocspCertStatus *certStatus; /* local; not part of encoding */
- SECItem thisUpdate; /* a GeneralizedTime */
- SECItem *nextUpdate; /* a GeneralizedTime */
+ ocspCertStatus *certStatus; /* local; not part of encoding */
+ SECItem thisUpdate; /* a GeneralizedTime */
+ SECItem *nextUpdate; /* a GeneralizedTime */
CERTCertExtension **singleExtensions;
};
@@ -313,10 +310,10 @@ struct CERTOCSPSingleResponseStr {
*/
typedef enum {
- ocspCertStatus_good, /* cert is not revoked */
- ocspCertStatus_revoked, /* cert is revoked */
- ocspCertStatus_unknown, /* cert was unknown to the responder */
- ocspCertStatus_other /* status was not an expected value */
+ ocspCertStatus_good, /* cert is not revoked */
+ ocspCertStatus_revoked, /* cert is revoked */
+ ocspCertStatus_unknown, /* cert was unknown to the responder */
+ ocspCertStatus_other /* status was not an expected value */
} ocspCertStatusType;
/*
@@ -327,13 +324,13 @@ typedef enum {
* gives more detailed information.)
*/
struct ocspCertStatusStr {
- ocspCertStatusType certStatusType; /* local; not part of encoding */
+ ocspCertStatusType certStatusType; /* local; not part of encoding */
union {
- SECItem *goodInfo; /* when ocspCertStatus_good */
- ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */
- SECItem *unknownInfo; /* when ocspCertStatus_unknown */
- SECItem *otherInfo; /* when ocspCertStatus_other */
- } certStatusInfo;
+ SECItem *goodInfo; /* when ocspCertStatus_good */
+ ocspRevokedInfo *revokedInfo; /* when ocspCertStatus_revoked */
+ SECItem *unknownInfo; /* when ocspCertStatus_unknown */
+ SECItem *otherInfo; /* when ocspCertStatus_other */
+ } certStatusInfo;
};
/*
@@ -341,8 +338,8 @@ struct ocspCertStatusStr {
* was revoked and why.
*/
struct ocspRevokedInfoStr {
- SECItem revocationTime; /* a GeneralizedTime */
- SECItem *revocationReason; /* a CRLReason; ignored for now */
+ SECItem revocationTime; /* a GeneralizedTime */
+ SECItem *revocationReason; /* a CRLReason; ignored for now */
};
/*
@@ -353,7 +350,7 @@ struct ocspRevokedInfoStr {
*/
struct ocspServiceLocatorStr {
CERTName *issuer;
- SECItem locator; /* DER encoded authInfoAccess extension from cert */
+ SECItem locator; /* DER encoded authInfoAccess extension from cert */
};
#endif /* _OCSPTI_H_ */
diff --git a/lib/certhigh/xcrldist.c b/lib/certhigh/xcrldist.c
index 291a9d888..4f74cdb25 100644
--- a/lib/certhigh/xcrldist.c
+++ b/lib/certhigh/xcrldist.c
@@ -12,203 +12,201 @@
SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
-extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
+extern void PrepareBitStringForEncoding(SECItem *bitMap, SECItem *value);
static const SEC_ASN1Template FullNameTemplate[] = {
- {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
- offsetof (CRLDistributionPoint,derFullName),
- CERT_GeneralNamesTemplate}
+ { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+ offsetof(CRLDistributionPoint, derFullName),
+ CERT_GeneralNamesTemplate }
};
static const SEC_ASN1Template RelativeNameTemplate[] = {
- {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1,
- offsetof (CRLDistributionPoint,distPoint.relativeName),
- CERT_RDNTemplate}
+ { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1,
+ offsetof(CRLDistributionPoint, distPoint.relativeName),
+ CERT_RDNTemplate }
};
static const SEC_ASN1Template DistributionPointNameTemplate[] = {
{ SEC_ASN1_CHOICE,
- offsetof(CRLDistributionPoint, distPointType), NULL,
- sizeof(CRLDistributionPoint) },
+ offsetof(CRLDistributionPoint, distPointType), NULL,
+ sizeof(CRLDistributionPoint) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
- offsetof (CRLDistributionPoint, derFullName),
- CERT_GeneralNamesTemplate, generalName },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1,
- offsetof (CRLDistributionPoint, distPoint.relativeName),
- CERT_RDNTemplate, relativeDistinguishedName },
+ offsetof(CRLDistributionPoint, derFullName),
+ CERT_GeneralNamesTemplate, generalName },
+ { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1,
+ offsetof(CRLDistributionPoint, distPoint.relativeName),
+ CERT_RDNTemplate, relativeDistinguishedName },
{ 0 }
};
static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0,
- offsetof(CRLDistributionPoint,derDistPoint),
- SEC_ASN1_SUB(SEC_AnyTemplate)},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
- offsetof(CRLDistributionPoint,bitsmap),
- SEC_ASN1_SUB(SEC_BitStringTemplate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_CONSTRUCTED | 2,
- offsetof(CRLDistributionPoint, derCrlIssuer),
- CERT_GeneralNamesTemplate},
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0,
+ offsetof(CRLDistributionPoint, derDistPoint),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ offsetof(CRLDistributionPoint, bitsmap),
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_CONSTRUCTED | 2,
+ offsetof(CRLDistributionPoint, derCrlIssuer),
+ CERT_GeneralNamesTemplate },
{ 0 }
};
const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
- {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
+ { SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate }
};
SECStatus
-CERT_EncodeCRLDistributionPoints (PLArenaPool *arena,
- CERTCrlDistributionPoints *value,
- SECItem *derValue)
+CERT_EncodeCRLDistributionPoints(PLArenaPool *arena,
+ CERTCrlDistributionPoints *value,
+ SECItem *derValue)
{
CRLDistributionPoint **pointList, *point;
PLArenaPool *ourPool = NULL;
SECStatus rv = SECSuccess;
- PORT_Assert (derValue);
- PORT_Assert (value && value->distPoints);
+ PORT_Assert(derValue);
+ PORT_Assert(value && value->distPoints);
do {
- ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
- if (ourPool == NULL) {
- rv = SECFailure;
- break;
- }
-
- pointList = value->distPoints;
- while (*pointList) {
- point = *pointList;
- point->derFullName = NULL;
- point->derDistPoint.data = NULL;
-
- switch (point->distPointType) {
- case generalName:
- point->derFullName = cert_EncodeGeneralNames
- (ourPool, point->distPoint.fullName);
-
- if (!point->derFullName ||
- !SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
- point, FullNameTemplate))
- rv = SECFailure;
- break;
-
- case relativeDistinguishedName:
- if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint,
- point, RelativeNameTemplate))
- rv = SECFailure;
- break;
-
- default:
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- rv = SECFailure;
- break;
- }
-
- if (rv != SECSuccess)
- break;
-
- if (point->reasons.data)
- PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
-
- if (point->crlIssuer) {
- point->derCrlIssuer = cert_EncodeGeneralNames
- (ourPool, point->crlIssuer);
- if (!point->derCrlIssuer) {
- rv = SECFailure;
- break;
- }
- }
- ++pointList;
- }
- if (rv != SECSuccess)
- break;
- if (!SEC_ASN1EncodeItem(arena, derValue, value,
- CERTCRLDistributionPointsTemplate)) {
- rv = SECFailure;
- break;
- }
+ ourPool = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (ourPool == NULL) {
+ rv = SECFailure;
+ break;
+ }
+
+ pointList = value->distPoints;
+ while (*pointList) {
+ point = *pointList;
+ point->derFullName = NULL;
+ point->derDistPoint.data = NULL;
+
+ switch (point->distPointType) {
+ case generalName:
+ point->derFullName = cert_EncodeGeneralNames(ourPool, point->distPoint.fullName);
+
+ if (!point->derFullName ||
+ !SEC_ASN1EncodeItem(ourPool, &point->derDistPoint,
+ point, FullNameTemplate))
+ rv = SECFailure;
+ break;
+
+ case relativeDistinguishedName:
+ if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint,
+ point, RelativeNameTemplate))
+ rv = SECFailure;
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
+ rv = SECFailure;
+ break;
+ }
+
+ if (rv != SECSuccess)
+ break;
+
+ if (point->reasons.data)
+ PrepareBitStringForEncoding(&point->bitsmap, &point->reasons);
+
+ if (point->crlIssuer) {
+ point->derCrlIssuer = cert_EncodeGeneralNames(ourPool, point->crlIssuer);
+ if (!point->derCrlIssuer) {
+ rv = SECFailure;
+ break;
+ }
+ }
+ ++pointList;
+ }
+ if (rv != SECSuccess)
+ break;
+ if (!SEC_ASN1EncodeItem(arena, derValue, value,
+ CERTCRLDistributionPointsTemplate)) {
+ rv = SECFailure;
+ break;
+ }
} while (0);
- PORT_FreeArena (ourPool, PR_FALSE);
+ PORT_FreeArena(ourPool, PR_FALSE);
return rv;
}
CERTCrlDistributionPoints *
-CERT_DecodeCRLDistributionPoints (PLArenaPool *arena, SECItem *encodedValue)
+CERT_DecodeCRLDistributionPoints(PLArenaPool *arena, SECItem *encodedValue)
{
- CERTCrlDistributionPoints *value = NULL;
- CRLDistributionPoint **pointList, *point;
- SECStatus rv = SECSuccess;
- SECItem newEncodedValue;
-
- PORT_Assert (arena);
- do {
- value = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
- if (value == NULL) {
- rv = SECFailure;
- break;
- }
+ CERTCrlDistributionPoints *value = NULL;
+ CRLDistributionPoint **pointList, *point;
+ SECStatus rv = SECSuccess;
+ SECItem newEncodedValue;
+
+ PORT_Assert(arena);
+ do {
+ value = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
+ if (value == NULL) {
+ rv = SECFailure;
+ break;
+ }
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue);
if (rv != SECSuccess)
- break;
-
- rv = SEC_QuickDERDecodeItem(arena, &value->distPoints,
- CERTCRLDistributionPointsTemplate, &newEncodedValue);
- if (rv != SECSuccess)
- break;
-
- pointList = value->distPoints;
- while (NULL != (point = *pointList)) {
-
- /* get the data if the distributionPointName is not omitted */
- if (point->derDistPoint.data != NULL) {
- rv = SEC_QuickDERDecodeItem(arena, point,
- DistributionPointNameTemplate, &(point->derDistPoint));
- if (rv != SECSuccess)
- break;
-
- switch (point->distPointType) {
- case generalName:
- point->distPoint.fullName =
- cert_DecodeGeneralNames(arena, point->derFullName);
- rv = point->distPoint.fullName ? SECSuccess : SECFailure;
- break;
-
- case relativeDistinguishedName:
- break;
-
- default:
- PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
- rv = SECFailure;
- break;
- } /* end switch */
- if (rv != SECSuccess)
- break;
- } /* end if */
-
- /* Get the reason code if it's not omitted in the encoding */
- if (point->bitsmap.data != NULL) {
- SECItem bitsmap = point->bitsmap;
- DER_ConvertBitString(&bitsmap);
- rv = SECITEM_CopyItem(arena, &point->reasons, &bitsmap);
- if (rv != SECSuccess)
- break;
- }
-
- /* Get the crl issuer name if it's not omitted in the encoding */
- if (point->derCrlIssuer != NULL) {
- point->crlIssuer = cert_DecodeGeneralNames(arena,
- point->derCrlIssuer);
- if (!point->crlIssuer)
- break;
- }
- ++pointList;
- } /* end while points remain */
- } while (0);
- return (rv == SECSuccess ? value : NULL);
+ break;
+
+ rv = SEC_QuickDERDecodeItem(arena, &value->distPoints,
+ CERTCRLDistributionPointsTemplate, &newEncodedValue);
+ if (rv != SECSuccess)
+ break;
+
+ pointList = value->distPoints;
+ while (NULL != (point = *pointList)) {
+
+ /* get the data if the distributionPointName is not omitted */
+ if (point->derDistPoint.data != NULL) {
+ rv = SEC_QuickDERDecodeItem(arena, point,
+ DistributionPointNameTemplate, &(point->derDistPoint));
+ if (rv != SECSuccess)
+ break;
+
+ switch (point->distPointType) {
+ case generalName:
+ point->distPoint.fullName =
+ cert_DecodeGeneralNames(arena, point->derFullName);
+ rv = point->distPoint.fullName ? SECSuccess : SECFailure;
+ break;
+
+ case relativeDistinguishedName:
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
+ rv = SECFailure;
+ break;
+ } /* end switch */
+ if (rv != SECSuccess)
+ break;
+ } /* end if */
+
+ /* Get the reason code if it's not omitted in the encoding */
+ if (point->bitsmap.data != NULL) {
+ SECItem bitsmap = point->bitsmap;
+ DER_ConvertBitString(&bitsmap);
+ rv = SECITEM_CopyItem(arena, &point->reasons, &bitsmap);
+ if (rv != SECSuccess)
+ break;
+ }
+
+ /* Get the crl issuer name if it's not omitted in the encoding */
+ if (point->derCrlIssuer != NULL) {
+ point->crlIssuer = cert_DecodeGeneralNames(arena,
+ point->derCrlIssuer);
+ if (!point->crlIssuer)
+ break;
+ }
+ ++pointList;
+ } /* end while points remain */
+ } while (0);
+ return (rv == SECSuccess ? value : NULL);
}
View Lorry Controller Status