author | richard.freedman%sun.com <devnull@localhost> | 2006-06-22 15:40:11 +0000 |
---|---|---|
committer | richard.freedman%sun.com <devnull@localhost> | 2006-06-22 15:40:11 +0000 |
commit | 1ef0aca8e25a538f602c346e4f3485a11874f20d (patch) | |
tree | 0e90bbfdc1294df6927c9a155cecdeab368c06c7 | |
parent | 0a081b83ee6af7295fabd6a47047c82519a6889c (diff) | |
download | nss-hg-1ef0aca8e25a538f602c346e4f3485a11874f20d.tar.gz |
Isolate the CERT_VerifyCert call in OCSP processing, and allow the user
to provide an alternate function (via PKIX_OcspChecker_SetVerifyFcn).
8 files changed, 302 insertions, 29 deletions
diff --git a/security/nss/cmd/libpkix/pkix/top/ocspchecker/test_ocsp.c b/security/nss/cmd/libpkix/pkix/top/ocspchecker/test_ocsp.c index 255dcd733..cbe095d88 100644 --- a/security/nss/cmd/libpkix/pkix/top/ocspchecker/test_ocsp.c +++ b/security/nss/cmd/libpkix/pkix/top/ocspchecker/test_ocsp.c @@ -97,6 +97,8 @@ testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) PKIX_ProcessingParams *procParams = NULL; PKIX_PL_Date *validity = NULL; PKIX_List *revCheckers = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_PL_Object *revCheckerContext = NULL; PKIX_OcspChecker *ocspChecker = NULL; PKIX_TEST_STD_VARS(); @@ -132,15 +134,29 @@ testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); /* create revChecker */ - PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Create + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize (validity, NULL, /* pwArg */ NULL, /* Use default responder */ - &ocspChecker, + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_GetRevCheckerContext + (revChecker, &revCheckerContext, plContext)); + + /* Check that this object is a ocsp checker */ + PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType + (revCheckerContext, PKIX_OCSPCHECKER_TYPE, plContext)); + + ocspChecker = (PKIX_OcspChecker *)revCheckerContext; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_SetVerifyFcn + (ocspChecker, + PKIX_PL_OcspResponse_UseBuildChain, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem - (revCheckers, (PKIX_PL_Object *)ocspChecker, plContext)); + (revCheckers, (PKIX_PL_Object *)revChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers (procParams, revCheckers, plContext)); @@ -151,6 +167,7 @@ cleanup: PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); PKIX_TEST_DECREF_AC(ocspChecker); PKIX_TEST_DECREF_AC(validity); 
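Review bot: The new calls in testDefaultCertStore install `PKIX_PL_OcspResponse_UseBuildChain` via `PKIX_OcspChecker_SetVerifyFcn` only on a path where every step is expected to succeed, so nothing here demonstrates that a rejecting verify function makes validation fail. Because that callback decides whether the OCSP response signer is trusted, I would add a second case that installs a callback which always returns an error and expects the validation to fail, so a fail-open regression is caught. The cast `ocspChecker = (PKIX_OcspChecker *)revCheckerContext;` is only safe if the preceding `pkix_CheckType` passed; whether `PKIX_TEST_EXPECT_NO_ERROR` stops the test on failure is not visible here, so confirm it does. The function body extends beyond this hunk.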
diff --git a/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c b/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c index c64c32b82..c72885a37 100755 --- a/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c +++ b/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c @@ -97,7 +97,7 @@ testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) PKIX_ProcessingParams *procParams = NULL; PKIX_PL_Date *validity = NULL; PKIX_List *revCheckers = NULL; - PKIX_OcspChecker *ocspChecker = NULL; + PKIX_RevocationChecker *ocspChecker = NULL; PKIX_TEST_STD_VARS(); @@ -132,7 +132,7 @@ testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); /* create revChecker */ - PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Create + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize (validity, NULL, /* pwArg */ NULL, /* Use default responder */ diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h index b5999e9eb..2fe2729f9 100755 --- a/security/nss/lib/libpkix/include/pkix_pl_pki.h +++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h @@ -2438,6 +2438,12 @@ PKIX_PL_AIAMgr_GetAIACerts( typedef PKIX_Error * (*PKIX_PL_OcspResponse_VerifyCallback)( + PKIX_PL_Cert *signerCert, + PKIX_PL_Date *producedAt, + void **pNBIOContext, + void **pState, + PKIX_BuildResult **pBuildResult, + PKIX_VerifyNode **pVerifyTree, void *plContext); PKIX_Error * 
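Review bot: The widened `PKIX_PL_OcspResponse_VerifyCallback` typedef in pkix_pl_pki.h has no comment describing its contract, and since the callback stands in for the CERT_VerifyCert step on the OCSP signer certificate, implementers need that contract written down. I would add a block comment above the typedef stating that a NULL return means the signer certificate was accepted and any returned error must be treated as a verification failure, that a non-NULL `*pNBIOContext` on return means the call would block and has to be resumed, and who owns the references handed back through `pState`, `pBuildResult` and `pVerifyTree`. The resume and ownership semantics are inferred from the parameter names and from PKIX_PL_OcspResponse_UseBuildChain later in this commit, so the author should confirm them before they go into the comment.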
@@ -2447,36 +2453,36 @@ pkix_pl_OcspRequest_Create( PKIX_Boolean addServiceLocator, PKIX_PL_Cert *signerCert, PKIX_Boolean *pURIFound, - PKIX_PL_OcspRequest **pRequest, + PKIX_PL_OcspRequest **pRequest, void *plContext); PKIX_Error * pkix_pl_OcspResponse_Create( - PKIX_PL_OcspRequest *request, - void *responder, + PKIX_PL_OcspRequest *request, + void *responder, PKIX_PL_OcspResponse_VerifyCallback verifyFcn, - void **pNBIOContext, + void **pNBIOContext, PKIX_PL_OcspResponse **pResponse, void *plContext); PKIX_Error * pkix_pl_OcspResponse_Decode( PKIX_PL_OcspResponse *response, - PKIX_Boolean *passed, + PKIX_Boolean *passed, SECErrorCodes *pReturnCode, void *plContext); PKIX_Error * pkix_pl_OcspResponse_GetStatus( PKIX_PL_OcspResponse *response, - PKIX_Boolean *passed, + PKIX_Boolean *passed, SECErrorCodes *pReturnCode, void *plContext); PKIX_Error * pkix_pl_OcspResponse_VerifySignature( PKIX_PL_OcspResponse *response, - PKIX_PL_Cert *cert, + PKIX_PL_Cert *cert, PKIX_Boolean *pPassed, SECErrorCodes *pReturnCode, void *plContext); diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c index 42f75a651..5f0ead332 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c @@ -43,6 +43,7 @@ #include "pkix_ocspchecker.h" + /* --Private-Functions-------------------------------------------- */ /* @@ -186,7 +187,7 @@ pkix_OcspChecker_Check( } - /* send request and create response */ + /* send request and create a response object */ PKIX_CHECK(pkix_pl_OcspResponse_Create (request, checker->responder, @@ -240,10 +241,10 @@ cleanup: } /* - * FUNCTION: PKIX_OcspChecker_Create (see comments in pkix_checker.h) + * FUNCTION: pkix_OcspChecker_Create */ PKIX_Error * -PKIX_OcspChecker_Create( +pkix_OcspChecker_Create( PKIX_PL_Date *validityTime, void *passwordInfo, void *responder, 
@@ -253,7 +254,7 @@ PKIX_OcspChecker_Create( PKIX_OcspChecker *checkerObject = NULL; PKIX_RevocationChecker *revChecker = NULL; - PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_Create"); + PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Create"); PKIX_NULLCHECK_ONE(pChecker); PKIX_CHECK(PKIX_PL_Object_Alloc @@ -275,16 +276,9 @@ PKIX_OcspChecker_Create( checkerObject->responder = responder; checkerObject->nbioContext = NULL; - PKIX_CHECK(PKIX_RevocationChecker_Create - (pkix_OcspChecker_Check, - (PKIX_PL_Object *)checkerObject, - &revChecker, - plContext), - "PKIX_RevocationChecker_Create failed"); + *pChecker = checkerObject; - *pChecker = (PKIX_OcspChecker *)revChecker; cleanup: - PKIX_DECREF(checkerObject); PKIX_RETURN(OCSPCHECKER); @@ -326,3 +320,53 @@ PKIX_OcspChecker_SetOCSPResponder( PKIX_RETURN(OCSPCHECKER); } +/* + * FUNCTION: PKIX_OcspChecker_SetVerifyFcn + * (see comments in pkix_checker.h) + */ +PKIX_Error * +PKIX_OcspChecker_SetVerifyFcn( + PKIX_OcspChecker *checker, + PKIX_PL_OcspResponse_VerifyCallback verifyFcn, + void *plContext) +{ + PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_SetVerifyFcn"); + PKIX_NULLCHECK_ONE(checker); + + checker->verifyFcn = verifyFcn; + + PKIX_RETURN(OCSPCHECKER); +} + +PKIX_Error * +PKIX_OcspChecker_Initialize( + PKIX_PL_Date *validityTime, + void *passwordInfo, + void *responder, + PKIX_RevocationChecker **pChecker, + void *plContext) +{ + PKIX_OcspChecker *oChecker = NULL; + + PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_Initialize"); + PKIX_NULLCHECK_ONE(pChecker); + + PKIX_CHECK(pkix_OcspChecker_Create + (validityTime, passwordInfo, responder, &oChecker, plContext), + "PKIX_OcspChecker_Create failed"); + + PKIX_CHECK(PKIX_RevocationChecker_Create + (pkix_OcspChecker_Check, + (PKIX_PL_Object *)oChecker, + pChecker, + plContext), + "PKIX_RevocationChecker_Create failed"); + +cleanup: + + PKIX_DECREF(oChecker); + + PKIX_RETURN(OCSPCHECKER); +} + + 
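Review bot: With `PKIX_DECREF(checkerObject);` removed from the cleanup label of pkix_OcspChecker_Create, a failure between `PKIX_PL_Object_Alloc` and `*pChecker = checkerObject;` would leave the allocated checker unreleased; the lines in between are outside the hunk, so this needs checking against the full function. Keeping the release and making the ownership transfer explicit avoids the question: `*pChecker = checkerObject; checkerObject = NULL;` before `cleanup:` and `PKIX_DECREF(checkerObject);` after it. The visible initialisers set `responder` and `nbioContext` only; confirm that `verifyFcn` is also set to NULL here, because pkix_pl_OcspResponse_VerifySignature branches on `response->verifyFcn != NULL` and an uninitialised pointer would be called.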
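Review bot: `PKIX_OcspChecker_Initialize` is a new exported entry point with no header comment, and the comment on `PKIX_OcspChecker_SetVerifyFcn` points to pkix_checker.h although the prototypes this commit adds are in pkix_ocspchecker.h and carry no description. The documentation should say that the supplied function alone decides whether the responder's signer certificate is trusted, and that passing NULL selects the built-in CERT_VerifyCert path (as the `response->verifyFcn != NULL` test in pkix_pl_OcspResponse_VerifySignature implies). In `PKIX_OcspChecker_Initialize` the failure string for the `pkix_OcspChecker_Create` call still reads `"PKIX_OcspChecker_Create failed"`; `"pkix_OcspChecker_Create failed"` would match the renamed function.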
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h index 7a63e21e9..1a4369866 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h @@ -65,11 +65,29 @@ struct PKIX_OcspCheckerStruct { PKIX_Error *pkix_OcspChecker_RegisterSelf(void *plContext); PKIX_Error * -PKIX_OcspChecker_Create( +PKIX_OcspChecker_SetPasswordInfo( + PKIX_OcspChecker *checker, + void *passwordInfo, + void *plContext); + +PKIX_Error * +PKIX_OcspChecker_SetOCSPResponder( + PKIX_OcspChecker *checker, + void *ocspResponder, + void *plContext); + +PKIX_Error * +PKIX_OcspChecker_SetVerifyFcn( + PKIX_OcspChecker *checker, + PKIX_PL_OcspResponse_VerifyCallback verifyFcn, + void *plContext); + +PKIX_Error * +PKIX_OcspChecker_Initialize( PKIX_PL_Date *validityTime, void *passwordInfo, void *responder, - PKIX_OcspChecker **pChecker, + PKIX_RevocationChecker **pChecker, void *plContext); #ifdef __cplusplus diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index 623a59dcd..71c60d48d 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c 
@@ -140,6 +140,159 @@ loser: return NULL; } +/* ----Public functions------------------------------------- */ +/* + * This is the libpkix replacement for CERT_VerifyOCSPResponseSignature. + * It is used if it has been set as the verifyFcn member of ocspChecker. + */ +PKIX_Error * +PKIX_PL_OcspResponse_UseBuildChain( + PKIX_PL_Cert *signerCert, + PKIX_PL_Date *producedAt, + void **pNBIOContext, + void **pState, + PKIX_BuildResult **pBuildResult, + PKIX_VerifyNode **pVerifyTree, + void *plContext) +{ + PKIX_List *anchorsList = NULL; + PKIX_List *certStores = NULL; + PKIX_List *revCheckers = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_Date *date = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_CertStore *certStore = NULL; + void *state = NULL; + void *nbioContext = NULL; + PKIX_Error *buildError = NULL; + + PKIX_ENTER(OCSPRESPONSE, "pkix_OcspResponse_UseBuildChain"); + PKIX_NULLCHECK_THREE(signerCert, producedAt, pNBIOContext); + PKIX_NULLCHECK_THREE(pState, pBuildResult, pVerifyTree); + + nbioContext = *pNBIOContext; + *pNBIOContext = NULL; + + /* Are we resuming after a WOULDBLOCK return, or starting anew ? */ + if (nbioContext == NULL) { + /* Starting anew */ + PKIX_CHECK(PKIX_List_Create(&anchorsList, plContext), + "PKIX_List_Create failed"); + + PKIX_CHECK(PKIX_ProcessingParams_Create + (anchorsList, &procParams, plContext), + "PKIX_ProcessingParams_Create failed"); + + PKIX_CHECK(PKIX_ProcessingParams_SetDate(procParams, date, plContext), + "PKIX_ProcessingParams_SetDate failed"); + + /* + * Let's hope the default value used in PKIX_ProcessingParams_Create + * is suitable. I don't see how to get a caller-supplied value in here. 
+ * + * PKIX_CHECK(PKIX_ProcessingParams_SetRevocationEnabled + * (procParams, isCrlEnabled, plContext), + * "PKIX_ProcessingParams_SetRevocationEnabled failed"); + * + */ + PKIX_CHECK(PKIX_ProcessingParams_SetRevocationEnabled + (procParams, PKIX_FALSE, plContext), + "PKIX_ProcessingParams_SetRevocationEnabled failed"); + + /* create CertSelector with target certificate in params */ + + PKIX_CHECK(PKIX_ComCertSelParams_Create(&certSelParams, plContext), + "PKIX_ComCertSelParams_Create failed"); + + PKIX_CHECK(PKIX_ComCertSelParams_SetCertificate + (certSelParams, signerCert, plContext), + "PKIX_ComCertSelParams_SetCertificate failed"); + + PKIX_CHECK(PKIX_CertSelector_Create + (NULL, NULL, &certSelector, plContext), + "PKIX_CertSelector_Create failed"); + + PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams + (certSelector, certSelParams, plContext), + "PKIX_CertSelector_SetCommonCertSelectorParams failed"); + + PKIX_CHECK(PKIX_ProcessingParams_SetTargetCertConstraints + (procParams, certSelector, plContext), + "PKIX_ProcessingParams_SetTargetCertConstraints failed"); + + /* create CertStores */ + + PKIX_CHECK(PKIX_List_Create(&certStores, plContext), + "PKIX_List_Create failed"); + + PKIX_CHECK(PKIX_PL_Pk11CertStore_Create(&certStore, plContext), + "PKIX_PL_Pk11CertStore_Create failed"); + + PKIX_CHECK(PKIX_List_AppendItem + (certStores, (PKIX_PL_Object *)certStore, plContext), + "PKIX_List_AppendItem failed"); + + PKIX_CHECK(PKIX_ProcessingParams_SetCertStores + (procParams, certStores, plContext), + "PKIX_ProcessingParams_SetCertStores failed"); + + /* create RevocationCheckers */ + + /* + * PKIX_CHECK(PKIX_List_Create(&revCheckers, plContext), + * "PKIX_List_Create failed"); + */ + + /* + * PKIX_CHECK(PKIX_List_AppendItem + * (revCheckers, (PKIX_PL_Object *)revChecker, plContext), + * "PKIX_List_AppendItem failed"); + */ + + /* + * PKIX_CHECK(PKIX_ProcessingParams_SetRevocationCheckers + * (procParams, revCheckers, plContext), + * 
"PKIX_ProcessingParams_SetRevocationCheckers failed"); + */ + + } + + buildError = PKIX_BuildChain + (procParams, + &nbioContext, + pState, + pBuildResult, + pVerifyTree, + plContext); + + /* non-null nbioContext means the build would block */ + if (nbioContext != NULL) { + + *pNBIOContext = nbioContext; + + /* no buildResult means the build has failed */ + } else if (buildError || (pBuildResult == NULL)) { + PKIX_ERROR("Unable to build chain"); + } else { + PKIX_DECREF(*pState); + } + +cleanup: + + PKIX_DECREF(procParams); + PKIX_DECREF(date); + PKIX_DECREF(anchorsList); + PKIX_DECREF(certSelParams); + PKIX_DECREF(certSelector); + PKIX_DECREF(certStores); + PKIX_DECREF(certStore); + PKIX_DECREF(revCheckers); + + PKIX_RETURN(OCSPRESPONSE); + +} + /* --Private-OcspResponse-Functions------------------------------------- */ /* @@ -772,6 +925,13 @@ pkix_pl_OcspResponse_VerifySignature( int64 producedAt = 0; CERTCertDBHandle *handle = NULL; void *pwarg = NULL; /* must modify API if this can be non-NULL */ + void *nbioContext = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_PL_Date *producedAtDate = NULL; + void *state = NULL; + PKIX_BuildResult *buildResult = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_Error *verifyError = NULL; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifySignature"); PKIX_NULLCHECK_FOUR(response, cert, pPassed, pReturnCode); 
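Review bot: In PKIX_PL_OcspResponse_UseBuildChain `producedAt` is null-checked but never used: the local `date` stays NULL and is what `PKIX_ProcessingParams_SetDate` receives, so the signer certificate is presumably validated at the default time rather than at the response's producedAt; `PKIX_ProcessingParams_SetDate(procParams, producedAt, plContext)` looks like the intent. `anchorsList` is created and handed to `PKIX_ProcessingParams_Create` without any trust anchor being appended in this function, so it is unclear what the built chain is anchored to, and that should be settled before this replaces CERT_VerifyCert. The failure test `(pBuildResult == NULL)` can never be true after `PKIX_NULLCHECK_THREE(pState, pBuildResult, pVerifyTree)` and should read `(*pBuildResult == NULL)`. `buildError` is overwritten by `PKIX_ERROR("Unable to build chain")` without being released, and on the resume path `procParams` is still NULL when passed to `PKIX_BuildChain`; confirm both are intended. Revocation checking for the signer certificate is hard-coded to `PKIX_FALSE`, which the comment acknowledges but which deserves a tracked follow-up.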
@@ -948,8 +1108,22 @@ pkix_pl_OcspResponse_VerifySignature( * verification function, if one was supplied. */ if (response->verifyFcn != NULL) { - PKIX_CHECK((response->verifyFcn)(plContext), - "Caller-supplied verifyFcn failed"); + PKIX_CHECK(pkix_pl_Date_CreateFromPRTime + ((PRTime)producedAt, &producedAtDate, plContext), + "pkix_pl_Date_CreateFromPRTime failed"); + + PKIX_CHECK(pkix_pl_Cert_CreateWithNSSCert + (signerCert, &targetCert, plContext), + "pkix_pl_Cert_CreateWithNSSCert failed"); + + verifyError = (response->verifyFcn) + (targetCert, + producedAtDate, + &nbioContext, + &state, + &buildResult, + &verifyTree, + plContext); } else { PKIX_PL_NSSCALLRV(OCSPRESPONSE, rv, CERT_VerifyCert, diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h index fb1992f8d..41843038d 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h @@ -71,6 +71,16 @@ struct PKIX_PL_OcspResponseStruct{ PKIX_Error *pkix_pl_OcspResponse_RegisterSelf(void *plContext); +PKIX_Error * +PKIX_PL_OcspResponse_UseBuildChain( + PKIX_PL_Cert *signerCert, + PKIX_PL_Date *producedAt, + void **pNBIOContext, + void **pState, + PKIX_BuildResult **pBuildResult, + PKIX_VerifyNode **pVerifyTree, + void *plContext); + #ifdef __cplusplus } #endif diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index ea959beff..c3f152f38 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -978,7 +978,10 @@ PKIX_Logger_GetLogCallback; PKIX_Logger_GetMaxLoggingLevel; PKIX_Logger_SetLoggingComponent; PKIX_Logger_SetMaxLoggingLevel; -PKIX_OcspChecker_Create; +PKIX_OcspChecker_Initialize; +PKIX_OcspChecker_SetOCSPResponder; +PKIX_OcspChecker_SetPasswordInfo; +PKIX_OcspChecker_SetVerifyFcn; PKIX_PL_AcquireReaderLock; PKIX_PL_AcquireWriterLock; PKIX_PL_BasicConstraints_GetCAFlag; 
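Review bot: The result of the caller-supplied verify function is now stored in `verifyError` instead of going through `PKIX_CHECK`, and nothing in this hunk tests it, so unless code outside the hunk does, a rejected signer certificate no longer stops pkix_pl_OcspResponse_VerifySignature. I would fail closed directly after the call, for example `if (verifyError != NULL) { PKIX_ERROR("Caller-supplied verifyFcn failed"); }`, and release or propagate `verifyError` at cleanup. A non-NULL `nbioContext` after the call means the callback would block, but this function has no out-parameter to report that, so the pending case needs an explicit decision rather than falling through. The new references `targetCert`, `producedAtDate`, `state`, `buildResult` and `verifyTree` also need a `PKIX_DECREF` under `cleanup:`, which is not visible here because the function body extends beyond the hunk.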
@@ -1082,6 +1085,7 @@ pkix_pl_OcspResponse_Create; pkix_pl_OcspResponse_Decode; pkix_pl_OcspResponse_GetStatus; pkix_pl_OcspResponse_GetStatusForCert; +PKIX_PL_OcspResponse_UseBuildChain; pkix_pl_OcspResponse_VerifySignature; PKIX_PL_Pk11CertStore_Create; PKIX_PL_PolicyQualifier_GetPolicyQualifierId; |