author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-04-10 21:44:14 +0000 |
---|---|---|
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2009-04-10 21:44:14 +0000 |
commit | 6424413517ef2e3511cdd91625eb0eb6b13cae3f (patch) | |
tree | 95cce1daefe5d9902732be0b87d8ccc3a983251d /security | |
parent | 65a3130787bc41c35fd09299184ac8e6d5d0e60e (diff) | |
download | nss-hg-6424413517ef2e3511cdd91625eb0eb6b13cae3f.tar.gz |
420991 - libPKIX returns wrong NSS error code. r=nelson
Diffstat (limited to 'security')
11 files changed, 175 insertions, 281 deletions
diff --git a/security/nss/lib/libpkix/include/pkix_certsel.h b/security/nss/lib/libpkix/include/pkix_certsel.h index 8d424619c..6d7553666 100755 --- a/security/nss/lib/libpkix/include/pkix_certsel.h +++ b/security/nss/lib/libpkix/include/pkix_certsel.h @@ -118,10 +118,9 @@ extern "C" { * DESCRIPTION: * * This callback function determines whether the specified Cert pointed to by - * "cert" matches the criteria of the CertSelector pointed to by "selector", - * and stores the result at "pResult". If the Cert matches the CertSelector's - * criteria, a value of PKIX_TRUE will be stored at "pResult"; otherwise a - * value of PKIX_FALSE will be stored. + * "cert" matches the criteria of the CertSelector pointed to by "selector". + * If the Cert does not matches the CertSelector's criteria, an exception will + * be thrown. * * PARAMETERS: * "selector" @@ -130,8 +129,6 @@ extern "C" { * "cert" * Address of Cert that is to be matched using "selector". * Must be non-NULL. - * "pResult" - * Address where Boolean value will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: @@ -148,7 +145,6 @@ typedef PKIX_Error * (*PKIX_CertSelector_MatchCallback)( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, void *plContext); /* diff --git a/security/nss/lib/libpkix/include/pkix_certstore.h b/security/nss/lib/libpkix/include/pkix_certstore.h index 42e202760..edeaf5223 100755 --- a/security/nss/lib/libpkix/include/pkix_certstore.h +++ b/security/nss/lib/libpkix/include/pkix_certstore.h @@ -141,6 +141,8 @@ extern "C" { * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. 
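Review bot: The rewritten PKIX_CertSelector_MatchCallback description does not say who owns the PKIX_Error returned for a rejected cert, nor how a caller tells "no match" from an internal failure now that both arrive as a non-NULL return. Callers in this commit treat the return differently (pkix_CertSelector_Select wraps the call in PKIX_CHECK_ONLY_FATAL, while pkix_CacheCert_Lookup and pkix_pl_Pk11CertStore_GetCert keep the raw pointer and PKIX_DECREF it), so the contract belongs in this comment. I would add a sentence such as `A non-NULL return means the Cert was rejected or an error occurred; the caller owns the returned Error and must release it.` and correct "does not matches" to "does not match". The comment block starts above the hunk.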
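Review bot: The new "verifyNode" parameter text in pkix_certstore.h does not say whether NULL is allowed, although the neighbouring parameters each state "Must be non-NULL". pkix_pl_Pk11CertStore_GetCert in this commit tests `parentVerifyNode` before using it, and PKIX_CertStore_CertContinue leaves the argument out of its PKIX_NULLCHECK_FOUR, so NULL appears to be a supported value. I would word it as `Parent log node for tracking of filtered out certs. May be NULL, in which case rejected certs are not recorded.`, both here and in the identical text added for PKIX_CertStore_CertContinue in the -194,6 hunk.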
@@ -162,6 +164,7 @@ typedef PKIX_Error * (*PKIX_CertStore_CertCallback)( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); @@ -194,6 +197,8 @@ typedef PKIX_Error * * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. @@ -215,6 +220,7 @@ PKIX_Error * PKIX_CertStore_CertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); @@ -223,6 +229,7 @@ typedef PKIX_Error * (*PKIX_CertStore_CertContinueFunction)( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h index 20bfd5e22..2e5dcbcdb 100755 --- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h 
@@ -228,9 +228,14 @@ PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKey PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0), -PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTISSUERFAILED,cert does not match issuer name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTOBJECTFAILED,cert does not match cert object,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSERIALNUMFAILED,cert does not match serial number,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSUBJECTFAILED,cert does not match subject name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTVERSIONFAILED,cert does not match cert version,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,SEC_ERROR_INADEQUATE_CERT_TYPE), PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0), -PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE), PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0), diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c index 1ea99ac4a..f02ce4295 100755 --- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c +++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c 
@@ -296,8 +296,7 @@ pkix_CertSelector_Match_Policies( if (!certPolicyInfos) { PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n"); *pResult = PKIX_FALSE; - goto cleanup; - + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); } PKIX_CHECK(PKIX_List_GetLength @@ -334,10 +333,8 @@ pkix_CertSelector_Match_Policies( PKIX_DECREF(polOID); } if (!result) { - PKIX_CERTSELECTOR_DEBUG - ("Certificate has no acceptable policies\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); } } } @@ -407,7 +404,9 @@ pkix_CertSelector_Match_CertificateValid( } cleanup: - + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_DECREF(validityTime); PKIX_RETURN(CERTSELECTOR); @@ -466,6 +465,9 @@ pkix_CertSelector_Match_NameConstraints( } cleanup: + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_DECREF(nameConstraints); PKIX_RETURN(CERTSELECTOR); @@ -531,9 +533,8 @@ pkix_CertSelector_Match_PathToNames( PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED); if (passed != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); } } 
@@ -607,59 +608,52 @@ pkix_CertSelector_Match_SubjAltNames( (cert, &certSubjAltNames, plContext), PKIX_CERTGETSUBJALTNAMESFAILED); - if (certSubjAltNames != NULL) { - - PKIX_CHECK(PKIX_List_GetLength - (subjAltNamesList, &numItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numItems; i++) { + if (certSubjAltNames == NULL) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); + } - PKIX_CHECK(PKIX_List_GetItem - (subjAltNamesList, + PKIX_CHECK(PKIX_List_GetLength + (subjAltNamesList, &numItems, plContext), + PKIX_LISTGETLENGTHFAILED); + + for (i = 0; i < numItems; i++) { + + PKIX_CHECK(PKIX_List_GetItem + (subjAltNamesList, i, (PKIX_PL_Object **) &name, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_List_Contains - (certSubjAltNames, + PKIX_LISTGETITEMFAILED); + + PKIX_CHECK(pkix_List_Contains + (certSubjAltNames, (PKIX_PL_Object *) name, &checkPassed, plContext), - PKIX_LISTCONTAINSFAILED); - - PKIX_DECREF(name); - - if (checkPassed == PKIX_TRUE) { - - if (matchAll == PKIX_FALSE) { - /* one match is good enough */ - matchCount = numItems; - break; - } else { - /* else continue checking next */ - matchCount++; - } - - } - - } - - if (matchCount != numItems) { - PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_LISTCONTAINSFAILED); + + PKIX_DECREF(name); + + if (checkPassed == PKIX_TRUE) { + + if (matchAll == PKIX_FALSE) { + /* one match is good enough */ + matchCount = numItems; + break; + } else { + /* else continue checking next */ + matchCount++; + } + } - - } else { - - PKIX_CERTSELECTOR_DEBUG - ("SubjAltName Match failed: Cert has no SubjAltName\n"); + + } + + if (matchCount != numItems) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); } - } cleanup: 
@@ -750,10 +744,8 @@ pkix_CertSelector_Match_ExtendedKeyUsage( PKIX_DECREF(ekuOid); if (isContained != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("Extended Key Usage Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); } } } @@ -819,6 +811,9 @@ pkix_CertSelector_Match_KeyUsage( } cleanup: + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_RETURN(CERTSELECTOR); } @@ -874,24 +869,21 @@ pkix_CertSelector_Match_SubjKeyId( (cert, &certSubjKeyId, plContext), PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED); - if (certSubjKeyId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selSubjKeyId, - (PKIX_PL_Object *)certSubjKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); + if (certSubjKeyId == NULL) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); + } - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjKeyId Match failed: Cert has no SubjKeyId\n"); + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selSubjKeyId, + (PKIX_PL_Object *)certSubjKeyId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); } } 
@@ -954,24 +946,20 @@ pkix_CertSelector_Match_AuthKeyId( (cert, &certAuthKeyId, plContext), PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED); - if (certAuthKeyId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selAuthKeyId, - (PKIX_PL_Object *)certAuthKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("AuthKeyId Match failed: Cert has no AuthKeyId\n"); + if (certAuthKeyId == NULL) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selAuthKeyId, + (PKIX_PL_Object *)certAuthKeyId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); } } @@ -1035,24 +1023,19 @@ pkix_CertSelector_Match_SubjPKAlgId( PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED); if (certPKAlgId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPKAlgId, - (PKIX_PL_Object *)certPKAlgId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("SubjPKAlgId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n"); *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selPKAlgId, + (PKIX_PL_Object *)certPKAlgId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); } } 
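Review bot: The NULL guard in pkix_CertSelector_Match_SubjPKAlgId is inverted: the new side keeps `if (certPKAlgId != NULL) {` in front of the failure branch, whereas the SubjKeyId, AuthKeyId and SubjPubKey helpers converted in this same commit test `== NULL`. As written, every cert that carries a subject public key algorithm identifier is rejected with PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED, and a cert without one falls through to PKIX_PL_Object_Equals with a NULL `certPKAlgId`. The condition should read `if (certPKAlgId == NULL) {`. The function body starts and ends outside the hunk.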
@@ -1115,26 +1098,20 @@ pkix_CertSelector_Match_SubjPubKey( (cert, &certPK, plContext), PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - if (certPK != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPK, - (PKIX_PL_Object *)certPK, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("Subject Public Key Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjPubKey Match failed: Cert has no SubjPubKey\n"); + if (certPK == NULL) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selPK, + (PKIX_PL_Object *)certPK, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); } } @@ -1152,9 +1129,8 @@ cleanup: * * This default match function determines whether the specified Cert pointed * to by "cert" matches the criteria of the CertSelector pointed to by - * "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE - * is stored at "pResult". If the Cert does not match the CertSelector's - * criteria, PKIX_FALSE is stored at "pResult". + * "selector". If the Cert does not match the CertSelector's + * criteria, an error will be thrown. * * This default match function understands how to process the most common * parameters. Any common parameter that is not set is assumed to be disabled, @@ -1175,8 +1151,6 @@ cleanup: * "cert" * Address of Cert that is to be matched using "selector". * Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: 
@@ -1191,7 +1165,6 @@ static PKIX_Error * pkix_CertSelector_DefaultMatch( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, void *plContext) { PKIX_ComCertSelParams *params = NULL; @@ -1203,7 +1176,6 @@ pkix_CertSelector_DefaultMatch( PKIX_PL_BigInt *selSerialNumber = NULL; PKIX_PL_Cert *selCert = NULL; PKIX_PL_Date *selDate = NULL; - PKIX_UInt32 requiredKeyUsage = 0; PKIX_UInt32 selVersion = 0xFFFFFFFF; PKIX_UInt32 certVersion = 0; PKIX_Boolean result = PKIX_TRUE; @@ -1215,9 +1187,7 @@ pkix_CertSelector_DefaultMatch( #endif PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch"); - PKIX_NULLCHECK_THREE(selector, cert, pResult); - - *pResult = PKIX_TRUE; + PKIX_NULLCHECK_TWO(selector, cert); PKIX_INCREF(selector->params); params = selector->params; @@ -1236,9 +1206,7 @@ pkix_CertSelector_DefaultMatch( PKIX_CERTGETVERSIONFAILED); if (selVersion != certVersion) { - PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED); } } @@ -1257,16 +1225,10 @@ pkix_CertSelector_DefaultMatch( PKIX_X500NAMEMATCHFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG - ("Subject Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); } } else { /* cert has no subject */ - PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); } } @@ -1284,9 +1246,7 @@ pkix_CertSelector_DefaultMatch( PKIX_X500NAMEMATCHFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED); } } 
@@ -1307,9 +1267,7 @@ pkix_CertSelector_DefaultMatch( PKIX_OBJECTEQUALSFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED); } } @@ -1326,13 +1284,10 @@ pkix_CertSelector_DefaultMatch( PKIX_OBJECTEQUALSFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED); } } - PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid (params, &selDate, plContext), PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED); 
@@ -1343,136 +1298,55 @@ pkix_CertSelector_DefaultMatch( PKIX_CERTCHECKVALIDITYFAILED); } - PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage - (params, &requiredKeyUsage, plContext), - PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED); - - if (requiredKeyUsage != 0) { - PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage - (cert, requiredKeyUsage, plContext), - PKIX_CERTVERIFYKEYUSAGEFAILED); - } - PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_Policies (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHPOLICIESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_CertificateValid (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_NameConstraints (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_PathToNames (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - + /* Next two check are for user supplied 
additional KU and EKU. */ PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_KeyUsage (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHKEYUSAGEFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - /* if we reach here, the cert has successfully matched criteria */ @@ -1725,7 +1599,6 @@ pkix_CertSelector_Select( PKIX_List **pAfter, void *plContext) { - PKIX_Boolean match = PKIX_FALSE; PKIX_UInt32 numBefore = 0; PKIX_UInt32 i = 0; PKIX_List *filtered = NULL; 
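Review bot: pkix_CertSelector_DefaultMatch still passes `&result` to every pkix_CertSelector_Match_* helper but no longer reads it after the call, so a helper that reports a mismatch only by storing PKIX_FALSE and returning NULL would now be counted as a match. This commit converts most helpers to PKIX_ERROR, but pkix_CertSelector_Match_BasicConstraint is not touched by the diff, and the CertificateValid, NameConstraints and KeyUsage helpers only gain a cleanup assignment, so their mismatch paths are not visible here. Because this selector filters candidate certs during chain building, each of those paths should be confirmed to return an error. A comment such as `/* Each Match_* helper must return an error on mismatch; "result" is not inspected. */` above the first call would record the invariant. The function continues outside the hunk.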
@@ -1747,10 +1620,10 @@ pkix_CertSelector_Select( PKIX_LISTGETITEMFAILED); PKIX_CHECK_ONLY_FATAL(selector->matchCallback - (selector, candidate, &match, plContext), + (selector, candidate, plContext), PKIX_CERTSELECTORMATCHCALLBACKFAILED); - if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) { + if (!(PKIX_ERROR_RECEIVED)) { PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem (filtered, diff --git a/security/nss/lib/libpkix/pkix/store/pkix_store.c b/security/nss/lib/libpkix/pkix/store/pkix_store.c index faa3ccd8e..b1976ae35 100755 --- a/security/nss/lib/libpkix/pkix/store/pkix_store.c +++ b/security/nss/lib/libpkix/pkix/store/pkix_store.c @@ -299,6 +299,7 @@ PKIX_Error * PKIX_CertStore_CertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -307,7 +308,8 @@ PKIX_CertStore_CertContinue( PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList); PKIX_CHECK(store->certContinue - (store, selector, pNBIOContext, pCertList, plContext), + (store, selector, verifyNode, + pNBIOContext, pCertList, plContext), PKIX_CERTSTORECERTCONTINUEFUNCTIONFAILED); cleanup: diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index df19eecdf..be16622ea 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -1557,7 +1557,6 @@ pkix_Build_SelectCertsFromTrustAnchors( PKIX_List *matchList = NULL; PKIX_CertSelector *certSel = NULL; PKIX_CertSelector_MatchCallback selectorMatchCB = NULL; - PKIX_Boolean certMatch = PKIX_TRUE; PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors"); 
@@ -1582,9 +1581,8 @@ pkix_Build_SelectCertsFromTrustAnchors( (anchor, &trustedCert, plContext), PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); pkixErrorResult = - (*selectorMatchCB)(certSel, trustedCert, - &certMatch, plContext); - if (!pkixErrorResult && certMatch) { + (*selectorMatchCB)(certSel, trustedCert, plContext); + if (!pkixErrorResult) { if (!matchList) { PKIX_CHECK(PKIX_List_Create(&matchList, plContext), @@ -1796,6 +1794,7 @@ pkix_Build_GatherCerts( PKIX_CHECK(getCerts (certStore, state->certSel, + state->verifyNode, &nbioContext, &certsFound, plContext), @@ -1804,6 +1803,7 @@ pkix_Build_GatherCerts( PKIX_CHECK(PKIX_CertStore_CertContinue (certStore, state->certSel, + state->verifyNode, &nbioContext, &certsFound, plContext), diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.c b/security/nss/lib/libpkix/pkix/util/pkix_tools.c index 36775dee9..5fcdfb1b1 100755 --- a/security/nss/lib/libpkix/pkix/util/pkix_tools.c +++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.c @@ -968,10 +968,10 @@ pkix_CacheCert_Lookup( PKIX_PL_Date *cacheValidUntilDate = NULL; PKIX_CertSelector *certSel = NULL; PKIX_Error *cachedCertError = NULL; + PKIX_Error *selectorError = NULL; PKIX_CertSelector_MatchCallback selectorMatch = NULL; PKIX_Int32 cmpValidTimeResult = PKIX_FALSE; PKIX_Int32 cmpCacheTimeResult = 0; - PKIX_Boolean certMatch = PKIX_FALSE; PKIX_UInt32 numItems = 0; PKIX_UInt32 i; @@ -1095,22 +1095,16 @@ pkix_CacheCert_Lookup( goto cleanup; } - PKIX_CHECK(selectorMatch - (certSel, - cert, - &certMatch, - plContext), - PKIX_SELECTORMATCHFAILED); - - if (certMatch){ + selectorError = selectorMatch(certSel, cert, plContext); + if (!selectorError){ /* put on the return list */ PKIX_CHECK(PKIX_List_AppendItem (selCertList, (PKIX_PL_Object *)cert, plContext), PKIX_LISTAPPENDITEMFAILED); - - *pFound = PKIX_TRUE; + } else { + PKIX_DECREF(selectorError); } PKIX_DECREF(cert); 
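Review bot: In pkix_CacheCert_Lookup the match branch no longer sets `*pFound = PKIX_TRUE;`; the line is removed along with the old `certMatch` test and nothing in the hunk replaces it. Unless `*pFound` is assigned elsewhere in the function (not visible here), a cached cert that passes the selector is appended to `selCertList` while the caller is still told nothing was found. I would keep `*pFound = PKIX_TRUE;` after the PKIX_List_AppendItem call inside `if (!selectorError){`. The function body starts and ends outside the hunk.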
@@ -1149,6 +1143,7 @@ cleanup: PKIX_DECREF(selCertList); PKIX_DECREF(invalidAfterDate); PKIX_DECREF(cachedCertError); + PKIX_DECREF(selectorError); PKIX_RETURN(BUILD); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c index 3be401691..bf40ea3f8 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c @@ -910,7 +910,6 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert( PKIX_List *selectCertList = NULL; PKIX_PL_Cert *certItem = NULL; PKIX_CertSelector_MatchCallback certSelectorMatch = NULL; - PKIX_Boolean pass = PKIX_TRUE; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; @@ -942,10 +941,10 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert( if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (certSelectorMatch - (selector, certItem, &pass, plContext), + (selector, certItem, plContext), PKIX_CERTSELECTORMATCHFAILED); - if (!PKIX_ERROR_RECEIVED && pass){ + if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (PKIX_List_AppendItem (selectCertList, @@ -1098,6 +1097,7 @@ PKIX_Error * pkix_pl_CollectionCertStore_GetCert( PKIX_CertStore *certStore, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c index fc3ab3c1e..b2776e802 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c @@ -590,6 +590,7 @@ PKIX_Error * pkix_pl_HttpCertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) 
@@ -668,6 +669,7 @@ PKIX_Error * pkix_pl_HttpCertStore_GetCertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c index 04022cca8..964cec1f1 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c @@ -568,6 +568,7 @@ PKIX_Error * pkix_pl_LdapCertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -737,6 +738,7 @@ PKIX_Error * pkix_pl_LdapCertStore_GetCertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c index e7c13295f..4a94161a9 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c @@ -680,6 +680,7 @@ PKIX_Error * pkix_pl_Pk11CertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *parentVerifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) 
@@ -689,11 +690,12 @@ pkix_pl_Pk11CertStore_GetCert( PKIX_PL_Cert *candidate = NULL; PKIX_List *selected = NULL; PKIX_List *filtered = NULL; - PKIX_CertSelector_MatchCallback callback = NULL; + PKIX_CertSelector_MatchCallback selectorCallback = NULL; PKIX_CertStore_CheckTrustCallback trustCallback = NULL; PKIX_ComCertSelParams *params = NULL; - PKIX_Boolean pass = PKIX_TRUE; PKIX_Boolean cacheFlag = PKIX_FALSE; + PKIX_VerifyNode *verifyNode = NULL; + PKIX_Error *selectorError = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCert"); PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList); @@ -701,7 +703,7 @@ pkix_pl_Pk11CertStore_GetCert( *pNBIOContext = NULL; /* We don't use non-blocking I/O */ PKIX_CHECK(PKIX_CertSelector_GetMatchCallback - (selector, &callback, plContext), + (selector, &selectorCallback, plContext), PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams @@ -740,12 +742,9 @@ pkix_pl_Pk11CertStore_GetCert( continue; /* just skip bad certs */ } - PKIX_CHECK_ONLY_FATAL(callback - (selector, candidate, &pass, plContext), - PKIX_CERTSELECTORFAILED); - - if (!(PKIX_ERROR_RECEIVED) && pass) { - + selectorError = + selectorCallback(selector, candidate, plContext); + if (!selectorError) { PKIX_CHECK(PKIX_PL_Cert_SetCacheFlag (candidate, cacheFlag, plContext), PKIX_CERTSETCACHEFLAGFAILED); @@ -761,8 +760,19 @@ pkix_pl_Pk11CertStore_GetCert( (PKIX_PL_Object *)candidate, plContext), PKIX_LISTAPPENDITEMFAILED); + } else if (parentVerifyNode) { + PKIX_CHECK_FATAL( + pkix_VerifyNode_Create(candidate, 0, selectorError, + &verifyNode, plContext), + PKIX_VERIFYNODECREATEFAILED); + PKIX_CHECK_FATAL( + pkix_VerifyNode_AddToTree(parentVerifyNode, + verifyNode, + plContext), + PKIX_VERIFYNODEADDTOTREEFAILED); + PKIX_DECREF(verifyNode); } - + PKIX_DECREF(selectorError); PKIX_DECREF(candidate); } 
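Review bot: Replacing `PKIX_CHECK_ONLY_FATAL(callback ...)` with a bare `selectorError = selectorCallback(selector, candidate, plContext);` in pkix_pl_Pk11CertStore_GetCert means a fatal error from the selector is now handled like an ordinary rejection: it is attached to the verify node or dropped, and the loop moves on to the next candidate. The old macro's name suggests fatal errors used to abort the lookup, and pkix_CacheCert_Lookup in pkix_tools.c gets the same treatment where `PKIX_CHECK(selectorMatch ...)` becomes a bare call. If that change is not intended, check the error's class before treating it as a non-match and leave through the `fatal:` label this commit adds; the field or macro for that check is not visible in the diff. The loop and function body extend outside the hunk.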
@@ -773,11 +783,13 @@ pkix_pl_Pk11CertStore_GetCert( filtered = NULL; cleanup: - +fatal: PKIX_DECREF(filtered); PKIX_DECREF(candidate); PKIX_DECREF(selected); PKIX_DECREF(params); + PKIX_DECREF(verifyNode); + PKIX_DECREF(selectorError); PKIX_RETURN(CERTSTORE); } |