diff options
Diffstat (limited to 'security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c')
-rwxr-xr-x | security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c | 1633 |
1 files changed, 0 insertions, 1633 deletions
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c deleted file mode 100755 index b9cde1697..000000000 --- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c +++ /dev/null @@ -1,1633 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* - * pkix_certselector.c - * - * CertSelector Object Functions - * - */ - -#include "pkix_certselector.h" - -/* --Private-Functions-------------------------------------------- */ - -/* - * FUNCTION: pkix_CertSelector_Destroy - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_CertSelector_Destroy( - PKIX_PL_Object *object, - void *plContext) -{ - PKIX_CertSelector *selector = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy"); - PKIX_NULLCHECK_ONE(object); - - /* Check that this object is a cert selector */ - PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext), - PKIX_OBJECTNOTCERTSELECTOR); - - selector = (PKIX_CertSelector *)object; - PKIX_DECREF(selector->params); - PKIX_DECREF(selector->context); - -cleanup: - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Duplicate - * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_CertSelector_Duplicate( - PKIX_PL_Object *object, - PKIX_PL_Object **pNewObject, - void *plContext) -{ - PKIX_CertSelector *certSelector = NULL; - PKIX_CertSelector *certSelectorDuplicate = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate"); - PKIX_NULLCHECK_TWO(object, pNewObject); - - PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext), - PKIX_OBJECTNOTCERTSELECTOR); - - certSelector = (PKIX_CertSelector *)object; - - PKIX_CHECK(PKIX_CertSelector_Create - (certSelector->matchCallback, - certSelector->context, - &certSelectorDuplicate, - plContext), - PKIX_CERTSELECTORCREATEFAILED); - - PKIX_CHECK(PKIX_PL_Object_Duplicate - ((PKIX_PL_Object *)certSelector->params, - (PKIX_PL_Object **)&certSelectorDuplicate->params, - plContext), - PKIX_OBJECTDUPLICATEFAILED); - - *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate; - -cleanup: - - if (PKIX_ERROR_RECEIVED){ - PKIX_DECREF(certSelectorDuplicate); - } - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_BasicConstraint - * DESCRIPTION: - * - * Determines whether the Cert pointed to by "cert" matches the basic - * constraints criterion using the basic constraints field of the - * ComCertSelParams pointed to by "params". If the basic constraints field is - * -1, no basic constraints check is done and the Cert is considered to match - * the basic constraints criterion. If the Cert does not match the basic - * constraints criterion, an Error pointer is returned. - * - * In order to match against this criterion, there are several possibilities. - * - * 1) If the criterion's minimum path length is greater than or equal to zero, - * a certificate must include a BasicConstraints extension with a pathLen of - * at least this value. - * - * 2) If the criterion's minimum path length is -2, a certificate must be an - * end-entity certificate. - * - * 3) If the criterion's minimum path length is -1, no basic constraints check - * is done and all certificates are considered to match this criterion. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose basic constraints field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * OUTPUT PARAMETERS ON FAILURE: - * If the function returns a failure, - * the output parameters of this function are undefined. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_BasicConstraint( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_CertBasicConstraints *basicConstraints = NULL; - PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */ - PKIX_Int32 pathLength = 0; - PKIX_Int32 minPathLength = 0; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - *pResult = PKIX_TRUE; - - PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints - (params, &minPathLength, plContext), - PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED); - - /* If the minPathLength is unlimited (-1), no checking */ - if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) { - goto cleanup; - } - - PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints - (cert, &basicConstraints, plContext), - PKIX_CERTGETBASICCONSTRAINTSFAILED); - - if (basicConstraints != NULL) { - PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag - (basicConstraints, &caFlag, plContext), - PKIX_BASICCONSTRAINTSGETCAFLAGFAILED); - - PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint - (basicConstraints, &pathLength, plContext), - PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED); - } - - /* - * if minPathLength >= 0, the cert must have a BasicConstraints ext and - * the pathLength in this cert - * BasicConstraints needs to be >= minPathLength. - */ - if (minPathLength >= 0){ - if ((!basicConstraints) || (caFlag == PKIX_FALSE)){ - PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES); - } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) && - (pathLength < minPathLength)){ - PKIX_CERTSELECTOR_DEBUG - ("Basic Constraints path length match failed\n"); - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID); - } - } - - /* if the minPathLength is -2, this cert must be an end-entity cert. */ - if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) { - if (caFlag == PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("Basic Constraints end-entity match failed\n"); - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID); - } - } - -cleanup: - - PKIX_DECREF(basicConstraints); - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_Policies - * DESCRIPTION: - * - * Determines whether the Cert pointed to by "cert" matches the policy - * constraints specified in the ComCertsSelParams given by "params". - * If "params" specifies a policy constraint of NULL, all certificates - * match. If "params" specifies an empty list, "cert" must have at least - * some policy. Otherwise "cert" must include at least one of the - * policies in the list. See the description of PKIX_CertSelector in - * pkix_certsel.h for more. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose policy criterion (if any) is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_Policies( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_UInt32 numConstraintPolicies = 0; - PKIX_UInt32 numCertPolicies = 0; - PKIX_UInt32 certPolicyIndex = 0; - PKIX_Boolean result = PKIX_FALSE; - PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */ - PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */ - PKIX_PL_CertPolicyInfo *policyInfo = NULL; - PKIX_PL_OID *polOID = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy - (params, &constraintPolicies, plContext), - PKIX_COMCERTSELPARAMSGETPOLICYFAILED); - - /* If constraintPolicies is NULL, all certificates "match" */ - if (constraintPolicies) { - PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation - (cert, &certPolicyInfos, plContext), - PKIX_CERTGETPOLICYINFORMATIONFAILED); - - /* No hope of a match if cert has no policies */ - if (!certPolicyInfos) { - PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n"); - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); - } - - PKIX_CHECK(PKIX_List_GetLength - (constraintPolicies, &numConstraintPolicies, plContext), - PKIX_LISTGETLENGTHFAILED); - - if (numConstraintPolicies > 0) { - - PKIX_CHECK(PKIX_List_GetLength - (certPolicyInfos, &numCertPolicies, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (certPolicyIndex = 0; - ((!result) && (certPolicyIndex < numCertPolicies)); - certPolicyIndex++) { - - PKIX_CHECK(PKIX_List_GetItem - (certPolicyInfos, - certPolicyIndex, - (PKIX_PL_Object **)&policyInfo, - plContext), - PKIX_LISTGETELEMENTFAILED); - PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId - (policyInfo, &polOID, plContext), - PKIX_CERTPOLICYINFOGETPOLICYIDFAILED); - - PKIX_CHECK(pkix_List_Contains - (constraintPolicies, - (PKIX_PL_Object *)polOID, - &result, - plContext), - PKIX_LISTCONTAINSFAILED); - PKIX_DECREF(policyInfo); - PKIX_DECREF(polOID); - } - if (!result) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); - } - } - } - -cleanup: - - PKIX_DECREF(constraintPolicies); - PKIX_DECREF(certPolicyInfos); - PKIX_DECREF(policyInfo); - PKIX_DECREF(polOID); - - PKIX_RETURN(CERTSELECTOR); - -} - -/* - * FUNCTION: pkix_CertSelector_Match_CertificateValid - * DESCRIPTION: - * - * Determines whether the Cert pointed to by "cert" matches the certificate - * validity criterion using the CertificateValid field of the - * ComCertSelParams pointed to by "params". If the CertificateValid field is - * NULL, no validity check is done and the Cert is considered to match - * the CertificateValid criterion. If the CertificateValid field specifies a - * Date prior to the notBefore field in the Cert, or greater than the notAfter - * field in the Cert, an Error is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose certValid field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_CertificateValid( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_Date *validityTime = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid - (params, &validityTime, plContext), - PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED); - - /* If the validityTime is not set, all certificates are acceptable */ - if (validityTime) { - PKIX_CHECK(PKIX_PL_Cert_CheckValidity - (cert, validityTime, plContext), - PKIX_CERTCHECKVALIDITYFAILED); - } - -cleanup: - if (PKIX_ERROR_RECEIVED) { - *pResult = PKIX_FALSE; - } - PKIX_DECREF(validityTime); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_NameConstraints - * DESCRIPTION: - * - * Determines whether the Cert pointed to by "cert" matches the name - * constraints criterion specified in the ComCertSelParams pointed to by - * "params". If the name constraints field is NULL, no name constraints check - * is done and the Cert is considered to match the name constraints criterion. - * If the Cert does not match the name constraints criterion, an Error pointer - * is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose name constraints field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_NameConstraints( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints - (params, &nameConstraints, plContext), - PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED); - - if (nameConstraints != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints - (cert, nameConstraints, plContext), - PKIX_CERTCHECKNAMECONSTRAINTSFAILED); - } - -cleanup: - if (PKIX_ERROR_RECEIVED) { - *pResult = PKIX_FALSE; - } - - PKIX_DECREF(nameConstraints); - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_PathToNames - * DESCRIPTION: - * - * Determines whether the names at pathToNames in "params" complies with the - * NameConstraints pointed to by "cert". If the pathToNames field is NULL - * or there is no name constraints for this "cert", no checking is done - * and the Cert is considered to match the name constraints criterion. - * If the Cert does not match the name constraints criterion, an Error - * pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose PathToNames field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_PathToNames( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_List *pathToNamesList = NULL; - PKIX_Boolean passed = PKIX_FALSE; - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames - (params, &pathToNamesList, plContext), - PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED); - - if (pathToNamesList != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints - (cert, &nameConstraints, plContext), - PKIX_CERTGETNAMECONSTRAINTSFAILED); - - if (nameConstraints != NULL) { - - PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace - (pathToNamesList, nameConstraints, &passed, plContext), - PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED); - - if (passed != PKIX_TRUE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); - } - } - - } - -cleanup: - - PKIX_DECREF(nameConstraints); - PKIX_DECREF(pathToNamesList); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_SubjAltNames - * DESCRIPTION: - * - * Determines whether the names at subjAltNames in "params" match with the - * SubjAltNames pointed to by "cert". If the subjAltNames field is NULL, - * no name checking is done and the Cert is considered to match the - * criterion. If the Cert does not match the criterion, an Error pointer - * is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose SubjAltNames field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_SubjAltNames( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_List *subjAltNamesList = NULL; - PKIX_List *certSubjAltNames = NULL; - PKIX_PL_GeneralName *name = NULL; - PKIX_Boolean checkPassed = PKIX_FALSE; - PKIX_Boolean matchAll = PKIX_TRUE; - PKIX_UInt32 i, numItems; - PKIX_UInt32 matchCount = 0; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames - (params, &matchAll, plContext), - PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED); - - PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames - (params, &subjAltNamesList, plContext), - PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED); - - if (subjAltNamesList != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames - (cert, &certSubjAltNames, plContext), - PKIX_CERTGETSUBJALTNAMESFAILED); - - if (certSubjAltNames == NULL) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); - } - - PKIX_CHECK(PKIX_List_GetLength - (subjAltNamesList, &numItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numItems; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (subjAltNamesList, - i, - (PKIX_PL_Object **) &name, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_List_Contains - (certSubjAltNames, - (PKIX_PL_Object *) name, - &checkPassed, - plContext), - PKIX_LISTCONTAINSFAILED); - - PKIX_DECREF(name); - - if (checkPassed == PKIX_TRUE) { - - if (matchAll == PKIX_FALSE) { - /* one match is good enough */ - matchCount = numItems; - break; - } else { - /* else continue checking next */ - matchCount++; - } - - } - - } - - if (matchCount != numItems) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); - } - } - -cleanup: - - PKIX_DECREF(name); - PKIX_DECREF(certSubjAltNames); - PKIX_DECREF(subjAltNamesList); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage - * DESCRIPTION: - * - * Determines whether the names at ExtKeyUsage in "params" matches with the - * ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or - * ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is - * considered a match. If the Cert does not match, an Error pointer is - * returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose ExtKeyUsage field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_ExtendedKeyUsage( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_List *extKeyUsageList = NULL; - PKIX_List *certExtKeyUsageList = NULL; - PKIX_PL_OID *ekuOid = NULL; - PKIX_Boolean isContained = PKIX_FALSE; - PKIX_UInt32 numItems = 0; - PKIX_UInt32 i; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage - (params, &extKeyUsageList, plContext), - PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); - - if (extKeyUsageList == NULL) { - goto cleanup; - } - - PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage - (cert, &certExtKeyUsageList, plContext), - PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); - - if (certExtKeyUsageList != NULL) { - - PKIX_CHECK(PKIX_List_GetLength - (extKeyUsageList, &numItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numItems; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_List_Contains - (certExtKeyUsageList, - (PKIX_PL_Object *)ekuOid, - &isContained, - plContext), - PKIX_LISTCONTAINSFAILED); - - PKIX_DECREF(ekuOid); - - if (isContained != PKIX_TRUE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); - } - } - } - -cleanup: - - PKIX_DECREF(ekuOid); - PKIX_DECREF(extKeyUsageList); - PKIX_DECREF(certExtKeyUsageList); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_KeyUsage - * DESCRIPTION: - * - * Determines whether the bits at KeyUsage in "params" matches with the - * KeyUsage pointed to by "cert". If the KeyUsage in params is 0 - * no checking is done and the Cert is considered a match. If the Cert does - * not match, an Error pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose ExtKeyUsage field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_KeyUsage( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_UInt32 keyUsage = 0; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage - (params, &keyUsage, plContext), - PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED); - - if (keyUsage != 0) { - - PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage - (cert, keyUsage, plContext), - PKIX_CERTVERIFYKEYUSAGEFAILED); - - } - -cleanup: - if (PKIX_ERROR_RECEIVED) { - *pResult = PKIX_FALSE; - } - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_SubjKeyId - * DESCRIPTION: - * - * Determines whether the bytes at subjKeyId in "params" matches with the - * Subject Key Identifier pointed to by "cert". If the subjKeyId in params is - * set to NULL or the Cert doesn't have a Subject Key Identifier, no checking - * is done and the Cert is considered a match. If the Cert does not match, an - * Error pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose subjKeyId field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_SubjKeyId( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_ByteArray *selSubjKeyId = NULL; - PKIX_PL_ByteArray *certSubjKeyId = NULL; - PKIX_Boolean equals = PKIX_FALSE; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier - (params, &selSubjKeyId, plContext), - PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED); - - if (selSubjKeyId != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier - (cert, &certSubjKeyId, plContext), - PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED); - - if (certSubjKeyId == NULL) { - goto cleanup; - } - - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selSubjKeyId, - (PKIX_PL_Object *)certSubjKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals == PKIX_FALSE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); - } - } - -cleanup: - - PKIX_DECREF(selSubjKeyId); - PKIX_DECREF(certSubjKeyId); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_AuthKeyId - * DESCRIPTION: - * - * Determines whether the bytes at authKeyId in "params" matches with the - * Authority Key Identifier pointed to by "cert". If the authKeyId in params - * is set to NULL, no checking is done and the Cert is considered a match. If - * the Cert does not match, an Error pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose authKeyId field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_AuthKeyId( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_ByteArray *selAuthKeyId = NULL; - PKIX_PL_ByteArray *certAuthKeyId = NULL; - PKIX_Boolean equals = PKIX_FALSE; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier - (params, &selAuthKeyId, plContext), - PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED); - - if (selAuthKeyId != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier - (cert, &certAuthKeyId, plContext), - PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED); - - if (certAuthKeyId == NULL) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); - } - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selAuthKeyId, - (PKIX_PL_Object *)certAuthKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); - } - } - -cleanup: - - PKIX_DECREF(selAuthKeyId); - PKIX_DECREF(certAuthKeyId); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId - * DESCRIPTION: - * - * Determines whether the OID at subjPKAlgId in "params" matches with the - * Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params - * is set to NULL, no checking is done and the Cert is considered a match. If - * the Cert does not match, an Error pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose subjPKAlgId field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_SubjPKAlgId( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_OID *selPKAlgId = NULL; - PKIX_PL_OID *certPKAlgId = NULL; - PKIX_Boolean equals = PKIX_FALSE; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId - (params, &selPKAlgId, plContext), - PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED); - - if (selPKAlgId != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId - (cert, &certPKAlgId, plContext), - PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED); - - if (certPKAlgId != NULL) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); - } - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPKAlgId, - (PKIX_PL_Object *)certPKAlgId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); - } - } - -cleanup: - - PKIX_DECREF(selPKAlgId); - PKIX_DECREF(certPKAlgId); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_Match_SubjPubKey - * DESCRIPTION: - * - * Determines whether the key at subjPubKey in "params" matches with the - * Subject Public Key pointed to by "cert". If the subjPubKey in params - * is set to NULL, no checking is done and the Cert is considered a match. If - * the Cert does not match, an Error pointer is returned. - * - * PARAMETERS: - * "params" - * Address of ComCertSelParams whose subPubKey field is used. - * Must be non-NULL. - * "cert" - * Address of Cert that is to be matched. Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_Match_SubjPubKey( - PKIX_ComCertSelParams *params, - PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_PublicKey *selPK = NULL; - PKIX_PL_PublicKey *certPK = NULL; - PKIX_Boolean equals = PKIX_FALSE; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey"); - PKIX_NULLCHECK_THREE(params, cert, pResult); - - PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey - (params, &selPK, plContext), - PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED); - - if (selPK != NULL) { - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey - (cert, &certPK, plContext), - PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - - if (certPK == NULL) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); - } - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPK, - (PKIX_PL_Object *)certPK, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - *pResult = PKIX_FALSE; - PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); - } - } - -cleanup: - - PKIX_DECREF(selPK); - PKIX_DECREF(certPK); - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_DefaultMatch - * DESCRIPTION: - * - * This default match function determines whether the specified Cert pointed - * to by "cert" matches the criteria of the CertSelector pointed to by - * "selector". If the Cert does not match the CertSelector's - * criteria, an error will be thrown. - * - * This default match function understands how to process the most common - * parameters. Any common parameter that is not set is assumed to be disabled, - * which means this function will select all certificates without regard to - * that particular disabled parameter. For example, if the SerialNumber - * parameter is not set, this function will not filter out any certificate - * based on its serial number. As such, if no parameters are set, all are - * disabled and any certificate will match. If a parameter is disabled, its - * associated PKIX_ComCertSelParams_Get* function returns a default value. - * That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and - * PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage, - * and NULL for all other Get functions. - * - * PARAMETERS: - * "selector" - * Address of CertSelector whose MatchCallback logic and parameters are - * to be used. Must be non-NULL. - * "cert" - * Address of Cert that is to be matched using "selector". - * Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_CertSelector_DefaultMatch( - PKIX_CertSelector *selector, - PKIX_PL_Cert *cert, - void *plContext) -{ - PKIX_ComCertSelParams *params = NULL; - PKIX_PL_X500Name *certSubject = NULL; - PKIX_PL_X500Name *selSubject = NULL; - PKIX_PL_X500Name *certIssuer = NULL; - PKIX_PL_X500Name *selIssuer = NULL; - PKIX_PL_BigInt *certSerialNumber = NULL; - PKIX_PL_BigInt *selSerialNumber = NULL; - PKIX_PL_Cert *selCert = NULL; - PKIX_PL_Date *selDate = NULL; - PKIX_UInt32 selVersion = 0xFFFFFFFF; - PKIX_UInt32 certVersion = 0; - PKIX_Boolean result = PKIX_TRUE; - PKIX_Boolean isLeafCert = PKIX_TRUE; - -#ifdef PKIX_BUILDDEBUG - PKIX_PL_String *certString = NULL; - void *certAscii = NULL; - PKIX_UInt32 certAsciiLen; -#endif - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch"); - PKIX_NULLCHECK_TWO(selector, cert); - - PKIX_INCREF(selector->params); - params = selector->params; - - /* Are we looking for CAs? */ - PKIX_CHECK(PKIX_ComCertSelParams_GetLeafCertFlag - (params, &isLeafCert, plContext), - PKIX_COMCERTSELPARAMSGETLEAFCERTFLAGFAILED); - - if (params == NULL){ - goto cleanup; - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetVersion - (params, &selVersion, plContext), - PKIX_COMCERTSELPARAMSGETVERSIONFAILED); - - if (selVersion != 0xFFFFFFFF){ - PKIX_CHECK(PKIX_PL_Cert_GetVersion - (cert, &certVersion, plContext), - PKIX_CERTGETVERSIONFAILED); - - if (selVersion != certVersion) { - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED); - } - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetSubject - (params, &selSubject, plContext), - PKIX_COMCERTSELPARAMSGETSUBJECTFAILED); - - if (selSubject){ - PKIX_CHECK(PKIX_PL_Cert_GetSubject - (cert, &certSubject, plContext), - PKIX_CERTGETSUBJECTFAILED); - - if (certSubject){ - PKIX_CHECK(PKIX_PL_X500Name_Match - (selSubject, certSubject, &result, plContext), - PKIX_X500NAMEMATCHFAILED); - - if (result == PKIX_FALSE){ - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); - } - } else { /* cert has no subject */ - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); - } - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer - (params, &selIssuer, plContext), - PKIX_COMCERTSELPARAMSGETISSUERFAILED); - - if (selIssuer){ - PKIX_CHECK(PKIX_PL_Cert_GetIssuer - (cert, &certIssuer, plContext), - PKIX_CERTGETISSUERFAILED); - - PKIX_CHECK(PKIX_PL_X500Name_Match - (selIssuer, certIssuer, &result, plContext), - PKIX_X500NAMEMATCHFAILED); - - if (result == PKIX_FALSE){ - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED); - } - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber - (params, &selSerialNumber, plContext), - PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED); - - if (selSerialNumber){ - PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber - (cert, &certSerialNumber, plContext), - PKIX_CERTGETSERIALNUMBERFAILED); - - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selSerialNumber, - (PKIX_PL_Object *)certSerialNumber, - &result, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (result == PKIX_FALSE){ - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED); - } - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate - (params, &selCert, plContext), - PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED); - - if (selCert){ - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *) selCert, - (PKIX_PL_Object *) cert, - &result, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (result == PKIX_FALSE){ - PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED); - } - } - - PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid - (params, &selDate, plContext), - PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED); - - if (selDate){ - PKIX_CHECK(PKIX_PL_Cert_CheckValidity - (cert, selDate, plContext), - PKIX_CERTCHECKVALIDITYFAILED); - } - - PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_Policies - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHPOLICIESFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_CertificateValid - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_NameConstraints - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_PathToNames - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); - - /* Check key usage and cert type based on certificate usage. */ - PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert, - plContext), - PKIX_CERTVERIFYCERTTYPEFAILED); - - /* Next two check are for user supplied additional KU and EKU. */ - PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_KeyUsage - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHKEYUSAGEFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); - - PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey - (params, cert, &result, plContext), - PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); - - /* if we reach here, the cert has successfully matched criteria */ - - -#ifdef PKIX_BUILDDEBUG - - PKIX_CHECK(pkix_pl_Cert_ToString_Helper - (cert, PKIX_TRUE, &certString, plContext), - PKIX_CERTTOSTRINGHELPERFAILED); - - PKIX_CHECK(PKIX_PL_String_GetEncoded - (certString, - PKIX_ESCASCII, - &certAscii, - &certAsciiLen, - plContext), - PKIX_STRINGGETENCODEDFAILED); - - PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii); - -#endif - -cleanup: - -#ifdef PKIX_BUILDDEBUG - PKIX_DECREF(certString); - PKIX_FREE(certAscii); -#endif - - PKIX_DECREF(certSubject); - PKIX_DECREF(selSubject); - PKIX_DECREF(certIssuer); - PKIX_DECREF(selIssuer); - PKIX_DECREF(certSerialNumber); - PKIX_DECREF(selSerialNumber); - PKIX_DECREF(selCert); - PKIX_DECREF(selDate); - PKIX_DECREF(params); - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: pkix_CertSelector_RegisterSelf - * DESCRIPTION: - * Registers PKIX_CERTSELECTOR_TYPE and its related functions with - * systemClasses[] - * THREAD SAFETY: - * Not Thread Safe - for performance and complexity reasons - * - * Since this function is only called by PKIX_PL_Initialize, which should - * only be called once, it is acceptable that this function is not - * thread-safe. - */ -PKIX_Error * -pkix_CertSelector_RegisterSelf(void *plContext) -{ - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; - - PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf"); - - entry.description = "CertSelector"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(PKIX_CertSelector); - entry.destructor = pkix_CertSelector_Destroy; - entry.equalsFunction = NULL; - entry.hashcodeFunction = NULL; - entry.toStringFunction = NULL; - entry.comparator = NULL; - entry.duplicateFunction = pkix_CertSelector_Duplicate; - - systemClasses[PKIX_CERTSELECTOR_TYPE] = entry; - - PKIX_RETURN(CERTSELECTOR); -} - -/* --Public-Functions--------------------------------------------- */ - - -/* - * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h) - */ -PKIX_Error * -PKIX_CertSelector_Create( - PKIX_CertSelector_MatchCallback callback, - PKIX_PL_Object *certSelectorContext, - PKIX_CertSelector **pSelector, - void *plContext) -{ - PKIX_CertSelector *selector = NULL; - - PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create"); - PKIX_NULLCHECK_ONE(pSelector); - - PKIX_CHECK(PKIX_PL_Object_Alloc - (PKIX_CERTSELECTOR_TYPE, - sizeof (PKIX_CertSelector), - (PKIX_PL_Object **)&selector, - plContext), - PKIX_COULDNOTCREATECERTSELECTOROBJECT); - - /* - * if user specified a particular match callback, we use that one. - * otherwise, we use the default match implementation which - * understands how to process PKIX_ComCertSelParams - */ - - if (callback){ - selector->matchCallback = callback; - } else { - selector->matchCallback = pkix_CertSelector_DefaultMatch; - } - - /* initialize other fields */ - selector->params = NULL; - - PKIX_INCREF(certSelectorContext); - selector->context = certSelectorContext; - - *pSelector = selector; - -cleanup: - - PKIX_RETURN(CERTSELECTOR); - -} - -/* - * FUNCTION: PKIX_CertSelector_GetMatchCallback - * (see comments in pkix_certsel.h) - */ -PKIX_Error * -PKIX_CertSelector_GetMatchCallback( - PKIX_CertSelector *selector, - PKIX_CertSelector_MatchCallback *pCallback, - void *plContext) -{ - PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback"); - PKIX_NULLCHECK_TWO(selector, pCallback); - - *pCallback = selector->matchCallback; - - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: PKIX_CertSelector_GetCertSelectorContext - * (see comments in pkix_certsel.h) - */ -PKIX_Error * -PKIX_CertSelector_GetCertSelectorContext( - PKIX_CertSelector *selector, - PKIX_PL_Object **pCertSelectorContext, - void *plContext) -{ - PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext"); - PKIX_NULLCHECK_TWO(selector, pCertSelectorContext); - - PKIX_INCREF(selector->context); - - *pCertSelectorContext = selector->context; - -cleanup: - PKIX_RETURN(CERTSELECTOR); -} - -/* - * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams - * (see comments in pkix_certsel.h) - */ -PKIX_Error * -PKIX_CertSelector_GetCommonCertSelectorParams( - PKIX_CertSelector *selector, - PKIX_ComCertSelParams **pParams, - void *plContext) -{ - PKIX_ENTER(CERTSELECTOR, - "PKIX_CertSelector_GetCommonCertSelectorParams"); - - PKIX_NULLCHECK_TWO(selector, pParams); - - PKIX_INCREF(selector->params); - *pParams = selector->params; - -cleanup: - PKIX_RETURN(CERTSELECTOR); - -} - -/* - * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams - * (see comments in pkix_certsel.h) - */ -PKIX_Error * -PKIX_CertSelector_SetCommonCertSelectorParams( - PKIX_CertSelector *selector, - PKIX_ComCertSelParams *params, - void *plContext) -{ - PKIX_ENTER(CERTSELECTOR, - "PKIX_CertSelector_SetCommonCertSelectorParams"); - - PKIX_NULLCHECK_ONE(selector); - - PKIX_DECREF(selector->params); - PKIX_INCREF(params); - selector->params = params; - - PKIX_CHECK(PKIX_PL_Object_InvalidateCache - ((PKIX_PL_Object *)selector, plContext), - PKIX_OBJECTINVALIDATECACHEFAILED); - -cleanup: - - PKIX_RETURN(CERTSELECTOR); - -} - -/* - * FUNCTION: pkix_CertSelector_Select - * DESCRIPTION: - * - * This function applies the selector pointed to by "selector" to each Cert, - * in turn, in the List pointed to by "before", and creates a List containing - * all the Certs that matched, or passed the selection process, storing that - * List at "pAfter". If no Certs match, an empty List is stored at "pAfter". - * - * The List returned in "pAfter" is immutable. - * - * PARAMETERS: - * "selector" - * Address of CertSelelector to be applied to the List. Must be non-NULL. - * "before" - * Address of List that is to be filtered. Must be non-NULL. - * "pAfter" - * Address at which resulting List, possibly empty, is stored. Must be - * non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertSelector Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -PKIX_Error * -pkix_CertSelector_Select( - PKIX_CertSelector *selector, - PKIX_List *before, - PKIX_List **pAfter, - void *plContext) -{ - PKIX_UInt32 numBefore = 0; - PKIX_UInt32 i = 0; - PKIX_List *filtered = NULL; - PKIX_PL_Cert *candidate = NULL; - - PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select"); - PKIX_NULLCHECK_THREE(selector, before, pAfter); - - PKIX_CHECK(PKIX_List_Create(&filtered, plContext), - PKIX_LISTCREATEFAILED); - - PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numBefore; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (before, i, (PKIX_PL_Object **)&candidate, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK_ONLY_FATAL(selector->matchCallback - (selector, candidate, plContext), - PKIX_CERTSELECTORMATCHCALLBACKFAILED); - - if (!(PKIX_ERROR_RECEIVED)) { - - PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem - (filtered, - (PKIX_PL_Object *)candidate, - plContext), - PKIX_LISTAPPENDITEMFAILED); - } - - pkixTempErrorReceived = PKIX_FALSE; - PKIX_DECREF(candidate); - } - - PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext), - PKIX_LISTSETIMMUTABLEFAILED); - - /* Don't throw away the list if one Cert was bad! */ - pkixTempErrorReceived = PKIX_FALSE; - - *pAfter = filtered; - filtered = NULL; - -cleanup: - - PKIX_DECREF(filtered); - PKIX_DECREF(candidate); - - PKIX_RETURN(CERTSELECTOR); - -} |