diff options
Diffstat (limited to 'security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c')
-rw-r--r-- | security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c | 440 |
1 files changed, 0 insertions, 440 deletions
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c deleted file mode 100644 index 63bccd565..000000000 --- a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c +++ /dev/null @@ -1,440 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* - * pkix_defaultcrlchecker.c - * - * Functions for default CRL Checkers - * - */ -#include "pkix.h" -#include "pkix_crlchecker.h" -#include "pkix_tools.h" - -/* --Private-CRLChecker-Data-and-Types------------------------------- */ - -typedef struct pkix_CrlCheckerStruct { - /* RevocationMethod is the super class of CrlChecker. */ - pkix_RevocationMethod method; - PKIX_List *certStores; /* list of CertStore */ - PKIX_PL_VerifyCallback crlVerifyFn; -} pkix_CrlChecker; - - -/* --Private-CRLChecker-Functions----------------------------------- */ - -/* - * FUNCTION: pkix_CrlCheckerstate_Destroy - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_CrlChecker_Destroy( - PKIX_PL_Object *object, - void *plContext) -{ - pkix_CrlChecker *state = NULL; - - PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Destroy"); - PKIX_NULLCHECK_ONE(object); - - /* Check that this object is a default CRL checker state */ - PKIX_CHECK( - pkix_CheckType(object, PKIX_CRLCHECKER_TYPE, plContext), - PKIX_OBJECTNOTCRLCHECKER); - - state = (pkix_CrlChecker *)object; - - PKIX_DECREF(state->certStores); - -cleanup: - - PKIX_RETURN(CRLCHECKER); -} - -/* - * FUNCTION: pkix_CrlChecker_RegisterSelf - * - * DESCRIPTION: - * Registers PKIX_CRLCHECKER_TYPE and its related functions - * with systemClasses[] - * - * THREAD SAFETY: - * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * Since this function is only called by PKIX_PL_Initialize, which should - * only be called once, it is acceptable that this function is not - * thread-safe. - */ -PKIX_Error * -pkix_CrlChecker_RegisterSelf(void *plContext) -{ - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry* entry = &systemClasses[PKIX_CRLCHECKER_TYPE]; - - PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_RegisterSelf"); - - entry->description = "CRLChecker"; - entry->typeObjectSize = sizeof(pkix_CrlChecker); - entry->destructor = pkix_CrlChecker_Destroy; - - PKIX_RETURN(CRLCHECKER); -} - -/* - * FUNCTION: pkix_CrlChecker_Create - * - * DESCRIPTION: - * Allocate and initialize CRLChecker state data. - * - * PARAMETERS - * "certStores" - * Address of CertStore List to be stored in state. Must be non-NULL. - * "testDate" - * Address of PKIX_PL_Date to be checked. May be NULL. - * "trustedPubKey" - * Trusted Anchor Public Key for verifying first Cert in the chain. - * Must be non-NULL. - * "certsRemaining" - * Number of certificates remaining in the chain. - * "nistCRLPolicyEnabled" - * If enabled, enforce nist crl policy. - * "pChecker" - * Address of CRLChecker that is returned. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a DefaultCrlChecker Error if the function fails in a - * non-fatal way. - * Returns a Fatal Error - */ -PKIX_Error * -pkix_CrlChecker_Create(PKIX_RevocationMethodType methodType, - PKIX_UInt32 flags, - PKIX_UInt32 priority, - pkix_LocalRevocationCheckFn localRevChecker, - pkix_ExternalRevocationCheckFn externalRevChecker, - PKIX_List *certStores, - PKIX_PL_VerifyCallback crlVerifyFn, - pkix_RevocationMethod **pChecker, - void *plContext) -{ - pkix_CrlChecker *crlChecker = NULL; - - PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Create"); - PKIX_NULLCHECK_TWO(certStores, pChecker); - - PKIX_CHECK(PKIX_PL_Object_Alloc - (PKIX_CRLCHECKER_TYPE, - sizeof (pkix_CrlChecker), - (PKIX_PL_Object **)&crlChecker, - plContext), - PKIX_COULDNOTCREATECRLCHECKEROBJECT); - - pkixErrorResult = pkix_RevocationMethod_Init( - (pkix_RevocationMethod*)crlChecker, methodType, flags, priority, - localRevChecker, externalRevChecker, plContext); - if (pkixErrorResult) { - goto cleanup; - } - - /* Initialize fields */ - PKIX_INCREF(certStores); - crlChecker->certStores = certStores; - - crlChecker->crlVerifyFn = crlVerifyFn; - *pChecker = (pkix_RevocationMethod*)crlChecker; - crlChecker = NULL; - -cleanup: - PKIX_DECREF(crlChecker); - - PKIX_RETURN(CRLCHECKER); -} - -/* --Private-CRLChecker-Functions------------------------------------ */ - -/* - * FUNCTION: pkix_CrlChecker_CheckLocal - * - * DESCRIPTION: - * Check if the Cert has been revoked based the CRLs data. This function - * maintains the checker state to be current. - * - * PARAMETERS - * "checker" - * Address of CertChainChecker which has the state data. - * Must be non-NULL. - * "cert" - * Address of Certificate that is to be validated. Must be non-NULL. - * "unreslvdCrtExts" - * A List OIDs. Not **yet** used in this checker function. - * "plContext" - * Platform-specific context pointer. - * - * THREAD SAFETY: - * Not Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertChainChecker Error if the function fails in a non-fatal way. - * Returns a Fatal Error - */ -PKIX_Error * -pkix_CrlChecker_CheckLocal( - PKIX_PL_Cert *cert, - PKIX_PL_Cert *issuer, - PKIX_PL_Date *date, - pkix_RevocationMethod *checkerObject, - PKIX_ProcessingParams *procParams, - PKIX_UInt32 methodFlags, - PKIX_Boolean chainVerificationState, - PKIX_RevocationStatus *pRevStatus, - PKIX_UInt32 *pReasonCode, - void *plContext) -{ - PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn; - PKIX_CertStore *certStore = NULL; - pkix_CrlChecker *state = NULL; - PKIX_UInt32 reasonCode = 0; - PKIX_UInt32 crlStoreIndex = 0; - PKIX_UInt32 numCrlStores = 0; - PKIX_Boolean storeIsLocal = PKIX_FALSE; - PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; - - PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckLocal"); - PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, checkerObject); - - state = (pkix_CrlChecker*)checkerObject; - - PKIX_CHECK( - PKIX_List_GetLength(state->certStores, &numCrlStores, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (;crlStoreIndex < numCrlStores;crlStoreIndex++) { - PKIX_CHECK( - PKIX_List_GetItem(state->certStores, crlStoreIndex, - (PKIX_PL_Object **)&certStore, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK( - PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal, - plContext), - PKIX_CERTSTOREGETLOCALFLAGFAILED); - if (storeIsLocal) { - PKIX_CHECK( - PKIX_CertStore_GetCrlCheckerFn(certStore, - &storeCheckRevocationFn, - plContext), - PKIX_CERTSTOREGETCHECKREVBYCRLFAILED); - - if (storeCheckRevocationFn) { - PKIX_CHECK( - (*storeCheckRevocationFn)(certStore, cert, issuer, - /* delay sig check if building - * a chain by not specifying the time*/ - chainVerificationState ? date : NULL, - /* crl downloading is not done. */ - PKIX_FALSE, - &reasonCode, &revStatus, plContext), - PKIX_CERTSTORECRLCHECKFAILED); - if (revStatus == PKIX_RevStatus_Revoked) { - break; - } - } - } - PKIX_DECREF(certStore); - } /* while */ - -cleanup: - *pRevStatus = revStatus; - PKIX_DECREF(certStore); - - PKIX_RETURN(CERTCHAINCHECKER); -} - -/* - * FUNCTION: pkix_CrlChecker_CheckRemote - * - * DESCRIPTION: - * Check if the Cert has been revoked based the CRLs data. This function - * maintains the checker state to be current. - * - * PARAMETERS - * "checker" - * Address of CertChainChecker which has the state data. - * Must be non-NULL. - * "cert" - * Address of Certificate that is to be validated. Must be non-NULL. - * "unreslvdCrtExts" - * A List OIDs. Not **yet** used in this checker function. - * "plContext" - * Platform-specific context pointer. - * - * THREAD SAFETY: - * Not Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a CertChainChecker Error if the function fails in a non-fatal way. - * Returns a Fatal Error - */ -PKIX_Error * -pkix_CrlChecker_CheckExternal( - PKIX_PL_Cert *cert, - PKIX_PL_Cert *issuer, - PKIX_PL_Date *date, - pkix_RevocationMethod *checkerObject, - PKIX_ProcessingParams *procParams, - PKIX_UInt32 methodFlags, - PKIX_RevocationStatus *pRevStatus, - PKIX_UInt32 *pReasonCode, - void **pNBIOContext, - void *plContext) -{ - PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL; - PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL; - PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; - PKIX_CertStore *certStore = NULL; - PKIX_CertStore *localStore = NULL; - PKIX_CRLSelector *crlSelector = NULL; - PKIX_PL_X500Name *issuerName = NULL; - pkix_CrlChecker *state = NULL; - PKIX_UInt32 reasonCode = 0; - PKIX_UInt32 crlStoreIndex = 0; - PKIX_UInt32 numCrlStores = 0; - PKIX_Boolean storeIsLocal = PKIX_FALSE; - PKIX_List *crlList = NULL; - PKIX_List *dpList = NULL; - void *nbioContext = NULL; - - PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal"); - PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext); - - nbioContext = *pNBIOContext; - *pNBIOContext = NULL; /* prepare for Error exit */ - - state = (pkix_CrlChecker*)checkerObject; - - PKIX_CHECK( - PKIX_List_GetLength(state->certStores, &numCrlStores, plContext), - PKIX_LISTGETLENGTHFAILED); - - /* Find a cert store that is capable of storing crls */ - for (;crlStoreIndex < numCrlStores;crlStoreIndex++) { - PKIX_CHECK( - PKIX_List_GetItem(state->certStores, crlStoreIndex, - (PKIX_PL_Object **)&certStore, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK( - PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal, - plContext), - PKIX_CERTSTOREGETLOCALFLAGFAILED); - if (storeIsLocal) { - PKIX_CHECK( - PKIX_CertStore_GetImportCrlCallback(certStore, - &storeImportCrlFn, - plContext), - PKIX_CERTSTOREGETCHECKREVBYCRLFAILED); - - PKIX_CHECK( - PKIX_CertStore_GetCrlCheckerFn(certStore, - &storeCheckRevocationFn, - plContext), - PKIX_CERTSTOREGETCHECKREVBYCRLFAILED); - - if (storeImportCrlFn && storeCheckRevocationFn) { - localStore = certStore; - certStore = NULL; - break; - } - } - PKIX_DECREF(certStore); - } /* while */ - - /* Report unknown status if we can not check crl in one of the - * local stores. */ - if (!localStore) { - PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND); - } - PKIX_CHECK( - PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext), - PKIX_CERTCHECKKEYUSAGEFAILED); - PKIX_CHECK( - PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext), - PKIX_CERTGETCRLDPFAILED); - if (!(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) && - (!dpList || !dpList->length)) { - goto cleanup; - } - PKIX_CHECK( - PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext), - PKIX_CERTGETISSUERFAILED); - PKIX_CHECK( - PKIX_CRLSelector_Create(issuer, dpList, date, &crlSelector, plContext), - PKIX_CRLCHECKERSETSELECTORFAILED); - /* Fetch crl and store in a local cert store */ - for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) { - PKIX_CertStore_CRLCallback getCrlsFn; - - PKIX_CHECK( - PKIX_List_GetItem(state->certStores, crlStoreIndex, - (PKIX_PL_Object **)&certStore, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK( - PKIX_CertStore_GetCRLCallback(certStore, &getCrlsFn, - plContext), - PKIX_CERTSTOREGETCRLCALLBACKFAILED); - - PKIX_CHECK( - (*getCrlsFn)(certStore, crlSelector, &nbioContext, - &crlList, plContext), - PKIX_GETCRLSFAILED); - - PKIX_CHECK( - (*storeImportCrlFn)(localStore, issuerName, crlList, plContext), - PKIX_CERTSTOREFAILTOIMPORTCRLLIST); - - PKIX_CHECK( - (*storeCheckRevocationFn)(certStore, cert, issuer, date, - /* done with crl downloading */ - PKIX_TRUE, - &reasonCode, &revStatus, plContext), - PKIX_CERTSTORECRLCHECKFAILED); - if (revStatus != PKIX_RevStatus_NoInfo) { - break; - } - PKIX_DECREF(crlList); - PKIX_DECREF(certStore); - } /* while */ - -cleanup: - /* Update return flags */ - if (revStatus == PKIX_RevStatus_NoInfo && - ((dpList && dpList->length > 0) || - (methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE)) && - methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) { - revStatus = PKIX_RevStatus_Revoked; - } - *pRevStatus = revStatus; - - PKIX_DECREF(dpList); - PKIX_DECREF(crlList); - PKIX_DECREF(certStore); - PKIX_DECREF(issuerName); - PKIX_DECREF(localStore); - PKIX_DECREF(crlSelector); - - PKIX_RETURN(CERTCHAINCHECKER); -} |