diff options
Diffstat (limited to 'security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c')
-rw-r--r-- | security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c | 1307 |
1 files changed, 0 insertions, 1307 deletions
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c deleted file mode 100644 index a0127668b..000000000 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c +++ /dev/null @@ -1,1307 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the PKIX-C library. - * - * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. - * Portions created by the Initial Developer are - * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved. - * - * Contributor(s): - * Sun Microsystems, Inc. - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -/* - * pkix_pl_nameconstraints.c - * - * Name Constraints Object Functions Definitions - * - */ - -#include "pkix_pl_nameconstraints.h" - - -/* --Private-NameConstraints-Functions----------------------------- */ - -/* - * FUNCTION: pkix_pl_CertNameConstraints_GetPermitted - * DESCRIPTION: - * - * This function retrieve name constraints permitted list from NSS - * data in "nameConstraints" and returns a PKIX_PL_GeneralName list - * in "pPermittedList". - * - * PARAMETERS - * "nameConstraints" - * Address of CertNameConstraints which has a pointer to - * CERTNameConstraints data. Must be non-NULL. - * "pPermittedList" - * Address where returned permitted name list is stored. Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a - * non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_GetPermitted( - PKIX_PL_CertNameConstraints *nameConstraints, - PKIX_List **pPermittedList, - void *plContext) -{ - CERTNameConstraints *nssNameConstraints = NULL; - CERTNameConstraints **nssNameConstraintsList = NULL; - CERTNameConstraint *nssPermitted = NULL; - CERTNameConstraint *firstPermitted = NULL; - PKIX_List *permittedList = NULL; - PKIX_PL_GeneralName *name = NULL; - PKIX_UInt32 numItems = 0; - PKIX_UInt32 i; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_GetPermitted"); - PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList); - - /* - * nssNameConstraints is an array of CERTNameConstraints - * pointers where CERTNameConstraints keep its permitted and excluded - * lists as pointer array of CERTNameConstraint. - */ - - if (nameConstraints->permittedList == NULL) { - - PKIX_OBJECT_LOCK(nameConstraints); - - if (nameConstraints->permittedList == NULL) { - - PKIX_CHECK(PKIX_List_Create(&permittedList, plContext), - PKIX_LISTCREATEFAILED); - - numItems = nameConstraints->numNssNameConstraints; - nssNameConstraintsList = - nameConstraints->nssNameConstraintsList; - - for (i = 0; i < numItems; i++) { - - PKIX_NULLCHECK_ONE(nssNameConstraintsList); - nssNameConstraints = *(nssNameConstraintsList + i); - PKIX_NULLCHECK_ONE(nssNameConstraints); - - if (nssNameConstraints->permited != NULL) { - - nssPermitted = nssNameConstraints->permited; - firstPermitted = nssPermitted; - - do { - - PKIX_CHECK(pkix_pl_GeneralName_Create - (&nssPermitted->name, &name, plContext), - PKIX_GENERALNAMECREATEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (permittedList, - (PKIX_PL_Object *)name, - plContext), - PKIX_LISTAPPENDITEMFAILED); - - PKIX_DECREF(name); - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_GetNextNameConstraint\n"); - nssPermitted = CERT_GetNextNameConstraint - (nssPermitted); - - } while (nssPermitted != firstPermitted); - - } - } - - PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext), - PKIX_LISTSETIMMUTABLEFAILED); - - nameConstraints->permittedList = permittedList; - - } - - PKIX_OBJECT_UNLOCK(nameConstraints); - - } - - PKIX_INCREF(nameConstraints->permittedList); - - *pPermittedList = nameConstraints->permittedList; - -cleanup: - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_GetExcluded - * DESCRIPTION: - * - * This function retrieve name constraints excluded list from NSS - * data in "nameConstraints" and returns a PKIX_PL_GeneralName list - * in "pExcludedList". - * - * PARAMETERS - * "nameConstraints" - * Address of CertNameConstraints which has a pointer to NSS data. - * Must be non-NULL. - * "pPermittedList" - * Address where returned excluded name list is stored. Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * THREAD SAFETY: - * Conditionally Thread Safe - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a - * non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_GetExcluded( - PKIX_PL_CertNameConstraints *nameConstraints, - PKIX_List **pExcludedList, - void *plContext) -{ - CERTNameConstraints *nssNameConstraints = NULL; - CERTNameConstraints **nssNameConstraintsList = NULL; - CERTNameConstraint *nssExcluded = NULL; - CERTNameConstraint *firstExcluded = NULL; - PKIX_List *excludedList = NULL; - PKIX_PL_GeneralName *name = NULL; - PKIX_UInt32 numItems = 0; - PKIX_UInt32 i; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_GetExcluded"); - PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList); - - if (nameConstraints->excludedList == NULL) { - - PKIX_OBJECT_LOCK(nameConstraints); - - if (nameConstraints->excludedList == NULL) { - - PKIX_CHECK(PKIX_List_Create(&excludedList, plContext), - PKIX_LISTCREATEFAILED); - - numItems = nameConstraints->numNssNameConstraints; - nssNameConstraintsList = - nameConstraints->nssNameConstraintsList; - - for (i = 0; i < numItems; i++) { - - PKIX_NULLCHECK_ONE(nssNameConstraintsList); - nssNameConstraints = *(nssNameConstraintsList + i); - PKIX_NULLCHECK_ONE(nssNameConstraints); - - if (nssNameConstraints->excluded != NULL) { - - nssExcluded = nssNameConstraints->excluded; - firstExcluded = nssExcluded; - - do { - - PKIX_CHECK(pkix_pl_GeneralName_Create - (&nssExcluded->name, &name, plContext), - PKIX_GENERALNAMECREATEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (excludedList, - (PKIX_PL_Object *)name, - plContext), - PKIX_LISTAPPENDITEMFAILED); - - PKIX_DECREF(name); - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_GetNextNameConstraint\n"); - nssExcluded = CERT_GetNextNameConstraint - (nssExcluded); - - } while (nssExcluded != firstExcluded); - - } - - } - PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext), - PKIX_LISTSETIMMUTABLEFAILED); - - nameConstraints->excludedList = excludedList; - - } - - PKIX_OBJECT_UNLOCK(nameConstraints); - } - - PKIX_INCREF(nameConstraints->excludedList); - - *pExcludedList = nameConstraints->excludedList; - -cleanup: - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames - * DESCRIPTION: - * - * This function checks if CERTGeneral names in "nssSubjectNames" complies - * with the permitted and excluded names in "nameConstraints". It returns - * PKIX_TRUE in "pCheckPass", if the Names satify the name space of the - * permitted list and if the Names are not in the excluded list. Otherwise, - * it returns PKIX_FALSE. - * - * PARAMETERS - * "nssSubjectNames" - * List of CERTGeneralName that nameConstraints verification is based on. - * "nameConstraints" - * Address of CertNameConstraints that provides lists of permitted - * and excluded names. Must be non-NULL. - * "pCheckPass" - * Address where PKIX_TRUE is returned if the all names in "nameList" are - * valid. - * "plContext" - Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a - * non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -PKIX_Error * -pkix_pl_CertNameConstraints_CheckNameSpaceNssNames( - CERTGeneralName *nssSubjectNames, - PKIX_PL_CertNameConstraints *nameConstraints, - PKIX_Boolean *pCheckPass, - void *plContext) -{ - CERTNameConstraints **nssNameConstraintsList = NULL; - CERTNameConstraints *nssNameConstraints = NULL; - CERTGeneralName *nssMatchName = NULL; - PRArenaPool *arena = NULL; - PKIX_UInt32 numItems = 0; - PKIX_UInt32 i; - SECStatus status = SECSuccess; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_CheckNameSpaceNssNames"); - PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass); - - *pCheckPass = PKIX_TRUE; - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n"); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - nssMatchName = nssSubjectNames; - nssNameConstraintsList = nameConstraints->nssNameConstraintsList; - - /* - * CERTNameConstraint items in each permitted or excluded list - * is verified as OR condition. That means, if one item matched, - * then the checking on the remaining items on the list is skipped. - * (see NSS cert_CompareNameWithConstraints(...)). - * Items on PKIX_PL_NameConstraint's nssNameConstraints are verified - * as AND condition. PKIX_PL_NameConstraint keeps an array of pointers - * of CERTNameConstraints resulting from merging multiple - * PKIX_PL_NameConstraints. Since each CERTNameConstraint are created - * for different entity, a union condition of these entities then is - * performed. - */ - - do { - - numItems = nameConstraints->numNssNameConstraints; - - for (i = 0; i < numItems; i++) { - - PKIX_NULLCHECK_ONE(nssNameConstraintsList); - nssNameConstraints = *(nssNameConstraintsList + i); - PKIX_NULLCHECK_ONE(nssNameConstraints); - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_CheckNameSpace\n"); - status = CERT_CheckNameSpace - (arena, nssNameConstraints, nssMatchName); - if (status != SECSuccess) { - break; - } - - } - - if (status != SECSuccess) { - break; - } - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_GetNextGeneralName\n"); - nssMatchName = CERT_GetNextGeneralName(nssMatchName); - - } while (nssMatchName != nssSubjectNames); - - if (status == SECFailure) { - - *pCheckPass = PKIX_FALSE; - } - -cleanup: - - if (arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(arena, PR_FALSE); - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_NameConstraints_Destroy - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_Destroy( - PKIX_PL_Object *object, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy"); - PKIX_NULLCHECK_ONE(object); - - PKIX_CHECK(pkix_CheckType - (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext), - PKIX_OBJECTNOTCERTNAMECONSTRAINTS); - - nameConstraints = (PKIX_PL_CertNameConstraints *)object; - - PKIX_CHECK(PKIX_PL_Free - (nameConstraints->nssNameConstraintsList, plContext), - PKIX_FREEFAILED); - - if (nameConstraints->arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(nameConstraints->arena, PR_FALSE); - nameConstraints->arena = NULL; - } - - PKIX_DECREF(nameConstraints->permittedList); - PKIX_DECREF(nameConstraints->excludedList); - -cleanup: - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper - * DESCRIPTION: - * - * Helper function that creates a string representation of the object - * NameConstraints and stores it at "pString". - * - * PARAMETERS - * "nameConstraints" - * Address of CertNameConstraints whose string representation is - * desired. Must be non-NULL. - * "pString" - * Address where string object pointer will be stored. Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a - * non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_ToString_Helper( - PKIX_PL_CertNameConstraints *nameConstraints, - PKIX_PL_String **pString, - void *plContext) -{ - char *asciiFormat = NULL; - PKIX_PL_String *formatString = NULL; - PKIX_List *permittedList = NULL; - PKIX_List *excludedList = NULL; - PKIX_PL_String *permittedListString = NULL; - PKIX_PL_String *excludedListString = NULL; - PKIX_PL_String *nameConstraintsString = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_ToString_Helper"); - PKIX_NULLCHECK_TWO(nameConstraints, pString); - - asciiFormat = - "[\n" - "\t\tPermitted Name: %s\n" - "\t\tExcluded Name: %s\n" - "\t]\n"; - - PKIX_CHECK(PKIX_PL_String_Create - (PKIX_ESCASCII, - asciiFormat, - 0, - &formatString, - plContext), - PKIX_STRINGCREATEFAILED); - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted - (nameConstraints, &permittedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED); - - PKIX_TOSTRING(permittedList, &permittedListString, plContext, - PKIX_LISTTOSTRINGFAILED); - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded - (nameConstraints, &excludedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED); - - PKIX_TOSTRING(excludedList, &excludedListString, plContext, - PKIX_LISTTOSTRINGFAILED); - - PKIX_CHECK(PKIX_PL_Sprintf - (&nameConstraintsString, - plContext, - formatString, - permittedListString, - excludedListString), - PKIX_SPRINTFFAILED); - - *pString = nameConstraintsString; - -cleanup: - - PKIX_DECREF(formatString); - PKIX_DECREF(permittedList); - PKIX_DECREF(excludedList); - PKIX_DECREF(permittedListString); - PKIX_DECREF(excludedListString); - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_ToString - * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_ToString( - PKIX_PL_Object *object, - PKIX_PL_String **pString, - void *plContext) -{ - PKIX_PL_String *nameConstraintsString = NULL; - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString"); - PKIX_NULLCHECK_TWO(object, pString); - - PKIX_CHECK(pkix_CheckType( - object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext), - PKIX_OBJECTNOTCERTNAMECONSTRAINTS); - - nameConstraints = (PKIX_PL_CertNameConstraints *)object; - - PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper - (nameConstraints, &nameConstraintsString, plContext), - PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED); - - *pString = nameConstraintsString; - -cleanup: - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_Hashcode - * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_Hashcode( - PKIX_PL_Object *object, - PKIX_UInt32 *pHashcode, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - PKIX_List *permittedList = NULL; - PKIX_List *excludedList = NULL; - PKIX_UInt32 permitHash = 0; - PKIX_UInt32 excludeHash = 0; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode"); - PKIX_NULLCHECK_TWO(object, pHashcode); - - PKIX_CHECK(pkix_CheckType - (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext), - PKIX_OBJECTNOTCERTNAMECONSTRAINTS); - - nameConstraints = (PKIX_PL_CertNameConstraints *)object; - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted - (nameConstraints, &permittedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED); - - PKIX_HASHCODE(permittedList, &permitHash, plContext, - PKIX_OBJECTHASHCODEFAILED); - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded - (nameConstraints, &excludedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED); - - PKIX_HASHCODE(excludedList, &excludeHash, plContext, - PKIX_OBJECTHASHCODEFAILED); - - *pHashcode = (((permitHash << 7) + excludeHash) << 7) + - nameConstraints->numNssNameConstraints; - -cleanup: - - PKIX_DECREF(permittedList); - PKIX_DECREF(excludedList); - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_Equals - * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h) - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_Equals( - PKIX_PL_Object *firstObject, - PKIX_PL_Object *secondObject, - PKIX_Boolean *pResult, - void *plContext) -{ - PKIX_PL_CertNameConstraints *firstNC = NULL; - PKIX_PL_CertNameConstraints *secondNC = NULL; - PKIX_List *firstPermittedList = NULL; - PKIX_List *secondPermittedList = NULL; - PKIX_List *firstExcludedList = NULL; - PKIX_List *secondExcludedList = NULL; - PKIX_UInt32 secondType; - PKIX_Boolean cmpResult = PKIX_FALSE; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals"); - PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); - - /* test that firstObject is a CertNameConstraints */ - PKIX_CHECK(pkix_CheckType - (firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext), - PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS); - - firstNC = (PKIX_PL_CertNameConstraints *)firstObject; - secondNC = (PKIX_PL_CertNameConstraints *)secondObject; - - /* - * Since we know firstObject is a CertNameConstraints, if both - * references are identical, they must be equal - */ - if (firstNC == secondNC){ - *pResult = PKIX_TRUE; - goto cleanup; - } - - /* - * If secondNC isn't a CertNameConstraints, we don't throw an error. - * We simply return a Boolean result of FALSE - */ - *pResult = PKIX_FALSE; - - PKIX_CHECK(PKIX_PL_Object_GetType - ((PKIX_PL_Object *)secondNC, &secondType, plContext), - PKIX_COULDNOTGETTYPEOFSECONDARGUMENT); - - if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) { - goto cleanup; - } - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted - (firstNC, &firstPermittedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED); - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted - (secondNC, &secondPermittedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED); - - PKIX_EQUALS - (firstPermittedList, secondPermittedList, &cmpResult, plContext, - PKIX_OBJECTEQUALSFAILED); - - if (cmpResult != PKIX_TRUE) { - goto cleanup; - } - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded - (firstNC, &firstExcludedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED); - - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded - (secondNC, &secondExcludedList, plContext), - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED); - - PKIX_EQUALS - (firstExcludedList, secondExcludedList, &cmpResult, plContext, - PKIX_OBJECTEQUALSFAILED); - - if (cmpResult != PKIX_TRUE) { - goto cleanup; - } - - /* - * numNssNameConstraints is not checked because it is basically a - * merge count, it cannot determine the data equality. - */ - - *pResult = PKIX_TRUE; - -cleanup: - - PKIX_DECREF(firstPermittedList); - PKIX_DECREF(secondPermittedList); - PKIX_DECREF(firstExcludedList); - PKIX_DECREF(secondExcludedList); - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf - * DESCRIPTION: - * Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with - * systemClasses[] - * THREAD SAFETY: - * Not Thread Safe - for performance and complexity reasons - * - * Since this function is only called by PKIX_PL_Initialize, which should - * only be called once, it is acceptable that this function is not - * thread-safe. - */ -PKIX_Error * -pkix_pl_CertNameConstraints_RegisterSelf(void *plContext) -{ - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_RegisterSelf"); - - entry.description = "CertNameConstraints"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(PKIX_PL_CertNameConstraints); - entry.destructor = pkix_pl_CertNameConstraints_Destroy; - entry.equalsFunction = pkix_pl_CertNameConstraints_Equals; - entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode; - entry.toStringFunction = pkix_pl_CertNameConstraints_ToString; - entry.comparator = NULL; - entry.duplicateFunction = pkix_duplicateImmutable; - - systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry; - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_Create_Helper - * - * DESCRIPTION: - * This function retrieves name constraints in "nssNameConstraints", - * converts and stores the result in a PKIX_PL_CertNameConstraints object. - * - * PARAMETERS - * "nssNameConstraints" - * Address of CERTNameConstraints that contains this object's data. - * Must be non-NULL. - * "pNameConstraints" - * Address where object pointer will be stored. Must be non-NULL. - * A NULL value will be returned if there is no Name Constraints extension. - * "plContext" - Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_Create_Helper( - CERTNameConstraints *nssNameConstraints, - PKIX_PL_CertNameConstraints **pNameConstraints, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - CERTNameConstraints **nssNameConstraintPtr = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_Create_Helper"); - PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints); - - PKIX_CHECK(PKIX_PL_Object_Alloc - (PKIX_CERTNAMECONSTRAINTS_TYPE, - sizeof (PKIX_PL_CertNameConstraints), - (PKIX_PL_Object **)&nameConstraints, - plContext), - PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT); - - PKIX_CHECK(PKIX_PL_Malloc - (sizeof (CERTNameConstraint *), - (void *)&nssNameConstraintPtr, - plContext), - PKIX_MALLOCFAILED); - - nameConstraints->numNssNameConstraints = 1; - nameConstraints->nssNameConstraintsList = nssNameConstraintPtr; - *nssNameConstraintPtr = nssNameConstraints; - - nameConstraints->permittedList = NULL; - nameConstraints->excludedList = NULL; - nameConstraints->arena = NULL; - - *pNameConstraints = nameConstraints; - -cleanup: - - if (PKIX_ERROR_RECEIVED){ - PKIX_DECREF(nameConstraints); - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_Create - * - * DESCRIPTION: - * function that allocates and initialize the object CertNameConstraints. - * - * PARAMETERS - * "nssCert" - * Address of CERT that contains this object's data. - * Must be non-NULL. - * "pNameConstraints" - * Address where object pointer will be stored. Must be non-NULL. - * A NULL value will be returned if there is no Name Constraints extension. - * "plContext" - Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -PKIX_Error * -pkix_pl_CertNameConstraints_Create( - CERTCertificate *nssCert, - PKIX_PL_CertNameConstraints **pNameConstraints, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - CERTNameConstraints *nssNameConstraints = NULL; - PLArenaPool *arena = NULL; - SECStatus status; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create"); - PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena); - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n"); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_FindNameConstraintsExten\n"); - status = CERT_FindNameConstraintsExten - (arena, nssCert, &nssNameConstraints); - - if (status != SECSuccess) { - PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED); - } - - if (nssNameConstraints == NULL) { - *pNameConstraints = NULL; - if (arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(arena, PR_FALSE); - } - goto cleanup; - } - - PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper - (nssNameConstraints, &nameConstraints, plContext), - PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED); - - nameConstraints->arena = arena; - - *pNameConstraints = nameConstraints; - -cleanup: - - if (PKIX_ERROR_RECEIVED){ - if (arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(arena, PR_FALSE); - } - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge - * - * DESCRIPTION: - * - * This function allocates and creates a PKIX_PL_NameConstraint object - * for merging. It also allocates CERTNameConstraints data space for the - * merged NSS NameConstraints data. - * - * PARAMETERS - * "pNameConstraints" - * Address where object pointer will be stored and returned. - * Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_CreateByMerge( - PKIX_PL_CertNameConstraints **pNameConstraints, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - CERTNameConstraints *nssNameConstraints = NULL; - PLArenaPool *arena = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_CreateByMerge"); - PKIX_NULLCHECK_ONE(pNameConstraints); - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n"); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n"); - nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints); - if (nssNameConstraints == NULL) { - PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); - } - - nssNameConstraints->permited = NULL; - nssNameConstraints->excluded = NULL; - nssNameConstraints->DERPermited = NULL; - nssNameConstraints->DERExcluded = NULL; - - PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper - (nssNameConstraints, &nameConstraints, plContext), - PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED); - - nameConstraints->arena = arena; - - *pNameConstraints = nameConstraints; - -cleanup: - - if (PKIX_ERROR_RECEIVED){ - if (arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(arena, PR_FALSE); - } - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints - * - * DESCRIPTION: - * - * This function allocates and copies data to a NSS CERTNameConstraints from - * the NameConstraints given by "srcNC" and stores the result at "pDestNC". It - * copies items on both the permitted and excluded lists, but not the - * DERPermited and DERExcluded. - * - * PARAMETERS - * "arena" - * Memory pool where object data is allocated from. Must be non-NULL. - * "srcNC" - * Address of the NameConstraints to copy from. Must be non-NULL. - * "pDestNC" - * Address where new copied object is stored and returned. - * Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_CertNameConstraints_CopyNssNameConstraints( - PLArenaPool *arena, - CERTNameConstraints *srcNC, - CERTNameConstraints **pDestNC, - void *plContext) -{ - CERTNameConstraints *nssNameConstraints = NULL; - CERTNameConstraint *nssNameConstraintHead = NULL; - CERTNameConstraint *nssCurrent = NULL; - CERTNameConstraint *nssCopyTo = NULL; - CERTNameConstraint *nssCopyFrom = NULL; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "pkix_pl_CertNameConstraints_CopyNssNameConstraints"); - PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC); - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n"); - nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints); - if (nssNameConstraints == NULL) { - PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); - } - - if (srcNC->permited) { - - nssCopyFrom = srcNC->permited; - - do { - - nssCopyTo = NULL; - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_CopyNameConstraint).\n"); - nssCopyTo = CERT_CopyNameConstraint - (arena, nssCopyTo, nssCopyFrom); - if (nssCopyTo == NULL) { - PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED); - } - if (nssCurrent == NULL) { - nssCurrent = nssNameConstraintHead = nssCopyTo; - } else { - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_AddNameConstraint).\n"); - nssCurrent = CERT_AddNameConstraint - (nssCurrent, nssCopyTo); - } - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_GetNextNameConstrain).\n"); - nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom); - - } while (nssCopyFrom != srcNC->permited); - - nssNameConstraints->permited = nssNameConstraintHead; - } - - if (srcNC->excluded) { - - nssCurrent = NULL; - nssCopyFrom = srcNC->excluded; - - do { - - /* - * Cannot use CERT_DupGeneralNameList, which just increments - * refcount. We need our own copy since arena is for each - * PKIX_PL_NameConstraints. Perhaps contribute this code - * as CERT_CopyGeneralNameList (in the future). - */ - nssCopyTo = NULL; - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_CopyNameConstraint).\n"); - nssCopyTo = CERT_CopyNameConstraint - (arena, nssCopyTo, nssCopyFrom); - if (nssCopyTo == NULL) { - PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED); - } - if (nssCurrent == NULL) { - nssCurrent = nssNameConstraintHead = nssCopyTo; - } else { - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_AddNameConstraint).\n"); - nssCurrent = CERT_AddNameConstraint - (nssCurrent, nssCopyTo); - } - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_GetNextNameConstrain).\n"); - nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom); - - } while (nssCopyFrom != srcNC->excluded); - - nssNameConstraints->excluded = nssNameConstraintHead; - } - - *pDestNC = nssNameConstraints; - -cleanup: - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* - * FUNCTION: pkix_pl_CertNameConstraints_Merge - * - * DESCRIPTION: - * - * This function merges two NameConstraints pointed to by "firstNC" and - * "secondNC" and stores the result in "pMergedNC". - * - * PARAMETERS - * "firstNC" - * Address of the first NameConstraints to be merged. Must be non-NULL. - * "secondNC" - * Address of the second NameConstraints to be merged. Must be non-NULL. - * "pMergedNC" - * Address where the merge result is stored and returned. Must be non-NULL. - * "plContext" - Platform-specific context pointer. - * - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a NameConstraints Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -PKIX_Error * -pkix_pl_CertNameConstraints_Merge( - PKIX_PL_CertNameConstraints *firstNC, - PKIX_PL_CertNameConstraints *secondNC, - PKIX_PL_CertNameConstraints **pMergedNC, - void *plContext) -{ - PKIX_PL_CertNameConstraints *nameConstraints = NULL; - CERTNameConstraints **nssNCto = NULL; - CERTNameConstraints **nssNCfrom = NULL; - CERTNameConstraints *nssNameConstraints = NULL; - PKIX_UInt32 numNssItems = 0; - PKIX_UInt32 i; - - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge"); - PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC); - - PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge - (&nameConstraints, plContext), - PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED); - - /* Merge NSSCertConstraint lists */ - - numNssItems = firstNC->numNssNameConstraints + - secondNC->numNssNameConstraints; - - /* Free the default space (only one entry) allocated by create */ - PKIX_CHECK(PKIX_PL_Free - (nameConstraints->nssNameConstraintsList, plContext), - PKIX_FREEFAILED); - - /* Reallocate the size we need */ - PKIX_CHECK(PKIX_PL_Malloc - (numNssItems * sizeof (CERTNameConstraint *), - (void *)&nssNCto, - plContext), - PKIX_MALLOCFAILED); - - nameConstraints->nssNameConstraintsList = nssNCto; - - nssNCfrom = firstNC->nssNameConstraintsList; - - for (i = 0; i < firstNC->numNssNameConstraints; i++) { - - PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints - (nameConstraints->arena, - *nssNCfrom, - &nssNameConstraints, - plContext), - PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED); - - *nssNCto = nssNameConstraints; - - nssNCto++; - nssNCfrom++; - } - - nssNCfrom = secondNC->nssNameConstraintsList; - - for (i = 0; i < secondNC->numNssNameConstraints; i++) { - - PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints - (nameConstraints->arena, - *nssNCfrom, - &nssNameConstraints, - plContext), - PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED); - - *nssNCto = nssNameConstraints; - - nssNCto++; - nssNCfrom++; - } - - nameConstraints->numNssNameConstraints = numNssItems; - nameConstraints->permittedList = NULL; - nameConstraints->excludedList = NULL; - - *pMergedNC = nameConstraints; - -cleanup: - - if (PKIX_ERROR_RECEIVED){ - PKIX_DECREF(nameConstraints); - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} - -/* --Public-NameConstraints-Functions-------------------------------- */ - -/* - * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace - * (see comments in pkix_pl_system.h) - */ -PKIX_Error * -PKIX_PL_CertNameConstraints_CheckNamesInNameSpace( - PKIX_List *nameList, /* List of PKIX_PL_GeneralName */ - PKIX_PL_CertNameConstraints *nameConstraints, - PKIX_Boolean *pCheckPass, - void *plContext) -{ - CERTNameConstraints **nssNameConstraintsList = NULL; - CERTNameConstraints *nssNameConstraints = NULL; - CERTGeneralName *nssMatchName = NULL; - PRArenaPool *arena = NULL; - PKIX_PL_GeneralName *name = NULL; - PKIX_UInt32 numNameItems = 0; - PKIX_UInt32 numNCItems = 0; - PKIX_UInt32 i, j; - SECStatus status = SECSuccess; - - PKIX_ENTER(CERTNAMECONSTRAINTS, - "PKIX_PL_CertNameConstraints_CheckNamesInNameSpace"); - PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass); - - *pCheckPass = PKIX_TRUE; - - if (nameList != NULL) { - - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n"); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - nssNameConstraintsList = - nameConstraints->nssNameConstraintsList; - PKIX_NULLCHECK_ONE(nssNameConstraintsList); - numNCItems = nameConstraints->numNssNameConstraints; - - PKIX_CHECK(PKIX_List_GetLength - (nameList, &numNameItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numNameItems; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (nameList, - i, - (PKIX_PL_Object **) &name, - plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName - (name, &nssMatchName, plContext), - PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED); - - PKIX_DECREF(name); - - for (j = 0; j < numNCItems; j++) { - - nssNameConstraints = *(nssNameConstraintsList + j); - PKIX_NULLCHECK_ONE(nssNameConstraints); - - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling CERT_CheckNameSpace\n"); - status = CERT_CheckNameSpace - (arena, nssNameConstraints, nssMatchName); - if (status != SECSuccess) { - break; - } - - } - - if (status != SECSuccess) { - break; - } - - } - } - - if (status == SECFailure) { - *pCheckPass = PKIX_FALSE; - } - -cleanup: - - if (arena){ - PKIX_CERTNAMECONSTRAINTS_DEBUG - ("\t\tCalling PORT_FreeArena).\n"); - PORT_FreeArena(arena, PR_FALSE); - } - - PKIX_RETURN(CERTNAMECONSTRAINTS); -} |