/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
C | 3599 lines | 2283 code | 658 blank | 658 comment | 294 complexity | a2cff297d4276fb777167a69d835656c MD5 | raw file
Possible License(s): LGPL-3.0, MIT, BSD-3-Clause, MPL-2.0-no-copyleft-exception, GPL-2.0, LGPL-2.1
Large files files are truncated, but you can click here to view the full file
- /* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
- *
- * Contributor(s):
- * Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
- /*
- * pkix_pl_cert.c
- *
- * Certificate Object Functions
- *
- */
- #include "pkix_pl_cert.h"
- extern PKIX_PL_HashTable *cachedCertSigTable;
- /* --Private-Cert-Functions------------------------------------- */
- /*
- * FUNCTION: pkix_pl_Cert_IsExtensionCritical
- * DESCRIPTION:
- *
- * Checks the Cert specified by "cert" to determine whether the extension
- * whose tag is the UInt32 value given by "tag" is marked as a critical
- * extension, and stores the result in "pCritical".
- *
- * Tags are the index into the table "oids" of SECOidData defined in the
- * file secoid.c. Constants, such as SEC_OID_X509_CERTIFICATE_POLICIES, are
- * are defined in secoidt.h for most of the table entries.
- *
- * If the specified tag is invalid (not in the list of tags) or if the
- * extension is not found in the certificate, PKIX_FALSE is stored.
- *
- * PARAMETERS
- * "cert"
- * Address of Cert whose extensions are to be examined. Must be non-NULL.
- * "tag"
- * The UInt32 value of the tag for the extension whose criticality is
- * to be determined
- * "pCritical"
- * Address where the Boolean value will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- static PKIX_Error *
- pkix_pl_Cert_IsExtensionCritical(
- PKIX_PL_Cert *cert,
- PKIX_UInt32 tag,
- PKIX_Boolean *pCritical,
- void *plContext)
- {
- PKIX_Boolean criticality = PKIX_FALSE;
- CERTCertExtension **extensions = NULL;
- SECStatus rv;
- PKIX_ENTER(CERT, "pkix_pl_Cert_IsExtensionCritical");
- PKIX_NULLCHECK_THREE(cert, cert->nssCert, pCritical);
- extensions = cert->nssCert->extensions;
- PKIX_NULLCHECK_ONE(extensions);
- PKIX_CERT_DEBUG("\t\tCalling CERT_GetExtenCriticality).\n");
- rv = CERT_GetExtenCriticality(extensions, tag, &criticality);
- if (SECSuccess == rv) {
- *pCritical = criticality;
- } else {
- *pCritical = PKIX_FALSE;
- }
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_DecodePolicyInfo
- * DESCRIPTION:
- *
- * Decodes the contents of the CertificatePolicy extension in the
- * CERTCertificate pointed to by "nssCert", to create a List of
- * CertPolicyInfos, which is stored at the address "pCertPolicyInfos".
- * A CERTCertificate contains the DER representation of the Cert.
- * If this certificate does not have a CertificatePolicy extension,
- * NULL will be stored. If a List is returned, it will be immutable.
- *
- * PARAMETERS
- * "nssCert"
- * Address of the Cert data whose extension is to be examined. Must be
- * non-NULL.
- * "pCertPolicyInfos"
- * Address where the List of CertPolicyInfos will be stored. Must be
- * non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- static PKIX_Error *
- pkix_pl_Cert_DecodePolicyInfo(
- CERTCertificate *nssCert,
- PKIX_List **pCertPolicyInfos,
- void *plContext)
- {
- SECStatus rv;
- SECItem encodedCertPolicyInfo;
- /* Allocated in the arena; freed in CERT_Destroy... */
- CERTCertificatePolicies *certPol = NULL;
- CERTPolicyInfo **policyInfos = NULL;
- CERTPolicyInfo *policyInfo = NULL;
- CERTPolicyQualifier **policyQualifiers = NULL;
- CERTPolicyQualifier *policyQualifier = NULL;
- /* Holder for the return value */
- PKIX_List *infos = NULL;
- char *oidAscii = NULL;
- PKIX_PL_OID *pkixOID = NULL;
- PKIX_List *qualifiers = NULL;
- PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
- PKIX_PL_CertPolicyQualifier *certPolicyQualifier = NULL;
- PKIX_PL_ByteArray *qualifierArray = NULL;
- PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyInfo");
- PKIX_NULLCHECK_TWO(nssCert, pCertPolicyInfos);
- /* get PolicyInfo as a SECItem */
- PKIX_CERT_DEBUG("\t\tCERT_FindCertExtension).\n");
- rv = CERT_FindCertExtension
- (nssCert,
- SEC_OID_X509_CERTIFICATE_POLICIES,
- &encodedCertPolicyInfo);
- if (SECSuccess != rv) {
- *pCertPolicyInfos = NULL;
- goto cleanup;
- }
- /* translate PolicyInfo to CERTCertificatePolicies */
- PKIX_CERT_DEBUG("\t\tCERT_DecodeCertificatePoliciesExtension).\n");
- certPol = CERT_DecodeCertificatePoliciesExtension
- (&encodedCertPolicyInfo);
- PORT_Free(encodedCertPolicyInfo.data);
- if (NULL == certPol) {
- PKIX_ERROR(PKIX_CERTDECODECERTIFICATEPOLICIESEXTENSIONFAILED);
- }
- /*
- * Check whether there are any policyInfos, so we can
- * avoid creating an unnecessary List
- */
- policyInfos = certPol->policyInfos;
- if (!policyInfos) {
- *pCertPolicyInfos = NULL;
- goto cleanup;
- }
- /* create a List of CertPolicyInfo Objects */
- PKIX_CHECK(PKIX_List_Create(&infos, plContext),
- PKIX_LISTCREATEFAILED);
- /*
- * Traverse the CERTCertificatePolicies structure,
- * building each PKIX_PL_CertPolicyInfo object in turn
- */
- while (*policyInfos != NULL) {
- policyInfo = *policyInfos;
- policyQualifiers = policyInfo->policyQualifiers;
- if (policyQualifiers) {
- /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
- PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
- PKIX_LISTCREATEFAILED);
- while (*policyQualifiers != NULL) {
- policyQualifier = *policyQualifiers;
- /* create the qualifier's OID object */
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyQualifier->qualifierID),
- &oidAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
- PKIX_OIDCREATEFAILED);
- /* create qualifier's ByteArray object */
- PKIX_CHECK(PKIX_PL_ByteArray_Create
- (policyQualifier->qualifierValue.data,
- policyQualifier->qualifierValue.len,
- &qualifierArray,
- plContext),
- PKIX_BYTEARRAYCREATEFAILED);
- /* create a CertPolicyQualifier object */
- PKIX_CHECK(pkix_pl_CertPolicyQualifier_Create
- (pkixOID,
- qualifierArray,
- &certPolicyQualifier,
- plContext),
- PKIX_CERTPOLICYQUALIFIERCREATEFAILED);
- PKIX_CHECK(PKIX_List_AppendItem
- (qualifiers,
- (PKIX_PL_Object *)certPolicyQualifier,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(oidAscii);
- PKIX_DECREF(pkixOID);
- PKIX_DECREF(qualifierArray);
- PKIX_DECREF(certPolicyQualifier);
- policyQualifiers++;
- }
- PKIX_CHECK(PKIX_List_SetImmutable
- (qualifiers, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
- }
- /*
- * Create an OID object pkixOID from policyInfo->policyID.
- * (The CERTPolicyInfo structure has an oid field, but it
- * is of type SECOidTag. This function wants a SECItem.)
- */
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyInfo->policyID), &oidAscii, plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
- PKIX_CHECK(PKIX_PL_OID_Create
- (oidAscii, &pkixOID, plContext),
- PKIX_OIDCREATEFAILED);
- /* Create a CertPolicyInfo object */
- PKIX_CHECK(pkix_pl_CertPolicyInfo_Create
- (pkixOID, qualifiers, &certPolicyInfo, plContext),
- PKIX_CERTPOLICYINFOCREATEFAILED);
- /* Append the new CertPolicyInfo object to the list */
- PKIX_CHECK(PKIX_List_AppendItem
- (infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
- PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(oidAscii);
- PKIX_DECREF(pkixOID);
- PKIX_DECREF(qualifiers);
- PKIX_DECREF(certPolicyInfo);
- policyInfos++;
- }
- /*
- * If there were no policies, we went straight to
- * cleanup, so we don't have to NULLCHECK infos.
- */
- PKIX_CHECK(PKIX_List_SetImmutable(infos, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
- *pCertPolicyInfos = infos;
- infos = NULL;
- cleanup:
- if (certPol) {
- PKIX_CERT_DEBUG
- ("\t\tCalling CERT_DestroyCertificatePoliciesExtension).\n");
- CERT_DestroyCertificatePoliciesExtension(certPol);
- }
- PKIX_FREE(oidAscii);
- PKIX_DECREF(infos);
- PKIX_DECREF(pkixOID);
- PKIX_DECREF(qualifiers);
- PKIX_DECREF(certPolicyInfo);
- PKIX_DECREF(certPolicyQualifier);
- PKIX_DECREF(qualifierArray);
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_DecodePolicyMapping
- * DESCRIPTION:
- *
- * Decodes the contents of the PolicyMapping extension of the CERTCertificate
- * pointed to by "nssCert", storing the resulting List of CertPolicyMaps at
- * the address pointed to by "pCertPolicyMaps". If this certificate does not
- * have a PolicyMapping extension, NULL will be stored. If a List is returned,
- * it will be immutable.
- *
- * PARAMETERS
- * "nssCert"
- * Address of the Cert data whose extension is to be examined. Must be
- * non-NULL.
- * "pCertPolicyMaps"
- * Address where the List of CertPolicyMaps will be stored. Must be
- * non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- static PKIX_Error *
- pkix_pl_Cert_DecodePolicyMapping(
- CERTCertificate *nssCert,
- PKIX_List **pCertPolicyMaps,
- void *plContext)
- {
- SECStatus rv;
- SECItem encodedCertPolicyMaps;
- /* Allocated in the arena; freed in CERT_Destroy... */
- CERTCertificatePolicyMappings *certPolMaps = NULL;
- CERTPolicyMap **policyMaps = NULL;
- CERTPolicyMap *policyMap = NULL;
- /* Holder for the return value */
- PKIX_List *maps = NULL;
- char *issuerPolicyOIDAscii = NULL;
- char *subjectPolicyOIDAscii = NULL;
- PKIX_PL_OID *issuerDomainOID = NULL;
- PKIX_PL_OID *subjectDomainOID = NULL;
- PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
- PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyMapping");
- PKIX_NULLCHECK_TWO(nssCert, pCertPolicyMaps);
- /* get PolicyMappings as a SECItem */
- PKIX_CERT_DEBUG("\t\tCERT_FindCertExtension).\n");
- rv = CERT_FindCertExtension
- (nssCert, SEC_OID_X509_POLICY_MAPPINGS, &encodedCertPolicyMaps);
- if (SECSuccess != rv) {
- *pCertPolicyMaps = NULL;
- goto cleanup;
- }
- /* translate PolicyMaps to CERTCertificatePolicyMappings */
- certPolMaps = CERT_DecodePolicyMappingsExtension
- (&encodedCertPolicyMaps);
- PORT_Free(encodedCertPolicyMaps.data);
- if (!certPolMaps) {
- PKIX_ERROR(PKIX_CERTDECODEPOLICYMAPPINGSEXTENSIONFAILED);
- }
- PKIX_NULLCHECK_ONE(certPolMaps->policyMaps);
- policyMaps = certPolMaps->policyMaps;
- /* create a List of CertPolicyMap Objects */
- PKIX_CHECK(PKIX_List_Create(&maps, plContext),
- PKIX_LISTCREATEFAILED);
- /*
- * Traverse the CERTCertificatePolicyMappings structure,
- * building each CertPolicyMap object in turn
- */
- do {
- policyMap = *policyMaps;
- /* create the OID for the issuer Domain Policy */
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyMap->issuerDomainPolicy),
- &issuerPolicyOIDAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
- PKIX_CHECK(PKIX_PL_OID_Create
- (issuerPolicyOIDAscii, &issuerDomainOID, plContext),
- PKIX_OIDCREATEFAILED);
- /* create the OID for the subject Domain Policy */
- PKIX_CHECK(pkix_pl_oidBytes2Ascii
- (&(policyMap->subjectDomainPolicy),
- &subjectPolicyOIDAscii,
- plContext),
- PKIX_OIDBYTES2ASCIIFAILED);
- PKIX_CHECK(PKIX_PL_OID_Create
- (subjectPolicyOIDAscii, &subjectDomainOID, plContext),
- PKIX_OIDCREATEFAILED);
- /* create the CertPolicyMap */
- PKIX_CHECK(pkix_pl_CertPolicyMap_Create
- (issuerDomainOID,
- subjectDomainOID,
- &certPolicyMap,
- plContext),
- PKIX_CERTPOLICYMAPCREATEFAILED);
- PKIX_CHECK(PKIX_List_AppendItem
- (maps, (PKIX_PL_Object *)certPolicyMap, plContext),
- PKIX_LISTAPPENDITEMFAILED);
- PKIX_FREE(issuerPolicyOIDAscii);
- PKIX_FREE(subjectPolicyOIDAscii);
- PKIX_DECREF(issuerDomainOID);
- PKIX_DECREF(subjectDomainOID);
- PKIX_DECREF(certPolicyMap);
- policyMaps++;
- } while (*policyMaps != NULL);
- PKIX_CHECK(PKIX_List_SetImmutable(maps, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
- *pCertPolicyMaps = maps;
- maps = NULL;
- cleanup:
- if (certPolMaps) {
- PKIX_CERT_DEBUG
- ("\t\tCalling CERT_DestroyPolicyMappingsExtension).\n");
- CERT_DestroyPolicyMappingsExtension(certPolMaps);
- }
- PKIX_FREE(issuerPolicyOIDAscii);
- PKIX_FREE(subjectPolicyOIDAscii);
- PKIX_DECREF(maps);
- PKIX_DECREF(issuerDomainOID);
- PKIX_DECREF(subjectDomainOID);
- PKIX_DECREF(certPolicyMap);
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_DecodePolicyConstraints
- * DESCRIPTION:
- *
- * Decodes the contents of the PolicyConstraints extension in the
- * CERTCertificate pointed to by "nssCert", to obtain SkipCerts values
- * which are stored at the addresses "pExplicitPolicySkipCerts" and
- * "pInhibitMappingSkipCerts", respectively. If this certificate does
- * not have an PolicyConstraints extension, or if either of the optional
- * components is not supplied, this function stores a value of -1 for any
- * missing component.
- *
- * PARAMETERS
- * "nssCert"
- * Address of the Cert data whose extension is to be examined. Must be
- * non-NULL.
- * "pExplicitPolicySkipCerts"
- * Address where the SkipCert value for the requireExplicitPolicy
- * component will be stored. Must be non-NULL.
- * "pInhibitMappingSkipCerts"
- * Address where the SkipCert value for the inhibitPolicyMapping
- * component will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- static PKIX_Error *
- pkix_pl_Cert_DecodePolicyConstraints(
- CERTCertificate *nssCert,
- PKIX_Int32 *pExplicitPolicySkipCerts,
- PKIX_Int32 *pInhibitMappingSkipCerts,
- void *plContext)
- {
- CERTCertificatePolicyConstraints policyConstraints;
- SECStatus rv;
- SECItem encodedCertPolicyConstraints;
- PKIX_Int32 explicitPolicySkipCerts = -1;
- PKIX_Int32 inhibitMappingSkipCerts = -1;
- PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyConstraints");
- PKIX_NULLCHECK_THREE
- (nssCert, pExplicitPolicySkipCerts, pInhibitMappingSkipCerts);
- /* get the two skipCert values as SECItems */
- PKIX_CERT_DEBUG("\t\tCalling CERT_FindCertExtension).\n");
- rv = CERT_FindCertExtension
- (nssCert,
- SEC_OID_X509_POLICY_CONSTRAINTS,
- &encodedCertPolicyConstraints);
- if (rv == SECSuccess) {
- policyConstraints.explicitPolicySkipCerts.data =
- (unsigned char *)&explicitPolicySkipCerts;
- policyConstraints.inhibitMappingSkipCerts.data =
- (unsigned char *)&inhibitMappingSkipCerts;
- /* translate DER to CERTCertificatePolicyConstraints */
- rv = CERT_DecodePolicyConstraintsExtension
- (&policyConstraints, &encodedCertPolicyConstraints);
- PORT_Free(encodedCertPolicyConstraints.data);
- if (rv != SECSuccess) {
- PKIX_ERROR
- (PKIX_CERTDECODEPOLICYCONSTRAINTSEXTENSIONFAILED);
- }
- }
- *pExplicitPolicySkipCerts = explicitPolicySkipCerts;
- *pInhibitMappingSkipCerts = inhibitMappingSkipCerts;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_DecodeInhibitAnyPolicy
- * DESCRIPTION:
- *
- * Decodes the contents of the InhibitAnyPolicy extension in the
- * CERTCertificate pointed to by "nssCert", to obtain a SkipCerts value,
- * which is stored at the address "pSkipCerts". If this certificate does
- * not have an InhibitAnyPolicy extension, -1 will be stored.
- *
- * PARAMETERS
- * "nssCert"
- * Address of the Cert data whose InhibitAnyPolicy extension is to be
- * processed. Must be non-NULL.
- * "pSkipCerts"
- * Address where the SkipCert value from the InhibitAnyPolicy extension
- * will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- PKIX_Error *
- pkix_pl_Cert_DecodeInhibitAnyPolicy(
- CERTCertificate *nssCert,
- PKIX_Int32 *pSkipCerts,
- void *plContext)
- {
- CERTCertificateInhibitAny inhibitAny;
- SECStatus rv;
- SECItem encodedCertInhibitAny;
- PKIX_Int32 skipCerts = -1;
- PKIX_ENTER(CERT, "pkix_pl_Cert_DecodeInhibitAnyPolicy");
- PKIX_NULLCHECK_TWO(nssCert, pSkipCerts);
- /* get InhibitAny as a SECItem */
- PKIX_CERT_DEBUG("\t\tCalling CERT_FindCertExtension).\n");
- rv = CERT_FindCertExtension
- (nssCert, SEC_OID_X509_INHIBIT_ANY_POLICY, &encodedCertInhibitAny);
- if (rv == SECSuccess) {
- inhibitAny.inhibitAnySkipCerts.data =
- (unsigned char *)&skipCerts;
- /* translate DER to CERTCertificateInhibitAny */
- rv = CERT_DecodeInhibitAnyExtension
- (&inhibitAny, &encodedCertInhibitAny);
- PORT_Free(encodedCertInhibitAny.data);
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_CERTDECODEINHIBITANYEXTENSIONFAILED);
- }
- }
- *pSkipCerts = skipCerts;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_GetNssSubjectAltNames
- * DESCRIPTION:
- *
- * Retrieves the Subject Alternative Names of the certificate specified by
- * "cert" and stores it at "pNssSubjAltNames". If the Subject Alternative
- * Name extension is not present, NULL is returned at "pNssSubjAltNames".
- * If the Subject Alternative Names has not been previously decoded, it is
- * decoded here with lock on the "cert" unless the flag "hasLock" indicates
- * the lock had been obtained at a higher call level.
- *
- * PARAMETERS
- * "cert"
- * Address of the certificate whose Subject Alternative Names extensions
- * is retrieved. Must be non-NULL.
- * "hasLock"
- * Boolean indicates caller has acquired a lock.
- * Must be non-NULL.
- * "pNssSubjAltNames"
- * Address where the returned Subject Alternative Names will be stored.
- * Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- static PKIX_Error *
- pkix_pl_Cert_GetNssSubjectAltNames(
- PKIX_PL_Cert *cert,
- PKIX_Boolean hasLock,
- CERTGeneralName **pNssSubjAltNames,
- void *plContext)
- {
- CERTCertificate *nssCert = NULL;
- CERTGeneralName *nssOriginalAltName = NULL;
- PLArenaPool *arena = NULL;
- SECItem altNameExtension = {siBuffer, NULL, 0};
- SECStatus rv = SECFailure;
- PKIX_ENTER(CERT, "pkix_pl_Cert_GetNssSubjectAltNames");
- PKIX_NULLCHECK_THREE(cert, pNssSubjAltNames, cert->nssCert);
- nssCert = cert->nssCert;
- if ((cert->nssSubjAltNames == NULL) && (!cert->subjAltNamesAbsent)){
- if (!hasLock) {
- PKIX_OBJECT_LOCK(cert);
- }
- if ((cert->nssSubjAltNames == NULL) &&
- (!cert->subjAltNamesAbsent)){
- PKIX_PL_NSSCALLRV(CERT, rv, CERT_FindCertExtension,
- (nssCert,
- SEC_OID_X509_SUBJECT_ALT_NAME,
- &altNameExtension));
- if (rv != SECSuccess) {
- *pNssSubjAltNames = NULL;
- cert->subjAltNamesAbsent = PKIX_TRUE;
- goto cleanup;
- }
- if (cert->arenaNameConstraints == NULL) {
- PKIX_PL_NSSCALLRV(CERT, arena, PORT_NewArena,
- (DER_DEFAULT_CHUNKSIZE));
- if (arena == NULL) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
- cert->arenaNameConstraints = arena;
- }
- PKIX_PL_NSSCALLRV
- (CERT,
- nssOriginalAltName,
- (CERTGeneralName *) CERT_DecodeAltNameExtension,
- (cert->arenaNameConstraints, &altNameExtension));
- PKIX_PL_NSSCALL(CERT, PORT_Free, (altNameExtension.data));
- if (nssOriginalAltName == NULL) {
- PKIX_ERROR(PKIX_CERTDECODEALTNAMEEXTENSIONFAILED);
- }
- cert->nssSubjAltNames = nssOriginalAltName;
- }
- if (!hasLock) {
- PKIX_OBJECT_UNLOCK(cert);
- }
- }
- *pNssSubjAltNames = cert->nssSubjAltNames;
- cleanup:
- PKIX_OBJECT_UNLOCK(lockedObject);
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_CheckExtendKeyUsage
- * DESCRIPTION:
- *
- * For each of the ON bit in "requiredExtendedKeyUsages" that represents its
- * SECCertUsageEnum type, this function checks "cert"'s certType (extended
- * key usage) and key usage with what is required for SECCertUsageEnum type.
- *
- * PARAMETERS
- * "cert"
- * Address of the certificate whose Extended Key Usage extensions
- * is retrieved. Must be non-NULL.
- * "requiredExtendedKeyUsages"
- * An unsigned integer, its bit location is ON based on the required key
- * usage value representing in SECCertUsageEnum.
- * "pPass"
- * Address where the return value, indicating key usage check passed, is
- * stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- PKIX_Error *
- pkix_pl_Cert_CheckExtendedKeyUsage(
- PKIX_PL_Cert *cert,
- PKIX_UInt32 requiredExtendedKeyUsages,
- PKIX_Boolean *pPass,
- void *plContext)
- {
- PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
- PKIX_UInt32 certType = 0;
- PKIX_UInt32 requiredKeyUsage = 0;
- PKIX_UInt32 requiredCertType = 0;
- PKIX_UInt32 requiredExtendedKeyUsage = 0;
- PKIX_UInt32 i;
- PKIX_Boolean isCA = PKIX_FALSE;
- SECStatus rv = SECFailure;
- PKIX_ENTER(CERT, "pkix_pl_Cert_CheckExtendKeyUsage");
- PKIX_NULLCHECK_THREE(cert, pPass, cert->nssCert);
- *pPass = PKIX_FALSE;
- PKIX_CERT_DEBUG("\t\tCalling cert_GetCertType).\n");
- cert_GetCertType(cert->nssCert);
- certType = cert->nssCert->nsCertType;
- PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
- (cert,
- &basicConstraints,
- plContext),
- PKIX_CERTGETBASICCONSTRAINTFAILED);
- if (basicConstraints != NULL) {
- PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
- (basicConstraints, &isCA, plContext),
- PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
- }
- i = 0;
- while (requiredExtendedKeyUsages != 0) {
- /* Find the bit location of the right-most non-zero bit */
- while (requiredExtendedKeyUsages != 0) {
- if (((1 << i) & requiredExtendedKeyUsages) != 0) {
- requiredExtendedKeyUsage = 1 << i;
- break;
- }
- i++;
- }
- requiredExtendedKeyUsages ^= requiredExtendedKeyUsage;
- requiredExtendedKeyUsage = i;
- PKIX_PL_NSSCALLRV(CERT, rv, CERT_KeyUsageAndTypeForCertUsage,
- (requiredExtendedKeyUsage,
- isCA,
- &requiredKeyUsage,
- &requiredCertType));
- if (!(certType & requiredCertType)) {
- goto cleanup;
- }
- PKIX_PL_NSSCALLRV(CERT, rv, CERT_CheckKeyUsage,
- (cert->nssCert, requiredKeyUsage));
- if (rv != SECSuccess) {
- goto cleanup;
- }
- i++;
- }
- *pPass = PKIX_TRUE;
- cleanup:
- PKIX_DECREF(basicConstraints);
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_ToString_Helper
- * DESCRIPTION:
- *
- * Helper function that creates a string representation of the Cert pointed
- * to by "cert" and stores it at "pString", where the value of
- * "partialString" determines whether a full or partial representation of
- * the Cert is stored.
- *
- * PARAMETERS
- * "cert"
- * Address of Cert whose string representation is desired.
- * Must be non-NULL.
- * "partialString"
- * Boolean indicating whether a partial Cert representation is desired.
- * "pString"
- * Address where object pointer will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns a Cert Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
- PKIX_Error *
- pkix_pl_Cert_ToString_Helper(
- PKIX_PL_Cert *cert,
- PKIX_Boolean partialString,
- PKIX_PL_String **pString,
- void *plContext)
- {
- PKIX_PL_String *certString = NULL;
- char *asciiFormat = NULL;
- PKIX_PL_String *formatString = NULL;
- PKIX_UInt32 certVersion;
- PKIX_PL_BigInt *certSN = NULL;
- PKIX_PL_String *certSNString = NULL;
- PKIX_PL_X500Name *certIssuer = NULL;
- PKIX_PL_String *certIssuerString = NULL;
- PKIX_PL_X500Name *certSubject = NULL;
- PKIX_PL_String *certSubjectString = NULL;
- PKIX_PL_String *notBeforeString = NULL;
- PKIX_PL_String *notAfterString = NULL;
- PKIX_List *subjAltNames = NULL;
- PKIX_PL_String *subjAltNamesString = NULL;
- PKIX_PL_ByteArray *authKeyId = NULL;
- PKIX_PL_String *authKeyIdString = NULL;
- PKIX_PL_ByteArray *subjKeyId = NULL;
- PKIX_PL_String *subjKeyIdString = NULL;
- PKIX_PL_PublicKey *nssPubKey = NULL;
- PKIX_PL_String *nssPubKeyString = NULL;
- PKIX_List *critExtOIDs = NULL;
- PKIX_PL_String *critExtOIDsString = NULL;
- PKIX_List *extKeyUsages = NULL;
- PKIX_PL_String *extKeyUsagesString = NULL;
- PKIX_PL_CertBasicConstraints *basicConstraint = NULL;
- PKIX_PL_String *certBasicConstraintsString = NULL;
- PKIX_List *policyInfo = NULL;
- PKIX_PL_String *certPolicyInfoString = NULL;
- PKIX_List *certPolicyMappings = NULL;
- PKIX_PL_String *certPolicyMappingsString = NULL;
- PKIX_Int32 certExplicitPolicy = 0;
- PKIX_Int32 certInhibitMapping = 0;
- PKIX_Int32 certInhibitAnyPolicy = 0;
- PKIX_PL_CertNameConstraints *nameConstraints = NULL;
- PKIX_PL_String *nameConstraintsString = NULL;
- PKIX_List *authorityInfoAccess = NULL;
- PKIX_PL_String *authorityInfoAccessString = NULL;
- PKIX_List *subjectInfoAccess = NULL;
- PKIX_PL_String *subjectInfoAccessString = NULL;
- PKIX_ENTER(CERT, "pkix_pl_Cert_ToString_Helper");
- PKIX_NULLCHECK_THREE(cert, cert->nssCert, pString);
- /*
- * XXX Add to this format as certificate components are developed.
- */
- if (partialString){
- asciiFormat =
- "\t[Issuer: %s\n"
- "\t Subject: %s]";
- } else {
- asciiFormat =
- "[\n"
- "\tVersion: v%d\n"
- "\tSerialNumber: %s\n"
- "\tIssuer: %s\n"
- "\tSubject: %s\n"
- "\tValidity: [From: %s\n"
- "\t To: %s]\n"
- "\tSubjectAltNames: %s\n"
- "\tAuthorityKeyId: %s\n"
- "\tSubjectKeyId: %s\n"
- "\tSubjPubKeyAlgId: %s\n"
- "\tCritExtOIDs: %s\n"
- "\tExtKeyUsages: %s\n"
- "\tBasicConstraint: %s\n"
- "\tCertPolicyInfo: %s\n"
- "\tPolicyMappings: %s\n"
- "\tExplicitPolicy: %d\n"
- "\tInhibitMapping: %d\n"
- "\tInhibitAnyPolicy:%d\n"
- "\tNameConstraints: %s\n"
- "\tAuthorityInfoAccess: %s\n"
- "\tSubjectInfoAccess: %s\n"
- "\tCacheFlag: %d\n"
- "]\n";
- }
- PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
- PKIX_STRINGCREATEFAILED);
- /* Issuer */
- PKIX_CHECK(PKIX_PL_Cert_GetIssuer
- (cert, &certIssuer, plContext),
- PKIX_CERTGETISSUERFAILED);
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object *)certIssuer, &certIssuerString, plContext),
- PKIX_X500NAMETOSTRINGFAILED);
- /* Subject */
- PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &certSubject, plContext),
- PKIX_CERTGETSUBJECTFAILED);
- PKIX_TOSTRING(certSubject, &certSubjectString, plContext,
- PKIX_X500NAMETOSTRINGFAILED);
- if (partialString){
- PKIX_CHECK(PKIX_PL_Sprintf
- (&certString,
- plContext,
- formatString,
- certIssuerString,
- certSubjectString),
- PKIX_SPRINTFFAILED);
- *pString = certString;
- goto cleanup;
- }
- /* Version */
- PKIX_CHECK(PKIX_PL_Cert_GetVersion(cert, &certVersion, plContext),
- PKIX_CERTGETVERSIONFAILED);
- /* SerialNumber */
- PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber(cert, &certSN, plContext),
- PKIX_CERTGETSERIALNUMBERFAILED);
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object *)certSN, &certSNString, plContext),
- PKIX_BIGINTTOSTRINGFAILED);
- /* Validity: NotBefore */
- PKIX_CHECK(pkix_pl_Date_ToString_Helper
- (&(cert->nssCert->validity.notBefore),
- ¬BeforeString,
- plContext),
- PKIX_DATETOSTRINGHELPERFAILED);
- /* Validity: NotAfter */
- PKIX_CHECK(pkix_pl_Date_ToString_Helper
- (&(cert->nssCert->validity.notAfter),
- ¬AfterString,
- plContext),
- PKIX_DATETOSTRINGHELPERFAILED);
- /* SubjectAltNames */
- PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
- (cert, &subjAltNames, plContext),
- PKIX_CERTGETSUBJECTALTNAMESFAILED);
- PKIX_TOSTRING(subjAltNames, &subjAltNamesString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* AuthorityKeyIdentifier */
- PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
- (cert, &authKeyId, plContext),
- PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
- PKIX_TOSTRING(authKeyId, &authKeyIdString, plContext,
- PKIX_BYTEARRAYTOSTRINGFAILED);
- /* SubjectKeyIdentifier */
- PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
- (cert, &subjKeyId, plContext),
- PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
- PKIX_TOSTRING(subjKeyId, &subjKeyIdString, plContext,
- PKIX_BYTEARRAYTOSTRINGFAILED);
- /* SubjectPublicKey */
- PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
- (cert, &nssPubKey, plContext),
- PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object *)nssPubKey, &nssPubKeyString, plContext),
- PKIX_PUBLICKEYTOSTRINGFAILED);
- /* CriticalExtensionOIDs */
- PKIX_CHECK(PKIX_PL_Cert_GetCriticalExtensionOIDs
- (cert, &critExtOIDs, plContext),
- PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED);
- PKIX_TOSTRING(critExtOIDs, &critExtOIDsString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* ExtendedKeyUsages */
- PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
- (cert, &extKeyUsages, plContext),
- PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
- PKIX_TOSTRING(extKeyUsages, &extKeyUsagesString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* CertBasicConstraints */
- PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
- (cert, &basicConstraint, plContext),
- PKIX_CERTGETBASICCONSTRAINTSFAILED);
- PKIX_TOSTRING(basicConstraint, &certBasicConstraintsString, plContext,
- PKIX_CERTBASICCONSTRAINTSTOSTRINGFAILED);
- /* CertPolicyInfo */
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
- (cert, &policyInfo, plContext),
- PKIX_CERTGETPOLICYINFORMATIONFAILED);
- PKIX_TOSTRING(policyInfo, &certPolicyInfoString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* Advanced Policies */
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
- (cert, &certPolicyMappings, plContext),
- PKIX_CERTGETPOLICYMAPPINGSFAILED);
- PKIX_TOSTRING(certPolicyMappings, &certPolicyMappingsString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
- (cert, &certExplicitPolicy, plContext),
- PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
- (cert, &certInhibitMapping, plContext),
- PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
- PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
- (cert, &certInhibitAnyPolicy, plContext),
- PKIX_CERTGETINHIBITANYPOLICYFAILED);
- /* Name Constraints */
- PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
- (cert, &nameConstraints, plContext),
- PKIX_CERTGETNAMECONSTRAINTSFAILED);
- PKIX_TOSTRING(nameConstraints, &nameConstraintsString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* Authority Information Access */
- PKIX_CHECK(PKIX_PL_Cert_GetAuthorityInfoAccess
- (cert, &authorityInfoAccess, plContext),
- PKIX_CERTGETAUTHORITYINFOACCESSFAILED);
- PKIX_TOSTRING(authorityInfoAccess, &authorityInfoAccessString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- /* Subject Information Access */
- PKIX_CHECK(PKIX_PL_Cert_GetSubjectInfoAccess
- (cert, &subjectInfoAccess, plContext),
- PKIX_CERTGETSUBJECTINFOACCESSFAILED);
- PKIX_TOSTRING(subjectInfoAccess, &subjectInfoAccessString, plContext,
- PKIX_LISTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_Sprintf
- (&certString,
- plContext,
- formatString,
- certVersion + 1,
- certSNString,
- certIssuerString,
- certSubjectString,
- notBeforeString,
- notAfterString,
- subjAltNamesString,
- authKeyIdString,
- subjKeyIdString,
- nssPubKeyString,
- critExtOIDsString,
- extKeyUsagesString,
- certBasicConstraintsString,
- certPolicyInfoString,
- certPolicyMappingsString,
- certExplicitPolicy, /* an Int32, not a String */
- certInhibitMapping, /* an Int32, not a String */
- certInhibitAnyPolicy, /* an Int32, not a String */
- nameConstraintsString,
- authorityInfoAccessString,
- subjectInfoAccessString,
- cert->cacheFlag), /* a boolean */
- PKIX_SPRINTFFAILED);
- *pString = certString;
- cleanup:
- PKIX_DECREF(certSN);
- PKIX_DECREF(certSNString);
- PKIX_DECREF(certIssuer);
- PKIX_DECREF(certIssuerString);
- PKIX_DECREF(certSubject);
- PKIX_DECREF(certSubjectString);
- PKIX_DECREF(notBeforeString);
- PKIX_DECREF(notAfterString);
- PKIX_DECREF(subjAltNames);
- PKIX_DECREF(subjAltNamesString);
- PKIX_DECREF(authKeyId);
- PKIX_DECREF(authKeyIdString);
- PKIX_DECREF(subjKeyId);
- PKIX_DECREF(subjKeyIdString);
- PKIX_DECREF(nssPubKey);
- PKIX_DECREF(nssPubKeyString);
- PKIX_DECREF(critExtOIDs);
- PKIX_DECREF(critExtOIDsString);
- PKIX_DECREF(extKeyUsages);
- PKIX_DECREF(extKeyUsagesString);
- PKIX_DECREF(basicConstraint);
- PKIX_DECREF(certBasicConstraintsString);
- PKIX_DECREF(policyInfo);
- PKIX_DECREF(certPolicyInfoString);
- PKIX_DECREF(certPolicyMappings);
- PKIX_DECREF(certPolicyMappingsString);
- PKIX_DECREF(nameConstraints);
- PKIX_DECREF(nameConstraintsString);
- PKIX_DECREF(authorityInfoAccess);
- PKIX_DECREF(authorityInfoAccessString);
- PKIX_DECREF(subjectInfoAccess);
- PKIX_DECREF(subjectInfoAccessString);
- PKIX_DECREF(formatString);
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_Destroy
- * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
- */
- static PKIX_Error *
- pkix_pl_Cert_Destroy(
- PKIX_PL_Object *object,
- void *plContext)
- {
- PKIX_PL_Cert *cert = NULL;
- PKIX_ENTER(CERT, "pkix_pl_Cert_Destroy");
- PKIX_NULLCHECK_ONE(object);
- PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
- PKIX_OBJECTNOTCERT);
- cert = (PKIX_PL_Cert*)object;
- PKIX_DECREF(cert->subject);
- PKIX_DECREF(cert->issuer);
- PKIX_DECREF(cert->subjAltNames);
- PKIX_DECREF(cert->publicKeyAlgId);
- PKIX_DECREF(cert->publicKey);
- PKIX_DECREF(cert->serialNumber);
- PKIX_DECREF(cert->critExtOids);
- PKIX_DECREF(cert->authKeyId);
- PKIX_DECREF(cert->subjKeyId);
- PKIX_DECREF(cert->extKeyUsages);
- PKIX_DECREF(cert->certBasicConstraints);
- PKIX_DECREF(cert->certPolicyInfos);
- PKIX_DECREF(cert->certPolicyMappings);
- PKIX_DECREF(cert->nameConstraints);
- PKIX_DECREF(cert->store);
- PKIX_DECREF(cert->authorityInfoAccess);
- PKIX_DECREF(cert->subjectInfoAccess);
- if (cert->arenaNameConstraints){
- /* This arena was allocated for SubjectAltNames */
- PKIX_PL_NSSCALL(CERT, PORT_FreeArena,
- (cert->arenaNameConstraints, PR_FALSE));
- cert->arenaNameConstraints = NULL;
- cert->nssSubjAltNames = NULL;
- }
- CERT_DestroyCertificate(cert->nssCert);
- cert->nssCert = NULL;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_ToString
- * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
- */
- static PKIX_Error *
- pkix_pl_Cert_ToString(
- PKIX_PL_Object *object,
- PKIX_PL_String **pString,
- void *plContext)
- {
- PKIX_PL_String *certString = NULL;
- PKIX_PL_Cert *pkixCert = NULL;
- PKIX_ENTER(CERT, "pkix_pl_Cert_toString");
- PKIX_NULLCHECK_TWO(object, pString);
- PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
- PKIX_OBJECTNOTCERT);
- pkixCert = (PKIX_PL_Cert *)object;
- PKIX_CHECK(pkix_pl_Cert_ToString_Helper
- (pkixCert, PKIX_FALSE, &certString, plContext),
- PKIX_CERTTOSTRINGHELPERFAILED);
- *pString = certString;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_Hashcode
- * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
- */
- static PKIX_Error *
- pkix_pl_Cert_Hashcode(
- PKIX_PL_Object *object,
- PKIX_UInt32 *pHashcode,
- void *plContext)
- {
- PKIX_PL_Cert *pkixCert = NULL;
- CERTCertificate *nssCert = NULL;
- unsigned char *derBytes = NULL;
- PKIX_UInt32 derLength;
- PKIX_UInt32 certHash;
- PKIX_ENTER(CERT, "pkix_pl_Cert_Hashcode");
- PKIX_NULLCHECK_TWO(object, pHashcode);
- PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
- PKIX_OBJECTNOTCERT);
- pkixCert = (PKIX_PL_Cert *)object;
- nssCert = pkixCert->nssCert;
- derBytes = (nssCert->derCert).data;
- derLength = (nssCert->derCert).len;
- PKIX_CHECK(pkix_hash(derBytes, derLength, &certHash, plContext),
- PKIX_HASHFAILED);
- *pHashcode = certHash;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_Equals
- * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
- */
- static PKIX_Error *
- pkix_pl_Cert_Equals(
- PKIX_PL_Object *firstObject,
- PKIX_PL_Object *secondObject,
- PKIX_Boolean *pResult,
- void *plContext)
- {
- CERTCertificate *firstCert = NULL;
- CERTCertificate *secondCert = NULL;
- PKIX_UInt32 secondType;
- PKIX_Boolean cmpResult;
- PKIX_ENTER(CERT, "pkix_pl_Cert_Equals");
- PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
- /* test that firstObject is a Cert */
- PKIX_CHECK(pkix_CheckType(firstObject, PKIX_CERT_TYPE, plContext),
- PKIX_FIRSTOBJECTNOTCERT);
- /*
- * Since we know firstObject is a Cert, if both references are
- * identical, they must be equal
- */
- if (firstObject == secondObject){
- *pResult = PKIX_TRUE;
- goto cleanup;
- }
- /*
- * If secondObject isn't a Cert, we don't throw an error.
- * We simply return a Boolean result of FALSE
- */
- *pResult = PKIX_FALSE;
- PKIX_CHECK(PKIX_PL_Object_GetType
- (secondObject, &secondType, plContext),
- PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
- if (secondType != PKIX_CERT_TYPE) goto cleanup;
- firstCert = ((PKIX_PL_Cert *)firstObject)->nssCert;
- secondCert = ((PKIX_PL_Cert *)secondObject)->nssCert;
- PKIX_NULLCHECK_TWO(firstCert, secondCert);
- /* CERT_CompareCerts does byte comparison on DER encodings of certs */
- PKIX_CERT_DEBUG("\t\tCalling CERT_CompareCerts).\n");
- cmpResult = CERT_CompareCerts(firstCert, secondCert);
- *pResult = cmpResult;
- cleanup:
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_RegisterSelf
- * DESCRIPTION:
- * Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
- * THREAD SAFETY:
- * Not Thread Safe - for performance and complexity reasons
- *
- * Since this function is only called by PKIX_PL_Initialize, which should
- * only be called once, it is acceptable that this function is not
- * thread-safe.
- */
- PKIX_Error *
- pkix_pl_Cert_RegisterSelf(void *plContext)
- {
- extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
- pkix_ClassTable_Entry entry;
- PKIX_ENTER(CERT, "pkix_pl_Cert_RegisterSelf");
- entry.description = "Cert";
- entry.objCounter = 0;
- entry.typeObjectSize = sizeof(PKIX_PL_Cert);
- entry.destructor = pkix_pl_Cert_Destroy;
- entry.equalsFunction = pkix_pl_Cert_Equals;
- entry.hashcodeFunction = pkix_pl_Cert_Hashcode;
- entry.toStringFunction = pkix_pl_Cert_ToString;
- entry.comparator = NULL;
- entry.duplicateFunction = pkix_duplicateImmutable;
- systemClasses[PKIX_CERT_TYPE] = entry;
- PKIX_RETURN(CERT);
- }
- /*
- * FUNCTION: pkix_pl_Cert_CreateWithNSSCert
- * DESCRIPTION:
- *
- * Creates …
Large files files are truncated, but you can click here to view the full file