summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/libpkix/pkix/certsel
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/libpkix/pkix/certsel')
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/Makefile46
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/certsel.gyp24
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/exports.gyp26
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/manifest.mn20
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c1637
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h41
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c1188
-rw-r--r--security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h57
8 files changed, 3039 insertions, 0 deletions
diff --git a/security/nss/lib/libpkix/pkix/certsel/Makefile b/security/nss/lib/libpkix/pkix/certsel/Makefile
new file mode 100644
index 0000000000..d714361be7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/Makefile
@@ -0,0 +1,46 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
diff --git a/security/nss/lib/libpkix/pkix/certsel/certsel.gyp b/security/nss/lib/libpkix/pkix/certsel/certsel.gyp
new file mode 100644
index 0000000000..a7ff65ce76
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/certsel.gyp
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'pkixcertsel',
+ 'type': 'static_library',
+ 'sources': [
+ 'pkix_certselector.c',
+ 'pkix_comcertselparams.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:nss_exports'
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+} \ No newline at end of file
diff --git a/security/nss/lib/libpkix/pkix/certsel/exports.gyp b/security/nss/lib/libpkix/pkix/certsel/exports.gyp
new file mode 100644
index 0000000000..9cbd847e7c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/exports.gyp
@@ -0,0 +1,26 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'lib_libpkix_pkix_certsel_exports',
+ 'type': 'none',
+ 'copies': [
+ {
+ 'files': [
+ 'pkix_certselector.h',
+ 'pkix_comcertselparams.h'
+ ],
+ 'destination': '<(nss_private_dist_dir)/<(module)'
+ }
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/libpkix/pkix/certsel/manifest.mn b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
new file mode 100644
index 0000000000..eb434bd531
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
@@ -0,0 +1,20 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../../../..
+
+PRIVATE_EXPORTS = \
+ pkix_certselector.h \
+ pkix_comcertselparams.h \
+ $(NULL)
+
+MODULE = nss
+
+CSRCS = \
+ pkix_certselector.c \
+ pkix_comcertselparams.c \
+ $(NULL)
+
+LIBRARY_NAME = pkixcertsel
+SHARED_LIBRARY = $(NULL)
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
new file mode 100644
index 0000000000..89bddd98bc
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
@@ -0,0 +1,1637 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * pkix_certselector.c
+ *
+ * CertSelector Object Functions
+ *
+ */
+
+#include "pkix_certselector.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_CertSelector_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertSelector_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ PKIX_CertSelector *selector = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy");
+ PKIX_NULLCHECK_ONE(object);
+
+ /* Check that this object is a cert selector */
+ PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
+ PKIX_OBJECTNOTCERTSELECTOR);
+
+ selector = (PKIX_CertSelector *)object;
+ PKIX_DECREF(selector->params);
+ PKIX_DECREF(selector->context);
+
+cleanup:
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertSelector_Duplicate(
+ PKIX_PL_Object *object,
+ PKIX_PL_Object **pNewObject,
+ void *plContext)
+{
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *certSelectorDuplicate = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate");
+ PKIX_NULLCHECK_TWO(object, pNewObject);
+
+ PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
+ PKIX_OBJECTNOTCERTSELECTOR);
+
+ certSelector = (PKIX_CertSelector *)object;
+
+ PKIX_CHECK(PKIX_CertSelector_Create
+ (certSelector->matchCallback,
+ certSelector->context,
+ &certSelectorDuplicate,
+ plContext),
+ PKIX_CERTSELECTORCREATEFAILED);
+
+ PKIX_CHECK(PKIX_PL_Object_Duplicate
+ ((PKIX_PL_Object *)certSelector->params,
+ (PKIX_PL_Object **)&certSelectorDuplicate->params,
+ plContext),
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate;
+
+cleanup:
+
+ if (PKIX_ERROR_RECEIVED){
+ PKIX_DECREF(certSelectorDuplicate);
+ }
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_BasicConstraint
+ * DESCRIPTION:
+ *
+ * Determines whether the Cert pointed to by "cert" matches the basic
+ * constraints criterion using the basic constraints field of the
+ * ComCertSelParams pointed to by "params". If the basic constraints field is
+ * -1, no basic constraints check is done and the Cert is considered to match
+ * the basic constraints criterion. If the Cert does not match the basic
+ * constraints criterion, an Error pointer is returned.
+ *
+ * In order to match against this criterion, there are several possibilities.
+ *
+ * 1) If the criterion's minimum path length is greater than or equal to zero,
+ * a certificate must include a BasicConstraints extension with a pathLen of
+ * at least this value.
+ *
+ * 2) If the criterion's minimum path length is -2, a certificate must be an
+ * end-entity certificate.
+ *
+ * 3) If the criterion's minimum path length is -1, no basic constraints check
+ * is done and all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose basic constraints field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * OUTPUT PARAMETERS ON FAILURE:
+ * If the function returns a failure,
+ * the output parameters of this function are undefined.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_BasicConstraint(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+ PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */
+ PKIX_Int32 pathLength = 0;
+ PKIX_Int32 minPathLength = 0;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+ *pResult = PKIX_TRUE;
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
+ (params, &minPathLength, plContext),
+ PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
+
+ /* If the minPathLength is unlimited (-1), no checking */
+ if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) {
+ goto cleanup;
+ }
+
+ PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+ (cert, &basicConstraints, plContext),
+ PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+ if (basicConstraints != NULL) {
+ PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+ (basicConstraints, &caFlag, plContext),
+ PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+ PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint
+ (basicConstraints, &pathLength, plContext),
+ PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+ }
+
+ /*
+ * if minPathLength >= 0, the cert must have a BasicConstraints ext and
+ * the pathLength in this cert
+ * BasicConstraints needs to be >= minPathLength.
+ */
+ if (minPathLength >= 0){
+ if ((!basicConstraints) || (caFlag == PKIX_FALSE)){
+ PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES);
+ } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) &&
+ (pathLength < minPathLength)){
+ PKIX_CERTSELECTOR_DEBUG
+ ("Basic Constraints path length match failed\n");
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
+ }
+ }
+
+ /* if the minPathLength is -2, this cert must be an end-entity cert. */
+ if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) {
+ if (caFlag == PKIX_TRUE) {
+ PKIX_CERTSELECTOR_DEBUG
+ ("Basic Constraints end-entity match failed\n");
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(basicConstraints);
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_Policies
+ * DESCRIPTION:
+ *
+ * Determines whether the Cert pointed to by "cert" matches the policy
+ * constraints specified in the ComCertsSelParams given by "params".
+ * If "params" specifies a policy constraint of NULL, all certificates
+ * match. If "params" specifies an empty list, "cert" must have at least
+ * some policy. Otherwise "cert" must include at least one of the
+ * policies in the list. See the description of PKIX_CertSelector in
+ * pkix_certsel.h for more.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose policy criterion (if any) is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_Policies(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_UInt32 numConstraintPolicies = 0;
+ PKIX_UInt32 numCertPolicies = 0;
+ PKIX_UInt32 certPolicyIndex = 0;
+ PKIX_Boolean result = PKIX_FALSE;
+ PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */
+ PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */
+ PKIX_PL_CertPolicyInfo *policyInfo = NULL;
+ PKIX_PL_OID *polOID = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy
+ (params, &constraintPolicies, plContext),
+ PKIX_COMCERTSELPARAMSGETPOLICYFAILED);
+
+ /* If constraintPolicies is NULL, all certificates "match" */
+ if (constraintPolicies) {
+ PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
+ (cert, &certPolicyInfos, plContext),
+ PKIX_CERTGETPOLICYINFORMATIONFAILED);
+
+ /* No hope of a match if cert has no policies */
+ if (!certPolicyInfos) {
+ PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
+ }
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (constraintPolicies, &numConstraintPolicies, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ if (numConstraintPolicies > 0) {
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (certPolicyInfos, &numCertPolicies, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (certPolicyIndex = 0;
+ ((!result) && (certPolicyIndex < numCertPolicies));
+ certPolicyIndex++) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (certPolicyInfos,
+ certPolicyIndex,
+ (PKIX_PL_Object **)&policyInfo,
+ plContext),
+ PKIX_LISTGETELEMENTFAILED);
+ PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
+ (policyInfo, &polOID, plContext),
+ PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
+
+ PKIX_CHECK(pkix_List_Contains
+ (constraintPolicies,
+ (PKIX_PL_Object *)polOID,
+ &result,
+ plContext),
+ PKIX_LISTCONTAINSFAILED);
+ PKIX_DECREF(policyInfo);
+ PKIX_DECREF(polOID);
+ }
+ if (!result) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
+ }
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(constraintPolicies);
+ PKIX_DECREF(certPolicyInfos);
+ PKIX_DECREF(policyInfo);
+ PKIX_DECREF(polOID);
+
+ PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_CertificateValid
+ * DESCRIPTION:
+ *
+ * Determines whether the Cert pointed to by "cert" matches the certificate
+ * validity criterion using the CertificateValid field of the
+ * ComCertSelParams pointed to by "params". If the CertificateValid field is
+ * NULL, no validity check is done and the Cert is considered to match
+ * the CertificateValid criterion. If the CertificateValid field specifies a
+ * Date prior to the notBefore field in the Cert, or greater than the notAfter
+ * field in the Cert, an Error is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose certValid field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_CertificateValid(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_Date *validityTime = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
+ (params, &validityTime, plContext),
+ PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
+
+ /* If the validityTime is not set, all certificates are acceptable */
+ if (validityTime) {
+ PKIX_CHECK(PKIX_PL_Cert_CheckValidity
+ (cert, validityTime, plContext),
+ PKIX_CERTCHECKVALIDITYFAILED);
+ }
+
+cleanup:
+ if (PKIX_ERROR_RECEIVED) {
+ *pResult = PKIX_FALSE;
+ }
+ PKIX_DECREF(validityTime);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_NameConstraints
+ * DESCRIPTION:
+ *
+ * Determines whether the Cert pointed to by "cert" matches the name
+ * constraints criterion specified in the ComCertSelParams pointed to by
+ * "params". If the name constraints field is NULL, no name constraints check
+ * is done and the Cert is considered to match the name constraints criterion.
+ * If the Cert does not match the name constraints criterion, an Error pointer
+ * is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose name constraints field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_NameConstraints(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
+ (params, &nameConstraints, plContext),
+ PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
+
+ if (nameConstraints != NULL) {
+ /* As only the end-entity certificate should have
+ * the common name constrained as if it was a dNSName,
+ * do not constrain the common name when building a
+ * forward path.
+ */
+ PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
+ (cert, nameConstraints, PKIX_FALSE, plContext),
+ PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
+ }
+
+cleanup:
+ if (PKIX_ERROR_RECEIVED) {
+ *pResult = PKIX_FALSE;
+ }
+
+ PKIX_DECREF(nameConstraints);
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_PathToNames
+ * DESCRIPTION:
+ *
+ * Determines whether the names at pathToNames in "params" complies with the
+ * NameConstraints pointed to by "cert". If the pathToNames field is NULL
+ * or there is no name constraints for this "cert", no checking is done
+ * and the Cert is considered to match the name constraints criterion.
+ * If the Cert does not match the name constraints criterion, an Error
+ * pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose PathToNames field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_PathToNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_List *pathToNamesList = NULL;
+ PKIX_Boolean passed = PKIX_FALSE;
+ PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
+ (params, &pathToNamesList, plContext),
+ PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
+
+ if (pathToNamesList != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+ (cert, &nameConstraints, plContext),
+ PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+ if (nameConstraints != NULL) {
+
+ PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+ (pathToNamesList, nameConstraints, &passed, plContext),
+ PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
+
+ if (passed != PKIX_TRUE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
+ }
+ }
+
+ }
+
+cleanup:
+
+ PKIX_DECREF(nameConstraints);
+ PKIX_DECREF(pathToNamesList);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjAltNames
+ * DESCRIPTION:
+ *
+ * Determines whether the names at subjAltNames in "params" match with the
+ * SubjAltNames pointed to by "cert". If the subjAltNames field is NULL,
+ * no name checking is done and the Cert is considered to match the
+ * criterion. If the Cert does not match the criterion, an Error pointer
+ * is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose SubjAltNames field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjAltNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_List *subjAltNamesList = NULL;
+ PKIX_List *certSubjAltNames = NULL;
+ PKIX_PL_GeneralName *name = NULL;
+ PKIX_Boolean checkPassed = PKIX_FALSE;
+ PKIX_Boolean matchAll = PKIX_TRUE;
+ PKIX_UInt32 i, numItems;
+ PKIX_UInt32 matchCount = 0;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+ (params, &matchAll, plContext),
+ PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
+ (params, &subjAltNamesList, plContext),
+ PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
+
+ if (subjAltNamesList != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
+ (cert, &certSubjAltNames, plContext),
+ PKIX_CERTGETSUBJALTNAMESFAILED);
+
+ if (certSubjAltNames == NULL) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
+ }
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (subjAltNamesList, &numItems, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (i = 0; i < numItems; i++) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (subjAltNamesList,
+ i,
+ (PKIX_PL_Object **) &name,
+ plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ PKIX_CHECK(pkix_List_Contains
+ (certSubjAltNames,
+ (PKIX_PL_Object *) name,
+ &checkPassed,
+ plContext),
+ PKIX_LISTCONTAINSFAILED);
+
+ PKIX_DECREF(name);
+
+ if (checkPassed == PKIX_TRUE) {
+
+ if (matchAll == PKIX_FALSE) {
+ /* one match is good enough */
+ matchCount = numItems;
+ break;
+ } else {
+ /* else continue checking next */
+ matchCount++;
+ }
+
+ }
+
+ }
+
+ if (matchCount != numItems) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(name);
+ PKIX_DECREF(certSubjAltNames);
+ PKIX_DECREF(subjAltNamesList);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage
+ * DESCRIPTION:
+ *
+ * Determines whether the names at ExtKeyUsage in "params" matches with the
+ * ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or
+ * ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is
+ * considered a match. If the Cert does not match, an Error pointer is
+ * returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose ExtKeyUsage field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_ExtendedKeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_List *extKeyUsageList = NULL;
+ PKIX_List *certExtKeyUsageList = NULL;
+ PKIX_PL_OID *ekuOid = NULL;
+ PKIX_Boolean isContained = PKIX_FALSE;
+ PKIX_UInt32 numItems = 0;
+ PKIX_UInt32 i;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
+ (params, &extKeyUsageList, plContext),
+ PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
+
+ if (extKeyUsageList == NULL) {
+ goto cleanup;
+ }
+
+ PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+ (cert, &certExtKeyUsageList, plContext),
+ PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+
+ if (certExtKeyUsageList != NULL) {
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (extKeyUsageList, &numItems, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (i = 0; i < numItems; i++) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ PKIX_CHECK(pkix_List_Contains
+ (certExtKeyUsageList,
+ (PKIX_PL_Object *)ekuOid,
+ &isContained,
+ plContext),
+ PKIX_LISTCONTAINSFAILED);
+
+ PKIX_DECREF(ekuOid);
+
+ if (isContained != PKIX_TRUE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
+ }
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(ekuOid);
+ PKIX_DECREF(extKeyUsageList);
+ PKIX_DECREF(certExtKeyUsageList);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_KeyUsage
+ * DESCRIPTION:
+ *
+ * Determines whether the bits at KeyUsage in "params" matches with the
+ * KeyUsage pointed to by "cert". If the KeyUsage in params is 0
+ * no checking is done and the Cert is considered a match. If the Cert does
+ * not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose ExtKeyUsage field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_KeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_UInt32 keyUsage = 0;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
+ (params, &keyUsage, plContext),
+ PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
+
+ if (keyUsage != 0) {
+
+ PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
+ (cert, keyUsage, plContext),
+ PKIX_CERTVERIFYKEYUSAGEFAILED);
+
+ }
+
+cleanup:
+ if (PKIX_ERROR_RECEIVED) {
+ *pResult = PKIX_FALSE;
+ }
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjKeyId
+ * DESCRIPTION:
+ *
+ * Determines whether the bytes at subjKeyId in "params" matches with the
+ * Subject Key Identifier pointed to by "cert". If the subjKeyId in params is
+ * set to NULL or the Cert doesn't have a Subject Key Identifier, no checking
+ * is done and the Cert is considered a match. If the Cert does not match, an
+ * Error pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose subjKeyId field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjKeyId(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_ByteArray *selSubjKeyId = NULL;
+ PKIX_PL_ByteArray *certSubjKeyId = NULL;
+ PKIX_Boolean equals = PKIX_FALSE;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier
+ (params, &selSubjKeyId, plContext),
+ PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
+
+ if (selSubjKeyId != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
+ (cert, &certSubjKeyId, plContext),
+ PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
+
+ if (certSubjKeyId == NULL) {
+ goto cleanup;
+ }
+
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *)selSubjKeyId,
+ (PKIX_PL_Object *)certSubjKeyId,
+ &equals,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (equals == PKIX_FALSE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(selSubjKeyId);
+ PKIX_DECREF(certSubjKeyId);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_AuthKeyId
+ * DESCRIPTION:
+ *
+ * Determines whether the bytes at authKeyId in "params" matches with the
+ * Authority Key Identifier pointed to by "cert". If the authKeyId in params
+ * is set to NULL, no checking is done and the Cert is considered a match. If
+ * the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose authKeyId field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_AuthKeyId(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_ByteArray *selAuthKeyId = NULL;
+ PKIX_PL_ByteArray *certAuthKeyId = NULL;
+ PKIX_Boolean equals = PKIX_FALSE;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+ (params, &selAuthKeyId, plContext),
+ PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
+
+ if (selAuthKeyId != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+ (cert, &certAuthKeyId, plContext),
+ PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
+
+ if (certAuthKeyId == NULL) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
+ }
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *)selAuthKeyId,
+ (PKIX_PL_Object *)certAuthKeyId,
+ &equals,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (equals != PKIX_TRUE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(selAuthKeyId);
+ PKIX_DECREF(certAuthKeyId);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId
+ * DESCRIPTION:
+ *
+ * Determines whether the OID at subjPKAlgId in "params" matches with the
+ * Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params
+ * is set to NULL, no checking is done and the Cert is considered a match. If
+ * the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose subjPKAlgId field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjPKAlgId(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_OID *selPKAlgId = NULL;
+ PKIX_PL_OID *certPKAlgId = NULL;
+ PKIX_Boolean equals = PKIX_FALSE;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId
+ (params, &selPKAlgId, plContext),
+ PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED);
+
+ if (selPKAlgId != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+ (cert, &certPKAlgId, plContext),
+ PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
+
+ if (certPKAlgId != NULL) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
+ }
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *)selPKAlgId,
+ (PKIX_PL_Object *)certPKAlgId,
+ &equals,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (equals != PKIX_TRUE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(selPKAlgId);
+ PKIX_DECREF(certPKAlgId);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjPubKey
+ * DESCRIPTION:
+ *
+ * Determines whether the key at subjPubKey in "params" matches with the
+ * Subject Public Key pointed to by "cert". If the subjPubKey in params
+ * is set to NULL, no checking is done and the Cert is considered a match. If
+ * the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ComCertSelParams whose subPubKey field is used.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched. Must be non-NULL.
+ * "pResult"
+ * Address of PKIX_Boolean that returns the match result.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjPubKey(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ PKIX_Boolean *pResult,
+ void *plContext)
+{
+ PKIX_PL_PublicKey *selPK = NULL;
+ PKIX_PL_PublicKey *certPK = NULL;
+ PKIX_Boolean equals = PKIX_FALSE;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey");
+ PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey
+ (params, &selPK, plContext),
+ PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
+
+ if (selPK != NULL) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+ (cert, &certPK, plContext),
+ PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+ if (certPK == NULL) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
+ }
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *)selPK,
+ (PKIX_PL_Object *)certPK,
+ &equals,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (equals != PKIX_TRUE) {
+ *pResult = PKIX_FALSE;
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
+ }
+ }
+
+cleanup:
+
+ PKIX_DECREF(selPK);
+ PKIX_DECREF(certPK);
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_DefaultMatch
+ * DESCRIPTION:
+ *
+ * This default match function determines whether the specified Cert pointed
+ * to by "cert" matches the criteria of the CertSelector pointed to by
+ * "selector". If the Cert does not match the CertSelector's
+ * criteria, an error will be thrown.
+ *
+ * This default match function understands how to process the most common
+ * parameters. Any common parameter that is not set is assumed to be disabled,
+ * which means this function will select all certificates without regard to
+ * that particular disabled parameter. For example, if the SerialNumber
+ * parameter is not set, this function will not filter out any certificate
+ * based on its serial number. As such, if no parameters are set, all are
+ * disabled and any certificate will match. If a parameter is disabled, its
+ * associated PKIX_ComCertSelParams_Get* function returns a default value.
+ * That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and
+ * PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage,
+ * and NULL for all other Get functions.
+ *
+ * PARAMETERS:
+ * "selector"
+ * Address of CertSelector whose MatchCallback logic and parameters are
+ * to be used. Must be non-NULL.
+ * "cert"
+ * Address of Cert that is to be matched using "selector".
+ * Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_DefaultMatch(
+ PKIX_CertSelector *selector,
+ PKIX_PL_Cert *cert,
+ void *plContext)
+{
+ PKIX_ComCertSelParams *params = NULL;
+ PKIX_PL_X500Name *certSubject = NULL;
+ PKIX_PL_X500Name *selSubject = NULL;
+ PKIX_PL_X500Name *certIssuer = NULL;
+ PKIX_PL_X500Name *selIssuer = NULL;
+ PKIX_PL_BigInt *certSerialNumber = NULL;
+ PKIX_PL_BigInt *selSerialNumber = NULL;
+ PKIX_PL_Cert *selCert = NULL;
+ PKIX_PL_Date *selDate = NULL;
+ PKIX_UInt32 selVersion = 0xFFFFFFFF;
+ PKIX_UInt32 certVersion = 0;
+ PKIX_Boolean result = PKIX_TRUE;
+ PKIX_Boolean isLeafCert = PKIX_TRUE;
+
+#ifdef PKIX_BUILDDEBUG
+ PKIX_PL_String *certString = NULL;
+ void *certAscii = NULL;
+ PKIX_UInt32 certAsciiLen;
+#endif
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
+ PKIX_NULLCHECK_TWO(selector, cert);
+
+ PKIX_INCREF(selector->params);
+ params = selector->params;
+
+ /* Are we looking for CAs? */
+ PKIX_CHECK(PKIX_ComCertSelParams_GetLeafCertFlag
+ (params, &isLeafCert, plContext),
+ PKIX_COMCERTSELPARAMSGETLEAFCERTFLAGFAILED);
+
+ if (params == NULL){
+ goto cleanup;
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetVersion
+ (params, &selVersion, plContext),
+ PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
+
+ if (selVersion != 0xFFFFFFFF){
+ PKIX_CHECK(PKIX_PL_Cert_GetVersion
+ (cert, &certVersion, plContext),
+ PKIX_CERTGETVERSIONFAILED);
+
+ if (selVersion != certVersion) {
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
+ }
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+ (params, &selSubject, plContext),
+ PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+ if (selSubject){
+ PKIX_CHECK(PKIX_PL_Cert_GetSubject
+ (cert, &certSubject, plContext),
+ PKIX_CERTGETSUBJECTFAILED);
+
+ if (certSubject){
+ PKIX_CHECK(PKIX_PL_X500Name_Match
+ (selSubject, certSubject, &result, plContext),
+ PKIX_X500NAMEMATCHFAILED);
+
+ if (result == PKIX_FALSE){
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
+ }
+ } else { /* cert has no subject */
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
+ }
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
+ (params, &selIssuer, plContext),
+ PKIX_COMCERTSELPARAMSGETISSUERFAILED);
+
+ if (selIssuer){
+ PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+ (cert, &certIssuer, plContext),
+ PKIX_CERTGETISSUERFAILED);
+
+ PKIX_CHECK(PKIX_PL_X500Name_Match
+ (selIssuer, certIssuer, &result, plContext),
+ PKIX_X500NAMEMATCHFAILED);
+
+ if (result == PKIX_FALSE){
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
+ }
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
+ (params, &selSerialNumber, plContext),
+ PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
+
+ if (selSerialNumber){
+ PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
+ (cert, &certSerialNumber, plContext),
+ PKIX_CERTGETSERIALNUMBERFAILED);
+
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *)selSerialNumber,
+ (PKIX_PL_Object *)certSerialNumber,
+ &result,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (result == PKIX_FALSE){
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
+ }
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
+ (params, &selCert, plContext),
+ PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
+
+ if (selCert){
+ PKIX_CHECK(PKIX_PL_Object_Equals
+ ((PKIX_PL_Object *) selCert,
+ (PKIX_PL_Object *) cert,
+ &result,
+ plContext),
+ PKIX_OBJECTEQUALSFAILED);
+
+ if (result == PKIX_FALSE){
+ PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
+ }
+ }
+
+ PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
+ (params, &selDate, plContext),
+ PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
+
+ if (selDate){
+ PKIX_CHECK(PKIX_PL_Cert_CheckValidity
+ (cert, selDate, plContext),
+ PKIX_CERTCHECKVALIDITYFAILED);
+ }
+
+ PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_Policies
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHPOLICIESFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_PathToNames
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
+
+ /* Check key usage and cert type based on certificate usage. */
+ PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert,
+ plContext),
+ PKIX_CERTVERIFYCERTTYPEFAILED);
+
+ /* Next two check are for user supplied additional KU and EKU. */
+ PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
+
+ PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
+ (params, cert, &result, plContext),
+ PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
+
+ /* if we reach here, the cert has successfully matched criteria */
+
+
+#ifdef PKIX_BUILDDEBUG
+
+ PKIX_CHECK(pkix_pl_Cert_ToString_Helper
+ (cert, PKIX_TRUE, &certString, plContext),
+ PKIX_CERTTOSTRINGHELPERFAILED);
+
+ PKIX_CHECK(PKIX_PL_String_GetEncoded
+ (certString,
+ PKIX_ESCASCII,
+ &certAscii,
+ &certAsciiLen,
+ plContext),
+ PKIX_STRINGGETENCODEDFAILED);
+
+ PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii);
+
+#endif
+
+cleanup:
+
+#ifdef PKIX_BUILDDEBUG
+ PKIX_DECREF(certString);
+ PKIX_FREE(certAscii);
+#endif
+
+ PKIX_DECREF(certSubject);
+ PKIX_DECREF(selSubject);
+ PKIX_DECREF(certIssuer);
+ PKIX_DECREF(selIssuer);
+ PKIX_DECREF(certSerialNumber);
+ PKIX_DECREF(selSerialNumber);
+ PKIX_DECREF(selCert);
+ PKIX_DECREF(selDate);
+ PKIX_DECREF(params);
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_CERTSELECTOR_TYPE and its related functions with
+ * systemClasses[]
+ * THREAD SAFETY:
+ * Not Thread Safe - for performance and complexity reasons
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_CertSelector_RegisterSelf(void *plContext)
+{
+ extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+ pkix_ClassTable_Entry entry;
+
+ PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf");
+
+ entry.description = "CertSelector";
+ entry.objCounter = 0;
+ entry.typeObjectSize = sizeof(PKIX_CertSelector);
+ entry.destructor = pkix_CertSelector_Destroy;
+ entry.equalsFunction = NULL;
+ entry.hashcodeFunction = NULL;
+ entry.toStringFunction = NULL;
+ entry.comparator = NULL;
+ entry.duplicateFunction = pkix_CertSelector_Duplicate;
+
+ systemClasses[PKIX_CERTSELECTOR_TYPE] = entry;
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_Create(
+ PKIX_CertSelector_MatchCallback callback,
+ PKIX_PL_Object *certSelectorContext,
+ PKIX_CertSelector **pSelector,
+ void *plContext)
+{
+ PKIX_CertSelector *selector = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create");
+ PKIX_NULLCHECK_ONE(pSelector);
+
+ PKIX_CHECK(PKIX_PL_Object_Alloc
+ (PKIX_CERTSELECTOR_TYPE,
+ sizeof (PKIX_CertSelector),
+ (PKIX_PL_Object **)&selector,
+ plContext),
+ PKIX_COULDNOTCREATECERTSELECTOROBJECT);
+
+ /*
+ * if user specified a particular match callback, we use that one.
+ * otherwise, we use the default match implementation which
+ * understands how to process PKIX_ComCertSelParams
+ */
+
+ if (callback){
+ selector->matchCallback = callback;
+ } else {
+ selector->matchCallback = pkix_CertSelector_DefaultMatch;
+ }
+
+ /* initialize other fields */
+ selector->params = NULL;
+
+ PKIX_INCREF(certSelectorContext);
+ selector->context = certSelectorContext;
+
+ *pSelector = selector;
+
+cleanup:
+
+ PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetMatchCallback
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetMatchCallback(
+ PKIX_CertSelector *selector,
+ PKIX_CertSelector_MatchCallback *pCallback,
+ void *plContext)
+{
+ PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback");
+ PKIX_NULLCHECK_TWO(selector, pCallback);
+
+ *pCallback = selector->matchCallback;
+
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCertSelectorContext(
+ PKIX_CertSelector *selector,
+ PKIX_PL_Object **pCertSelectorContext,
+ void *plContext)
+{
+ PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext");
+ PKIX_NULLCHECK_TWO(selector, pCertSelectorContext);
+
+ PKIX_INCREF(selector->context);
+
+ *pCertSelectorContext = selector->context;
+
+cleanup:
+ PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCommonCertSelectorParams(
+ PKIX_CertSelector *selector,
+ PKIX_ComCertSelParams **pParams,
+ void *plContext)
+{
+ PKIX_ENTER(CERTSELECTOR,
+ "PKIX_CertSelector_GetCommonCertSelectorParams");
+
+ PKIX_NULLCHECK_TWO(selector, pParams);
+
+ PKIX_INCREF(selector->params);
+ *pParams = selector->params;
+
+cleanup:
+ PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_SetCommonCertSelectorParams(
+ PKIX_CertSelector *selector,
+ PKIX_ComCertSelParams *params,
+ void *plContext)
+{
+ PKIX_ENTER(CERTSELECTOR,
+ "PKIX_CertSelector_SetCommonCertSelectorParams");
+
+ PKIX_NULLCHECK_ONE(selector);
+
+ PKIX_DECREF(selector->params);
+ PKIX_INCREF(params);
+ selector->params = params;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)selector, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Select
+ * DESCRIPTION:
+ *
+ * This function applies the selector pointed to by "selector" to each Cert,
+ * in turn, in the List pointed to by "before", and creates a List containing
+ * all the Certs that matched, or passed the selection process, storing that
+ * List at "pAfter". If no Certs match, an empty List is stored at "pAfter".
+ *
+ * The List returned in "pAfter" is immutable.
+ *
+ * PARAMETERS:
+ * "selector"
+ * Address of CertSelelector to be applied to the List. Must be non-NULL.
+ * "before"
+ * Address of List that is to be filtered. Must be non-NULL.
+ * "pAfter"
+ * Address at which resulting List, possibly empty, is stored. Must be
+ * non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertSelector Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CertSelector_Select(
+ PKIX_CertSelector *selector,
+ PKIX_List *before,
+ PKIX_List **pAfter,
+ void *plContext)
+{
+ PKIX_UInt32 numBefore = 0;
+ PKIX_UInt32 i = 0;
+ PKIX_List *filtered = NULL;
+ PKIX_PL_Cert *candidate = NULL;
+
+ PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
+ PKIX_NULLCHECK_THREE(selector, before, pAfter);
+
+ PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
+ PKIX_LISTCREATEFAILED);
+
+ PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (i = 0; i < numBefore; i++) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (before, i, (PKIX_PL_Object **)&candidate, plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ PKIX_CHECK_ONLY_FATAL(selector->matchCallback
+ (selector, candidate, plContext),
+ PKIX_CERTSELECTORMATCHCALLBACKFAILED);
+
+ if (!(PKIX_ERROR_RECEIVED)) {
+
+ PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+ (filtered,
+ (PKIX_PL_Object *)candidate,
+ plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+ }
+
+ pkixTempErrorReceived = PKIX_FALSE;
+ PKIX_DECREF(candidate);
+ }
+
+ PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
+ PKIX_LISTSETIMMUTABLEFAILED);
+
+ /* Don't throw away the list if one Cert was bad! */
+ pkixTempErrorReceived = PKIX_FALSE;
+
+ *pAfter = filtered;
+ filtered = NULL;
+
+cleanup:
+
+ PKIX_DECREF(filtered);
+ PKIX_DECREF(candidate);
+
+ PKIX_RETURN(CERTSELECTOR);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h
new file mode 100644
index 0000000000..33b648354c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h
@@ -0,0 +1,41 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * pkix_certselector.h
+ *
+ * CertSelector Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_CERTSELECTOR_H
+#define _PKIX_CERTSELECTOR_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_CertSelectorStruct {
+ PKIX_CertSelector_MatchCallback matchCallback;
+ PKIX_ComCertSelParams *params;
+ PKIX_PL_Object *context;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_CertSelector_Select(
+ PKIX_CertSelector *selector,
+ PKIX_List *before,
+ PKIX_List **pAfter,
+ void *plContext);
+
+PKIX_Error *pkix_CertSelector_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CERTSELECTOR_H */
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
new file mode 100644
index 0000000000..a62f78d231
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
@@ -0,0 +1,1188 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * pkix_comcertselparams.c
+ *
+ * ComCertSelParams Object Functions
+ *
+ */
+
+#include "pkix_comcertselparams.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCertSelParams_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ PKIX_ComCertSelParams *params = NULL;
+
+ PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_Destroy");
+ PKIX_NULLCHECK_ONE(object);
+
+ /* Check that this object is a comCertSelParams object */
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_COMCERTSELPARAMS_TYPE, plContext),
+ PKIX_OBJECTNOTCOMCERTSELPARAMS);
+
+ params = (PKIX_ComCertSelParams *)object;
+
+ PKIX_DECREF(params->subject);
+ PKIX_DECREF(params->policies);
+ PKIX_DECREF(params->cert);
+ PKIX_DECREF(params->nameConstraints);
+ PKIX_DECREF(params->pathToNames);
+ PKIX_DECREF(params->subjAltNames);
+ PKIX_DECREF(params->date);
+ PKIX_DECREF(params->extKeyUsage);
+ PKIX_DECREF(params->certValid);
+ PKIX_DECREF(params->issuer);
+ PKIX_DECREF(params->serialNumber);
+ PKIX_DECREF(params->authKeyId);
+ PKIX_DECREF(params->subjKeyId);
+ PKIX_DECREF(params->subjPubKey);
+ PKIX_DECREF(params->subjPKAlgId);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCertSelParams_Duplicate(
+ PKIX_PL_Object *object,
+ PKIX_PL_Object **pNewObject,
+ void *plContext)
+{
+ PKIX_ComCertSelParams *params = NULL;
+ PKIX_ComCertSelParams *paramsDuplicate = NULL;
+
+ PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_Duplicate");
+ PKIX_NULLCHECK_TWO(object, pNewObject);
+
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_COMCERTSELPARAMS_TYPE, plContext),
+ PKIX_OBJECTNOTCOMCERTSELPARAMS);
+
+ params = (PKIX_ComCertSelParams *)object;
+
+ PKIX_CHECK(PKIX_ComCertSelParams_Create(&paramsDuplicate, plContext),
+ PKIX_COMCERTSELPARAMSCREATEFAILED);
+
+ paramsDuplicate->minPathLength = params->minPathLength;
+ paramsDuplicate->matchAllSubjAltNames = params->matchAllSubjAltNames;
+
+ PKIX_DUPLICATE(params->subject, &paramsDuplicate->subject, plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->policies, &paramsDuplicate->policies, plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ if (params->cert){
+ PKIX_CHECK(PKIX_PL_Object_Duplicate
+ ((PKIX_PL_Object *)params->cert,
+ (PKIX_PL_Object **)&paramsDuplicate->cert,
+ plContext),
+ PKIX_OBJECTDUPLICATEFAILED);
+ }
+
+ PKIX_DUPLICATE
+ (params->nameConstraints,
+ &paramsDuplicate->nameConstraints,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE
+ (params->pathToNames,
+ &paramsDuplicate->pathToNames,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE
+ (params->subjAltNames,
+ &paramsDuplicate->subjAltNames,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ if (params->date){
+ PKIX_CHECK(PKIX_PL_Object_Duplicate
+ ((PKIX_PL_Object *)params->date,
+ (PKIX_PL_Object **)&paramsDuplicate->date,
+ plContext),
+ PKIX_OBJECTDUPLICATEFAILED);
+ }
+
+ paramsDuplicate->keyUsage = params->keyUsage;
+
+ PKIX_DUPLICATE(params->certValid,
+ &paramsDuplicate->certValid,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->issuer,
+ &paramsDuplicate->issuer,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->serialNumber,
+ &paramsDuplicate->serialNumber,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->authKeyId,
+ &paramsDuplicate->authKeyId,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->subjKeyId,
+ &paramsDuplicate->subjKeyId,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->subjPubKey,
+ &paramsDuplicate->subjPubKey,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ PKIX_DUPLICATE(params->subjPKAlgId,
+ &paramsDuplicate->subjPKAlgId,
+ plContext,
+ PKIX_OBJECTDUPLICATEFAILED);
+
+ paramsDuplicate->leafCertFlag = params->leafCertFlag;
+
+ *pNewObject = (PKIX_PL_Object *)paramsDuplicate;
+
+cleanup:
+
+ if (PKIX_ERROR_RECEIVED){
+ PKIX_DECREF(paramsDuplicate);
+ }
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_COMCERTSELPARAMS_TYPE and its related functions with
+ * systemClasses[]
+ * THREAD SAFETY:
+ * Not Thread Safe - for performance and complexity reasons
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_ComCertSelParams_RegisterSelf(void *plContext)
+{
+ extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+ pkix_ClassTable_Entry* entry = &systemClasses[PKIX_COMCERTSELPARAMS_TYPE];
+
+ PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_RegisterSelf");
+
+ entry->description = "ComCertSelParams";
+ entry->typeObjectSize = sizeof(PKIX_ComCertSelParams);
+ entry->destructor = pkix_ComCertSelParams_Destroy;
+ entry->duplicateFunction = pkix_ComCertSelParams_Duplicate;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_Create (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_Create(
+ PKIX_ComCertSelParams **pParams,
+ void *plContext)
+{
+ PKIX_ComCertSelParams *params = NULL;
+
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_Create");
+ PKIX_NULLCHECK_ONE(pParams);
+
+ PKIX_CHECK(PKIX_PL_Object_Alloc
+ (PKIX_COMCERTSELPARAMS_TYPE,
+ sizeof (PKIX_ComCertSelParams),
+ (PKIX_PL_Object **)&params,
+ plContext),
+ PKIX_COULDNOTCREATECOMMONCERTSELPARAMSOBJECT);
+
+ /* initialize fields */
+ params->version = 0xFFFFFFFF;
+ params->minPathLength = -1;
+ params->matchAllSubjAltNames = PKIX_TRUE;
+ params->subject = NULL;
+ params->policies = NULL;
+ params->cert = NULL;
+ params->nameConstraints = NULL;
+ params->pathToNames = NULL;
+ params->subjAltNames = NULL;
+ params->extKeyUsage = NULL;
+ params->keyUsage = 0;
+ params->extKeyUsage = NULL;
+ params->keyUsage = 0;
+ params->date = NULL;
+ params->certValid = NULL;
+ params->issuer = NULL;
+ params->serialNumber = NULL;
+ params->authKeyId = NULL;
+ params->subjKeyId = NULL;
+ params->subjPubKey = NULL;
+ params->subjPKAlgId = NULL;
+ params->leafCertFlag = PKIX_FALSE;
+
+ *pParams = params;
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubject (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubject(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_X500Name **pSubject,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubject");
+ PKIX_NULLCHECK_TWO(params, pSubject);
+
+ PKIX_INCREF(params->subject);
+
+ *pSubject = params->subject;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubject (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubject(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_X500Name *subject,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubject");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->subject);
+
+ PKIX_INCREF(subject);
+
+ params->subject = subject;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetBasicConstraints(
+ PKIX_ComCertSelParams *params,
+ PKIX_Int32 *pMinPathLength,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetBasicConstraints");
+ PKIX_NULLCHECK_TWO(params, pMinPathLength);
+
+ *pMinPathLength = params->minPathLength;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetBasicConstraints(
+ PKIX_ComCertSelParams *params,
+ PKIX_Int32 minPathLength,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetBasicConstraints");
+ PKIX_NULLCHECK_ONE(params);
+
+ params->minPathLength = minPathLength;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPolicy (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetPolicy(
+ PKIX_ComCertSelParams *params,
+ PKIX_List **pPolicy, /* List of PKIX_PL_OID */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetPolicy");
+ PKIX_NULLCHECK_TWO(params, pPolicy);
+
+ PKIX_INCREF(params->policies);
+ *pPolicy = params->policies;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPolicy (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPolicy(
+ PKIX_ComCertSelParams *params,
+ PKIX_List *policy, /* List of PKIX_PL_OID */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetPolicy");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->policies);
+ PKIX_INCREF(policy);
+ params->policies = policy;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificate
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificate(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert **pCert,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetCertificate");
+ PKIX_NULLCHECK_TWO(params, pCert);
+
+ PKIX_INCREF(params->cert);
+ *pCert = params->cert;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificate
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificate(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Cert *cert,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetCertificate");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->cert);
+ PKIX_INCREF(cert);
+ params->cert = cert;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificateValid
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificateValid(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Date **pDate,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetCertificateValid");
+
+ PKIX_NULLCHECK_TWO(params, pDate);
+
+ PKIX_INCREF(params->date);
+ *pDate = params->date;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificateValid
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificateValid(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_Date *date,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetCertificateValid");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->date);
+ PKIX_INCREF(date);
+ params->date = date;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetNameConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetNameConstraints(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_CertNameConstraints **pNameConstraints,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetNameConstraints");
+ PKIX_NULLCHECK_TWO(params, pNameConstraints);
+
+ PKIX_INCREF(params->nameConstraints);
+
+ *pNameConstraints = params->nameConstraints;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetNameConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetNameConstraints(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_CertNameConstraints *nameConstraints,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetNameConstraints");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->nameConstraints);
+ PKIX_INCREF(nameConstraints);
+ params->nameConstraints = nameConstraints;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPathToNames
+ * (see comments in pkix_certsel.h)
+ */PKIX_Error *
+PKIX_ComCertSelParams_GetPathToNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_List **pNames, /* list of PKIX_PL_GeneralName */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetPathToNames");
+ PKIX_NULLCHECK_TWO(params, pNames);
+
+ PKIX_INCREF(params->pathToNames);
+
+ *pNames = params->pathToNames;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPathToNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPathToNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_List *names, /* list of PKIX_PL_GeneralName */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetPathToNames");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->pathToNames);
+ PKIX_INCREF(names);
+
+ params->pathToNames = names;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddPathToName
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddPathToName(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_GeneralName *name,
+ void *plContext)
+{
+ PKIX_List *pathToNamesList = NULL;
+
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddPathToName");
+ PKIX_NULLCHECK_ONE(params);
+
+ if (name == NULL) {
+ goto cleanup;
+ }
+
+ if (params->pathToNames == NULL) {
+ /* Create a list for name item */
+ PKIX_CHECK(PKIX_List_Create(&pathToNamesList, plContext),
+ PKIX_LISTCREATEFAILED);
+
+ params->pathToNames = pathToNamesList;
+ }
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (params->pathToNames, (PKIX_PL_Object *)name, plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjAltNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_List **pNames, /* list of PKIX_PL_GeneralName */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjAltNames");
+ PKIX_NULLCHECK_TWO(params, pNames);
+
+ PKIX_INCREF(params->subjAltNames);
+
+ *pNames = params->subjAltNames;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjAltNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_List *names, /* list of PKIX_PL_GeneralName */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubjAltNames");
+ PKIX_NULLCHECK_TWO(params, names);
+
+ PKIX_DECREF(params->subjAltNames);
+ PKIX_INCREF(names);
+
+ params->subjAltNames = names;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddSubjAltName(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_GeneralName *name,
+ void *plContext)
+{
+ PKIX_List *list = NULL;
+
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddSubjAltName");
+ PKIX_NULLCHECK_TWO(params, name);
+
+ if (params->subjAltNames == NULL) {
+ PKIX_CHECK(PKIX_List_Create(&list, plContext),
+ PKIX_LISTCREATEFAILED);
+ params->subjAltNames = list;
+ }
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (params->subjAltNames, (PKIX_PL_Object *)name, plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS)
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetMatchAllSubjAltNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_Boolean *pMatch,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
+ PKIX_NULLCHECK_TWO(params, pMatch);
+
+ *pMatch = params->matchAllSubjAltNames;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
+ PKIX_ComCertSelParams *params,
+ PKIX_Boolean match,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
+ PKIX_NULLCHECK_ONE(params);
+
+ params->matchAllSubjAltNames = match;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetExtendedKeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetExtendedKeyUsage");
+ PKIX_NULLCHECK_TWO(params, pExtKeyUsage);
+
+ PKIX_INCREF(params->extKeyUsage);
+ *pExtKeyUsage = params->extKeyUsage;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetExtendedKeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_List *extKeyUsage, /* list of PKIX_PL_OID */
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetExtendedKeyUsage");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->extKeyUsage);
+ PKIX_INCREF(extKeyUsage);
+
+ params->extKeyUsage = extKeyUsage;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetKeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_UInt32 *pKeyUsage,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetKeyUsage");
+ PKIX_NULLCHECK_TWO(params, pKeyUsage);
+
+ *pKeyUsage = params->keyUsage;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetKeyUsage(
+ PKIX_ComCertSelParams *params,
+ PKIX_UInt32 keyUsage,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetKeyUsage");
+ PKIX_NULLCHECK_ONE(params);
+
+ params->keyUsage = keyUsage;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetIssuer
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetIssuer(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_X500Name **pIssuer,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetIssuer");
+ PKIX_NULLCHECK_TWO(params, pIssuer);
+
+ PKIX_INCREF(params->issuer);
+ *pIssuer = params->issuer;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetIssuer
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetIssuer(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_X500Name *issuer,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetIssuer");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->issuer);
+ PKIX_INCREF(issuer);
+ params->issuer = issuer;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSerialNumber
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSerialNumber(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_BigInt **pSerialNumber,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSerialNumber");
+ PKIX_NULLCHECK_TWO(params, pSerialNumber);
+
+ PKIX_INCREF(params->serialNumber);
+ *pSerialNumber = params->serialNumber;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSerialNumber
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSerialNumber(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_BigInt *serialNumber,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSerialNumber");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->serialNumber);
+ PKIX_INCREF(serialNumber);
+ params->serialNumber = serialNumber;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetVersion
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetVersion(
+ PKIX_ComCertSelParams *params,
+ PKIX_UInt32 *pVersion,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetVersion");
+ PKIX_NULLCHECK_TWO(params, pVersion);
+
+ *pVersion = params->version;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetVersion
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetVersion(
+ PKIX_ComCertSelParams *params,
+ PKIX_Int32 version,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetVersion");
+ PKIX_NULLCHECK_ONE(params);
+
+ params->version = version;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjKeyIdentifier(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_ByteArray **pSubjKeyId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetSubjKeyIdentifier");
+ PKIX_NULLCHECK_TWO(params, pSubjKeyId);
+
+ PKIX_INCREF(params->subjKeyId);
+
+ *pSubjKeyId = params->subjKeyId;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjKeyIdentifier(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_ByteArray *subjKeyId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetSubjKeyIdentifier");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->subjKeyId);
+ PKIX_INCREF(subjKeyId);
+
+ params->subjKeyId = subjKeyId;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetAuthorityKeyIdentifier(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_ByteArray **pAuthKeyId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_GetAuthorityKeyIdentifier");
+ PKIX_NULLCHECK_TWO(params, pAuthKeyId);
+
+ PKIX_INCREF(params->authKeyId);
+
+ *pAuthKeyId = params->authKeyId;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_ByteArray *authKeyId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetAuthKeyIdentifier");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->authKeyId);
+ PKIX_INCREF(authKeyId);
+
+ params->authKeyId = authKeyId;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPubKey(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_PublicKey **pSubjPubKey,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjPubKey");
+ PKIX_NULLCHECK_TWO(params, pSubjPubKey);
+
+ PKIX_INCREF(params->subjPubKey);
+
+ *pSubjPubKey = params->subjPubKey;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPubKey(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_PublicKey *subjPubKey,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS,
+ "PKIX_ComCertSelParams_SetSubjPubKey");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->subjPubKey);
+ PKIX_INCREF(subjPubKey);
+
+ params->subjPubKey = subjPubKey;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPKAlgId(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_OID **pAlgId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjPKAlgId");
+ PKIX_NULLCHECK_TWO(params, pAlgId);
+
+ PKIX_INCREF(params->subjPKAlgId);
+
+ *pAlgId = params->subjPKAlgId;
+
+cleanup:
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPKAlgId(
+ PKIX_ComCertSelParams *params,
+ PKIX_PL_OID *algId,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubjPKAlgId");
+ PKIX_NULLCHECK_ONE(params);
+
+ PKIX_DECREF(params->subjPKAlgId);
+ PKIX_INCREF(algId);
+
+ params->subjPKAlgId = algId;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error*
+PKIX_ComCertSelParams_GetLeafCertFlag(
+ PKIX_ComCertSelParams *params,
+ PKIX_Boolean *pLeafFlag,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetLeafCertFlag");
+ PKIX_NULLCHECK_TWO(params, pLeafFlag);
+
+ *pLeafFlag = params->leafCertFlag;
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetLeafCertFlag(
+ PKIX_ComCertSelParams *params,
+ PKIX_Boolean leafFlag,
+ void *plContext)
+{
+ PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetLeafCertFlag");
+ PKIX_NULLCHECK_ONE(params);
+
+ params->leafCertFlag = leafFlag;
+
+ PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+ ((PKIX_PL_Object *)params, plContext),
+ PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(COMCERTSELPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
new file mode 100644
index 0000000000..935c639f0a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
@@ -0,0 +1,57 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * pkix_comcertselparams.h
+ *
+ * ComCertSelParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_COMCERTSELPARAMS_H
+#define _PKIX_COMCERTSELPARAMS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * pathToNamesConstraint is Name Constraints generated based on the
+ * pathToNames. We save a cached copy to save regeneration for each
+ * check. SubjAltNames also has its cache, since SubjAltNames are
+ * verified by checker, its cache copy is stored in checkerstate.
+ */
+struct PKIX_ComCertSelParamsStruct {
+ PKIX_Int32 version;
+ PKIX_Int32 minPathLength;
+ PKIX_Boolean matchAllSubjAltNames;
+ PKIX_PL_X500Name *subject;
+ PKIX_List *policies; /* List of PKIX_PL_OID */
+ PKIX_PL_Cert *cert;
+ PKIX_PL_CertNameConstraints *nameConstraints;
+ PKIX_List *pathToNames; /* List of PKIX_PL_GeneralNames */
+ PKIX_List *subjAltNames; /* List of PKIX_PL_GeneralNames */
+ PKIX_List *extKeyUsage; /* List of PKIX_PL_OID */
+ PKIX_UInt32 keyUsage;
+ PKIX_PL_Date *date;
+ PKIX_PL_Date *certValid;
+ PKIX_PL_X500Name *issuer;
+ PKIX_PL_BigInt *serialNumber;
+ PKIX_PL_ByteArray *authKeyId;
+ PKIX_PL_ByteArray *subjKeyId;
+ PKIX_PL_PublicKey *subjPubKey;
+ PKIX_PL_OID *subjPKAlgId;
+ PKIX_Boolean leafCertFlag;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ComCertSelParams_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_COMCERTSELPARAMS_H */