summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certdb/xbsconst.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/certdb/xbsconst.c
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/lib/certdb/xbsconst.c')
-rw-r--r--security/nss/lib/certdb/xbsconst.c146
1 files changed, 146 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
new file mode 100644
index 0000000000..df70dbbefb
--- /dev/null
+++ b/security/nss/lib/certdb/xbsconst.c
@@ -0,0 +1,146 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * X.509 v3 Basic Constraints Extension
+ */
+
+#include "prtypes.h"
+#include <limits.h> /* for LONG_MAX */
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secerr.h"
+
+typedef struct EncodedContext {
+ SECItem isCA;
+ SECItem pathLenConstraint;
+ SECItem encodedValue;
+ PLArenaPool *arena;
+} EncodedContext;
+
+static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(EncodedContext) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
+ offsetof(EncodedContext, isCA) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+ offsetof(EncodedContext, pathLenConstraint) },
+ { 0 }
+};
+
+static unsigned char hexTrue = 0xff;
+static unsigned char hexFalse = 0x00;
+
+#define GEN_BREAK(status) \
+ rv = status; \
+ break;
+
+SECStatus
+CERT_EncodeBasicConstraintValue(PLArenaPool *arena, CERTBasicConstraints *value,
+ SECItem *encodedValue)
+{
+ EncodedContext encodeContext;
+ PLArenaPool *our_pool = NULL;
+ SECStatus rv = SECSuccess;
+
+ do {
+ PORT_Memset(&encodeContext, 0, sizeof(encodeContext));
+ if (!value->isCA && value->pathLenConstraint >= 0) {
+ PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
+ GEN_BREAK(SECFailure);
+ }
+
+ encodeContext.arena = arena;
+ if (value->isCA == PR_TRUE) {
+ encodeContext.isCA.data = &hexTrue;
+ encodeContext.isCA.len = 1;
+ }
+
+ /* If the pathLenConstraint is less than 0, then it should be
+ * omitted from the encoding.
+ */
+ if (value->isCA && value->pathLenConstraint >= 0) {
+ our_pool = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (our_pool == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ GEN_BREAK(SECFailure);
+ }
+ if (SEC_ASN1EncodeUnsignedInteger(
+ our_pool, &encodeContext.pathLenConstraint,
+ (unsigned long)value->pathLenConstraint) == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ GEN_BREAK(SECFailure);
+ }
+ }
+ if (SEC_ASN1EncodeItem(arena, encodedValue, &encodeContext,
+ CERTBasicConstraintsTemplate) == NULL) {
+ GEN_BREAK(SECFailure);
+ }
+ } while (0);
+ if (our_pool)
+ PORT_FreeArena(our_pool, PR_FALSE);
+ return (rv);
+}
+
+SECStatus
+CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value,
+ const SECItem *encodedValue)
+{
+ EncodedContext decodeContext;
+ PORTCheapArenaPool tmpArena;
+ SECStatus rv = SECSuccess;
+
+ do {
+ PORT_Memset(&decodeContext, 0, sizeof(decodeContext));
+ /* initialize the value just in case we got "0x30 00", or when the
+ pathLenConstraint is omitted.
+ */
+ decodeContext.isCA.data = &hexFalse;
+ decodeContext.isCA.len = 1;
+
+ PORT_InitCheapArena(&tmpArena, SEC_ASN1_DEFAULT_ARENA_SIZE);
+
+ rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &decodeContext,
+ CERTBasicConstraintsTemplate, encodedValue);
+ if (rv == SECFailure)
+ break;
+
+ value->isCA = decodeContext.isCA.data
+ ? (PRBool)(decodeContext.isCA.data[0] != 0)
+ : PR_FALSE;
+ if (decodeContext.pathLenConstraint.data == NULL) {
+ /* if the pathLenConstraint is not encoded, and the current setting
+ is CA, then the pathLenConstraint should be set to a negative
+ number
+ for unlimited certificate path.
+ */
+ if (value->isCA) {
+ value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+ } else {
+ value->pathLenConstraint = 0;
+ }
+ } else if (value->isCA) {
+ long len = DER_GetInteger(&decodeContext.pathLenConstraint);
+ if (len < 0 || len == LONG_MAX) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ GEN_BREAK(SECFailure);
+ }
+ value->pathLenConstraint = len;
+ } else {
+ /* here we get an error where the subject is not a CA, but
+ the pathLenConstraint is set */
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ GEN_BREAK(SECFailure);
+ break;
+ }
+ } while (0);
+
+ PORT_DestroyCheapArena(&tmpArena);
+ return (rv);
+}