diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/libpkix/pkix/crlsel | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/lib/libpkix/pkix/crlsel')
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/Makefile | 46 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/crlsel.gyp | 24 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/exports.gyp | 26 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/manifest.mn | 20 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c | 826 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h | 38 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c | 870 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h | 40 |
8 files changed, 1890 insertions, 0 deletions
diff --git a/security/nss/lib/libpkix/pkix/crlsel/Makefile b/security/nss/lib/libpkix/pkix/crlsel/Makefile new file mode 100644 index 0000000000..d714361be7 --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/Makefile @@ -0,0 +1,46 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + diff --git a/security/nss/lib/libpkix/pkix/crlsel/crlsel.gyp b/security/nss/lib/libpkix/pkix/crlsel/crlsel.gyp new file mode 100644 index 0000000000..894569ef6c --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/crlsel.gyp @@ -0,0 +1,24 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'pkixcrlsel', + 'type': 'static_library', + 'sources': [ + 'pkix_comcrlselparams.c', + 'pkix_crlselector.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'variables': { + 'module': 'nss' + } +}
\ No newline at end of file diff --git a/security/nss/lib/libpkix/pkix/crlsel/exports.gyp b/security/nss/lib/libpkix/pkix/crlsel/exports.gyp new file mode 100644 index 0000000000..a7001ffed7 --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/exports.gyp @@ -0,0 +1,26 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'lib_libpkix_pkix_crlsel_exports', + 'type': 'none', + 'copies': [ + { + 'files': [ + 'pkix_comcrlselparams.h', + 'pkix_crlselector.h' + ], + 'destination': '<(nss_private_dist_dir)/<(module)' + } + ] + } + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn new file mode 100644 index 0000000000..fe84a2d62f --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn @@ -0,0 +1,20 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../../../.. + +PRIVATE_EXPORTS = \ + pkix_comcrlselparams.h \ + pkix_crlselector.h \ + $(NULL) + +MODULE = nss + +CSRCS = \ + pkix_crlselector.c \ + pkix_comcrlselparams.c \ + $(NULL) + +LIBRARY_NAME = pkixcrlsel +SHARED_LIBRARY = $(NULL) diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c new file mode 100644 index 0000000000..90380c5b2b --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c @@ -0,0 +1,826 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * pkix_comcrlselparams.c + * + * ComCRLSelParams Function Definitions + * + */ + +#include "pkix_comcrlselparams.h" + +/* --ComCRLSelParams-Private-Functions------------------------------------ */ + +/* + * FUNCTION: pkix_ComCrlSelParams_Destroy + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_ComCRLSelParams_Destroy( + PKIX_PL_Object *object, + void *plContext) +{ + PKIX_ComCRLSelParams *params = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Destroy"); + PKIX_NULLCHECK_ONE(object); + + PKIX_CHECK(pkix_CheckType + (object, PKIX_COMCRLSELPARAMS_TYPE, plContext), + PKIX_OBJECTNOTCOMCRLSELPARAMS); + + params = (PKIX_ComCRLSelParams *)object; + + PKIX_DECREF(params->issuerNames); + PKIX_DECREF(params->cert); + PKIX_DECREF(params->date); + PKIX_DECREF(params->maxCRLNumber); + PKIX_DECREF(params->minCRLNumber); + PKIX_DECREF(params->crldpList); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCRLSelParams_ToString_Helper + * DESCRIPTION: + * + * Helper function that creates a string representation of ComCRLSelParams + * pointed to by "crlParams" and stores the result at "pString". + * + * PARAMETERS + * "crlParams" + * Address of ComCRLSelParams whose string representation is desired. + * Must be non-NULL. + * "pString" + * Address of object pointer's destination. Must be non-NULL. + * "plContext" - Platform-specific context pointer. + * + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLEntry Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +static PKIX_Error * +pkix_ComCRLSelParams_ToString_Helper( + PKIX_ComCRLSelParams *crlParams, + PKIX_PL_String **pString, + void *plContext) +{ + PKIX_PL_String *crlIssuerNamesString = NULL; + PKIX_PL_String *crlDateString = NULL; + PKIX_PL_String *crlMaxCRLNumberString = NULL; + PKIX_PL_String *crlMinCRLNumberString = NULL; + PKIX_PL_String *crlCertString = NULL; + PKIX_PL_String *crlParamsString = NULL; + char *asciiFormat = NULL; + PKIX_PL_String *formatString = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_ToString_Helper"); + PKIX_NULLCHECK_TWO(crlParams, pString); + + asciiFormat = + "\n\t[\n" + "\tIssuerNames: %s\n" + "\tDate: %s\n" + "\tmaxCRLNumber: %s\n" + "\tminCRLNumber: %s\n" + "\tCertificate: %s\n" + "\t]\n"; + + PKIX_CHECK(PKIX_PL_String_Create + (PKIX_ESCASCII, + asciiFormat, + 0, + &formatString, + plContext), + PKIX_STRINGCREATEFAILED); + + PKIX_TOSTRING + (crlParams->issuerNames, &crlIssuerNamesString, plContext, + PKIX_LISTTOSTRINGFAILED); + + PKIX_TOSTRING(crlParams->date, &crlDateString, plContext, + PKIX_DATETOSTRINGFAILED); + + PKIX_TOSTRING + (crlParams->maxCRLNumber, &crlMaxCRLNumberString, plContext, + PKIX_BIGINTTOSTRINGFAILED); + + PKIX_TOSTRING + (crlParams->minCRLNumber, &crlMinCRLNumberString, plContext, + PKIX_BIGINTTOSTRINGFAILED); + + PKIX_TOSTRING(crlParams->cert, &crlCertString, plContext, + PKIX_CERTTOSTRINGFAILED); + + PKIX_CHECK(PKIX_PL_Sprintf + (&crlParamsString, + plContext, + formatString, + crlIssuerNamesString, + crlDateString, + crlMaxCRLNumberString, + crlMinCRLNumberString, + crlCertString), + PKIX_SPRINTFFAILED); + + *pString = crlParamsString; + +cleanup: + + PKIX_DECREF(crlIssuerNamesString); + PKIX_DECREF(crlDateString); + PKIX_DECREF(crlMaxCRLNumberString); + PKIX_DECREF(crlMinCRLNumberString); + PKIX_DECREF(crlCertString); + PKIX_DECREF(formatString); + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCRLSelParams_ToString + * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_ComCRLSelParams_ToString( + PKIX_PL_Object *object, + PKIX_PL_String **pString, + void *plContext) +{ + PKIX_PL_String *crlParamsString = NULL; + PKIX_ComCRLSelParams *crlParams = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_ToString"); + PKIX_NULLCHECK_TWO(object, pString); + + PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext), + PKIX_OBJECTNOTCOMCRLSELPARAMS); + + crlParams = (PKIX_ComCRLSelParams *) object; + + PKIX_CHECK(pkix_ComCRLSelParams_ToString_Helper + (crlParams, &crlParamsString, plContext), + PKIX_COMCRLSELPARAMSTOSTRINGHELPERFAILED); + + *pString = crlParamsString; + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCRLSelParams_Hashcode + * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_ComCRLSelParams_Hashcode( + PKIX_PL_Object *object, + PKIX_UInt32 *pHashcode, + void *plContext) +{ + PKIX_ComCRLSelParams *crlParams = NULL; + PKIX_UInt32 namesHash = 0; + PKIX_UInt32 certHash = 0; + PKIX_UInt32 dateHash = 0; + PKIX_UInt32 maxCRLNumberHash = 0; + PKIX_UInt32 minCRLNumberHash = 0; + PKIX_UInt32 hash = 0; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Hashcode"); + PKIX_NULLCHECK_TWO(object, pHashcode); + + PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext), + PKIX_OBJECTNOTCOMCRLSELPARAMS); + + crlParams = (PKIX_ComCRLSelParams *)object; + + PKIX_HASHCODE(crlParams->issuerNames, &namesHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + PKIX_HASHCODE(crlParams->cert, &certHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + PKIX_HASHCODE(crlParams->date, &dateHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + PKIX_HASHCODE(crlParams->maxCRLNumber, &maxCRLNumberHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + PKIX_HASHCODE(crlParams->minCRLNumber, &minCRLNumberHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + + hash = (((namesHash << 3) + certHash) << 3) + dateHash; + hash = (hash << 3) + maxCRLNumberHash + minCRLNumberHash; + + *pHashcode = hash; + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCRLSelParams_Equals + * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_ComCRLSelParams_Equals( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Boolean *pResult, + void *plContext) +{ + PKIX_ComCRLSelParams *firstCrlParams = NULL; + PKIX_ComCRLSelParams *secondCrlParams = NULL; + PKIX_UInt32 secondType; + PKIX_Boolean cmpResult = PKIX_FALSE; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Equals"); + PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); + + /* test that firstObject is a ComCRLSelParams */ + PKIX_CHECK(pkix_CheckType + (firstObject, PKIX_COMCRLSELPARAMS_TYPE, plContext), + PKIX_FIRSTOBJECTNOTCOMCRLSELPARAMS); + + firstCrlParams = (PKIX_ComCRLSelParams *)firstObject; + secondCrlParams = (PKIX_ComCRLSelParams *)secondObject; + + /* + * Since we know firstObject is a ComCRLSelParams, if both references + * are identical, they must be equal + */ + if (firstCrlParams == secondCrlParams){ + *pResult = PKIX_TRUE; + goto cleanup; + } + + /* + * If secondComCRLSelParams isn't a ComCRLSelParams, we don't + * throw an error. We simply return a Boolean result of FALSE + */ + *pResult = PKIX_FALSE; + PKIX_CHECK(PKIX_PL_Object_GetType + ((PKIX_PL_Object *)secondCrlParams, &secondType, plContext), + PKIX_COULDNOTGETTYPEOFSECONDARGUMENT); + + if (secondType != PKIX_COMCRLSELPARAMS_TYPE) { + goto cleanup; + } + + /* Compare Issuer Names */ + PKIX_EQUALS + (firstCrlParams->issuerNames, + secondCrlParams->issuerNames, + &cmpResult, + plContext, + PKIX_LISTEQUALSFAILED); + + if (cmpResult != PKIX_TRUE) { + goto cleanup; + } + + /* Compare Date */ + PKIX_EQUALS + (firstCrlParams->date, + secondCrlParams->date, + &cmpResult, + plContext, + PKIX_DATEEQUALSFAILED); + + if (cmpResult != PKIX_TRUE) { + goto cleanup; + } + + /* Compare Max CRL Number */ + PKIX_EQUALS + (firstCrlParams->maxCRLNumber, + secondCrlParams->maxCRLNumber, + &cmpResult, + plContext, + PKIX_BIGINTEQUALSFAILED); + + if (cmpResult != PKIX_TRUE) { + goto cleanup; + } + + /* Compare Min CRL Number */ + PKIX_EQUALS + (firstCrlParams->minCRLNumber, + secondCrlParams->minCRLNumber, + &cmpResult, + plContext, + PKIX_BIGINTEQUALSFAILED); + + if (cmpResult != PKIX_TRUE) { + goto cleanup; + } + + /* Compare Cert */ + PKIX_EQUALS + (firstCrlParams->cert, + secondCrlParams->cert, + &cmpResult, + plContext, + PKIX_CERTEQUALSFAILED); + + *pResult = cmpResult; + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCRLSelParams_Duplicate + * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_ComCRLSelParams_Duplicate( + PKIX_PL_Object *object, + PKIX_PL_Object **pNewObject, + void *plContext) +{ + PKIX_ComCRLSelParams *old; + PKIX_ComCRLSelParams *new = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Duplicate"); + PKIX_NULLCHECK_TWO(object, pNewObject); + + PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext), + PKIX_OBJECTNOTCOMCRLSELPARAMS); + + old = (PKIX_ComCRLSelParams *)object; + + PKIX_CHECK(PKIX_PL_Object_Alloc + (PKIX_COMCRLSELPARAMS_TYPE, + (PKIX_UInt32)(sizeof (PKIX_ComCRLSelParams)), + (PKIX_PL_Object **)&new, + plContext), + PKIX_OBJECTALLOCFAILED); + + PKIX_DUPLICATE(old->cert, &new->cert, plContext, + PKIX_OBJECTDUPLICATECERTFAILED); + + PKIX_DUPLICATE(old->crldpList, &new->crldpList, plContext, + PKIX_OBJECTDUPLICATECERTFAILED); + + PKIX_DUPLICATE(old->issuerNames, &new->issuerNames, plContext, + PKIX_OBJECTDUPLICATEISSUERNAMESFAILED); + + PKIX_DUPLICATE(old->date, &new->date, plContext, + PKIX_OBJECTDUPLICATEDATEFAILED); + + PKIX_DUPLICATE(old->maxCRLNumber, &new->maxCRLNumber, plContext, + PKIX_OBJECTDUPLICATEMAXCRLNUMBERFAILED); + + PKIX_DUPLICATE(old->minCRLNumber, &new->minCRLNumber, plContext, + PKIX_OBJECTDUPLICATEMINCRLNUMBERFAILED); + + *pNewObject = (PKIX_PL_Object *)new; + +cleanup: + + if (PKIX_ERROR_RECEIVED){ + PKIX_DECREF(new); + } + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: pkix_ComCrlSelParams_RegisterSelf + * DESCRIPTION: + * Registers PKIX_COMCRLSELPARAMS_TYPE and its related functions with + * systemClasses[] + * THREAD SAFETY: + * Not Thread Safe - for performance and complexity reasons + * + * Since this function is only called by PKIX_PL_Initialize, which should + * only be called once, it is acceptable that this function is not + * thread-safe. + */ +PKIX_Error * +pkix_ComCRLSelParams_RegisterSelf(void *plContext) +{ + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; + pkix_ClassTable_Entry entry; + + PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_RegisterSelf"); + + entry.description = "ComCRLSelParams"; + entry.objCounter = 0; + entry.typeObjectSize = sizeof(PKIX_ComCRLSelParams); + entry.destructor = pkix_ComCRLSelParams_Destroy; + entry.equalsFunction = pkix_ComCRLSelParams_Equals; + entry.hashcodeFunction = pkix_ComCRLSelParams_Hashcode; + entry.toStringFunction = pkix_ComCRLSelParams_ToString; + entry.comparator = NULL; + entry.duplicateFunction = pkix_ComCRLSelParams_Duplicate; + + systemClasses[PKIX_COMCRLSELPARAMS_TYPE] = entry; + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* --ComCRLSelParams-Public-Functions------------------------------------- */ + +/* + * FUNCTION: PKIX_ComCRLSelParams_Create (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_Create( + PKIX_ComCRLSelParams **pParams, + void *plContext) +{ + PKIX_ComCRLSelParams *params = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_Create"); + PKIX_NULLCHECK_ONE(pParams); + + PKIX_CHECK(PKIX_PL_Object_Alloc + (PKIX_COMCRLSELPARAMS_TYPE, + sizeof (PKIX_ComCRLSelParams), + (PKIX_PL_Object **)¶ms, + plContext), + PKIX_COULDNOTCREATECOMMONCRLSELECTORPARAMSOBJECT); + + /* initialize fields */ + params->issuerNames = NULL; + params->cert = NULL; + params->crldpList = NULL; + params->date = NULL; + params->nistPolicyEnabled = PKIX_TRUE; + params->maxCRLNumber = NULL; + params->minCRLNumber = NULL; + + *pParams = params; + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetIssuerNames (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetIssuerNames( + PKIX_ComCRLSelParams *params, + PKIX_List **pIssuerNames, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_GetIssuerNames"); + PKIX_NULLCHECK_TWO(params, pIssuerNames); + + PKIX_INCREF(params->issuerNames); + + *pIssuerNames = params->issuerNames; + +cleanup: + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetIssuerNames (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetIssuerNames( + PKIX_ComCRLSelParams *params, + PKIX_List *names, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_SetIssuerNames"); + PKIX_NULLCHECK_ONE(params); /* allows null for names from spec */ + + PKIX_DECREF(params->issuerNames); + + PKIX_INCREF(names); /* if NULL, allows to reset for no action */ + + params->issuerNames = names; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_AddIssuerName (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_AddIssuerName( + PKIX_ComCRLSelParams *params, + PKIX_PL_X500Name *name, + void *plContext) +{ + PKIX_List *list = NULL; + + PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_AddIssuerName"); + PKIX_NULLCHECK_ONE(params); + + if (name != NULL) { + + if (params->issuerNames == NULL) { + + PKIX_CHECK(PKIX_List_Create(&list, plContext), + PKIX_LISTCREATEFAILED); + params->issuerNames = list; + } + + PKIX_CHECK(PKIX_List_AppendItem + (params->issuerNames, (PKIX_PL_Object *)name, plContext), + PKIX_LISTAPPENDITEMFAILED); + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + + } + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetCertificateChecking + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetCertificateChecking( + PKIX_ComCRLSelParams *params, + PKIX_PL_Cert **pCert, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_GetCertificateChecking"); + PKIX_NULLCHECK_TWO(params, pCert); + + PKIX_INCREF(params->cert); + + *pCert = params->cert; + +cleanup: + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetCertificateChecking + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetCertificateChecking( + PKIX_ComCRLSelParams *params, + PKIX_PL_Cert *cert, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_SetCertificateChecking"); + PKIX_NULLCHECK_ONE(params); /* allows cert to be NULL from spec */ + + PKIX_DECREF(params->cert); + + PKIX_INCREF(cert); + + params->cert = cert; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetDateAndTime( + PKIX_ComCRLSelParams *params, + PKIX_PL_Date **pDate, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_GetDateAndTime"); + PKIX_NULLCHECK_TWO(params, pDate); + + PKIX_INCREF(params->date); + + *pDate = params->date; + +cleanup: + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetDateAndTime( + PKIX_ComCRLSelParams *params, + PKIX_PL_Date *date, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_SetDateAndTime"); + PKIX_NULLCHECK_ONE(params); /* allows date to be NULL from spec */ + + PKIX_DECREF (params->date); + + PKIX_INCREF(date); + + params->date = date; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetNISTPolicyEnabled( + PKIX_ComCRLSelParams *params, + PKIX_Boolean *pEnabled, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_GetNISTPolicyEnabled"); + PKIX_NULLCHECK_TWO(params, pEnabled); + + *pEnabled = params->nistPolicyEnabled; + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetNISTPolicyEnabled( + PKIX_ComCRLSelParams *params, + PKIX_Boolean enabled, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_SetNISTPolicyEnabled"); + PKIX_NULLCHECK_ONE(params); /* allows date to be NULL from spec */ + + params->nistPolicyEnabled = enabled; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetMaxCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt **pMaxCRLNumber, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_GetMaxCRLNumber"); + PKIX_NULLCHECK_TWO(params, pMaxCRLNumber); + + PKIX_INCREF(params->maxCRLNumber); + + *pMaxCRLNumber = params->maxCRLNumber; + +cleanup: + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetMaxCRLNumber + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetMaxCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt *maxCRLNumber, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_SetMaxCRLNumber"); + PKIX_NULLCHECK_ONE(params); /* maxCRLNumber can be NULL - from spec */ + + PKIX_DECREF(params->maxCRLNumber); + + PKIX_INCREF(maxCRLNumber); + + params->maxCRLNumber = maxCRLNumber; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + + +/* + * FUNCTION: PKIX_ComCRLSelParams_GetMinCRLNumber + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_GetMinCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt **pMinCRLNumber, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_GetMinCRLNumber"); + PKIX_NULLCHECK_TWO(params, pMinCRLNumber); + + PKIX_INCREF(params->minCRLNumber); + + *pMinCRLNumber = params->minCRLNumber; + +cleanup: + PKIX_RETURN(COMCRLSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCRLSelParams_SetMinCRLNumber + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_ComCRLSelParams_SetMinCRLNumber( + PKIX_ComCRLSelParams *params, + PKIX_PL_BigInt *minCRLNumber, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, + "PKIX_ComCRLSelParams_SetMinCRLNumber"); + PKIX_NULLCHECK_ONE(params); /* minCRLNumber can be NULL - from spec */ + + PKIX_DECREF(params->minCRLNumber); + + PKIX_INCREF(minCRLNumber); + + params->minCRLNumber = minCRLNumber; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} + + +PKIX_Error* +PKIX_ComCRLSelParams_SetCrlDp( + PKIX_ComCRLSelParams *params, + PKIX_List *crldpList, + void *plContext) +{ + PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_SetCrlDp"); + PKIX_NULLCHECK_ONE(params); /* minCRLNumber can be NULL - from spec */ + + PKIX_INCREF(crldpList); + params->crldpList = crldpList; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); +cleanup: + + PKIX_RETURN(COMCRLSELPARAMS); +} diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h new file mode 100644 index 0000000000..08351375d9 --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h @@ -0,0 +1,38 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * pkix_comcrlselparams.h + * + * ComCrlSelParams Object Type Definition + * + */ + +#ifndef _PKIX_COMCRLSELPARAMS_H +#define _PKIX_COMCRLSELPARAMS_H + +#include "pkix_tools.h" + +#ifdef __cplusplus +extern "C" { +#endif + +struct PKIX_ComCRLSelParamsStruct { + PKIX_List *issuerNames; /* list of PKIX_PL_X500Name */ + PKIX_PL_Cert *cert; /* certificate being checked */ + PKIX_List *crldpList; + PKIX_PL_Date *date; + PKIX_Boolean nistPolicyEnabled; + PKIX_PL_BigInt *maxCRLNumber; + PKIX_PL_BigInt *minCRLNumber; +}; + +/* see source file for function documentation */ + +PKIX_Error *pkix_ComCRLSelParams_RegisterSelf(void *plContext); + +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_COMCRLSELPARAMS_H */ diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c new file mode 100644 index 0000000000..e9a9c03dfd --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c @@ -0,0 +1,870 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * pkix_crlselector.c + * + * CRLSelector Function Definitions + * + */ + +#include "pkix_crlselector.h" + +/* --CRLSelector Private-Functions-------------------------------------- */ + +/* + * FUNCTION: pkix_CRLSelector_Destroy + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_CRLSelector_Destroy( + PKIX_PL_Object *object, + void *plContext) +{ + PKIX_CRLSelector *selector = NULL; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy"); + PKIX_NULLCHECK_ONE(object); + + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), + PKIX_OBJECTNOTCRLSELECTOR); + + selector = (PKIX_CRLSelector *)object; + + selector->matchCallback = NULL; + + PKIX_DECREF(selector->params); + PKIX_DECREF(selector->context); + +cleanup: + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_ToString_Helper + * + * DESCRIPTION: + * Helper function that creates a string representation of CRLSelector + * pointed to by "crlParams" and stores its address in the object pointed to + * by "pString". + * + * PARAMETERS + * "list" + * Address of CRLSelector whose string representation is desired. + * Must be non-NULL. + * "pString" + * Address of object pointer's destination. Must be non-NULL. + * "plContext" - Platform-specific context pointer. + * + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +static PKIX_Error * +pkix_CRLSelector_ToString_Helper( + PKIX_CRLSelector *crlSelector, + PKIX_PL_String **pString, + void *plContext) +{ + PKIX_PL_String *crlSelectorString = NULL; + PKIX_PL_String *formatString = NULL; + PKIX_PL_String *crlParamsString = NULL; + PKIX_PL_String *crlContextString = NULL; + char *asciiFormat = NULL; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper"); + PKIX_NULLCHECK_TWO(crlSelector, pString); + PKIX_NULLCHECK_ONE(crlSelector->params); + + asciiFormat = + "\n\t[\n" + "\tMatchCallback: 0x%x\n" + "\tParams: %s\n" + "\tContext: %s\n" + "\t]\n"; + + PKIX_CHECK(PKIX_PL_String_Create + (PKIX_ESCASCII, + asciiFormat, + 0, + &formatString, + plContext), + PKIX_STRINGCREATEFAILED); + + /* Params */ + PKIX_TOSTRING + ((PKIX_PL_Object *)crlSelector->params, + &crlParamsString, + plContext, + PKIX_COMCRLSELPARAMSTOSTRINGFAILED); + + /* Context */ + PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext, + PKIX_LISTTOSTRINGFAILED); + + PKIX_CHECK(PKIX_PL_Sprintf + (&crlSelectorString, + plContext, + formatString, + crlSelector->matchCallback, + crlParamsString, + crlContextString), + PKIX_SPRINTFFAILED); + + *pString = crlSelectorString; + +cleanup: + + PKIX_DECREF(crlParamsString); + PKIX_DECREF(crlContextString); + PKIX_DECREF(formatString); + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_ToString + * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_CRLSelector_ToString( + PKIX_PL_Object *object, + PKIX_PL_String **pString, + void *plContext) +{ + PKIX_PL_String *crlSelectorString = NULL; + PKIX_CRLSelector *crlSelector = NULL; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString"); + PKIX_NULLCHECK_TWO(object, pString); + + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), + PKIX_OBJECTNOTCRLSELECTOR); + + crlSelector = (PKIX_CRLSelector *) object; + + PKIX_CHECK(pkix_CRLSelector_ToString_Helper + (crlSelector, &crlSelectorString, plContext), + PKIX_CRLSELECTORTOSTRINGHELPERFAILED); + + *pString = crlSelectorString; + +cleanup: + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_Hashcode + * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_CRLSelector_Hashcode( + PKIX_PL_Object *object, + PKIX_UInt32 *pHashcode, + void *plContext) +{ + PKIX_UInt32 paramsHash = 0; + PKIX_UInt32 contextHash = 0; + PKIX_UInt32 hash = 0; + + PKIX_CRLSelector *crlSelector = NULL; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode"); + PKIX_NULLCHECK_TWO(object, pHashcode); + + PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), + PKIX_OBJECTNOTCRLSELECTOR); + + crlSelector = (PKIX_CRLSelector *)object; + + PKIX_HASHCODE(crlSelector->params, ¶msHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + PKIX_HASHCODE(crlSelector->context, &contextHash, plContext, + PKIX_OBJECTHASHCODEFAILED); + + hash = 31 * ((PKIX_UInt32)((char *)crlSelector->matchCallback - (char *)NULL) + + (contextHash << 3)) + paramsHash; + + *pHashcode = hash; + +cleanup: + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_Equals + * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_CRLSelector_Equals( + PKIX_PL_Object *firstObject, + PKIX_PL_Object *secondObject, + PKIX_Boolean *pResult, + void *plContext) +{ + PKIX_CRLSelector *firstCrlSelector = NULL; + PKIX_CRLSelector *secondCrlSelector = NULL; + PKIX_UInt32 secondType; + PKIX_Boolean cmpResult = PKIX_FALSE; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals"); + PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); + + /* test that firstObject is a CRLSelector */ + PKIX_CHECK(pkix_CheckType + (firstObject, PKIX_CRLSELECTOR_TYPE, plContext), + PKIX_FIRSTOBJECTNOTCRLSELECTOR); + + firstCrlSelector = (PKIX_CRLSelector *)firstObject; + secondCrlSelector = (PKIX_CRLSelector *)secondObject; + + /* + * Since we know firstObject is a CRLSelector, if both references are + * identical, they must be equal + */ + if (firstCrlSelector == secondCrlSelector){ + *pResult = PKIX_TRUE; + goto cleanup; + } + + /* + * If secondCRLSelector isn't a CRLSelector, we don't throw an error. + * We simply return a Boolean result of FALSE + */ + *pResult = PKIX_FALSE; + PKIX_CHECK(PKIX_PL_Object_GetType + ((PKIX_PL_Object *)secondCrlSelector, + &secondType, + plContext), + PKIX_COULDNOTGETTYPEOFSECONDARGUMENT); + + if (secondType != PKIX_CRLSELECTOR_TYPE) { + goto cleanup; + } + + /* Compare MatchCallback address */ + cmpResult = (firstCrlSelector->matchCallback == + secondCrlSelector->matchCallback); + + if (cmpResult == PKIX_FALSE) { + goto cleanup; + } + + /* Compare Common CRL Selector Params */ + PKIX_EQUALS + (firstCrlSelector->params, + secondCrlSelector->params, + &cmpResult, + plContext, + PKIX_COMCRLSELPARAMSEQUALSFAILED); + + + if (cmpResult == PKIX_FALSE) { + goto cleanup; + } + + /* Compare Context */ + PKIX_EQUALS + (firstCrlSelector->context, + secondCrlSelector->context, + &cmpResult, + plContext, + PKIX_COMCRLSELPARAMSEQUALSFAILED); + + *pResult = cmpResult; + +cleanup: + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_Duplicate + * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_CRLSelector_Duplicate( + PKIX_PL_Object *object, + PKIX_PL_Object **pNewObject, + void *plContext) +{ + PKIX_CRLSelector *old; + PKIX_CRLSelector *new = NULL; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate"); + PKIX_NULLCHECK_TWO(object, pNewObject); + + PKIX_CHECK(pkix_CheckType + (object, PKIX_CRLSELECTOR_TYPE, plContext), + PKIX_OBJECTNOTCRLSELECTOR); + + old = (PKIX_CRLSelector *)object; + + PKIX_CHECK(PKIX_PL_Object_Alloc + (PKIX_CRLSELECTOR_TYPE, + (PKIX_UInt32)(sizeof (PKIX_CRLSelector)), + (PKIX_PL_Object **)&new, + plContext), + PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED); + + new->matchCallback = old->matchCallback; + + PKIX_DUPLICATE(old->params, &new->params, plContext, + PKIX_OBJECTDUPLICATEPARAMSFAILED); + + PKIX_DUPLICATE(old->context, &new->context, plContext, + PKIX_OBJECTDUPLICATECONTEXTFAILED); + + *pNewObject = (PKIX_PL_Object *)new; + +cleanup: + + if (PKIX_ERROR_RECEIVED){ + PKIX_DECREF(new); + } + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_DefaultMatch + * + * DESCRIPTION: + * This function compares the parameter values (Issuer, date, and CRL number) + * set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with + * the corresponding values in the CRL pointed to by "crl". When all the + * criteria set in the parameter values match the values in "crl", PKIX_TRUE is + * stored at "pMatch". If the CRL does not match the CRLSelector's criteria, + * PKIX_FALSE is stored at "pMatch". + * + * PARAMETERS + * "selector" + * Address of CRLSelector which is verified for a match + * Must be non-NULL. + * "crl" + * Address of the CRL object to be verified. Must be non-NULL. + * "pMatch" + * Address at which Boolean result is stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +static PKIX_Error * +pkix_CRLSelector_DefaultMatch( + PKIX_CRLSelector *selector, + PKIX_PL_CRL *crl, + PKIX_Boolean *pMatch, + void *plContext) +{ + PKIX_ComCRLSelParams *params = NULL; + PKIX_PL_X500Name *crlIssuerName = NULL; + PKIX_PL_X500Name *issuerName = NULL; + PKIX_List *selIssuerNames = NULL; + PKIX_PL_Date *selDate = NULL; + PKIX_Boolean result = PKIX_TRUE; + PKIX_UInt32 numIssuers = 0; + PKIX_UInt32 i; + PKIX_PL_BigInt *minCRLNumber = NULL; + PKIX_PL_BigInt *maxCRLNumber = NULL; + PKIX_PL_BigInt *crlNumber = NULL; + PKIX_Boolean nistPolicyEnabled = PKIX_FALSE; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch"); + PKIX_NULLCHECK_TWO(selector, crl); + + *pMatch = PKIX_TRUE; + params = selector->params; + + /* No matching parameter provided, just a match */ + if (params == NULL) { + goto cleanup; + } + + PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames + (params, &selIssuerNames, plContext), + PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED); + + /* Check for Issuers */ + if (selIssuerNames != NULL){ + + result = PKIX_FALSE; + + PKIX_CHECK(PKIX_PL_CRL_GetIssuer + (crl, &crlIssuerName, plContext), + PKIX_CRLGETISSUERFAILED); + + PKIX_CHECK(PKIX_List_GetLength + (selIssuerNames, &numIssuers, plContext), + PKIX_LISTGETLENGTHFAILED); + + for (i = 0; i < numIssuers; i++){ + + PKIX_CHECK(PKIX_List_GetItem + (selIssuerNames, + i, + (PKIX_PL_Object **)&issuerName, + plContext), + PKIX_LISTGETITEMFAILED); + + PKIX_CHECK(PKIX_PL_X500Name_Match + (crlIssuerName, + issuerName, + &result, + plContext), + PKIX_X500NAMEMATCHFAILED); + + PKIX_DECREF(issuerName); + + if (result == PKIX_TRUE) { + break; + } + } + + if (result == PKIX_FALSE) { + PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N"); + *pMatch = PKIX_FALSE; + goto cleanup; + } + + } + + PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime + (params, &selDate, plContext), + PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED); + + /* Check for Date */ + if (selDate != NULL){ + + PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled + (params, &nistPolicyEnabled, plContext), + PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED); + + /* check crl dates only for if NIST policies enforced */ + if (nistPolicyEnabled) { + result = PKIX_FALSE; + + PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime + (crl, selDate, &result, plContext), + PKIX_CRLVERIFYUPDATETIMEFAILED); + + if (result == PKIX_FALSE) { + *pMatch = PKIX_FALSE; + goto cleanup; + } + } + + } + + /* Check for CRL number in range */ + PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext), + PKIX_CRLGETCRLNUMBERFAILED); + + if (crlNumber != NULL) { + result = PKIX_FALSE; + + PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber + (params, &minCRLNumber, plContext), + PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED); + + if (minCRLNumber != NULL) { + + PKIX_CHECK(PKIX_PL_Object_Compare + ((PKIX_PL_Object *)minCRLNumber, + (PKIX_PL_Object *)crlNumber, + &result, + plContext), + PKIX_OBJECTCOMPARATORFAILED); + + if (result == 1) { + PKIX_CRLSELECTOR_DEBUG + ("CRL MinNumber Range Match Failed\n"); + *pMatch = PKIX_FALSE; + goto cleanup; + } + } + + PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber + (params, &maxCRLNumber, plContext), + PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED); + + if (maxCRLNumber != NULL) { + + PKIX_CHECK(PKIX_PL_Object_Compare + ((PKIX_PL_Object *)crlNumber, + (PKIX_PL_Object *)maxCRLNumber, + &result, + plContext), + PKIX_OBJECTCOMPARATORFAILED); + + if (result == 1) { + PKIX_CRLSELECTOR_DEBUG + (PKIX_CRLMAXNUMBERRANGEMATCHFAILED); + *pMatch = PKIX_FALSE; + goto cleanup; + } + } + } + +cleanup: + + PKIX_DECREF(selIssuerNames); + PKIX_DECREF(selDate); + PKIX_DECREF(crlIssuerName); + PKIX_DECREF(issuerName); + PKIX_DECREF(crlNumber); + PKIX_DECREF(minCRLNumber); + PKIX_DECREF(maxCRLNumber); + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_RegisterSelf + * DESCRIPTION: + * Registers PKIX_CRLSELECTOR_TYPE and its related functions with + * systemClasses[] + * THREAD SAFETY: + * Not Thread Safe - for performance and complexity reasons + * + * Since this function is only called by PKIX_PL_Initialize, which should + * only be called once, it is acceptable that this function is not + * thread-safe. + */ +PKIX_Error * +pkix_CRLSelector_RegisterSelf(void *plContext) +{ + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; + pkix_ClassTable_Entry entry; + + PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf"); + + entry.description = "CRLSelector"; + entry.objCounter = 0; + entry.typeObjectSize = sizeof(PKIX_CRLSelector); + entry.destructor = pkix_CRLSelector_Destroy; + entry.equalsFunction = pkix_CRLSelector_Equals; + entry.hashcodeFunction = pkix_CRLSelector_Hashcode; + entry.toStringFunction = pkix_CRLSelector_ToString; + entry.comparator = NULL; + entry.duplicateFunction = pkix_CRLSelector_Duplicate; + + systemClasses[PKIX_CRLSELECTOR_TYPE] = entry; + + PKIX_RETURN(CRLSELECTOR); +} + +/* --CRLSelector-Public-Functions---------------------------------------- */ +PKIX_Error * +pkix_CRLSelector_Create( + PKIX_CRLSelector_MatchCallback callback, + PKIX_PL_Object *crlSelectorContext, + PKIX_CRLSelector **pSelector, + void *plContext) +{ + PKIX_CRLSelector *selector = NULL; + + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create"); + PKIX_NULLCHECK_ONE(pSelector); + + PKIX_CHECK(PKIX_PL_Object_Alloc + (PKIX_CRLSELECTOR_TYPE, + sizeof (PKIX_CRLSelector), + (PKIX_PL_Object **)&selector, + plContext), + PKIX_COULDNOTCREATECRLSELECTOROBJECT); + + /* + * if user specified a particular match callback, we use that one. + * otherwise, we use the default match provided. + */ + + if (callback != NULL){ + selector->matchCallback = callback; + } else { + selector->matchCallback = pkix_CRLSelector_DefaultMatch; + } + + /* initialize other fields */ + selector->params = NULL; + + PKIX_INCREF(crlSelectorContext); + selector->context = crlSelectorContext; + + *pSelector = selector; + selector = NULL; + +cleanup: + + PKIX_DECREF(selector); + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_CRLSelector_Create( + PKIX_PL_Cert *issuer, + PKIX_List *crldpList, + PKIX_PL_Date *date, + PKIX_CRLSelector **pCrlSelector, + void *plContext) +{ + PKIX_PL_X500Name *issuerName = NULL; + PKIX_PL_Date *nowDate = NULL; + PKIX_ComCRLSelParams *comCrlSelParams = NULL; + PKIX_CRLSelector *crlSelector = NULL; + + PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create"); + PKIX_NULLCHECK_ONE(issuer); + + PKIX_CHECK( + PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext), + PKIX_CERTGETISSUERFAILED); + + if (date != NULL) { + PKIX_INCREF(date); + nowDate = date; + } else { + PKIX_CHECK( + PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext), + PKIX_DATECREATEUTCTIMEFAILED); + } + + PKIX_CHECK( + PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext), + PKIX_COMCRLSELPARAMSCREATEFAILED); + + PKIX_CHECK( + PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName, + plContext), + PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED); + + PKIX_CHECK( + PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList, + plContext), + PKIX_COMCRLSELPARAMSSETCERTFAILED); + + PKIX_CHECK( + PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate, + plContext), + PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED); + + PKIX_CHECK( + pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext), + PKIX_CRLSELECTORCREATEFAILED); + + PKIX_CHECK( + PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector, + comCrlSelParams, + plContext), + PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED); + + *pCrlSelector = crlSelector; + crlSelector = NULL; + +cleanup: + + PKIX_DECREF(issuerName); + PKIX_DECREF(nowDate); + PKIX_DECREF(comCrlSelParams); + PKIX_DECREF(crlSelector); + + PKIX_RETURN(CERTCHAINCHECKER); +} + +/* + * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_CRLSelector_GetMatchCallback( + PKIX_CRLSelector *selector, + PKIX_CRLSelector_MatchCallback *pCallback, + void *plContext) +{ + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback"); + PKIX_NULLCHECK_TWO(selector, pCallback); + + *pCallback = selector->matchCallback; + + PKIX_RETURN(CRLSELECTOR); +} + + +/* + * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_CRLSelector_GetCRLSelectorContext( + PKIX_CRLSelector *selector, + void **pCrlSelectorContext, + void *plContext) +{ + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext"); + PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext); + + PKIX_INCREF(selector->context); + + *pCrlSelectorContext = selector->context; + +cleanup: + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_CRLSelector_GetCommonCRLSelectorParams( + PKIX_CRLSelector *selector, + PKIX_ComCRLSelParams **pParams, + void *plContext) +{ + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams"); + PKIX_NULLCHECK_TWO(selector, pParams); + + PKIX_INCREF(selector->params); + + *pParams = selector->params; + +cleanup: + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams + * (see comments in pkix_crlsel.h) + */ +PKIX_Error * +PKIX_CRLSelector_SetCommonCRLSelectorParams( + PKIX_CRLSelector *selector, + PKIX_ComCRLSelParams *params, + void *plContext) +{ + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams"); + PKIX_NULLCHECK_TWO(selector, params); + + PKIX_DECREF(selector->params); + + PKIX_INCREF(params); + selector->params = params; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)selector, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(CRLSELECTOR); +} + +/* + * FUNCTION: pkix_CRLSelector_Select + * DESCRIPTION: + * + * This function applies the selector pointed to by "selector" to each CRL, + * in turn, in the List pointed to by "before", and creates a List containing + * all the CRLs that matched, or passed the selection process, storing that + * List at "pAfter". If no CRLs match, an empty List is stored at "pAfter". + * + * The List returned in "pAfter" is immutable. + * + * PARAMETERS: + * "selector" + * Address of CRLSelelector to be applied to the List. Must be non-NULL. + * "before" + * Address of List that is to be filtered. Must be non-NULL. + * "pAfter" + * Address at which resulting List, possibly empty, is stored. Must be + * non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CRLSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +pkix_CRLSelector_Select( + PKIX_CRLSelector *selector, + PKIX_List *before, + PKIX_List **pAfter, + void *plContext) +{ + PKIX_Boolean match = PKIX_FALSE; + PKIX_UInt32 numBefore = 0; + PKIX_UInt32 i = 0; + PKIX_List *filtered = NULL; + PKIX_PL_CRL *candidate = NULL; + + PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select"); + PKIX_NULLCHECK_THREE(selector, before, pAfter); + + PKIX_CHECK(PKIX_List_Create(&filtered, plContext), + PKIX_LISTCREATEFAILED); + + PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext), + PKIX_LISTGETLENGTHFAILED); + + for (i = 0; i < numBefore; i++) { + + PKIX_CHECK(PKIX_List_GetItem + (before, i, (PKIX_PL_Object **)&candidate, plContext), + PKIX_LISTGETITEMFAILED); + + PKIX_CHECK_ONLY_FATAL(selector->matchCallback + (selector, candidate, &match, plContext), + PKIX_CRLSELECTORMATCHCALLBACKFAILED); + + if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) { + + PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem + (filtered, + (PKIX_PL_Object *)candidate, + plContext), + PKIX_LISTAPPENDITEMFAILED); + } + + pkixTempErrorReceived = PKIX_FALSE; + PKIX_DECREF(candidate); + } + + PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext), + PKIX_LISTSETIMMUTABLEFAILED); + + /* Don't throw away the list if one CRL was bad! */ + pkixTempErrorReceived = PKIX_FALSE; + + *pAfter = filtered; + filtered = NULL; + +cleanup: + + PKIX_DECREF(filtered); + PKIX_DECREF(candidate); + + PKIX_RETURN(CRLSELECTOR); + +} diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h new file mode 100644 index 0000000000..4f44cc7683 --- /dev/null +++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * pkix_crlselector.h + * + * CrlSelector Object Type Definition + * + */ + +#ifndef _PKIX_CRLSELECTOR_H +#define _PKIX_CRLSELECTOR_H + +#include "pkix_tools.h" + +#ifdef __cplusplus +extern "C" { +#endif + +struct PKIX_CRLSelectorStruct { + PKIX_CRLSelector_MatchCallback matchCallback; + PKIX_ComCRLSelParams *params; + PKIX_PL_Object *context; +}; + +/* see source file for function documentation */ + +PKIX_Error *pkix_CRLSelector_RegisterSelf(void *plContext); + +PKIX_Error * +pkix_CRLSelector_Select( + PKIX_CRLSelector *selector, + PKIX_List *before, + PKIX_List **pAfter, + void *plContext); +#ifdef __cplusplus +} +#endif + +#endif /* _PKIX_CRLSELECTOR_H */ |