trustbridge/nss-cmake-static: nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl

comparison nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.

author	Andre Heinecke <andre.heinecke@intevation.de>
date	Mon, 28 Jul 2014 10:47:06 +0200
parents
children

comparison

equal deleted inserted replaced

--1:000000000000
+:1e5118fa0cb1
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+* pkix_pl_nameconstraints.c
+*
+* Name Constraints Object Functions Definitions
+*
+*/
+#include "pkix_pl_nameconstraints.h"
+/* --Private-NameConstraints-Functions----------------------------- */
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_GetPermitted
+* DESCRIPTION:
+*
+*  This function retrieve name constraints permitted list from NSS
+*  data in "nameConstraints" and returns a PKIX_PL_GeneralName list
+*  in "pPermittedList".
+*
+* PARAMETERS
+*  "nameConstraints"
+*      Address of CertNameConstraints which has a pointer to
+*      CERTNameConstraints data. Must be non-NULL.
+*  "pPermittedList"
+*      Address where returned permitted name list is stored. Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+* THREAD SAFETY:
+*  Conditionally Thread Safe
+*      (see Thread Safety Definitions in Programmer's Guide)
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a
+*  non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_GetPermitted(
+PKIX_PL_CertNameConstraints *nameConstraints,
+PKIX_List **pPermittedList,
+void *plContext)
+{
+CERTNameConstraints *nssNameConstraints = NULL;
+CERTNameConstraints **nssNameConstraintsList = NULL;
+CERTNameConstraint *nssPermitted = NULL;
+CERTNameConstraint *firstPermitted = NULL;
+PKIX_List *permittedList = NULL;
+PKIX_PL_GeneralName *name = NULL;
+PKIX_UInt32 numItems = 0;
+PKIX_UInt32 i;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_GetPermitted");
+PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList);
+/*
+* nssNameConstraints is an array of CERTNameConstraints
+* pointers where CERTNameConstraints keep its permitted and excluded
+* lists as pointer array of CERTNameConstraint.
+*/
+if (nameConstraints->permittedList == NULL) {
+PKIX_OBJECT_LOCK(nameConstraints);
+if (nameConstraints->permittedList == NULL) {
+PKIX_CHECK(PKIX_List_Create(&permittedList, plContext),
+PKIX_LISTCREATEFAILED);
+numItems = nameConstraints->numNssNameConstraints;
+nssNameConstraintsList =
+nameConstraints->nssNameConstraintsList;
+for (i = 0; i < numItems; i++) {
+PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+nssNameConstraints = *(nssNameConstraintsList + i);
+PKIX_NULLCHECK_ONE(nssNameConstraints);
+if (nssNameConstraints->permited != NULL) {
+nssPermitted = nssNameConstraints->permited;
+firstPermitted = nssPermitted;
+do {
+PKIX_CHECK(pkix_pl_GeneralName_Create
+(&nssPermitted->name, &name, plContext),
+PKIX_GENERALNAMECREATEFAILED);
+PKIX_CHECK(PKIX_List_AppendItem
+(permittedList,
+(PKIX_PL_Object *)name,
+plContext),
+PKIX_LISTAPPENDITEMFAILED);
+PKIX_DECREF(name);
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_GetNextNameConstraint\n");
+nssPermitted = CERT_GetNextNameConstraint
+(nssPermitted);
+} while (nssPermitted != firstPermitted);
+}
+}
+PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext),
+PKIX_LISTSETIMMUTABLEFAILED);
+nameConstraints->permittedList = permittedList;
+}
+PKIX_OBJECT_UNLOCK(nameConstraints);
+}
+PKIX_INCREF(nameConstraints->permittedList);
+*pPermittedList = nameConstraints->permittedList;
+cleanup:
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_GetExcluded
+* DESCRIPTION:
+*
+*  This function retrieve name constraints excluded list from NSS
+*  data in "nameConstraints" and returns a PKIX_PL_GeneralName list
+*  in "pExcludedList".
+*
+* PARAMETERS
+*  "nameConstraints"
+*      Address of CertNameConstraints which has a pointer to NSS data.
+*      Must be non-NULL.
+*  "pPermittedList"
+*      Address where returned excluded name list is stored. Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+* THREAD SAFETY:
+*  Conditionally Thread Safe
+*      (see Thread Safety Definitions in Programmer's Guide)
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a
+*  non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_GetExcluded(
+PKIX_PL_CertNameConstraints *nameConstraints,
+PKIX_List **pExcludedList,
+void *plContext)
+{
+CERTNameConstraints *nssNameConstraints = NULL;
+CERTNameConstraints **nssNameConstraintsList = NULL;
+CERTNameConstraint *nssExcluded = NULL;
+CERTNameConstraint *firstExcluded = NULL;
+PKIX_List *excludedList = NULL;
+PKIX_PL_GeneralName *name = NULL;
+PKIX_UInt32 numItems = 0;
+PKIX_UInt32 i;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_GetExcluded");
+PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList);
+if (nameConstraints->excludedList == NULL) {
+PKIX_OBJECT_LOCK(nameConstraints);
+if (nameConstraints->excludedList == NULL) {
+PKIX_CHECK(PKIX_List_Create(&excludedList, plContext),
+PKIX_LISTCREATEFAILED);
+numItems = nameConstraints->numNssNameConstraints;
+nssNameConstraintsList =
+nameConstraints->nssNameConstraintsList;
+for (i = 0; i < numItems; i++) {
+PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+nssNameConstraints = *(nssNameConstraintsList + i);
+PKIX_NULLCHECK_ONE(nssNameConstraints);
+if (nssNameConstraints->excluded != NULL) {
+nssExcluded = nssNameConstraints->excluded;
+firstExcluded = nssExcluded;
+do {
+PKIX_CHECK(pkix_pl_GeneralName_Create
+(&nssExcluded->name, &name, plContext),
+PKIX_GENERALNAMECREATEFAILED);
+PKIX_CHECK(PKIX_List_AppendItem
+(excludedList,
+(PKIX_PL_Object *)name,
+plContext),
+PKIX_LISTAPPENDITEMFAILED);
+PKIX_DECREF(name);
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_GetNextNameConstraint\n");
+nssExcluded = CERT_GetNextNameConstraint
+(nssExcluded);
+} while (nssExcluded != firstExcluded);
+}
+}
+PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext),
+PKIX_LISTSETIMMUTABLEFAILED);
+nameConstraints->excludedList = excludedList;
+}
+PKIX_OBJECT_UNLOCK(nameConstraints);
+}
+PKIX_INCREF(nameConstraints->excludedList);
+*pExcludedList = nameConstraints->excludedList;
+cleanup:
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
+* DESCRIPTION:
+*
+*  This function checks if CERTGeneralNames in "nssSubjectNames" comply
+*  with the permitted and excluded names in "nameConstraints". It returns
+*  PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
+*  permitted list and if the Names are not in the excluded list. Otherwise,
+*  it returns PKIX_FALSE.
+*
+* PARAMETERS
+*  "nssSubjectNames"
+*      List of CERTGeneralName that nameConstraints verification is based on.
+*  "nameConstraints"
+*      Address of CertNameConstraints that provides lists of permitted
+*      and excluded names. Must be non-NULL.
+*  "pCheckPass"
+*      Address where PKIX_TRUE is returned if the all names in "nameList" are
+*      valid.
+*  "plContext" - Platform-specific context pointer.
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a
+*  non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+PKIX_Error *
+pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
+CERTGeneralName *nssSubjectNames,
+PKIX_PL_CertNameConstraints *nameConstraints,
+PKIX_Boolean *pCheckPass,
+void *plContext)
+{
+CERTNameConstraints **nssNameConstraintsList = NULL;
+CERTNameConstraints *nssNameConstraints = NULL;
+CERTGeneralName *nssMatchName = NULL;
+PLArenaPool *arena = NULL;
+PKIX_UInt32 numItems = 0;
+PKIX_UInt32 i;
+SECStatus status = SECSuccess;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_CheckNameSpaceNssNames");
+PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass);
+*pCheckPass = PKIX_TRUE;
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
+arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+if (arena == NULL) {
+PKIX_ERROR(PKIX_OUTOFMEMORY);
+}
+nssMatchName = nssSubjectNames;
+nssNameConstraintsList = nameConstraints->nssNameConstraintsList;
+/*
+* CERTNameConstraint items in each permitted or excluded list
+* is verified as OR condition. That means, if one item matched,
+* then the checking on the remaining items on the list is skipped.
+* (see NSS cert_CompareNameWithConstraints(...)).
+* Items on PKIX_PL_NameConstraint's nssNameConstraints are verified
+* as AND condition. PKIX_PL_NameConstraint keeps an array of pointers
+* of CERTNameConstraints resulting from merging multiple
+* PKIX_PL_NameConstraints. Since each CERTNameConstraint are created
+* for different entity, a union condition of these entities then is
+* performed.
+*/
+do {
+numItems = nameConstraints->numNssNameConstraints;
+for (i = 0; i < numItems; i++) {
+PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+nssNameConstraints = *(nssNameConstraintsList + i);
+PKIX_NULLCHECK_ONE(nssNameConstraints);
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_CheckNameSpace\n");
+status = CERT_CheckNameSpace
+(arena, nssNameConstraints, nssMatchName);
+if (status != SECSuccess) {
+break;
+}
+}
+if (status != SECSuccess) {
+break;
+}
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_GetNextGeneralName\n");
+nssMatchName = CERT_GetNextGeneralName(nssMatchName);
+} while (nssMatchName != nssSubjectNames);
+if (status == SECFailure) {
+*pCheckPass = PKIX_FALSE;
+}
+cleanup:
+if (arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(arena, PR_FALSE);
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_NameConstraints_Destroy
+* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Destroy(
+PKIX_PL_Object *object,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy");
+PKIX_NULLCHECK_ONE(object);
+PKIX_CHECK(pkix_CheckType
+(object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+PKIX_CHECK(PKIX_PL_Free
+(nameConstraints->nssNameConstraintsList, plContext),
+PKIX_FREEFAILED);
+if (nameConstraints->arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(nameConstraints->arena, PR_FALSE);
+nameConstraints->arena = NULL;
+}
+PKIX_DECREF(nameConstraints->permittedList);
+PKIX_DECREF(nameConstraints->excludedList);
+cleanup:
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper
+* DESCRIPTION:
+*
+*  Helper function that creates a string representation of the object
+*  NameConstraints and stores it at "pString".
+*
+* PARAMETERS
+*  "nameConstraints"
+*      Address of CertNameConstraints whose string representation is
+*      desired. Must be non-NULL.
+*  "pString"
+*      Address where string object pointer will be stored. Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a
+*  non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_ToString_Helper(
+PKIX_PL_CertNameConstraints *nameConstraints,
+PKIX_PL_String **pString,
+void *plContext)
+{
+char *asciiFormat = NULL;
+PKIX_PL_String *formatString = NULL;
+PKIX_List *permittedList = NULL;
+PKIX_List *excludedList = NULL;
+PKIX_PL_String *permittedListString = NULL;
+PKIX_PL_String *excludedListString = NULL;
+PKIX_PL_String *nameConstraintsString = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_ToString_Helper");
+PKIX_NULLCHECK_TWO(nameConstraints, pString);
+asciiFormat =
+"[\n"
+"\t\tPermitted Name:  %s\n"
+"\t\tExcluded Name:   %s\n"
+"\t]\n";
+PKIX_CHECK(PKIX_PL_String_Create
+(PKIX_ESCASCII,
+asciiFormat,
+0,
+&formatString,
+plContext),
+PKIX_STRINGCREATEFAILED);
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+(nameConstraints, &permittedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+PKIX_TOSTRING(permittedList, &permittedListString, plContext,
+PKIX_LISTTOSTRINGFAILED);
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+(nameConstraints, &excludedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+PKIX_TOSTRING(excludedList, &excludedListString, plContext,
+PKIX_LISTTOSTRINGFAILED);
+PKIX_CHECK(PKIX_PL_Sprintf
+(&nameConstraintsString,
+plContext,
+formatString,
+permittedListString,
+excludedListString),
+PKIX_SPRINTFFAILED);
+*pString = nameConstraintsString;
+cleanup:
+PKIX_DECREF(formatString);
+PKIX_DECREF(permittedList);
+PKIX_DECREF(excludedList);
+PKIX_DECREF(permittedListString);
+PKIX_DECREF(excludedListString);
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_ToString
+* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_ToString(
+PKIX_PL_Object *object,
+PKIX_PL_String **pString,
+void *plContext)
+{
+PKIX_PL_String *nameConstraintsString = NULL;
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString");
+PKIX_NULLCHECK_TWO(object, pString);
+PKIX_CHECK(pkix_CheckType(
+object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper
+(nameConstraints, &nameConstraintsString, plContext),
+PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED);
+*pString = nameConstraintsString;
+cleanup:
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_Hashcode
+* (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Hashcode(
+PKIX_PL_Object *object,
+PKIX_UInt32 *pHashcode,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+PKIX_List *permittedList = NULL;
+PKIX_List *excludedList = NULL;
+PKIX_UInt32 permitHash = 0;
+PKIX_UInt32 excludeHash = 0;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode");
+PKIX_NULLCHECK_TWO(object, pHashcode);
+PKIX_CHECK(pkix_CheckType
+(object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+(nameConstraints, &permittedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+PKIX_HASHCODE(permittedList, &permitHash, plContext,
+PKIX_OBJECTHASHCODEFAILED);
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+(nameConstraints, &excludedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+PKIX_HASHCODE(excludedList, &excludeHash, plContext,
+PKIX_OBJECTHASHCODEFAILED);
+*pHashcode = (((permitHash << 7) + excludeHash) << 7) +
+nameConstraints->numNssNameConstraints;
+cleanup:
+PKIX_DECREF(permittedList);
+PKIX_DECREF(excludedList);
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_Equals
+* (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Equals(
+PKIX_PL_Object *firstObject,
+PKIX_PL_Object *secondObject,
+PKIX_Boolean *pResult,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *firstNC = NULL;
+PKIX_PL_CertNameConstraints *secondNC = NULL;
+PKIX_List *firstPermittedList = NULL;
+PKIX_List *secondPermittedList = NULL;
+PKIX_List *firstExcludedList = NULL;
+PKIX_List *secondExcludedList = NULL;
+PKIX_UInt32 secondType;
+PKIX_Boolean cmpResult = PKIX_FALSE;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals");
+PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+/* test that firstObject is a CertNameConstraints */
+PKIX_CHECK(pkix_CheckType
+(firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS);
+firstNC = (PKIX_PL_CertNameConstraints *)firstObject;
+secondNC = (PKIX_PL_CertNameConstraints *)secondObject;
+/*
+* Since we know firstObject is a CertNameConstraints, if both
+* references are identical, they must be equal
+*/
+if (firstNC == secondNC){
+*pResult = PKIX_TRUE;
+goto cleanup;
+}
+/*
+* If secondNC isn't a CertNameConstraints, we don't throw an error.
+* We simply return a Boolean result of FALSE
+*/
+*pResult = PKIX_FALSE;
+PKIX_CHECK(PKIX_PL_Object_GetType
+((PKIX_PL_Object *)secondNC, &secondType, plContext),
+PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) {
+goto cleanup;
+}
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+(firstNC, &firstPermittedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+(secondNC, &secondPermittedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+PKIX_EQUALS
+(firstPermittedList, secondPermittedList, &cmpResult, plContext,
+PKIX_OBJECTEQUALSFAILED);
+if (cmpResult != PKIX_TRUE) {
+goto cleanup;
+}
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+(firstNC, &firstExcludedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+(secondNC, &secondExcludedList, plContext),
+PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+PKIX_EQUALS
+(firstExcludedList, secondExcludedList, &cmpResult, plContext,
+PKIX_OBJECTEQUALSFAILED);
+if (cmpResult != PKIX_TRUE) {
+goto cleanup;
+}
+/*
+* numNssNameConstraints is not checked because it is basically a
+* merge count, it cannot determine the data equality.
+*/
+*pResult = PKIX_TRUE;
+cleanup:
+PKIX_DECREF(firstPermittedList);
+PKIX_DECREF(secondPermittedList);
+PKIX_DECREF(firstExcludedList);
+PKIX_DECREF(secondExcludedList);
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf
+* DESCRIPTION:
+*  Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with
+*  systemClasses[]
+* THREAD SAFETY:
+*  Not Thread Safe - for performance and complexity reasons
+*
+*  Since this function is only called by PKIX_PL_Initialize, which should
+*  only be called once, it is acceptable that this function is not
+*  thread-safe.
+*/
+PKIX_Error *
+pkix_pl_CertNameConstraints_RegisterSelf(void *plContext)
+{
+extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+pkix_ClassTable_Entry entry;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_RegisterSelf");
+entry.description = "CertNameConstraints";
+entry.objCounter = 0;
+entry.typeObjectSize = sizeof(PKIX_PL_CertNameConstraints);
+entry.destructor = pkix_pl_CertNameConstraints_Destroy;
+entry.equalsFunction = pkix_pl_CertNameConstraints_Equals;
+entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode;
+entry.toStringFunction = pkix_pl_CertNameConstraints_ToString;
+entry.comparator = NULL;
+entry.duplicateFunction = pkix_duplicateImmutable;
+systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry;
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_Create_Helper
+*
+* DESCRIPTION:
+*  This function retrieves name constraints in "nssNameConstraints",
+*  converts and stores the result in a PKIX_PL_CertNameConstraints object.
+*
+* PARAMETERS
+*  "nssNameConstraints"
+*      Address of CERTNameConstraints that contains this object's data.
+*      Must be non-NULL.
+*  "pNameConstraints"
+*      Address where object pointer will be stored. Must be non-NULL.
+*      A NULL value will be returned if there is no Name Constraints extension.
+*  "plContext" - Platform-specific context pointer.
+*
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+*
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Create_Helper(
+CERTNameConstraints *nssNameConstraints,
+PKIX_PL_CertNameConstraints **pNameConstraints,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+CERTNameConstraints **nssNameConstraintPtr = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_Create_Helper");
+PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints);
+PKIX_CHECK(PKIX_PL_Object_Alloc
+(PKIX_CERTNAMECONSTRAINTS_TYPE,
+sizeof (PKIX_PL_CertNameConstraints),
+(PKIX_PL_Object **)&nameConstraints,
+plContext),
+PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT);
+PKIX_CHECK(PKIX_PL_Malloc
+(sizeof (CERTNameConstraint *),
+(void *)&nssNameConstraintPtr,
+plContext),
+PKIX_MALLOCFAILED);
+nameConstraints->numNssNameConstraints = 1;
+nameConstraints->nssNameConstraintsList = nssNameConstraintPtr;
+*nssNameConstraintPtr = nssNameConstraints;
+nameConstraints->permittedList = NULL;
+nameConstraints->excludedList = NULL;
+nameConstraints->arena = NULL;
+*pNameConstraints = nameConstraints;
+cleanup:
+if (PKIX_ERROR_RECEIVED){
+PKIX_DECREF(nameConstraints);
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_Create
+*
+* DESCRIPTION:
+*  function that allocates and initialize the object CertNameConstraints.
+*
+* PARAMETERS
+*  "nssCert"
+*      Address of CERT that contains this object's data.
+*      Must be non-NULL.
+*  "pNameConstraints"
+*      Address where object pointer will be stored. Must be non-NULL.
+*      A NULL value will be returned if there is no Name Constraints extension.
+*  "plContext" - Platform-specific context pointer.
+*
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+*
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+PKIX_Error *
+pkix_pl_CertNameConstraints_Create(
+CERTCertificate *nssCert,
+PKIX_PL_CertNameConstraints **pNameConstraints,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+CERTNameConstraints *nssNameConstraints = NULL;
+PLArenaPool *arena = NULL;
+SECStatus status;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create");
+PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena);
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
+arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+if (arena == NULL) {
+PKIX_ERROR(PKIX_OUTOFMEMORY);
+}
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_FindNameConstraintsExten\n");
+status = CERT_FindNameConstraintsExten
+(arena, nssCert, &nssNameConstraints);
+if (status != SECSuccess) {
+PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED);
+}
+if (nssNameConstraints == NULL) {
+*pNameConstraints = NULL;
+if (arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(arena, PR_FALSE);
+}
+goto cleanup;
+}
+PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
+(nssNameConstraints, &nameConstraints, plContext),
+PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
+nameConstraints->arena = arena;
+*pNameConstraints = nameConstraints;
+cleanup:
+if (PKIX_ERROR_RECEIVED){
+if (arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(arena, PR_FALSE);
+}
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge
+*
+* DESCRIPTION:
+*
+*  This function allocates and creates a PKIX_PL_NameConstraint object
+*  for merging. It also allocates CERTNameConstraints data space for the
+*  merged NSS NameConstraints data.
+*
+* PARAMETERS
+*  "pNameConstraints"
+*      Address where object pointer will be stored and returned.
+*      Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+*
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+*
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_CreateByMerge(
+PKIX_PL_CertNameConstraints **pNameConstraints,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+CERTNameConstraints *nssNameConstraints = NULL;
+PLArenaPool *arena = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_CreateByMerge");
+PKIX_NULLCHECK_ONE(pNameConstraints);
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
+arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+if (arena == NULL) {
+PKIX_ERROR(PKIX_OUTOFMEMORY);
+}
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
+nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
+if (nssNameConstraints == NULL) {
+PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+}
+nssNameConstraints->permited = NULL;
+nssNameConstraints->excluded = NULL;
+nssNameConstraints->DERPermited = NULL;
+nssNameConstraints->DERExcluded = NULL;
+PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
+(nssNameConstraints, &nameConstraints, plContext),
+PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
+nameConstraints->arena = arena;
+*pNameConstraints = nameConstraints;
+cleanup:
+if (PKIX_ERROR_RECEIVED){
+if (arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(arena, PR_FALSE);
+}
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints
+*
+* DESCRIPTION:
+*
+*  This function allocates and copies data to a NSS CERTNameConstraints from
+*  the NameConstraints given by "srcNC" and stores the result at "pDestNC". It
+*  copies items on both the permitted and excluded lists, but not the
+*  DERPermited and DERExcluded.
+*
+* PARAMETERS
+*  "arena"
+*      Memory pool where object data is allocated from. Must be non-NULL.
+*  "srcNC"
+*      Address of the NameConstraints to copy from. Must be non-NULL.
+*  "pDestNC"
+*      Address where new copied object is stored and returned.
+*      Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+*
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+*
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+static PKIX_Error *
+pkix_pl_CertNameConstraints_CopyNssNameConstraints(
+PLArenaPool *arena,
+CERTNameConstraints *srcNC,
+CERTNameConstraints **pDestNC,
+void *plContext)
+{
+CERTNameConstraints *nssNameConstraints = NULL;
+CERTNameConstraint *nssNameConstraintHead = NULL;
+CERTNameConstraint *nssCurrent = NULL;
+CERTNameConstraint *nssCopyTo = NULL;
+CERTNameConstraint *nssCopyFrom = NULL;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"pkix_pl_CertNameConstraints_CopyNssNameConstraints");
+PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC);
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
+nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
+if (nssNameConstraints == NULL) {
+PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+}
+if (srcNC->permited) {
+nssCopyFrom = srcNC->permited;
+do {
+nssCopyTo = NULL;
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_CopyNameConstraint).\n");
+nssCopyTo = CERT_CopyNameConstraint
+(arena, nssCopyTo, nssCopyFrom);
+if (nssCopyTo == NULL) {
+PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
+}
+if (nssCurrent == NULL) {
+nssCurrent = nssNameConstraintHead = nssCopyTo;
+} else {
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_AddNameConstraint).\n");
+nssCurrent = CERT_AddNameConstraint
+(nssCurrent, nssCopyTo);
+}
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_GetNextNameConstrain).\n");
+nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
+} while (nssCopyFrom != srcNC->permited);
+nssNameConstraints->permited = nssNameConstraintHead;
+}
+if (srcNC->excluded) {
+nssCurrent = NULL;
+nssCopyFrom = srcNC->excluded;
+do {
+/*
+* Cannot use CERT_DupGeneralNameList, which just increments
+* refcount. We need our own copy since arena is for each
+* PKIX_PL_NameConstraints. Perhaps contribute this code
+* as CERT_CopyGeneralNameList (in the future).
+*/
+nssCopyTo = NULL;
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_CopyNameConstraint).\n");
+nssCopyTo = CERT_CopyNameConstraint
+(arena, nssCopyTo, nssCopyFrom);
+if (nssCopyTo == NULL) {
+PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
+}
+if (nssCurrent == NULL) {
+nssCurrent = nssNameConstraintHead = nssCopyTo;
+} else {
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_AddNameConstraint).\n");
+nssCurrent = CERT_AddNameConstraint
+(nssCurrent, nssCopyTo);
+}
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_GetNextNameConstrain).\n");
+nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
+} while (nssCopyFrom != srcNC->excluded);
+nssNameConstraints->excluded = nssNameConstraintHead;
+}
+*pDestNC = nssNameConstraints;
+cleanup:
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/*
+* FUNCTION: pkix_pl_CertNameConstraints_Merge
+*
+* DESCRIPTION:
+*
+*  This function merges two NameConstraints pointed to by "firstNC" and
+*  "secondNC" and stores the result in "pMergedNC".
+*
+* PARAMETERS
+*  "firstNC"
+*      Address of the first NameConstraints to be merged. Must be non-NULL.
+*  "secondNC"
+*      Address of the second NameConstraints to be merged. Must be non-NULL.
+*  "pMergedNC"
+*      Address where the merge result is stored and returned. Must be non-NULL.
+*  "plContext" - Platform-specific context pointer.
+*
+* THREAD SAFETY:
+*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+*
+* RETURNS:
+*  Returns NULL if the function succeeds.
+*  Returns a NameConstraints Error if the function fails in a non-fatal way.
+*  Returns a Fatal Error if the function fails in an unrecoverable way.
+*/
+PKIX_Error *
+pkix_pl_CertNameConstraints_Merge(
+PKIX_PL_CertNameConstraints *firstNC,
+PKIX_PL_CertNameConstraints *secondNC,
+PKIX_PL_CertNameConstraints **pMergedNC,
+void *plContext)
+{
+PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+CERTNameConstraints **nssNCto = NULL;
+CERTNameConstraints **nssNCfrom = NULL;
+CERTNameConstraints *nssNameConstraints = NULL;
+PKIX_UInt32 numNssItems = 0;
+PKIX_UInt32 i;
+PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge");
+PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC);
+PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge
+(&nameConstraints, plContext),
+PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED);
+/* Merge NSSCertConstraint lists */
+numNssItems = firstNC->numNssNameConstraints +
+secondNC->numNssNameConstraints;
+/* Free the default space (only one entry) allocated by create */
+PKIX_CHECK(PKIX_PL_Free
+(nameConstraints->nssNameConstraintsList, plContext),
+PKIX_FREEFAILED);
+/* Reallocate the size we need */
+PKIX_CHECK(PKIX_PL_Malloc
+(numNssItems * sizeof (CERTNameConstraint *),
+(void *)&nssNCto,
+plContext),
+PKIX_MALLOCFAILED);
+nameConstraints->nssNameConstraintsList = nssNCto;
+nssNCfrom = firstNC->nssNameConstraintsList;
+for (i = 0; i < firstNC->numNssNameConstraints; i++) {
+PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
+(nameConstraints->arena,
+*nssNCfrom,
+&nssNameConstraints,
+plContext),
+PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
+*nssNCto = nssNameConstraints;
+nssNCto++;
+nssNCfrom++;
+}
+nssNCfrom = secondNC->nssNameConstraintsList;
+for (i = 0; i < secondNC->numNssNameConstraints; i++) {
+PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
+(nameConstraints->arena,
+*nssNCfrom,
+&nssNameConstraints,
+plContext),
+PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
+*nssNCto = nssNameConstraints;
+nssNCto++;
+nssNCfrom++;
+}
+nameConstraints->numNssNameConstraints = numNssItems;
+nameConstraints->permittedList = NULL;
+nameConstraints->excludedList = NULL;
+*pMergedNC = nameConstraints;
+cleanup:
+if (PKIX_ERROR_RECEIVED){
+PKIX_DECREF(nameConstraints);
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+/* --Public-NameConstraints-Functions-------------------------------- */
+/*
+* FUNCTION:  PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+* (see comments in pkix_pl_system.h)
+*/
+PKIX_Error *
+PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
+PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
+PKIX_PL_CertNameConstraints *nameConstraints,
+PKIX_Boolean *pCheckPass,
+void *plContext)
+{
+CERTNameConstraints **nssNameConstraintsList = NULL;
+CERTNameConstraints *nssNameConstraints = NULL;
+CERTGeneralName *nssMatchName = NULL;
+PLArenaPool *arena = NULL;
+PKIX_PL_GeneralName *name = NULL;
+PKIX_UInt32 numNameItems = 0;
+PKIX_UInt32 numNCItems = 0;
+PKIX_UInt32 i, j;
+SECStatus status = SECSuccess;
+PKIX_ENTER(CERTNAMECONSTRAINTS,
+"PKIX_PL_CertNameConstraints_CheckNamesInNameSpace");
+PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass);
+*pCheckPass = PKIX_TRUE;
+if (nameList != NULL) {
+PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
+arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+if (arena == NULL) {
+PKIX_ERROR(PKIX_OUTOFMEMORY);
+}
+nssNameConstraintsList =
+nameConstraints->nssNameConstraintsList;
+PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+numNCItems = nameConstraints->numNssNameConstraints;
+PKIX_CHECK(PKIX_List_GetLength
+(nameList, &numNameItems, plContext),
+PKIX_LISTGETLENGTHFAILED);
+for (i = 0; i < numNameItems; i++) {
+PKIX_CHECK(PKIX_List_GetItem
+(nameList,
+i,
+(PKIX_PL_Object **) &name,
+plContext),
+PKIX_LISTGETITEMFAILED);
+PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName
+(name, &nssMatchName, plContext),
+PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED);
+PKIX_DECREF(name);
+for (j = 0; j < numNCItems; j++) {
+nssNameConstraints = *(nssNameConstraintsList + j);
+PKIX_NULLCHECK_ONE(nssNameConstraints);
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling CERT_CheckNameSpace\n");
+status = CERT_CheckNameSpace
+(arena, nssNameConstraints, nssMatchName);
+if (status != SECSuccess) {
+break;
+}
+}
+if (status != SECSuccess) {
+break;
+}
+}
+}
+if (status == SECFailure) {
+*pCheckPass = PKIX_FALSE;
+}
+cleanup:
+if (arena){
+PKIX_CERTNAMECONSTRAINTS_DEBUG
+("\t\tCalling PORT_FreeArena).\n");
+PORT_FreeArena(arena, PR_FALSE);
+}
+PKIX_RETURN(CERTNAMECONSTRAINTS);
+}

Mercurial > trustbridge > nss-cmake-static

comparison nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c @ 0:1e5118fa0cb1