diff nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c	Mon Jul 28 10:47:06 2014 +0200
@@ -0,0 +1,306 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * pkix_basicconstraintschecker.c
+ *
+ * Functions for basic constraints validation
+ *
+ */
+
+#include "pkix_basicconstraintschecker.h"
+
+/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a basic constraints checker state */
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
+
+        state = (pkix_BasicConstraintsCheckerState *)object;
+
+        PKIX_DECREF(state->basicConstraintsOID);
+
+cleanup:
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                "pkix_BasicConstraintsCheckerState_RegisterSelf");
+
+        entry.description = "BasicConstraintsCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
+        entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new BasicConstraintsCheckerState using the number of certs in
+ *  the chain represented by "certsRemaining" and stores it at "pState".
+ *
+ * PARAMETERS:
+ *  "certsRemaining"
+ *      Number of certificates in the chain.
+ *  "pState"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a BasicConstraintsCheckerState Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Create(
+        PKIX_UInt32 certsRemaining,
+        pkix_BasicConstraintsCheckerState **pState,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Create");
+
+        PKIX_NULLCHECK_ONE(pState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
+                    sizeof (pkix_BasicConstraintsCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
+
+        /* initialize fields */
+        state->certsRemaining = certsRemaining;
+        state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_BASICCONSTRAINTS_OID,
+                    &state->basicConstraintsOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-BasicConstraintsChecker-Functions------------------------------ */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        pkix_BasicConstraintsCheckerState *state = NULL;
+        PKIX_Boolean caFlag = PKIX_FALSE;
+        PKIX_Int32 pathLength = 0;
+        PKIX_Int32 maxPathLength_now;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        state->certsRemaining--;
+
+        if (state->certsRemaining != 0) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                    (cert, &basicConstraints, plContext),
+                    PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+                /* get CA Flag and path length */
+                if (basicConstraints != NULL) {
+                        PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+                            (basicConstraints,
+                            &caFlag,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+                if (caFlag == PKIX_TRUE) {
+                        PKIX_CHECK
+                            (PKIX_PL_BasicConstraints_GetPathLenConstraint
+                            (basicConstraints,
+                            &pathLength,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+                }
+
+                }else{
+                        caFlag = PKIX_FALSE;
+                        pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+                }
+
+                PKIX_CHECK(pkix_IsCertSelfIssued
+                        (cert,
+                        &isSelfIssued,
+                        plContext),
+                        PKIX_ISCERTSELFISSUEDFAILED);
+
+                maxPathLength_now = state->maxPathLength;
+
+                if (isSelfIssued != PKIX_TRUE) {
+
+                    /* Not last CA Cert, but maxPathLength is down to zero */
+                    if (maxPathLength_now == 0) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
+                    }
+
+                    if (caFlag == PKIX_FALSE) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
+                    }
+
+                    if (maxPathLength_now > 0) { /* can be unlimited (-1) */
+                        maxPathLength_now--;
+                    }
+
+                }
+
+                if (caFlag == PKIX_TRUE) {
+                    if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
+                            maxPathLength_now = pathLength;
+                    } else {
+                            /* If pathLength is not specified, don't set */
+                        if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
+                            maxPathLength_now =
+                                    (maxPathLength_now > pathLength)?
+                                    pathLength:maxPathLength_now;
+                        }
+                    }
+                }
+
+                state->maxPathLength = maxPathLength_now;
+        }
+
+        /* Remove Basic Constraints Extension OID from list */
+        if (unresolvedCriticalExtensions != NULL) {
+
+                PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->basicConstraintsOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+        }
+
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+
+cleanup:
+        PKIX_DECREF(state);
+        PKIX_DECREF(basicConstraints);
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Initialize
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
+                    (certsRemaining, &state, plContext),
+                    PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_BasicConstraintsChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCHECKFAILED);
+
+cleanup:
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)