andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public
andre@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
andre@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
andre@0: /*
andre@0:  * pkix_namechainingchecker.c
andre@0:  *
andre@0:  * Functions for name chaining validation
andre@0:  *
andre@0:  */
andre@0: 
andre@0: 
andre@0: #include "pkix_namechainingchecker.h"
andre@0: 
andre@0: /* --Private-Functions-------------------------------------------- */
andre@0: 
andre@0: /*
andre@0:  * FUNCTION: pkix_NameChainingChecker_Check
andre@0:  * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
andre@0:  */
andre@0: PKIX_Error *
andre@0: pkix_NameChainingChecker_Check(
andre@0:         PKIX_CertChainChecker *checker,
andre@0:         PKIX_PL_Cert *cert,
andre@0:         PKIX_List *unresolvedCriticalExtensions,
andre@0:         void **pNBIOContext,
andre@0:         void *plContext)
andre@0: {
andre@0:         PKIX_PL_X500Name *prevSubject = NULL;
andre@0:         PKIX_PL_X500Name *currIssuer = NULL;
andre@0:         PKIX_PL_X500Name *currSubject = NULL;
andre@0:         PKIX_Boolean result;
andre@0: 
andre@0:         PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
andre@0:         PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
andre@0: 
andre@0:         *pNBIOContext = NULL; /* we never block on pending I/O */
andre@0: 
andre@0:         PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
andre@0:                     (checker, (PKIX_PL_Object **)&prevSubject, plContext),
andre@0:                     PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
andre@0: 
andre@0:         PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
andre@0:                     PKIX_CERTGETISSUERFAILED);
andre@0: 
andre@0:         if (prevSubject){
andre@0:                 PKIX_CHECK(PKIX_PL_X500Name_Match
andre@0:                             (prevSubject, currIssuer, &result, plContext),
andre@0:                             PKIX_X500NAMEMATCHFAILED);
andre@0:                 if (!result){
andre@0:                         PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
andre@0:                 }
andre@0:         } else {
andre@0:                 PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
andre@0:         }
andre@0: 
andre@0:         PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
andre@0:                     PKIX_CERTGETSUBJECTFAILED);
andre@0: 
andre@0:         PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
andre@0:                     (checker, (PKIX_PL_Object *)currSubject, plContext),
andre@0:                     PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
andre@0: 
andre@0: cleanup:
andre@0: 
andre@0:         PKIX_DECREF(prevSubject);
andre@0:         PKIX_DECREF(currIssuer);
andre@0:         PKIX_DECREF(currSubject);
andre@0: 
andre@0:         PKIX_RETURN(CERTCHAINCHECKER);
andre@0: 
andre@0: }
andre@0: 
andre@0: /*
andre@0:  * FUNCTION: pkix_NameChainingChecker_Initialize
andre@0:  * DESCRIPTION:
andre@0:  *
andre@0:  *  Creates a new CertChainChecker and stores it at "pChecker", where it will
andre@0:  *  be used by pkix_NameChainingChecker_Check to check that the issuer name
andre@0:  *  of the certificate matches the subject name in the checker's state. The
andre@0:  *  X500Name pointed to by "trustedCAName" is used to initialize the checker's
andre@0:  *  state.
andre@0:  *
andre@0:  * PARAMETERS:
andre@0:  *  "trustedCAName"
andre@0:  *      Address of X500Name representing the trusted CA Name used to
andre@0:  *      initialize the state of this checker. Must be non-NULL.
andre@0:  *  "pChecker"
andre@0:  *      Address where object pointer will be stored. Must be non-NULL.
andre@0:  *  "plContext"
andre@0:  *      Platform-specific context pointer.
andre@0:  * THREAD SAFETY:
andre@0:  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
andre@0:  * RETURNS:
andre@0:  *  Returns NULL if the function succeeds.
andre@0:  *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
andre@0:  *  Returns a Fatal Error if the function fails in an unrecoverable way.
andre@0:  */
andre@0: PKIX_Error *
andre@0: pkix_NameChainingChecker_Initialize(
andre@0:         PKIX_PL_X500Name *trustedCAName,
andre@0:         PKIX_CertChainChecker **pChecker,
andre@0:         void *plContext)
andre@0: {
andre@0:         PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");
andre@0:         PKIX_NULLCHECK_TWO(pChecker, trustedCAName);
andre@0: 
andre@0:         PKIX_CHECK(PKIX_CertChainChecker_Create
andre@0:                     (pkix_NameChainingChecker_Check,
andre@0:                     PKIX_FALSE,
andre@0:                     PKIX_FALSE,
andre@0:                     NULL,
andre@0:                     (PKIX_PL_Object *)trustedCAName,
andre@0:                     pChecker,
andre@0:                     plContext),
andre@0:                     PKIX_CERTCHAINCHECKERCREATEFAILED);
andre@0: 
andre@0: cleanup:
andre@0: 
andre@0:         PKIX_RETURN(CERTCHAINCHECKER);
andre@0: 
andre@0: }