andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public
andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this
andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
andre@0:
andre@0: /*
andre@0: * Moved from secpkcs7.c
andre@0: */
andre@0:
andre@0: #include "cert.h"
andre@0: #include "certi.h"
andre@0: #include "secder.h"
andre@0: #include "secasn1.h"
andre@0: #include "secoid.h"
andre@0: #include "certdb.h"
andre@0: #include "certxutl.h"
andre@0: #include "prtime.h"
andre@0: #include "secerr.h"
andre@0: #include "pk11func.h"
andre@0: #include "dev.h"
andre@0: #include "dev3hack.h"
andre@0: #include "nssbase.h"
andre@0: #if defined(DPC_RWLOCK) || defined(GLOBAL_RWLOCK)
andre@0: #include "nssrwlk.h"
andre@0: #endif
andre@0: #include "pk11priv.h"
andre@0:
andre@0: const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCertExtension) },
andre@0: { SEC_ASN1_OBJECT_ID,
andre@0: offsetof(CERTCertExtension,id) },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
andre@0: offsetof(CERTCertExtension,critical), },
andre@0: { SEC_ASN1_OCTET_STRING,
andre@0: offsetof(CERTCertExtension,value) },
andre@0: { 0, }
andre@0: };
andre@0:
andre@0: static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE_OF, 0, SEC_CERTExtensionTemplate}
andre@0: };
andre@0:
andre@0: /*
andre@0: * XXX Also, these templates need to be tested; Lisa did the obvious
andre@0: * translation but they still should be verified.
andre@0: */
andre@0:
andre@0: const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTIssuerAndSN) },
andre@0: { SEC_ASN1_SAVE,
andre@0: offsetof(CERTIssuerAndSN,derIssuer) },
andre@0: { SEC_ASN1_INLINE,
andre@0: offsetof(CERTIssuerAndSN,issuer),
andre@0: CERT_NameTemplate },
andre@0: { SEC_ASN1_INTEGER,
andre@0: offsetof(CERTIssuerAndSN,serialNumber) },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
andre@0: SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
andre@0:
andre@0: static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCrlKey) },
andre@0: { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
andre@0: { SEC_ASN1_SKIP },
andre@0: { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
andre@0: { SEC_ASN1_SKIP_REST },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCrlEntry) },
andre@0: { SEC_ASN1_INTEGER,
andre@0: offsetof(CERTCrlEntry,serialNumber) },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrlEntry,revocationDate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
andre@0: offsetof(CERTCrlEntry, extensions),
andre@0: SEC_CERTExtensionTemplate},
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: const SEC_ASN1Template CERT_CrlTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCrl) },
andre@0: { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,signatureAlg),
andre@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate)},
andre@0: { SEC_ASN1_SAVE,
andre@0: offsetof(CERTCrl,derName) },
andre@0: { SEC_ASN1_INLINE,
andre@0: offsetof(CERTCrl,name),
andre@0: CERT_NameTemplate },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,lastUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,nextUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
andre@0: offsetof(CERTCrl,entries),
andre@0: cert_CrlEntryTemplate },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
andre@0: SEC_ASN1_EXPLICIT | 0,
andre@0: offsetof(CERTCrl,extensions),
andre@0: SEC_CERTExtensionsTemplate},
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCrl) },
andre@0: { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,signatureAlg),
andre@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
andre@0: { SEC_ASN1_SAVE,
andre@0: offsetof(CERTCrl,derName) },
andre@0: { SEC_ASN1_INLINE,
andre@0: offsetof(CERTCrl,name),
andre@0: CERT_NameTemplate },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,lastUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,nextUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF |
andre@0: SEC_ASN1_SKIP }, /* skip entries */
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
andre@0: SEC_ASN1_EXPLICIT | 0,
andre@0: offsetof(CERTCrl,extensions),
andre@0: SEC_CERTExtensionsTemplate },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: const SEC_ASN1Template CERT_CrlTemplateEntriesOnly[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTCrl) },
andre@0: { SEC_ASN1_SKIP | SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL },
andre@0: { SEC_ASN1_SKIP },
andre@0: { SEC_ASN1_SKIP },
andre@0: { SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,lastUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
andre@0: offsetof(CERTCrl,nextUpdate),
andre@0: SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
andre@0: { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
andre@0: offsetof(CERTCrl,entries),
andre@0: cert_CrlEntryTemplate }, /* decode entries */
andre@0: { SEC_ASN1_SKIP_REST },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: const SEC_ASN1Template CERT_SignedCrlTemplate[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTSignedCrl) },
andre@0: { SEC_ASN1_SAVE,
andre@0: offsetof(CERTSignedCrl,signatureWrap.data) },
andre@0: { SEC_ASN1_INLINE,
andre@0: offsetof(CERTSignedCrl,crl),
andre@0: CERT_CrlTemplate },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN ,
andre@0: offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
andre@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
andre@0: { SEC_ASN1_BIT_STRING,
andre@0: offsetof(CERTSignedCrl,signatureWrap.signature) },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: static const SEC_ASN1Template cert_SignedCrlTemplateNoEntries[] = {
andre@0: { SEC_ASN1_SEQUENCE,
andre@0: 0, NULL, sizeof(CERTSignedCrl) },
andre@0: { SEC_ASN1_SAVE,
andre@0: offsetof(CERTSignedCrl,signatureWrap.data) },
andre@0: { SEC_ASN1_INLINE,
andre@0: offsetof(CERTSignedCrl,crl),
andre@0: CERT_CrlTemplateNoEntries },
andre@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
andre@0: offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
andre@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
andre@0: { SEC_ASN1_BIT_STRING,
andre@0: offsetof(CERTSignedCrl,signatureWrap.signature) },
andre@0: { 0 }
andre@0: };
andre@0:
andre@0: const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
andre@0: { SEC_ASN1_SET_OF, 0, CERT_SignedCrlTemplate },
andre@0: };
andre@0:
andre@0: /* get CRL version */
andre@0: int cert_get_crl_version(CERTCrl * crl)
andre@0: {
andre@0: /* CRL version is defaulted to v1 */
andre@0: int version = SEC_CRL_VERSION_1;
andre@0: if (crl && crl->version.data != 0) {
andre@0: version = (int)DER_GetUInteger (&crl->version);
andre@0: }
andre@0: return version;
andre@0: }
andre@0:
andre@0:
andre@0: /* check the entries in the CRL */
andre@0: SECStatus cert_check_crl_entries (CERTCrl *crl)
andre@0: {
andre@0: CERTCrlEntry **entries;
andre@0: CERTCrlEntry *entry;
andre@0: PRBool hasCriticalExten = PR_FALSE;
andre@0: SECStatus rv = SECSuccess;
andre@0:
andre@0: if (!crl) {
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: if (crl->entries == NULL) {
andre@0: /* CRLs with no entries are valid */
andre@0: return (SECSuccess);
andre@0: }
andre@0:
andre@0: /* Look in the crl entry extensions. If there is a critical extension,
andre@0: then the crl version must be v2; otherwise, it should be v1.
andre@0: */
andre@0: entries = crl->entries;
andre@0: while (*entries) {
andre@0: entry = *entries;
andre@0: if (entry->extensions) {
andre@0: /* If there is a critical extension in the entries, then the
andre@0: CRL must be of version 2. If we already saw a critical extension,
andre@0: there is no need to check the version again.
andre@0: */
andre@0: if (hasCriticalExten == PR_FALSE) {
andre@0: hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
andre@0: if (hasCriticalExten) {
andre@0: if (cert_get_crl_version(crl) != SEC_CRL_VERSION_2) {
andre@0: /* only CRL v2 critical extensions are supported */
andre@0: PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
andre@0: rv = SECFailure;
andre@0: break;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: /* For each entry, make sure that it does not contain an unknown
andre@0: critical extension. If it does, we must reject the CRL since
andre@0: we don't know how to process the extension.
andre@0: */
andre@0: if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
andre@0: PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
andre@0: rv = SECFailure;
andre@0: break;
andre@0: }
andre@0: }
andre@0: ++entries;
andre@0: }
andre@0: return(rv);
andre@0: }
andre@0:
andre@0: /* Check the version of the CRL. If there is a critical extension in the crl
andre@0: or crl entry, then the version must be v2. Otherwise, it should be v1. If
andre@0: the crl contains critical extension(s), then we must recognized the
andre@0: extension's OID.
andre@0: */
andre@0: SECStatus cert_check_crl_version (CERTCrl *crl)
andre@0: {
andre@0: PRBool hasCriticalExten = PR_FALSE;
andre@0: int version = cert_get_crl_version(crl);
andre@0:
andre@0: if (version > SEC_CRL_VERSION_2) {
andre@0: PORT_SetError (SEC_ERROR_CRL_INVALID_VERSION);
andre@0: return (SECFailure);
andre@0: }
andre@0:
andre@0: /* Check the crl extensions for a critial extension. If one is found,
andre@0: and the version is not v2, then we are done.
andre@0: */
andre@0: if (crl->extensions) {
andre@0: hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
andre@0: if (hasCriticalExten) {
andre@0: if (version != SEC_CRL_VERSION_2) {
andre@0: /* only CRL v2 critical extensions are supported */
andre@0: PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
andre@0: return (SECFailure);
andre@0: }
andre@0: /* make sure that there is no unknown critical extension */
andre@0: if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
andre@0: PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
andre@0: return (SECFailure);
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: return (SECSuccess);
andre@0: }
andre@0:
andre@0: /*
andre@0: * Generate a database key, based on the issuer name from a
andre@0: * DER crl.
andre@0: */
andre@0: SECStatus
andre@0: CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key)
andre@0: {
andre@0: SECStatus rv;
andre@0: CERTSignedData sd;
andre@0: CERTCrlKey crlkey;
andre@0: PLArenaPool* myArena;
andre@0:
andre@0: if (!arena) {
andre@0: /* arena needed for QuickDER */
andre@0: myArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: } else {
andre@0: myArena = arena;
andre@0: }
andre@0: PORT_Memset (&sd, 0, sizeof (sd));
andre@0: rv = SEC_QuickDERDecodeItem (myArena, &sd, CERT_SignedDataTemplate, derCrl);
andre@0: if (SECSuccess == rv) {
andre@0: PORT_Memset (&crlkey, 0, sizeof (crlkey));
andre@0: rv = SEC_QuickDERDecodeItem(myArena, &crlkey, cert_CrlKeyTemplate, &sd.data);
andre@0: }
andre@0:
andre@0: /* make a copy so the data doesn't point to memory inside derCrl, which
andre@0: may be temporary */
andre@0: if (SECSuccess == rv) {
andre@0: rv = SECITEM_CopyItem(arena, key, &crlkey.derName);
andre@0: }
andre@0:
andre@0: if (myArena != arena) {
andre@0: PORT_FreeArena(myArena, PR_FALSE);
andre@0: }
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: #define GetOpaqueCRLFields(x) ((OpaqueCRLFields*)x->opaque)
andre@0:
andre@0: SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: SECItem* crldata = NULL;
andre@0: OpaqueCRLFields* extended = NULL;
andre@0:
andre@0: if ( (!crl) ||
andre@0: (!(extended = (OpaqueCRLFields*) crl->opaque)) ||
andre@0: (PR_TRUE == extended->decodingError) ) {
andre@0: rv = SECFailure;
andre@0: } else {
andre@0: if (PR_FALSE == extended->partial) {
andre@0: /* the CRL has already been fully decoded */
andre@0: return SECSuccess;
andre@0: }
andre@0: if (PR_TRUE == extended->badEntries) {
andre@0: /* the entries decoding already failed */
andre@0: return SECFailure;
andre@0: }
andre@0: crldata = &crl->signatureWrap.data;
andre@0: if (!crldata) {
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv) {
andre@0: rv = SEC_QuickDERDecodeItem(crl->arena,
andre@0: &crl->crl,
andre@0: CERT_CrlTemplateEntriesOnly,
andre@0: crldata);
andre@0: if (SECSuccess == rv) {
andre@0: extended->partial = PR_FALSE; /* successful decode, avoid
andre@0: decoding again */
andre@0: } else {
andre@0: extended->decodingError = PR_TRUE;
andre@0: extended->badEntries = PR_TRUE;
andre@0: /* cache the decoding failure. If it fails the first time,
andre@0: it will fail again, which will grow the arena and leak
andre@0: memory, so we want to avoid it */
andre@0: }
andre@0: rv = cert_check_crl_entries(&crl->crl);
andre@0: if (rv != SECSuccess) {
andre@0: extended->badExtensions = PR_TRUE;
andre@0: }
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /*
andre@0: * take a DER CRL and decode it into a CRL structure
andre@0: * allow reusing the input DER without making a copy
andre@0: */
andre@0: CERTSignedCrl *
andre@0: CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
andre@0: int type, PRInt32 options)
andre@0: {
andre@0: PLArenaPool *arena;
andre@0: CERTSignedCrl *crl;
andre@0: SECStatus rv;
andre@0: OpaqueCRLFields* extended = NULL;
andre@0: const SEC_ASN1Template* crlTemplate = CERT_SignedCrlTemplate;
andre@0: PRInt32 testOptions = options;
andre@0:
andre@0: PORT_Assert(derSignedCrl);
andre@0: if (!derSignedCrl) {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: /* Adopting DER requires not copying it. Code that sets ADOPT flag
andre@0: * but doesn't set DONT_COPY probably doesn't know What it is doing.
andre@0: * That condition is a programming error in the caller.
andre@0: */
andre@0: testOptions &= (CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_DONT_COPY_DER);
andre@0: PORT_Assert(testOptions != CRL_DECODE_ADOPT_HEAP_DER);
andre@0: if (testOptions == CRL_DECODE_ADOPT_HEAP_DER) {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: /* make a new arena if needed */
andre@0: if (narena == NULL) {
andre@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: if ( !arena ) {
andre@0: return NULL;
andre@0: }
andre@0: } else {
andre@0: arena = narena;
andre@0: }
andre@0:
andre@0: /* allocate the CRL structure */
andre@0: crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
andre@0: if ( !crl ) {
andre@0: PORT_SetError(SEC_ERROR_NO_MEMORY);
andre@0: goto loser;
andre@0: }
andre@0:
andre@0: crl->arena = arena;
andre@0:
andre@0: /* allocate opaque fields */
andre@0: crl->opaque = (void*)PORT_ArenaZAlloc(arena, sizeof(OpaqueCRLFields));
andre@0: if ( !crl->opaque ) {
andre@0: goto loser;
andre@0: }
andre@0: extended = (OpaqueCRLFields*) crl->opaque;
andre@0: if (options & CRL_DECODE_ADOPT_HEAP_DER) {
andre@0: extended->heapDER = PR_TRUE;
andre@0: }
andre@0: if (options & CRL_DECODE_DONT_COPY_DER) {
andre@0: crl->derCrl = derSignedCrl; /* DER is not copied . The application
andre@0: must keep derSignedCrl until it
andre@0: destroys the CRL */
andre@0: } else {
andre@0: crl->derCrl = (SECItem *)PORT_ArenaZAlloc(arena,sizeof(SECItem));
andre@0: if (crl->derCrl == NULL) {
andre@0: goto loser;
andre@0: }
andre@0: rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
andre@0: if (rv != SECSuccess) {
andre@0: goto loser;
andre@0: }
andre@0: }
andre@0:
andre@0: /* Save the arena in the inner crl for CRL extensions support */
andre@0: crl->crl.arena = arena;
andre@0: if (options & CRL_DECODE_SKIP_ENTRIES) {
andre@0: crlTemplate = cert_SignedCrlTemplateNoEntries;
andre@0: extended->partial = PR_TRUE;
andre@0: }
andre@0:
andre@0: /* decode the CRL info */
andre@0: switch (type) {
andre@0: case SEC_CRL_TYPE:
andre@0: rv = SEC_QuickDERDecodeItem(arena, crl, crlTemplate, crl->derCrl);
andre@0: if (rv != SECSuccess) {
andre@0: extended->badDER = PR_TRUE;
andre@0: break;
andre@0: }
andre@0: /* check for critical extensions */
andre@0: rv = cert_check_crl_version (&crl->crl);
andre@0: if (rv != SECSuccess) {
andre@0: extended->badExtensions = PR_TRUE;
andre@0: break;
andre@0: }
andre@0:
andre@0: if (PR_TRUE == extended->partial) {
andre@0: /* partial decoding, don't verify entries */
andre@0: break;
andre@0: }
andre@0:
andre@0: rv = cert_check_crl_entries(&crl->crl);
andre@0: if (rv != SECSuccess) {
andre@0: extended->badExtensions = PR_TRUE;
andre@0: }
andre@0:
andre@0: break;
andre@0:
andre@0: default:
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: rv = SECFailure;
andre@0: break;
andre@0: }
andre@0:
andre@0: if (rv != SECSuccess) {
andre@0: goto loser;
andre@0: }
andre@0:
andre@0: crl->referenceCount = 1;
andre@0:
andre@0: return(crl);
andre@0:
andre@0: loser:
andre@0: if (options & CRL_DECODE_KEEP_BAD_CRL) {
andre@0: if (extended) {
andre@0: extended->decodingError = PR_TRUE;
andre@0: }
andre@0: if (crl) {
andre@0: crl->referenceCount = 1;
andre@0: return(crl);
andre@0: }
andre@0: }
andre@0:
andre@0: if ((narena == NULL) && arena ) {
andre@0: PORT_FreeArena(arena, PR_FALSE);
andre@0: }
andre@0:
andre@0: return(0);
andre@0: }
andre@0:
andre@0: /*
andre@0: * take a DER CRL and decode it into a CRL structure
andre@0: */
andre@0: CERTSignedCrl *
andre@0: CERT_DecodeDERCrl(PLArenaPool *narena, SECItem *derSignedCrl, int type)
andre@0: {
andre@0: return CERT_DecodeDERCrlWithFlags(narena, derSignedCrl, type,
andre@0: CRL_DECODE_DEFAULT_OPTIONS);
andre@0: }
andre@0:
andre@0: /*
andre@0: * Lookup a CRL in the databases. We mirror the same fast caching data base
andre@0: * caching stuff used by certificates....?
andre@0: * return values :
andre@0: *
andre@0: * SECSuccess means we got a valid decodable DER CRL, or no CRL at all.
andre@0: * Caller may distinguish those cases by the value returned in "decoded".
andre@0: * When DER CRL is not found, error code will be SEC_ERROR_CRL_NOT_FOUND.
andre@0: *
andre@0: * SECFailure means we got a fatal error - most likely, we found a CRL,
andre@0: * and it failed decoding, or there was an out of memory error. Do NOT ignore
andre@0: * it and specifically do NOT treat it the same as having no CRL, as this
andre@0: * can compromise security !!! Ideally, you should treat this case as if you
andre@0: * received a "catch-all" CRL where all certs you were looking up are
andre@0: * considered to be revoked
andre@0: */
andre@0: static SECStatus
andre@0: SEC_FindCrlByKeyOnSlot(PK11SlotInfo *slot, SECItem *crlKey, int type,
andre@0: CERTSignedCrl** decoded, PRInt32 decodeoptions)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: CERTSignedCrl *crl = NULL;
andre@0: SECItem *derCrl = NULL;
andre@0: CK_OBJECT_HANDLE crlHandle = 0;
andre@0: char *url = NULL;
andre@0:
andre@0: PORT_Assert(decoded);
andre@0: if (!decoded) {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: derCrl = PK11_FindCrlByName(&slot, &crlHandle, crlKey, type, &url);
andre@0: if (derCrl == NULL) {
andre@0: /* if we had a problem other than the CRL just didn't exist, return
andre@0: * a failure to the upper level */
andre@0: int nsserror = PORT_GetError();
andre@0: if (nsserror != SEC_ERROR_CRL_NOT_FOUND) {
andre@0: rv = SECFailure;
andre@0: }
andre@0: goto loser;
andre@0: }
andre@0: PORT_Assert(crlHandle != CK_INVALID_HANDLE);
andre@0: /* PK11_FindCrlByName obtained a slot reference. */
andre@0:
andre@0: /* derCRL is a fresh HEAP copy made for us by PK11_FindCrlByName.
andre@0: Force adoption of the DER CRL from the heap - this will cause it
andre@0: to be automatically freed when SEC_DestroyCrl is invoked */
andre@0: decodeoptions |= (CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_DONT_COPY_DER);
andre@0:
andre@0: crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, type, decodeoptions);
andre@0: if (crl) {
andre@0: crl->slot = slot;
andre@0: slot = NULL; /* adopt it */
andre@0: derCrl = NULL; /* adopted by the crl struct */
andre@0: crl->pkcs11ID = crlHandle;
andre@0: if (url) {
andre@0: crl->url = PORT_ArenaStrdup(crl->arena,url);
andre@0: }
andre@0: } else {
andre@0: rv = SECFailure;
andre@0: }
andre@0:
andre@0: if (url) {
andre@0: PORT_Free(url);
andre@0: }
andre@0:
andre@0: if (slot) {
andre@0: PK11_FreeSlot(slot);
andre@0: }
andre@0:
andre@0: loser:
andre@0: if (derCrl) {
andre@0: SECITEM_FreeItem(derCrl, PR_TRUE);
andre@0: }
andre@0:
andre@0: *decoded = crl;
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0:
andre@0: CERTSignedCrl *
andre@0: crl_storeCRL (PK11SlotInfo *slot,char *url,
andre@0: CERTSignedCrl *newCrl, SECItem *derCrl, int type)
andre@0: {
andre@0: CERTSignedCrl *oldCrl = NULL, *crl = NULL;
andre@0: PRBool deleteOldCrl = PR_FALSE;
andre@0: CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
andre@0: SECStatus rv;
andre@0:
andre@0: PORT_Assert(newCrl);
andre@0: PORT_Assert(derCrl);
andre@0: PORT_Assert(type == SEC_CRL_TYPE);
andre@0:
andre@0: if (type != SEC_CRL_TYPE) {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: /* we can't use the cache here because we must look in the same
andre@0: token */
andre@0: rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
andre@0: &oldCrl, CRL_DECODE_SKIP_ENTRIES);
andre@0: /* if there is an old crl on the token, make sure the one we are
andre@0: installing is newer. If not, exit out, otherwise delete the
andre@0: old crl.
andre@0: */
andre@0: if (oldCrl != NULL) {
andre@0: /* if it's already there, quietly continue */
andre@0: if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl)
andre@0: == SECEqual) {
andre@0: crl = newCrl;
andre@0: crl->slot = PK11_ReferenceSlot(slot);
andre@0: crl->pkcs11ID = oldCrl->pkcs11ID;
andre@0: if (oldCrl->url && !url)
andre@0: url = oldCrl->url;
andre@0: if (url)
andre@0: crl->url = PORT_ArenaStrdup(crl->arena, url);
andre@0: goto done;
andre@0: }
andre@0: if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
andre@0: PORT_SetError(SEC_ERROR_OLD_CRL);
andre@0: goto done;
andre@0: }
andre@0:
andre@0: /* if we have a url in the database, use that one */
andre@0: if (oldCrl->url && !url) {
andre@0: url = oldCrl->url;
andre@0: }
andre@0:
andre@0: /* really destroy this crl */
andre@0: /* first drum it out of the permanment Data base */
andre@0: deleteOldCrl = PR_TRUE;
andre@0: }
andre@0:
andre@0: /* invalidate CRL cache for this issuer */
andre@0: CERT_CRLCacheRefreshIssuer(NULL, &newCrl->crl.derName);
andre@0: /* Write the new entry into the data base */
andre@0: crlHandle = PK11_PutCrl(slot, derCrl, &newCrl->crl.derName, url, type);
andre@0: if (crlHandle != CK_INVALID_HANDLE) {
andre@0: crl = newCrl;
andre@0: crl->slot = PK11_ReferenceSlot(slot);
andre@0: crl->pkcs11ID = crlHandle;
andre@0: if (url) {
andre@0: crl->url = PORT_ArenaStrdup(crl->arena,url);
andre@0: }
andre@0: }
andre@0:
andre@0: done:
andre@0: if (oldCrl) {
andre@0: if (deleteOldCrl && crlHandle != CK_INVALID_HANDLE) {
andre@0: SEC_DeletePermCRL(oldCrl);
andre@0: }
andre@0: SEC_DestroyCrl(oldCrl);
andre@0: }
andre@0:
andre@0: return crl;
andre@0: }
andre@0:
andre@0: /*
andre@0: *
andre@0: * create a new CRL from DER material.
andre@0: *
andre@0: * The signature on this CRL must be checked before you
andre@0: * load it. ???
andre@0: */
andre@0: CERTSignedCrl *
andre@0: SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
andre@0: {
andre@0: CERTSignedCrl* retCrl = NULL;
andre@0: PK11SlotInfo* slot = PK11_GetInternalKeySlot();
andre@0: retCrl = PK11_ImportCRL(slot, derCrl, url, type, NULL,
andre@0: CRL_IMPORT_BYPASS_CHECKS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
andre@0: PK11_FreeSlot(slot);
andre@0:
andre@0: return retCrl;
andre@0: }
andre@0:
andre@0: CERTSignedCrl *
andre@0: SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
andre@0: {
andre@0: PLArenaPool *arena;
andre@0: SECItem crlKey;
andre@0: SECStatus rv;
andre@0: CERTSignedCrl *crl = NULL;
andre@0:
andre@0: /* create a scratch arena */
andre@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: if ( arena == NULL ) {
andre@0: return(NULL);
andre@0: }
andre@0:
andre@0: /* extract the database key from the cert */
andre@0: rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
andre@0: if ( rv != SECSuccess ) {
andre@0: goto loser;
andre@0: }
andre@0:
andre@0: /* find the crl */
andre@0: crl = SEC_FindCrlByName(handle, &crlKey, type);
andre@0:
andre@0: loser:
andre@0: PORT_FreeArena(arena, PR_FALSE);
andre@0: return(crl);
andre@0: }
andre@0:
andre@0: CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl)
andre@0: {
andre@0: if (acrl)
andre@0: {
andre@0: PR_ATOMIC_INCREMENT(&acrl->referenceCount);
andre@0: return acrl;
andre@0: }
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: SECStatus
andre@0: SEC_DestroyCrl(CERTSignedCrl *crl)
andre@0: {
andre@0: if (crl) {
andre@0: if (PR_ATOMIC_DECREMENT(&crl->referenceCount) < 1) {
andre@0: if (crl->slot) {
andre@0: PK11_FreeSlot(crl->slot);
andre@0: }
andre@0: if (GetOpaqueCRLFields(crl) &&
andre@0: PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) {
andre@0: SECITEM_FreeItem(crl->derCrl, PR_TRUE);
andre@0: }
andre@0: if (crl->arena) {
andre@0: PORT_FreeArena(crl->arena, PR_FALSE);
andre@0: }
andre@0: }
andre@0: return SECSuccess;
andre@0: } else {
andre@0: return SECFailure;
andre@0: }
andre@0: }
andre@0:
andre@0: SECStatus
andre@0: SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
andre@0: {
andre@0: CERTCrlHeadNode *head;
andre@0: PLArenaPool *arena = NULL;
andre@0: SECStatus rv;
andre@0:
andre@0: *nodes = NULL;
andre@0:
andre@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: if ( arena == NULL ) {
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* build a head structure */
andre@0: head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
andre@0: head->arena = arena;
andre@0: head->first = NULL;
andre@0: head->last = NULL;
andre@0: head->dbhandle = handle;
andre@0:
andre@0: /* Look up the proper crl types */
andre@0: *nodes = head;
andre@0:
andre@0: rv = PK11_LookupCrls(head, type, NULL);
andre@0:
andre@0: if (rv != SECSuccess) {
andre@0: if ( arena ) {
andre@0: PORT_FreeArena(arena, PR_FALSE);
andre@0: *nodes = NULL;
andre@0: }
andre@0: }
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* These functions simply return the address of the above-declared templates.
andre@0: ** This is necessary for Windows DLLs. Sigh.
andre@0: */
andre@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
andre@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
andre@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedCrlTemplate)
andre@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
andre@0:
andre@0: /* CRL cache code starts here */
andre@0:
andre@0: /* constructor */
andre@0: static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
andre@0: CRLOrigin origin);
andre@0: /* destructor */
andre@0: static SECStatus CachedCrl_Destroy(CachedCrl* crl);
andre@0:
andre@0: /* create hash table of CRL entries */
andre@0: static SECStatus CachedCrl_Populate(CachedCrl* crlobject);
andre@0:
andre@0: /* empty the cache content */
andre@0: static SECStatus CachedCrl_Depopulate(CachedCrl* crl);
andre@0:
andre@0: /* are these CRLs the same, as far as the cache is concerned ?
andre@0: Or are they the same token object, but with different DER ? */
andre@0:
andre@0: static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
andre@0: PRBool* isUpdated);
andre@0:
andre@0: /* create a DPCache object */
andre@0: static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
andre@0: const SECItem* subject, SECItem* dp);
andre@0:
andre@0: /* destructor for CRL DPCache object */
andre@0: static SECStatus DPCache_Destroy(CRLDPCache* cache);
andre@0:
andre@0: /* add a new CRL object to the dynamic array of CRLs of the DPCache, and
andre@0: returns the cached CRL object . Needs write access to DPCache. */
andre@0: static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* crl,
andre@0: PRBool* added);
andre@0:
andre@0: /* fetch the CRL for this DP from the PKCS#11 tokens */
andre@0: static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate,
andre@0: void* wincx);
andre@0:
andre@0: /* update the content of the CRL cache, including fetching of CRLs, and
andre@0: reprocessing with specified issuer and date */
andre@0: static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate* issuer,
andre@0: PRBool readlocked, PRTime vfdate, void* wincx);
andre@0:
andre@0: /* returns true if there are CRLs from PKCS#11 slots */
andre@0: static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache);
andre@0:
andre@0: /* remove CRL at offset specified */
andre@0: static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset);
andre@0:
andre@0: /* Pick best CRL to use . needs write access */
andre@0: static SECStatus DPCache_SelectCRL(CRLDPCache* cache);
andre@0:
andre@0: /* create an issuer cache object (per CA subject ) */
andre@0: static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
andre@0: CERTCertificate* issuer,
andre@0: const SECItem* subject, const SECItem* dp);
andre@0:
andre@0: /* destructor for CRL IssuerCache object */
andre@0: SECStatus IssuerCache_Destroy(CRLIssuerCache* cache);
andre@0:
andre@0: /* add a DPCache to the issuer cache */
andre@0: static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
andre@0: CERTCertificate* issuer,
andre@0: const SECItem* subject,
andre@0: const SECItem* dp, CRLDPCache** newdpc);
andre@0:
andre@0: /* get a particular DPCache object from an IssuerCache */
andre@0: static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache,
andre@0: const SECItem* dp);
andre@0:
andre@0: /*
andre@0: ** Pre-allocator hash allocator ops.
andre@0: */
andre@0:
andre@0: /* allocate memory for hash table */
andre@0: static void * PR_CALLBACK
andre@0: PreAllocTable(void *pool, PRSize size)
andre@0: {
andre@0: PreAllocator* alloc = (PreAllocator*)pool;
andre@0: PORT_Assert(alloc);
andre@0: if (!alloc)
andre@0: {
andre@0: /* no allocator, or buffer full */
andre@0: return NULL;
andre@0: }
andre@0: if (size > (alloc->len - alloc->used))
andre@0: {
andre@0: /* initial buffer full, let's use the arena */
andre@0: alloc->extra += size;
andre@0: return PORT_ArenaAlloc(alloc->arena, size);
andre@0: }
andre@0: /* use the initial buffer */
andre@0: alloc->used += size;
andre@0: return (char*) alloc->data + alloc->used - size;
andre@0: }
andre@0:
andre@0: /* free hash table memory.
andre@0: Individual PreAllocator elements cannot be freed, so this is a no-op. */
andre@0: static void PR_CALLBACK
andre@0: PreFreeTable(void *pool, void *item)
andre@0: {
andre@0: }
andre@0:
andre@0: /* allocate memory for hash table */
andre@0: static PLHashEntry * PR_CALLBACK
andre@0: PreAllocEntry(void *pool, const void *key)
andre@0: {
andre@0: return PreAllocTable(pool, sizeof(PLHashEntry));
andre@0: }
andre@0:
andre@0: /* free hash table entry.
andre@0: Individual PreAllocator elements cannot be freed, so this is a no-op. */
andre@0: static void PR_CALLBACK
andre@0: PreFreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
andre@0: {
andre@0: }
andre@0:
andre@0: /* methods required for PL hash table functions */
andre@0: static PLHashAllocOps preAllocOps =
andre@0: {
andre@0: PreAllocTable, PreFreeTable,
andre@0: PreAllocEntry, PreFreeEntry
andre@0: };
andre@0:
andre@0: /* destructor for PreAllocator object */
andre@0: void PreAllocator_Destroy(PreAllocator* PreAllocator)
andre@0: {
andre@0: if (!PreAllocator)
andre@0: {
andre@0: return;
andre@0: }
andre@0: if (PreAllocator->arena)
andre@0: {
andre@0: PORT_FreeArena(PreAllocator->arena, PR_TRUE);
andre@0: }
andre@0: }
andre@0:
andre@0: /* constructor for PreAllocator object */
andre@0: PreAllocator* PreAllocator_Create(PRSize size)
andre@0: {
andre@0: PLArenaPool* arena = NULL;
andre@0: PreAllocator* prebuffer = NULL;
andre@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: if (!arena)
andre@0: {
andre@0: return NULL;
andre@0: }
andre@0: prebuffer = (PreAllocator*)PORT_ArenaZAlloc(arena,
andre@0: sizeof(PreAllocator));
andre@0: if (!prebuffer)
andre@0: {
andre@0: PORT_FreeArena(arena, PR_TRUE);
andre@0: return NULL;
andre@0: }
andre@0: prebuffer->arena = arena;
andre@0:
andre@0: if (size)
andre@0: {
andre@0: prebuffer->len = size;
andre@0: prebuffer->data = PORT_ArenaAlloc(arena, size);
andre@0: if (!prebuffer->data)
andre@0: {
andre@0: PORT_FreeArena(arena, PR_TRUE);
andre@0: return NULL;
andre@0: }
andre@0: }
andre@0: return prebuffer;
andre@0: }
andre@0:
andre@0: /* global Named CRL cache object */
andre@0: static NamedCRLCache namedCRLCache = { NULL, NULL };
andre@0:
andre@0: /* global CRL cache object */
andre@0: static CRLCache crlcache = { NULL, NULL };
andre@0:
andre@0: /* initial state is off */
andre@0: static PRBool crlcache_initialized = PR_FALSE;
andre@0:
andre@0: PRTime CRLCache_Empty_TokenFetch_Interval = 60 * 1000000; /* how often
andre@0: to query the tokens for CRL objects, in order to discover new objects, if
andre@0: the cache does not contain any token CRLs . In microseconds */
andre@0:
andre@0: PRTime CRLCache_TokenRefetch_Interval = 600 * 1000000 ; /* how often
andre@0: to query the tokens for CRL objects, in order to discover new objects, if
andre@0: the cache already contains token CRLs In microseconds */
andre@0:
andre@0: PRTime CRLCache_ExistenceCheck_Interval = 60 * 1000000; /* how often to check
andre@0: if a token CRL object still exists. In microseconds */
andre@0:
andre@0: /* this function is called at NSS initialization time */
andre@0: SECStatus InitCRLCache(void)
andre@0: {
andre@0: if (PR_FALSE == crlcache_initialized)
andre@0: {
andre@0: PORT_Assert(NULL == crlcache.lock);
andre@0: PORT_Assert(NULL == crlcache.issuers);
andre@0: PORT_Assert(NULL == namedCRLCache.lock);
andre@0: PORT_Assert(NULL == namedCRLCache.entries);
andre@0: if (crlcache.lock || crlcache.issuers || namedCRLCache.lock ||
andre@0: namedCRLCache.entries)
andre@0: {
andre@0: /* CRL cache already partially initialized */
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: crlcache.lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
andre@0: #else
andre@0: crlcache.lock = PR_NewLock();
andre@0: #endif
andre@0: namedCRLCache.lock = PR_NewLock();
andre@0: crlcache.issuers = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
andre@0: PL_CompareValues, NULL, NULL);
andre@0: namedCRLCache.entries = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
andre@0: PL_CompareValues, NULL, NULL);
andre@0: if (!crlcache.lock || !namedCRLCache.lock || !crlcache.issuers ||
andre@0: !namedCRLCache.entries)
andre@0: {
andre@0: if (crlcache.lock)
andre@0: {
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: NSSRWLock_Destroy(crlcache.lock);
andre@0: #else
andre@0: PR_DestroyLock(crlcache.lock);
andre@0: #endif
andre@0: crlcache.lock = NULL;
andre@0: }
andre@0: if (namedCRLCache.lock)
andre@0: {
andre@0: PR_DestroyLock(namedCRLCache.lock);
andre@0: namedCRLCache.lock = NULL;
andre@0: }
andre@0: if (crlcache.issuers)
andre@0: {
andre@0: PL_HashTableDestroy(crlcache.issuers);
andre@0: crlcache.issuers = NULL;
andre@0: }
andre@0: if (namedCRLCache.entries)
andre@0: {
andre@0: PL_HashTableDestroy(namedCRLCache.entries);
andre@0: namedCRLCache.entries = NULL;
andre@0: }
andre@0:
andre@0: return SECFailure;
andre@0: }
andre@0: crlcache_initialized = PR_TRUE;
andre@0: return SECSuccess;
andre@0: }
andre@0: else
andre@0: {
andre@0: PORT_Assert(crlcache.lock);
andre@0: PORT_Assert(crlcache.issuers);
andre@0: if ( (NULL == crlcache.lock) || (NULL == crlcache.issuers) )
andre@0: {
andre@0: /* CRL cache not fully initialized */
andre@0: return SECFailure;
andre@0: }
andre@0: else
andre@0: {
andre@0: /* CRL cache already initialized */
andre@0: return SECSuccess;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: /* destructor for CRL DPCache object */
andre@0: static SECStatus DPCache_Destroy(CRLDPCache* cache)
andre@0: {
andre@0: PRUint32 i = 0;
andre@0: PORT_Assert(cache);
andre@0: if (!cache)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (cache->lock)
andre@0: {
andre@0: #ifdef DPC_RWLOCK
andre@0: NSSRWLock_Destroy(cache->lock);
andre@0: #else
andre@0: PR_DestroyLock(cache->lock);
andre@0: #endif
andre@0: }
andre@0: else
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: /* destroy all our CRL objects */
andre@0: for (i=0;i<cache->ncrls;i++)
andre@0: {
andre@0: if (!cache->crls || !cache->crls[i] ||
andre@0: SECSuccess != CachedCrl_Destroy(cache->crls[i]))
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: }
andre@0: /* free the array of CRLs */
andre@0: if (cache->crls)
andre@0: {
andre@0: PORT_Free(cache->crls);
andre@0: }
andre@0: /* destroy the cert */
andre@0: if (cache->issuer)
andre@0: {
andre@0: CERT_DestroyCertificate(cache->issuer);
andre@0: }
andre@0: /* free the subject */
andre@0: if (cache->subject)
andre@0: {
andre@0: SECITEM_FreeItem(cache->subject, PR_TRUE);
andre@0: }
andre@0: /* free the distribution points */
andre@0: if (cache->distributionPoint)
andre@0: {
andre@0: SECITEM_FreeItem(cache->distributionPoint, PR_TRUE);
andre@0: }
andre@0: PORT_Free(cache);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* destructor for CRL IssuerCache object */
andre@0: SECStatus IssuerCache_Destroy(CRLIssuerCache* cache)
andre@0: {
andre@0: PORT_Assert(cache);
andre@0: if (!cache)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: #ifdef XCRL
andre@0: if (cache->lock)
andre@0: {
andre@0: NSSRWLock_Destroy(cache->lock);
andre@0: }
andre@0: else
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (cache->issuer)
andre@0: {
andre@0: CERT_DestroyCertificate(cache->issuer);
andre@0: }
andre@0: #endif
andre@0: /* free the subject */
andre@0: if (cache->subject)
andre@0: {
andre@0: SECITEM_FreeItem(cache->subject, PR_TRUE);
andre@0: }
andre@0: if (SECSuccess != DPCache_Destroy(cache->dpp))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: PORT_Free(cache);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* create a named CRL entry object */
andre@0: static SECStatus NamedCRLCacheEntry_Create(NamedCRLCacheEntry** returned)
andre@0: {
andre@0: NamedCRLCacheEntry* entry = NULL;
andre@0: if (!returned)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: *returned = NULL;
andre@0: entry = (NamedCRLCacheEntry*) PORT_ZAlloc(sizeof(NamedCRLCacheEntry));
andre@0: if (!entry)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: *returned = entry;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* destroy a named CRL entry object */
andre@0: static SECStatus NamedCRLCacheEntry_Destroy(NamedCRLCacheEntry* entry)
andre@0: {
andre@0: if (!entry)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (entry->crl)
andre@0: {
andre@0: /* named CRL cache owns DER memory */
andre@0: SECITEM_ZfreeItem(entry->crl, PR_TRUE);
andre@0: }
andre@0: if (entry->canonicalizedName)
andre@0: {
andre@0: SECITEM_FreeItem(entry->canonicalizedName, PR_TRUE);
andre@0: }
andre@0: PORT_Free(entry);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* callback function used in hash table destructor */
andre@0: static PRIntn PR_CALLBACK FreeIssuer(PLHashEntry *he, PRIntn i, void *arg)
andre@0: {
andre@0: CRLIssuerCache* issuer = NULL;
andre@0: SECStatus* rv = (SECStatus*) arg;
andre@0:
andre@0: PORT_Assert(he);
andre@0: if (!he)
andre@0: {
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0: issuer = (CRLIssuerCache*) he->value;
andre@0: PORT_Assert(issuer);
andre@0: if (issuer)
andre@0: {
andre@0: if (SECSuccess != IssuerCache_Destroy(issuer))
andre@0: {
andre@0: PORT_Assert(rv);
andre@0: if (rv)
andre@0: {
andre@0: *rv = SECFailure;
andre@0: }
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0: }
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0:
andre@0: /* callback function used in hash table destructor */
andre@0: static PRIntn PR_CALLBACK FreeNamedEntries(PLHashEntry *he, PRIntn i, void *arg)
andre@0: {
andre@0: NamedCRLCacheEntry* entry = NULL;
andre@0: SECStatus* rv = (SECStatus*) arg;
andre@0:
andre@0: PORT_Assert(he);
andre@0: if (!he)
andre@0: {
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0: entry = (NamedCRLCacheEntry*) he->value;
andre@0: PORT_Assert(entry);
andre@0: if (entry)
andre@0: {
andre@0: if (SECSuccess != NamedCRLCacheEntry_Destroy(entry))
andre@0: {
andre@0: PORT_Assert(rv);
andre@0: if (rv)
andre@0: {
andre@0: *rv = SECFailure;
andre@0: }
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0: }
andre@0: return HT_ENUMERATE_NEXT;
andre@0: }
andre@0:
andre@0: /* needs to be called at NSS shutdown time
andre@0: This will destroy the global CRL cache, including
andre@0: - the hash table of issuer cache objects
andre@0: - the issuer cache objects
andre@0: - DPCache objects in issuer cache objects */
andre@0: SECStatus ShutdownCRLCache(void)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: if (PR_FALSE == crlcache_initialized &&
andre@0: !crlcache.lock && !crlcache.issuers)
andre@0: {
andre@0: /* CRL cache has already been shut down */
andre@0: return SECSuccess;
andre@0: }
andre@0: if (PR_TRUE == crlcache_initialized &&
andre@0: (!crlcache.lock || !crlcache.issuers || !namedCRLCache.lock ||
andre@0: !namedCRLCache.entries))
andre@0: {
andre@0: /* CRL cache has partially been shut down */
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* empty the CRL cache */
andre@0: /* free the issuers */
andre@0: PL_HashTableEnumerateEntries(crlcache.issuers, &FreeIssuer, &rv);
andre@0: /* free the hash table of issuers */
andre@0: PL_HashTableDestroy(crlcache.issuers);
andre@0: crlcache.issuers = NULL;
andre@0: /* free the global lock */
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: NSSRWLock_Destroy(crlcache.lock);
andre@0: #else
andre@0: PR_DestroyLock(crlcache.lock);
andre@0: #endif
andre@0: crlcache.lock = NULL;
andre@0:
andre@0: /* empty the named CRL cache. This must be done after freeing the CRL
andre@0: * cache, since some CRLs in this cache are in the memory for the other */
andre@0: /* free the entries */
andre@0: PL_HashTableEnumerateEntries(namedCRLCache.entries, &FreeNamedEntries, &rv);
andre@0: /* free the hash table of issuers */
andre@0: PL_HashTableDestroy(namedCRLCache.entries);
andre@0: namedCRLCache.entries = NULL;
andre@0: /* free the global lock */
andre@0: PR_DestroyLock(namedCRLCache.lock);
andre@0: namedCRLCache.lock = NULL;
andre@0:
andre@0: crlcache_initialized = PR_FALSE;
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* add a new CRL object to the dynamic array of CRLs of the DPCache, and
andre@0: returns the cached CRL object . Needs write access to DPCache. */
andre@0: static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* newcrl,
andre@0: PRBool* added)
andre@0: {
andre@0: CachedCrl** newcrls = NULL;
andre@0: PRUint32 i = 0;
andre@0: PORT_Assert(cache);
andre@0: PORT_Assert(newcrl);
andre@0: PORT_Assert(added);
andre@0: if (!cache || !newcrl || !added)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: *added = PR_FALSE;
andre@0: /* before adding a new CRL, check if it is a duplicate */
andre@0: for (i=0;i<cache->ncrls;i++)
andre@0: {
andre@0: CachedCrl* existing = NULL;
andre@0: SECStatus rv = SECSuccess;
andre@0: PRBool dupe = PR_FALSE, updated = PR_FALSE;
andre@0: if (!cache->crls)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: existing = cache->crls[i];
andre@0: if (!existing)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: rv = CachedCrl_Compare(existing, newcrl, &dupe, &updated);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (PR_TRUE == dupe)
andre@0: {
andre@0: /* dupe */
andre@0: PORT_SetError(SEC_ERROR_CRL_ALREADY_EXISTS);
andre@0: return SECSuccess;
andre@0: }
andre@0: if (PR_TRUE == updated)
andre@0: {
andre@0: /* this token CRL is in the same slot and has the same object ID,
andre@0: but different content. We need to remove the old object */
andre@0: if (SECSuccess != DPCache_RemoveCRL(cache, i))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return PR_FALSE;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: newcrls = (CachedCrl**)PORT_Realloc(cache->crls,
andre@0: (cache->ncrls+1)*sizeof(CachedCrl*));
andre@0: if (!newcrls)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: cache->crls = newcrls;
andre@0: cache->ncrls++;
andre@0: cache->crls[cache->ncrls-1] = newcrl;
andre@0: *added = PR_TRUE;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* remove CRL at offset specified */
andre@0: static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset)
andre@0: {
andre@0: CachedCrl* acrl = NULL;
andre@0: PORT_Assert(cache);
andre@0: if (!cache || (!cache->crls) || (!(offset<cache->ncrls)) )
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: acrl = cache->crls[offset];
andre@0: PORT_Assert(acrl);
andre@0: if (!acrl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: cache->crls[offset] = cache->crls[cache->ncrls-1];
andre@0: cache->crls[cache->ncrls-1] = NULL;
andre@0: cache->ncrls--;
andre@0: if (cache->selected == acrl) {
andre@0: cache->selected = NULL;
andre@0: }
andre@0: if (SECSuccess != CachedCrl_Destroy(acrl))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* check whether a CRL object stored in a PKCS#11 token still exists in
andre@0: that token . This has to be efficient (the entire CRL value cannot be
andre@0: transferred accross the token boundaries), so this is accomplished by
andre@0: simply fetching the subject attribute and making sure it hasn't changed .
andre@0: Note that technically, the CRL object could have been replaced with a new
andre@0: PKCS#11 object of the same ID and subject (which actually happens in
andre@0: softoken), but this function has no way of knowing that the object
andre@0: value changed, since CKA_VALUE isn't checked. */
andre@0: static PRBool TokenCRLStillExists(CERTSignedCrl* crl)
andre@0: {
andre@0: NSSItem newsubject;
andre@0: SECItem subject;
andre@0: CK_ULONG crl_class;
andre@0: PRStatus status;
andre@0: PK11SlotInfo* slot = NULL;
andre@0: nssCryptokiObject instance;
andre@0: NSSArena* arena;
andre@0: PRBool xstatus = PR_TRUE;
andre@0: SECItem* oldSubject = NULL;
andre@0:
andre@0: PORT_Assert(crl);
andre@0: if (!crl)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0: slot = crl->slot;
andre@0: PORT_Assert(crl->slot);
andre@0: if (!slot)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0: oldSubject = &crl->crl.derName;
andre@0: PORT_Assert(oldSubject);
andre@0: if (!oldSubject)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0:
andre@0: /* query subject and type attributes in order to determine if the
andre@0: object has been deleted */
andre@0:
andre@0: /* first, make an nssCryptokiObject */
andre@0: instance.handle = crl->pkcs11ID;
andre@0: PORT_Assert(instance.handle);
andre@0: if (!instance.handle)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0: instance.token = PK11Slot_GetNSSToken(slot);
andre@0: PORT_Assert(instance.token);
andre@0: if (!instance.token)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0: instance.isTokenObject = PR_TRUE;
andre@0: instance.label = NULL;
andre@0:
andre@0: arena = NSSArena_Create();
andre@0: PORT_Assert(arena);
andre@0: if (!arena)
andre@0: {
andre@0: return PR_FALSE;
andre@0: }
andre@0:
andre@0: status = nssCryptokiCRL_GetAttributes(&instance,
andre@0: NULL, /* XXX sessionOpt */
andre@0: arena,
andre@0: NULL,
andre@0: &newsubject, /* subject */
andre@0: &crl_class, /* class */
andre@0: NULL,
andre@0: NULL);
andre@0: if (PR_SUCCESS == status)
andre@0: {
andre@0: subject.data = newsubject.data;
andre@0: subject.len = newsubject.size;
andre@0: if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual)
andre@0: {
andre@0: xstatus = PR_FALSE;
andre@0: }
andre@0: if (CKO_NETSCAPE_CRL != crl_class)
andre@0: {
andre@0: xstatus = PR_FALSE;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: xstatus = PR_FALSE;
andre@0: }
andre@0: NSSArena_Destroy(arena);
andre@0: return xstatus;
andre@0: }
andre@0:
andre@0: /* verify the signature of a CRL against its issuer at a given date */
andre@0: static SECStatus CERT_VerifyCRL(
andre@0: CERTSignedCrl* crlobject,
andre@0: CERTCertificate* issuer,
andre@0: PRTime vfdate,
andre@0: void* wincx)
andre@0: {
andre@0: return CERT_VerifySignedData(&crlobject->signatureWrap,
andre@0: issuer, vfdate, wincx);
andre@0: }
andre@0:
andre@0: /* verify a CRL and update cache state */
andre@0: static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject,
andre@0: PRTime vfdate, void* wincx)
andre@0: {
andre@0: /* Check if it is an invalid CRL
andre@0: if we got a bad CRL, we want to cache it in order to avoid
andre@0: subsequent fetches of this same identical bad CRL. We set
andre@0: the cache to the invalid state to ensure that all certs on this
andre@0: DP are considered to have unknown status from now on. The cache
andre@0: object will remain in this state until the bad CRL object
andre@0: is removed from the token it was fetched from. If the cause
andre@0: of the failure is that we didn't have the issuer cert to
andre@0: verify the signature, this state can be cleared when
andre@0: the issuer certificate becomes available if that causes the
andre@0: signature to verify */
andre@0:
andre@0: if (!cache || !crlobject)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError)
andre@0: {
andre@0: crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
andre@0: with bogus DER. Mark it checked so we won't try again */
andre@0: PORT_SetError(SEC_ERROR_BAD_DER);
andre@0: return SECSuccess;
andre@0: }
andre@0: else
andre@0: {
andre@0: SECStatus signstatus = SECFailure;
andre@0: if (cache->issuer)
andre@0: {
andre@0: signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
andre@0: wincx);
andre@0: }
andre@0: if (SECSuccess != signstatus)
andre@0: {
andre@0: if (!cache->issuer)
andre@0: {
andre@0: /* we tried to verify without an issuer cert . This is
andre@0: because this CRL came through a call to SEC_FindCrlByName.
andre@0: So, we don't cache this verification failure. We'll try
andre@0: to verify the CRL again when a certificate from that issuer
andre@0: becomes available */
andre@0: } else
andre@0: {
andre@0: crlobject->sigChecked = PR_TRUE;
andre@0: }
andre@0: PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
andre@0: return SECSuccess;
andre@0: } else
andre@0: {
andre@0: crlobject->sigChecked = PR_TRUE;
andre@0: crlobject->sigValid = PR_TRUE;
andre@0: }
andre@0: }
andre@0:
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* fetch the CRLs for this DP from the PKCS#11 tokens */
andre@0: static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate,
andre@0: void* wincx)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: CERTCrlHeadNode head;
andre@0: if (!cache)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* first, initialize list */
andre@0: memset(&head, 0, sizeof(head));
andre@0: head.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
andre@0: rv = pk11_RetrieveCrls(&head, cache->subject, wincx);
andre@0:
andre@0: /* if this function fails, something very wrong happened, such as an out
andre@0: of memory error during CRL decoding. We don't want to proceed and must
andre@0: mark the cache object invalid */
andre@0: if (SECFailure == rv)
andre@0: {
andre@0: /* fetch failed, add error bit */
andre@0: cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
andre@0: } else
andre@0: {
andre@0: /* fetch was successful, clear this error bit */
andre@0: cache->invalid &= (~CRL_CACHE_LAST_FETCH_FAILED);
andre@0: }
andre@0:
andre@0: /* add any CRLs found to our array */
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: CERTCrlNode* crlNode = NULL;
andre@0:
andre@0: for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
andre@0: {
andre@0: CachedCrl* returned = NULL;
andre@0: CERTSignedCrl* crlobject = crlNode->crl;
andre@0: if (!crlobject)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: continue;
andre@0: }
andre@0: rv = CachedCrl_Create(&returned, crlobject, CRL_OriginToken);
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: PRBool added = PR_FALSE;
andre@0: rv = DPCache_AddCRL(cache, returned, &added);
andre@0: if (PR_TRUE != added)
andre@0: {
andre@0: rv = CachedCrl_Destroy(returned);
andre@0: returned = NULL;
andre@0: }
andre@0: else if (vfdate)
andre@0: {
andre@0: rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: /* not enough memory to add the CRL to the cache. mark it
andre@0: invalid so we will try again . */
andre@0: cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
andre@0: }
andre@0: if (SECFailure == rv)
andre@0: {
andre@0: break;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: if (head.arena)
andre@0: {
andre@0: CERTCrlNode* crlNode = NULL;
andre@0: /* clean up the CRL list in case we got a partial one
andre@0: during a failed fetch */
andre@0: for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
andre@0: {
andre@0: if (crlNode->crl)
andre@0: {
andre@0: SEC_DestroyCrl(crlNode->crl); /* free the CRL. Either it got
andre@0: added to the cache and the refcount got bumped, or not, and
andre@0: thus we need to free its RAM */
andre@0: }
andre@0: }
andre@0: PORT_FreeArena(head.arena, PR_FALSE); /* destroy CRL list */
andre@0: }
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: static SECStatus CachedCrl_GetEntry(CachedCrl* crl, const SECItem* sn,
andre@0: CERTCrlEntry** returned)
andre@0: {
andre@0: CERTCrlEntry* acrlEntry;
andre@0:
andre@0: PORT_Assert(crl);
andre@0: PORT_Assert(crl->entries);
andre@0: PORT_Assert(sn);
andre@0: PORT_Assert(returned);
andre@0: if (!crl || !sn || !returned || !crl->entries)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0: acrlEntry = PL_HashTableLookup(crl->entries, (void*)sn);
andre@0: if (acrlEntry)
andre@0: {
andre@0: *returned = acrlEntry;
andre@0: }
andre@0: else
andre@0: {
andre@0: *returned = NULL;
andre@0: }
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* check if a particular SN is in the CRL cache and return its entry */
andre@0: dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn,
andre@0: CERTCrlEntry** returned)
andre@0: {
andre@0: SECStatus rv;
andre@0: if (!cache || !sn || !returned)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: /* no cache or SN to look up, or no way to return entry */
andre@0: return dpcacheCallerError;
andre@0: }
andre@0: *returned = NULL;
andre@0: if (0 != cache->invalid)
andre@0: {
andre@0: /* the cache contains a bad CRL, or there was a CRL fetching error. */
andre@0: PORT_SetError(SEC_ERROR_CRL_INVALID);
andre@0: return dpcacheInvalidCacheError;
andre@0: }
andre@0: if (!cache->selected)
andre@0: {
andre@0: /* no CRL means no entry to return. This is OK, except for
andre@0: * NIST policy */
andre@0: return dpcacheEmpty;
andre@0: }
andre@0: rv = CachedCrl_GetEntry(cache->selected, sn, returned);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: return dpcacheLookupError;
andre@0: }
andre@0: else
andre@0: {
andre@0: if (*returned)
andre@0: {
andre@0: return dpcacheFoundEntry;
andre@0: }
andre@0: else
andre@0: {
andre@0: return dpcacheNoEntry;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: #if defined(DPC_RWLOCK)
andre@0:
andre@0: #define DPCache_LockWrite() \
andre@0: { \
andre@0: if (readlocked) \
andre@0: { \
andre@0: NSSRWLock_UnlockRead(cache->lock); \
andre@0: } \
andre@0: NSSRWLock_LockWrite(cache->lock); \
andre@0: }
andre@0:
andre@0: #define DPCache_UnlockWrite() \
andre@0: { \
andre@0: if (readlocked) \
andre@0: { \
andre@0: NSSRWLock_LockRead(cache->lock); \
andre@0: } \
andre@0: NSSRWLock_UnlockWrite(cache->lock); \
andre@0: }
andre@0:
andre@0: #else
andre@0:
andre@0: /* with a global lock, we are always locked for read before we need write
andre@0: access, so do nothing */
andre@0:
andre@0: #define DPCache_LockWrite() \
andre@0: { \
andre@0: }
andre@0:
andre@0: #define DPCache_UnlockWrite() \
andre@0: { \
andre@0: }
andre@0:
andre@0: #endif
andre@0:
andre@0: /* update the content of the CRL cache, including fetching of CRLs, and
andre@0: reprocessing with specified issuer and date . We are always holding
andre@0: either the read or write lock on DPCache upon entry. */
andre@0: static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate*
andre@0: issuer, PRBool readlocked, PRTime vfdate,
andre@0: void* wincx)
andre@0: {
andre@0: /* Update the CRLDPCache now. We don't cache token CRL lookup misses
andre@0: yet, as we have no way of getting notified of new PKCS#11 object
andre@0: creation that happens in a token */
andre@0: SECStatus rv = SECSuccess;
andre@0: PRUint32 i = 0;
andre@0: PRBool forcedrefresh = PR_FALSE;
andre@0: PRBool dirty = PR_FALSE; /* whether something was changed in the
andre@0: cache state during this update cycle */
andre@0: PRBool hastokenCRLs = PR_FALSE;
andre@0: PRTime now = 0;
andre@0: PRTime lastfetch = 0;
andre@0: PRBool mustunlock = PR_FALSE;
andre@0:
andre@0: if (!cache)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* first, make sure we have obtained all the CRLs we need.
andre@0: We do an expensive token fetch in the following cases :
andre@0: 1) cache is empty because no fetch was ever performed yet
andre@0: 2) cache is explicitly set to refresh state
andre@0: 3) cache is in invalid state because last fetch failed
andre@0: 4) cache contains no token CRLs, and it's been more than one minute
andre@0: since the last fetch
andre@0: 5) cache contains token CRLs, and it's been more than 10 minutes since
andre@0: the last fetch
andre@0: */
andre@0: forcedrefresh = cache->refresh;
andre@0: lastfetch = cache->lastfetch;
andre@0: if (PR_TRUE != forcedrefresh &&
andre@0: (!(cache->invalid & CRL_CACHE_LAST_FETCH_FAILED)))
andre@0: {
andre@0: now = PR_Now();
andre@0: hastokenCRLs = DPCache_HasTokenCRLs(cache);
andre@0: }
andre@0: if ( (0 == lastfetch) ||
andre@0:
andre@0: (PR_TRUE == forcedrefresh) ||
andre@0:
andre@0: (cache->invalid & CRL_CACHE_LAST_FETCH_FAILED) ||
andre@0:
andre@0: ( (PR_FALSE == hastokenCRLs) &&
andre@0: ( (now - cache->lastfetch > CRLCache_Empty_TokenFetch_Interval) ||
andre@0: (now < cache->lastfetch)) ) ||
andre@0:
andre@0: ( (PR_TRUE == hastokenCRLs) &&
andre@0: ((now - cache->lastfetch > CRLCache_TokenRefetch_Interval) ||
andre@0: (now < cache->lastfetch)) ) )
andre@0: {
andre@0: /* the cache needs to be refreshed, and/or we had zero CRL for this
andre@0: DP. Try to get one from PKCS#11 tokens */
andre@0: DPCache_LockWrite();
andre@0: /* check if another thread updated before us, and skip update if so */
andre@0: if (lastfetch == cache->lastfetch)
andre@0: {
andre@0: /* we are the first */
andre@0: rv = DPCache_FetchFromTokens(cache, vfdate, wincx);
andre@0: if (PR_TRUE == cache->refresh)
andre@0: {
andre@0: cache->refresh = PR_FALSE; /* clear refresh state */
andre@0: }
andre@0: dirty = PR_TRUE;
andre@0: cache->lastfetch = PR_Now();
andre@0: }
andre@0: DPCache_UnlockWrite();
andre@0: }
andre@0:
andre@0: /* now, make sure we have no extraneous CRLs (deleted token objects)
andre@0: we'll do this inexpensive existence check either
andre@0: 1) if there was a token object fetch
andre@0: 2) every minute */
andre@0: if (( PR_TRUE != dirty) && (!now) )
andre@0: {
andre@0: now = PR_Now();
andre@0: }
andre@0: if ( (PR_TRUE == dirty) ||
andre@0: ( (now - cache->lastcheck > CRLCache_ExistenceCheck_Interval) ||
andre@0: (now < cache->lastcheck)) )
andre@0: {
andre@0: PRTime lastcheck = cache->lastcheck;
andre@0: mustunlock = PR_FALSE;
andre@0: /* check if all CRLs still exist */
andre@0: for (i = 0; (i < cache->ncrls) ; i++)
andre@0: {
andre@0: CachedCrl* savcrl = cache->crls[i];
andre@0: if ( (!savcrl) || (savcrl && CRL_OriginToken != savcrl->origin))
andre@0: {
andre@0: /* we only want to check token CRLs */
andre@0: continue;
andre@0: }
andre@0: if ((PR_TRUE != TokenCRLStillExists(savcrl->crl)))
andre@0: {
andre@0:
andre@0: /* this CRL is gone */
andre@0: if (PR_TRUE != mustunlock)
andre@0: {
andre@0: DPCache_LockWrite();
andre@0: mustunlock = PR_TRUE;
andre@0: }
andre@0: /* first, we need to check if another thread did an update
andre@0: before we did */
andre@0: if (lastcheck == cache->lastcheck)
andre@0: {
andre@0: /* the CRL is gone. And we are the one to do the update */
andre@0: DPCache_RemoveCRL(cache, i);
andre@0: dirty = PR_TRUE;
andre@0: }
andre@0: /* stay locked here intentionally so we do all the other
andre@0: updates in this thread for the remaining CRLs */
andre@0: }
andre@0: }
andre@0: if (PR_TRUE == mustunlock)
andre@0: {
andre@0: cache->lastcheck = PR_Now();
andre@0: DPCache_UnlockWrite();
andre@0: mustunlock = PR_FALSE;
andre@0: }
andre@0: }
andre@0:
andre@0: /* add issuer certificate if it was previously unavailable */
andre@0: if (issuer && (NULL == cache->issuer) &&
andre@0: (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
andre@0: {
andre@0: /* if we didn't have a valid issuer cert yet, but we do now. add it */
andre@0: DPCache_LockWrite();
andre@0: if (!cache->issuer)
andre@0: {
andre@0: dirty = PR_TRUE;
andre@0: cache->issuer = CERT_DupCertificate(issuer);
andre@0: }
andre@0: DPCache_UnlockWrite();
andre@0: }
andre@0:
andre@0: /* verify CRLs that couldn't be checked when inserted into the cache
andre@0: because the issuer cert or a verification date was unavailable.
andre@0: These are CRLs that were inserted into the cache through
andre@0: SEC_FindCrlByName, or through manual insertion, rather than through a
andre@0: certificate verification (CERT_CheckCRL) */
andre@0:
andre@0: if (cache->issuer && vfdate )
andre@0: {
andre@0: mustunlock = PR_FALSE;
andre@0: /* re-process all unverified CRLs */
andre@0: for (i = 0; i < cache->ncrls ; i++)
andre@0: {
andre@0: CachedCrl* savcrl = cache->crls[i];
andre@0: if (!savcrl)
andre@0: {
andre@0: continue;
andre@0: }
andre@0: if (PR_TRUE != savcrl->sigChecked)
andre@0: {
andre@0: if (!mustunlock)
andre@0: {
andre@0: DPCache_LockWrite();
andre@0: mustunlock = PR_TRUE;
andre@0: }
andre@0: /* first, we need to check if another thread updated
andre@0: it before we did, and abort if it has been modified since
andre@0: we acquired the lock. Make sure first that the CRL is still
andre@0: in the array at the same position */
andre@0: if ( (i<cache->ncrls) && (savcrl == cache->crls[i]) &&
andre@0: (PR_TRUE != savcrl->sigChecked) )
andre@0: {
andre@0: /* the CRL is still there, unverified. Do it */
andre@0: CachedCrl_Verify(cache, savcrl, vfdate, wincx);
andre@0: dirty = PR_TRUE;
andre@0: }
andre@0: /* stay locked here intentionally so we do all the other
andre@0: updates in this thread for the remaining CRLs */
andre@0: }
andre@0: if (mustunlock && !dirty)
andre@0: {
andre@0: DPCache_UnlockWrite();
andre@0: mustunlock = PR_FALSE;
andre@0: }
andre@0: }
andre@0: }
andre@0:
andre@0: if (dirty || cache->mustchoose)
andre@0: {
andre@0: /* changes to the content of the CRL cache necessitate examining all
andre@0: CRLs for selection of the most appropriate one to cache */
andre@0: if (!mustunlock)
andre@0: {
andre@0: DPCache_LockWrite();
andre@0: mustunlock = PR_TRUE;
andre@0: }
andre@0: DPCache_SelectCRL(cache);
andre@0: cache->mustchoose = PR_FALSE;
andre@0: }
andre@0: if (mustunlock)
andre@0: DPCache_UnlockWrite();
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* callback for qsort to sort by thisUpdate */
andre@0: static int SortCRLsByThisUpdate(const void* arg1, const void* arg2)
andre@0: {
andre@0: PRTime timea, timeb;
andre@0: SECStatus rv = SECSuccess;
andre@0: CachedCrl* a, *b;
andre@0:
andre@0: a = *(CachedCrl**) arg1;
andre@0: b = *(CachedCrl**) arg2;
andre@0:
andre@0: if (!a || !b)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: rv = SECFailure;
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: rv = DER_DecodeTimeChoice(&timea, &a->crl->crl.lastUpdate);
andre@0: }
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: rv = DER_DecodeTimeChoice(&timeb, &b->crl->crl.lastUpdate);
andre@0: }
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: if (timea > timeb)
andre@0: {
andre@0: return 1; /* a is better than b */
andre@0: }
andre@0: if (timea < timeb )
andre@0: {
andre@0: return -1; /* a is not as good as b */
andre@0: }
andre@0: }
andre@0:
andre@0: /* if they are equal, or if all else fails, use pointer differences */
andre@0: PORT_Assert(a != b); /* they should never be equal */
andre@0: return a>b?1:-1;
andre@0: }
andre@0:
andre@0: /* callback for qsort to sort a set of disparate CRLs, some of which are
andre@0: invalid DER or failed signature check.
andre@0:
andre@0: Validated CRLs are differentiated by thisUpdate .
andre@0: Validated CRLs are preferred over non-validated CRLs .
andre@0: Proper DER CRLs are preferred over non-DER data .
andre@0: */
andre@0: static int SortImperfectCRLs(const void* arg1, const void* arg2)
andre@0: {
andre@0: CachedCrl* a, *b;
andre@0:
andre@0: a = *(CachedCrl**) arg1;
andre@0: b = *(CachedCrl**) arg2;
andre@0:
andre@0: if (!a || !b)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: PORT_Assert(0);
andre@0: }
andre@0: else
andre@0: {
andre@0: PRBool aDecoded = PR_FALSE, bDecoded = PR_FALSE;
andre@0: if ( (PR_TRUE == a->sigValid) && (PR_TRUE == b->sigValid) )
andre@0: {
andre@0: /* both CRLs have been validated, choose the latest one */
andre@0: return SortCRLsByThisUpdate(arg1, arg2);
andre@0: }
andre@0: if (PR_TRUE == a->sigValid)
andre@0: {
andre@0: return 1; /* a is greater than b */
andre@0: }
andre@0: if (PR_TRUE == b->sigValid)
andre@0: {
andre@0: return -1; /* a is not as good as b */
andre@0: }
andre@0: aDecoded = GetOpaqueCRLFields(a->crl)->decodingError;
andre@0: bDecoded = GetOpaqueCRLFields(b->crl)->decodingError;
andre@0: /* neither CRL had its signature check pass */
andre@0: if ( (PR_FALSE == aDecoded) && (PR_FALSE == bDecoded) )
andre@0: {
andre@0: /* both CRLs are proper DER, choose the latest one */
andre@0: return SortCRLsByThisUpdate(arg1, arg2);
andre@0: }
andre@0: if (PR_FALSE == aDecoded)
andre@0: {
andre@0: return 1; /* a is better than b */
andre@0: }
andre@0: if (PR_FALSE == bDecoded)
andre@0: {
andre@0: return -1; /* a is not as good as b */
andre@0: }
andre@0: /* both are invalid DER. sigh. */
andre@0: }
andre@0: /* if they are equal, or if all else fails, use pointer differences */
andre@0: PORT_Assert(a != b); /* they should never be equal */
andre@0: return a>b?1:-1;
andre@0: }
andre@0:
andre@0:
andre@0: /* Pick best CRL to use . needs write access */
andre@0: static SECStatus DPCache_SelectCRL(CRLDPCache* cache)
andre@0: {
andre@0: PRUint32 i;
andre@0: PRBool valid = PR_TRUE;
andre@0: CachedCrl* selected = NULL;
andre@0:
andre@0: PORT_Assert(cache);
andre@0: if (!cache)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* if any invalid CRL is present, then the CRL cache is
andre@0: considered invalid, for security reasons */
andre@0: for (i = 0 ; i<cache->ncrls; i++)
andre@0: {
andre@0: if (!cache->crls[i] || !cache->crls[i]->sigChecked ||
andre@0: !cache->crls[i]->sigValid)
andre@0: {
andre@0: valid = PR_FALSE;
andre@0: break;
andre@0: }
andre@0: }
andre@0: if (PR_TRUE == valid)
andre@0: {
andre@0: /* all CRLs are valid, clear this error */
andre@0: cache->invalid &= (~CRL_CACHE_INVALID_CRLS);
andre@0: } else
andre@0: {
andre@0: /* some CRLs are invalid, set this error */
andre@0: cache->invalid |= CRL_CACHE_INVALID_CRLS;
andre@0: }
andre@0:
andre@0: if (cache->invalid)
andre@0: {
andre@0: /* cache is in an invalid state, so reset it */
andre@0: if (cache->selected)
andre@0: {
andre@0: cache->selected = NULL;
andre@0: }
andre@0: /* also sort the CRLs imperfectly */
andre@0: qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
andre@0: SortImperfectCRLs);
andre@0: return SECSuccess;
andre@0: }
andre@0: /* all CRLs are good, sort them by thisUpdate */
andre@0: qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
andre@0: SortCRLsByThisUpdate);
andre@0:
andre@0: if (cache->ncrls)
andre@0: {
andre@0: /* pick the newest CRL */
andre@0: selected = cache->crls[cache->ncrls-1];
andre@0:
andre@0: /* and populate the cache */
andre@0: if (SECSuccess != CachedCrl_Populate(selected))
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: }
andre@0:
andre@0: cache->selected = selected;
andre@0:
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* initialize a DPCache object */
andre@0: static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
andre@0: const SECItem* subject, SECItem* dp)
andre@0: {
andre@0: CRLDPCache* cache = NULL;
andre@0: PORT_Assert(returned);
andre@0: /* issuer and dp are allowed to be NULL */
andre@0: if (!returned || !subject)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: *returned = NULL;
andre@0: cache = PORT_ZAlloc(sizeof(CRLDPCache));
andre@0: if (!cache)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: #ifdef DPC_RWLOCK
andre@0: cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
andre@0: #else
andre@0: cache->lock = PR_NewLock();
andre@0: #endif
andre@0: if (!cache->lock)
andre@0: {
andre@0: PORT_Free(cache);
andre@0: return SECFailure;
andre@0: }
andre@0: if (issuer)
andre@0: {
andre@0: cache->issuer = CERT_DupCertificate(issuer);
andre@0: }
andre@0: cache->distributionPoint = SECITEM_DupItem(dp);
andre@0: cache->subject = SECITEM_DupItem(subject);
andre@0: cache->lastfetch = 0;
andre@0: cache->lastcheck = 0;
andre@0: *returned = cache;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* create an issuer cache object (per CA subject ) */
andre@0: static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
andre@0: CERTCertificate* issuer,
andre@0: const SECItem* subject, const SECItem* dp)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: CRLIssuerCache* cache = NULL;
andre@0: PORT_Assert(returned);
andre@0: PORT_Assert(subject);
andre@0: /* issuer and dp are allowed to be NULL */
andre@0: if (!returned || !subject)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: *returned = NULL;
andre@0: cache = (CRLIssuerCache*) PORT_ZAlloc(sizeof(CRLIssuerCache));
andre@0: if (!cache)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: cache->subject = SECITEM_DupItem(subject);
andre@0: #ifdef XCRL
andre@0: cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
andre@0: if (!cache->lock)
andre@0: {
andre@0: rv = SECFailure;
andre@0: }
andre@0: if (SECSuccess == rv && issuer)
andre@0: {
andre@0: cache->issuer = CERT_DupCertificate(issuer);
andre@0: if (!cache->issuer)
andre@0: {
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: #endif
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: PORT_Assert(SECSuccess == IssuerCache_Destroy(cache));
andre@0: return SECFailure;
andre@0: }
andre@0: *returned = cache;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* add a DPCache to the issuer cache */
andre@0: static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
andre@0: CERTCertificate* issuer,
andre@0: const SECItem* subject,
andre@0: const SECItem* dp,
andre@0: CRLDPCache** newdpc)
andre@0: {
andre@0: /* now create the required DP cache object */
andre@0: if (!cache || !subject || !newdpc)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (!dp)
andre@0: {
andre@0: /* default distribution point */
andre@0: SECStatus rv = DPCache_Create(&cache->dpp, issuer, subject, NULL);
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: *newdpc = cache->dpp;
andre@0: return SECSuccess;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: /* we should never hit this until we support multiple DPs */
andre@0: PORT_Assert(dp);
andre@0: /* XCRL allocate a new distribution point cache object, initialize it,
andre@0: and add it to the hash table of DPs */
andre@0: }
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* add an IssuerCache to the global hash table of issuers */
andre@0: static SECStatus CRLCache_AddIssuer(CRLIssuerCache* issuer)
andre@0: {
andre@0: PORT_Assert(issuer);
andre@0: PORT_Assert(crlcache.issuers);
andre@0: if (!issuer || !crlcache.issuers)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (NULL == PL_HashTableAdd(crlcache.issuers, (void*) issuer->subject,
andre@0: (void*) issuer))
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* retrieve the issuer cache object for a given issuer subject */
andre@0: static SECStatus CRLCache_GetIssuerCache(CRLCache* cache,
andre@0: const SECItem* subject,
andre@0: CRLIssuerCache** returned)
andre@0: {
andre@0: /* we need to look up the issuer in the hash table */
andre@0: SECStatus rv = SECSuccess;
andre@0: PORT_Assert(cache);
andre@0: PORT_Assert(subject);
andre@0: PORT_Assert(returned);
andre@0: PORT_Assert(crlcache.issuers);
andre@0: if (!cache || !subject || !returned || !crlcache.issuers)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: rv = SECFailure;
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: *returned = (CRLIssuerCache*) PL_HashTableLookup(crlcache.issuers,
andre@0: (void*) subject);
andre@0: }
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* retrieve the full CRL object that best matches the content of a DPCache */
andre@0: static CERTSignedCrl* GetBestCRL(CRLDPCache* cache, PRBool entries)
andre@0: {
andre@0: CachedCrl* acrl = NULL;
andre@0:
andre@0: PORT_Assert(cache);
andre@0: if (!cache)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: if (0 == cache->ncrls)
andre@0: {
andre@0: /* empty cache*/
andre@0: PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: /* if we have a valid full CRL selected, return it */
andre@0: if (cache->selected)
andre@0: {
andre@0: return SEC_DupCrl(cache->selected->crl);
andre@0: }
andre@0:
andre@0: /* otherwise, use latest valid DER CRL */
andre@0: acrl = cache->crls[cache->ncrls-1];
andre@0:
andre@0: if (acrl && (PR_FALSE == GetOpaqueCRLFields(acrl->crl)->decodingError) )
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: if (PR_TRUE == entries)
andre@0: {
andre@0: rv = CERT_CompleteCRLDecodeEntries(acrl->crl);
andre@0: }
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: return SEC_DupCrl(acrl->crl);
andre@0: }
andre@0: }
andre@0:
andre@0: PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: /* get a particular DPCache object from an IssuerCache */
andre@0: static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, const SECItem* dp)
andre@0: {
andre@0: CRLDPCache* dpp = NULL;
andre@0: PORT_Assert(cache);
andre@0: /* XCRL for now we only support the "default" DP, ie. the
andre@0: full CRL. So we can return the global one without locking. In
andre@0: the future we will have a lock */
andre@0: PORT_Assert(NULL == dp);
andre@0: if (!cache || dp)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return NULL;
andre@0: }
andre@0: #ifdef XCRL
andre@0: NSSRWLock_LockRead(cache->lock);
andre@0: #endif
andre@0: dpp = cache->dpp;
andre@0: #ifdef XCRL
andre@0: NSSRWLock_UnlockRead(cache->lock);
andre@0: #endif
andre@0: return dpp;
andre@0: }
andre@0:
andre@0: /* get a DPCache object for the given issuer subject and dp
andre@0: Automatically creates the cache object if it doesn't exist yet.
andre@0: */
andre@0: SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject,
andre@0: const SECItem* dp, PRTime t, void* wincx,
andre@0: CRLDPCache** dpcache, PRBool* writeLocked)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: CRLIssuerCache* issuercache = NULL;
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: PRBool globalwrite = PR_FALSE;
andre@0: #endif
andre@0: PORT_Assert(crlcache.lock);
andre@0: if (!crlcache.lock)
andre@0: {
andre@0: /* CRL cache is not initialized */
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: NSSRWLock_LockRead(crlcache.lock);
andre@0: #else
andre@0: PR_Lock(crlcache.lock);
andre@0: #endif
andre@0: rv = CRLCache_GetIssuerCache(&crlcache, subject, &issuercache);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: NSSRWLock_UnlockRead(crlcache.lock);
andre@0: #else
andre@0: PR_Unlock(crlcache.lock);
andre@0: #endif
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (!issuercache)
andre@0: {
andre@0: /* there is no cache for this issuer yet. This means this is the
andre@0: first time we look up a cert from that issuer, and we need to
andre@0: create the cache. */
andre@0:
andre@0: rv = IssuerCache_Create(&issuercache, issuer, subject, dp);
andre@0: if (SECSuccess == rv && !issuercache)
andre@0: {
andre@0: PORT_Assert(issuercache);
andre@0: rv = SECFailure;
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: /* This is the first time we look up a cert of this issuer.
andre@0: Create the DPCache for this DP . */
andre@0: rv = IssuerCache_AddDP(issuercache, issuer, subject, dp, dpcache);
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: /* lock the DPCache for write to ensure the update happens in this
andre@0: thread */
andre@0: *writeLocked = PR_TRUE;
andre@0: #ifdef DPC_RWLOCK
andre@0: NSSRWLock_LockWrite((*dpcache)->lock);
andre@0: #else
andre@0: PR_Lock((*dpcache)->lock);
andre@0: #endif
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: /* now add the new issuer cache to the global hash table of
andre@0: issuers */
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: CRLIssuerCache* existing = NULL;
andre@0: NSSRWLock_UnlockRead(crlcache.lock);
andre@0: /* when using a r/w lock for the global cache, check if the issuer
andre@0: already exists before adding to the hash table */
andre@0: NSSRWLock_LockWrite(crlcache.lock);
andre@0: globalwrite = PR_TRUE;
andre@0: rv = CRLCache_GetIssuerCache(&crlcache, subject, &existing);
andre@0: if (!existing)
andre@0: {
andre@0: #endif
andre@0: rv = CRLCache_AddIssuer(issuercache);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: /* failure */
andre@0: rv = SECFailure;
andre@0: }
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: }
andre@0: else
andre@0: {
andre@0: /* somebody else updated before we did */
andre@0: IssuerCache_Destroy(issuercache); /* destroy the new object */
andre@0: issuercache = existing; /* use the existing one */
andre@0: *dpcache = IssuerCache_GetDPCache(issuercache, dp);
andre@0: }
andre@0: #endif
andre@0: }
andre@0:
andre@0: /* now unlock the global cache. We only want to lock the issuer hash
andre@0: table addition. Holding it longer would hurt scalability */
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: if (PR_TRUE == globalwrite)
andre@0: {
andre@0: NSSRWLock_UnlockWrite(crlcache.lock);
andre@0: globalwrite = PR_FALSE;
andre@0: }
andre@0: else
andre@0: {
andre@0: NSSRWLock_UnlockRead(crlcache.lock);
andre@0: }
andre@0: #else
andre@0: PR_Unlock(crlcache.lock);
andre@0: #endif
andre@0:
andre@0: /* if there was a failure adding an issuer cache object, destroy it */
andre@0: if (SECSuccess != rv && issuercache)
andre@0: {
andre@0: if (PR_TRUE == *writeLocked)
andre@0: {
andre@0: #ifdef DPC_RWLOCK
andre@0: NSSRWLock_UnlockWrite((*dpcache)->lock);
andre@0: #else
andre@0: PR_Unlock((*dpcache)->lock);
andre@0: #endif
andre@0: }
andre@0: IssuerCache_Destroy(issuercache);
andre@0: issuercache = NULL;
andre@0: }
andre@0:
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: } else
andre@0: {
andre@0: #ifdef GLOBAL_RWLOCK
andre@0: NSSRWLock_UnlockRead(crlcache.lock);
andre@0: #else
andre@0: PR_Unlock(crlcache.lock);
andre@0: #endif
andre@0: *dpcache = IssuerCache_GetDPCache(issuercache, dp);
andre@0: }
andre@0: /* we now have a DPCache that we can use for lookups */
andre@0: /* lock it for read, unless we already locked for write */
andre@0: if (PR_FALSE == *writeLocked)
andre@0: {
andre@0: #ifdef DPC_RWLOCK
andre@0: NSSRWLock_LockRead((*dpcache)->lock);
andre@0: #else
andre@0: PR_Lock((*dpcache)->lock);
andre@0: #endif
andre@0: }
andre@0:
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: /* currently there is always one and only one DPCache per issuer */
andre@0: PORT_Assert(*dpcache);
andre@0: if (*dpcache)
andre@0: {
andre@0: /* make sure the DP cache is up to date before using it */
andre@0: rv = DPCache_GetUpToDate(*dpcache, issuer, PR_FALSE == *writeLocked,
andre@0: t, wincx);
andre@0: }
andre@0: else
andre@0: {
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* unlock access to the DPCache */
andre@0: void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked)
andre@0: {
andre@0: if (!dpcache)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return;
andre@0: }
andre@0: #ifdef DPC_RWLOCK
andre@0: if (PR_TRUE == writeLocked)
andre@0: {
andre@0: NSSRWLock_UnlockWrite(dpcache->lock);
andre@0: }
andre@0: else
andre@0: {
andre@0: NSSRWLock_UnlockRead(dpcache->lock);
andre@0: }
andre@0: #else
andre@0: PR_Unlock(dpcache->lock);
andre@0: #endif
andre@0: }
andre@0:
andre@0: SECStatus
andre@0: cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
andre@0: const SECItem* dp, PRTime t, void *wincx,
andre@0: CERTRevocationStatus *revStatus,
andre@0: CERTCRLEntryReasonCode *revReason)
andre@0: {
andre@0: PRBool lockedwrite = PR_FALSE;
andre@0: SECStatus rv = SECSuccess;
andre@0: CRLDPCache* dpcache = NULL;
andre@0: CERTRevocationStatus status = certRevocationStatusRevoked;
andre@0: CERTCRLEntryReasonCode reason = crlEntryReasonUnspecified;
andre@0: CERTCrlEntry* entry = NULL;
andre@0: dpcacheStatus ds;
andre@0:
andre@0: if (!cert || !issuer)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: if (revStatus)
andre@0: {
andre@0: *revStatus = status;
andre@0: }
andre@0: if (revReason)
andre@0: {
andre@0: *revReason = reason;
andre@0: }
andre@0:
andre@0: if (t && secCertTimeValid != CERT_CheckCertValidTimes(issuer, t, PR_FALSE))
andre@0: {
andre@0: /* we won't be able to check the CRL's signature if the issuer cert
andre@0: is expired as of the time we are verifying. This may cause a valid
andre@0: CRL to be cached as bad. short-circuit to avoid this case. */
andre@0: PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache,
andre@0: &lockedwrite);
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* now look up the certificate SN in the DP cache's CRL */
andre@0: ds = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
andre@0: switch (ds)
andre@0: {
andre@0: case dpcacheFoundEntry:
andre@0: PORT_Assert(entry);
andre@0: /* check the time if we have one */
andre@0: if (entry->revocationDate.data && entry->revocationDate.len)
andre@0: {
andre@0: PRTime revocationDate = 0;
andre@0: if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
andre@0: &entry->revocationDate))
andre@0: {
andre@0: /* we got a good revocation date, only consider the
andre@0: certificate revoked if the time we are inquiring about
andre@0: is past the revocation date */
andre@0: if (t>=revocationDate)
andre@0: {
andre@0: rv = SECFailure;
andre@0: }
andre@0: else
andre@0: {
andre@0: status = certRevocationStatusValid;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: /* invalid revocation date, consider the certificate
andre@0: permanently revoked */
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: /* no revocation date, certificate is permanently revoked */
andre@0: rv = SECFailure;
andre@0: }
andre@0: if (SECFailure == rv)
andre@0: {
andre@0: SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason);
andre@0: PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
andre@0: }
andre@0: break;
andre@0:
andre@0: case dpcacheEmpty:
andre@0: /* useful for NIST policy */
andre@0: status = certRevocationStatusUnknown;
andre@0: break;
andre@0:
andre@0: case dpcacheNoEntry:
andre@0: status = certRevocationStatusValid;
andre@0: break;
andre@0:
andre@0: case dpcacheInvalidCacheError:
andre@0: /* treat it as unknown and let the caller decide based on
andre@0: the policy */
andre@0: status = certRevocationStatusUnknown;
andre@0: break;
andre@0:
andre@0: default:
andre@0: /* leave status as revoked */
andre@0: break;
andre@0: }
andre@0:
andre@0: ReleaseDPCache(dpcache, lockedwrite);
andre@0: if (revStatus)
andre@0: {
andre@0: *revStatus = status;
andre@0: }
andre@0: if (revReason)
andre@0: {
andre@0: *revReason = reason;
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* check CRL revocation status of given certificate and issuer */
andre@0: SECStatus
andre@0: CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
andre@0: const SECItem* dp, PRTime t, void* wincx)
andre@0: {
andre@0: return cert_CheckCertRevocationStatus(cert, issuer, dp, t, wincx,
andre@0: NULL, NULL);
andre@0: }
andre@0:
andre@0: /* retrieve full CRL object that best matches the cache status */
andre@0: CERTSignedCrl *
andre@0: SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
andre@0: {
andre@0: CERTSignedCrl* acrl = NULL;
andre@0: CRLDPCache* dpcache = NULL;
andre@0: SECStatus rv = SECSuccess;
andre@0: PRBool writeLocked = PR_FALSE;
andre@0:
andre@0: if (!crlKey)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return NULL;
andre@0: }
andre@0:
andre@0: rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &dpcache, &writeLocked);
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: acrl = GetBestCRL(dpcache, PR_TRUE); /* decode entries, because
andre@0: SEC_FindCrlByName always returned fully decoded CRLs in the past */
andre@0: ReleaseDPCache(dpcache, writeLocked);
andre@0: }
andre@0: return acrl;
andre@0: }
andre@0:
andre@0: /* invalidate the CRL cache for a given issuer, which forces a refetch of
andre@0: CRL objects from PKCS#11 tokens */
andre@0: void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey)
andre@0: {
andre@0: CRLDPCache* cache = NULL;
andre@0: SECStatus rv = SECSuccess;
andre@0: PRBool writeLocked = PR_FALSE;
andre@0: PRBool readlocked;
andre@0:
andre@0: (void) dbhandle; /* silence compiler warnings */
andre@0:
andre@0: /* XCRL we will need to refresh all the DPs of the issuer in the future,
andre@0: not just the default one */
andre@0: rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &cache, &writeLocked);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: return;
andre@0: }
andre@0: /* we need to invalidate the DPCache here */
andre@0: readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
andre@0: DPCache_LockWrite();
andre@0: cache->refresh = PR_TRUE;
andre@0: DPCache_UnlockWrite();
andre@0: ReleaseDPCache(cache, writeLocked);
andre@0: return;
andre@0: }
andre@0:
andre@0: /* add the specified RAM CRL object to the cache */
andre@0: SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newdercrl)
andre@0: {
andre@0: CRLDPCache* cache = NULL;
andre@0: SECStatus rv = SECSuccess;
andre@0: PRBool writeLocked = PR_FALSE;
andre@0: PRBool readlocked;
andre@0: CachedCrl* returned = NULL;
andre@0: PRBool added = PR_FALSE;
andre@0: CERTSignedCrl* newcrl = NULL;
andre@0: int realerror = 0;
andre@0:
andre@0: if (!dbhandle || !newdercrl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* first decode the DER CRL to make sure it's OK */
andre@0: newcrl = CERT_DecodeDERCrlWithFlags(NULL, newdercrl, SEC_CRL_TYPE,
andre@0: CRL_DECODE_DONT_COPY_DER |
andre@0: CRL_DECODE_SKIP_ENTRIES);
andre@0:
andre@0: if (!newcrl)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* XXX check if it has IDP extension. If so, do not proceed and set error */
andre@0:
andre@0: rv = AcquireDPCache(NULL,
andre@0: &newcrl->crl.derName,
andre@0: NULL, 0, NULL, &cache, &writeLocked);
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
andre@0:
andre@0: rv = CachedCrl_Create(&returned, newcrl, CRL_OriginExplicit);
andre@0: if (SECSuccess == rv && returned)
andre@0: {
andre@0: DPCache_LockWrite();
andre@0: rv = DPCache_AddCRL(cache, returned, &added);
andre@0: if (PR_TRUE != added)
andre@0: {
andre@0: realerror = PORT_GetError();
andre@0: CachedCrl_Destroy(returned);
andre@0: returned = NULL;
andre@0: }
andre@0: DPCache_UnlockWrite();
andre@0: }
andre@0:
andre@0: ReleaseDPCache(cache, writeLocked);
andre@0:
andre@0: if (!added)
andre@0: {
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: SEC_DestroyCrl(newcrl); /* free the CRL. Either it got added to the cache
andre@0: and the refcount got bumped, or not, and thus we need to free its
andre@0: RAM */
andre@0: if (realerror)
andre@0: {
andre@0: PORT_SetError(realerror);
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* remove the specified RAM CRL object from the cache */
andre@0: SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* olddercrl)
andre@0: {
andre@0: CRLDPCache* cache = NULL;
andre@0: SECStatus rv = SECSuccess;
andre@0: PRBool writeLocked = PR_FALSE;
andre@0: PRBool readlocked;
andre@0: PRBool removed = PR_FALSE;
andre@0: PRUint32 i;
andre@0: CERTSignedCrl* oldcrl = NULL;
andre@0:
andre@0: if (!dbhandle || !olddercrl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: /* first decode the DER CRL to make sure it's OK */
andre@0: oldcrl = CERT_DecodeDERCrlWithFlags(NULL, olddercrl, SEC_CRL_TYPE,
andre@0: CRL_DECODE_DONT_COPY_DER |
andre@0: CRL_DECODE_SKIP_ENTRIES);
andre@0:
andre@0: if (!oldcrl)
andre@0: {
andre@0: /* if this DER CRL can't decode, it can't be in the cache */
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: rv = AcquireDPCache(NULL,
andre@0: &oldcrl->crl.derName,
andre@0: NULL, 0, NULL, &cache, &writeLocked);
andre@0: if (SECSuccess == rv)
andre@0: {
andre@0: CachedCrl* returned = NULL;
andre@0:
andre@0: readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
andre@0:
andre@0: rv = CachedCrl_Create(&returned, oldcrl, CRL_OriginExplicit);
andre@0: if (SECSuccess == rv && returned)
andre@0: {
andre@0: DPCache_LockWrite();
andre@0: for (i=0;i<cache->ncrls;i++)
andre@0: {
andre@0: PRBool dupe = PR_FALSE, updated = PR_FALSE;
andre@0: rv = CachedCrl_Compare(returned, cache->crls[i],
andre@0: &dupe, &updated);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: break;
andre@0: }
andre@0: if (PR_TRUE == dupe)
andre@0: {
andre@0: rv = DPCache_RemoveCRL(cache, i); /* got a match */
andre@0: if (SECSuccess == rv) {
andre@0: cache->mustchoose = PR_TRUE;
andre@0: removed = PR_TRUE;
andre@0: }
andre@0: break;
andre@0: }
andre@0: }
andre@0:
andre@0: DPCache_UnlockWrite();
andre@0:
andre@0: if (SECSuccess != CachedCrl_Destroy(returned) ) {
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0:
andre@0: ReleaseDPCache(cache, writeLocked);
andre@0: }
andre@0: if (SECSuccess != SEC_DestroyCrl(oldcrl) ) {
andre@0: /* need to do this because object is refcounted */
andre@0: rv = SECFailure;
andre@0: }
andre@0: if (SECSuccess == rv && PR_TRUE != removed)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned)
andre@0: {
andre@0: PORT_Assert(returned);
andre@0: if (!namedCRLCache.lock)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: PR_Lock(namedCRLCache.lock);
andre@0: *returned = &namedCRLCache;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* This must be called only while cache is acquired, and the entry is only
andre@0: * valid until cache is released.
andre@0: */
andre@0: SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
andre@0: const SECItem* canonicalizedName,
andre@0: NamedCRLCacheEntry** retEntry)
andre@0: {
andre@0: if (!ncc || !canonicalizedName || !retEntry)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0: *retEntry = (NamedCRLCacheEntry*) PL_HashTableLookup(namedCRLCache.entries,
andre@0: (void*) canonicalizedName);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc)
andre@0: {
andre@0: if (!ncc)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: if (!ncc->lock)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: return SECFailure;
andre@0: }
andre@0: PR_Unlock(namedCRLCache.lock);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* creates new named cache entry from CRL, and tries to add it to CRL cache */
andre@0: static SECStatus addCRLToCache(CERTCertDBHandle* dbhandle, SECItem* crl,
andre@0: const SECItem* canonicalizedName,
andre@0: NamedCRLCacheEntry** newEntry)
andre@0: {
andre@0: SECStatus rv = SECSuccess;
andre@0: NamedCRLCacheEntry* entry = NULL;
andre@0:
andre@0: /* create new named entry */
andre@0: if (SECSuccess != NamedCRLCacheEntry_Create(newEntry) || !*newEntry)
andre@0: {
andre@0: /* no need to keep unused CRL around */
andre@0: SECITEM_ZfreeItem(crl, PR_TRUE);
andre@0: return SECFailure;
andre@0: }
andre@0: entry = *newEntry;
andre@0: entry->crl = crl; /* named CRL cache owns DER */
andre@0: entry->lastAttemptTime = PR_Now();
andre@0: entry->canonicalizedName = SECITEM_DupItem(canonicalizedName);
andre@0: if (!entry->canonicalizedName)
andre@0: {
andre@0: rv = NamedCRLCacheEntry_Destroy(entry); /* destroys CRL too */
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: return SECFailure;
andre@0: }
andre@0: /* now, attempt to insert CRL into CRL cache */
andre@0: if (SECSuccess == CERT_CacheCRL(dbhandle, entry->crl))
andre@0: {
andre@0: entry->inCRLCache = PR_TRUE;
andre@0: entry->successfulInsertionTime = entry->lastAttemptTime;
andre@0: }
andre@0: else
andre@0: {
andre@0: switch (PR_GetError())
andre@0: {
andre@0: case SEC_ERROR_CRL_ALREADY_EXISTS:
andre@0: entry->dupe = PR_TRUE;
andre@0: break;
andre@0:
andre@0: case SEC_ERROR_BAD_DER:
andre@0: entry->badDER = PR_TRUE;
andre@0: break;
andre@0:
andre@0: /* all other reasons */
andre@0: default:
andre@0: entry->unsupported = PR_TRUE;
andre@0: break;
andre@0: }
andre@0: rv = SECFailure;
andre@0: /* no need to keep unused CRL around */
andre@0: SECITEM_ZfreeItem(entry->crl, PR_TRUE);
andre@0: entry->crl = NULL;
andre@0: }
andre@0: return rv;
andre@0: }
andre@0:
andre@0: /* take ownership of CRL, and insert it into the named CRL cache
andre@0: * and indexed CRL cache
andre@0: */
andre@0: SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
andre@0: const SECItem* canonicalizedName)
andre@0: {
andre@0: NamedCRLCacheEntry* oldEntry, * newEntry = NULL;
andre@0: NamedCRLCache* ncc = NULL;
andre@0: SECStatus rv = SECSuccess, rv2;
andre@0:
andre@0: PORT_Assert(namedCRLCache.lock);
andre@0: PORT_Assert(namedCRLCache.entries);
andre@0:
andre@0: if (!crl || !canonicalizedName)
andre@0: {
andre@0: PORT_Assert(0);
andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: rv = cert_AcquireNamedCRLCache(&ncc);
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: SECITEM_ZfreeItem(crl, PR_TRUE);
andre@0: return SECFailure;
andre@0: }
andre@0: rv = cert_FindCRLByGeneralName(ncc, canonicalizedName, &oldEntry);
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: rv = cert_ReleaseNamedCRLCache(ncc);
andre@0: SECITEM_ZfreeItem(crl, PR_TRUE);
andre@0: return SECFailure;
andre@0: }
andre@0: if (SECSuccess == addCRLToCache(dbhandle, crl, canonicalizedName,
andre@0: &newEntry) )
andre@0: {
andre@0: if (!oldEntry)
andre@0: {
andre@0: /* add new good entry to the hash table */
andre@0: if (NULL == PL_HashTableAdd(namedCRLCache.entries,
andre@0: (void*) newEntry->canonicalizedName,
andre@0: (void*) newEntry))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: rv2 = NamedCRLCacheEntry_Destroy(newEntry);
andre@0: PORT_Assert(SECSuccess == rv2);
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: PRBool removed;
andre@0: /* remove the old CRL from the cache if needed */
andre@0: if (oldEntry->inCRLCache)
andre@0: {
andre@0: rv = CERT_UncacheCRL(dbhandle, oldEntry->crl);
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: }
andre@0: removed = PL_HashTableRemove(namedCRLCache.entries,
andre@0: (void*) oldEntry->canonicalizedName);
andre@0: PORT_Assert(removed);
andre@0: if (!removed)
andre@0: {
andre@0: rv = SECFailure;
andre@0: /* leak old entry since we couldn't remove it from the hash table */
andre@0: }
andre@0: else
andre@0: {
andre@0: rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
andre@0: PORT_Assert(SECSuccess == rv2);
andre@0: }
andre@0: if (NULL == PL_HashTableAdd(namedCRLCache.entries,
andre@0: (void*) newEntry->canonicalizedName,
andre@0: (void*) newEntry))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: } else
andre@0: {
andre@0: /* error adding new CRL to cache */
andre@0: if (!oldEntry)
andre@0: {
andre@0: /* no old cache entry, use the new one even though it's bad */
andre@0: if (NULL == PL_HashTableAdd(namedCRLCache.entries,
andre@0: (void*) newEntry->canonicalizedName,
andre@0: (void*) newEntry))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: else
andre@0: {
andre@0: if (oldEntry->inCRLCache)
andre@0: {
andre@0: /* previous cache entry was good, keep it and update time */
andre@0: oldEntry-> lastAttemptTime = newEntry->lastAttemptTime;
andre@0: /* throw away new bad entry */
andre@0: rv = NamedCRLCacheEntry_Destroy(newEntry);
andre@0: PORT_Assert(SECSuccess == rv);
andre@0: }
andre@0: else
andre@0: {
andre@0: /* previous cache entry was bad, just replace it */
andre@0: PRBool removed = PL_HashTableRemove(namedCRLCache.entries,
andre@0: (void*) oldEntry->canonicalizedName);
andre@0: PORT_Assert(removed);
andre@0: if (!removed)
andre@0: {
andre@0: /* leak old entry since we couldn't remove it from the hash table */
andre@0: rv = SECFailure;
andre@0: }
andre@0: else
andre@0: {
andre@0: rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
andre@0: PORT_Assert(SECSuccess == rv2);
andre@0: }
andre@0: if (NULL == PL_HashTableAdd(namedCRLCache.entries,
andre@0: (void*) newEntry->canonicalizedName,
andre@0: (void*) newEntry))
andre@0: {
andre@0: PORT_Assert(0);
andre@0: rv = SECFailure;
andre@0: }
andre@0: }
andre@0: }
andre@0: }
andre@0: rv2 = cert_ReleaseNamedCRLCache(ncc);
andre@0: PORT_Assert(SECSuccess == rv2);
andre@0:
andre@0: return rv;
andre@0: }
andre@0:
andre@0: static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
andre@0: CRLOrigin origin)
andre@0: {
andre@0: CachedCrl* newcrl = NULL;
andre@0: if (!returned)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: newcrl = PORT_ZAlloc(sizeof(CachedCrl));
andre@0: if (!newcrl)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: newcrl->crl = SEC_DupCrl(crl);
andre@0: newcrl->origin = origin;
andre@0: *returned = newcrl;
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* empty the cache content */
andre@0: static SECStatus CachedCrl_Depopulate(CachedCrl* crl)
andre@0: {
andre@0: if (!crl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* destroy the hash table */
andre@0: if (crl->entries)
andre@0: {
andre@0: PL_HashTableDestroy(crl->entries);
andre@0: crl->entries = NULL;
andre@0: }
andre@0:
andre@0: /* free the pre buffer */
andre@0: if (crl->prebuffer)
andre@0: {
andre@0: PreAllocator_Destroy(crl->prebuffer);
andre@0: crl->prebuffer = NULL;
andre@0: }
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: static SECStatus CachedCrl_Destroy(CachedCrl* crl)
andre@0: {
andre@0: if (!crl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: CachedCrl_Depopulate(crl);
andre@0: SEC_DestroyCrl(crl->crl);
andre@0: PORT_Free(crl);
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* create hash table of CRL entries */
andre@0: static SECStatus CachedCrl_Populate(CachedCrl* crlobject)
andre@0: {
andre@0: SECStatus rv = SECFailure;
andre@0: CERTCrlEntry** crlEntry = NULL;
andre@0: PRUint32 numEntries = 0;
andre@0:
andre@0: if (!crlobject)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0: /* complete the entry decoding . XXX thread-safety of CRL object */
andre@0: rv = CERT_CompleteCRLDecodeEntries(crlobject->crl);
andre@0: if (SECSuccess != rv)
andre@0: {
andre@0: crlobject->unbuildable = PR_TRUE; /* don't try to build this again */
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: if (crlobject->entries && crlobject->prebuffer)
andre@0: {
andre@0: /* cache is already built */
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* build the hash table from the full CRL */
andre@0: /* count CRL entries so we can pre-allocate space for hash table entries */
andre@0: for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
andre@0: crlEntry++)
andre@0: {
andre@0: numEntries++;
andre@0: }
andre@0: crlobject->prebuffer = PreAllocator_Create(numEntries*sizeof(PLHashEntry));
andre@0: PORT_Assert(crlobject->prebuffer);
andre@0: if (!crlobject->prebuffer)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: /* create a new hash table */
andre@0: crlobject->entries = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
andre@0: PL_CompareValues, &preAllocOps, crlobject->prebuffer);
andre@0: PORT_Assert(crlobject->entries);
andre@0: if (!crlobject->entries)
andre@0: {
andre@0: return SECFailure;
andre@0: }
andre@0: /* add all serial numbers to the hash table */
andre@0: for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
andre@0: crlEntry++)
andre@0: {
andre@0: PL_HashTableAdd(crlobject->entries, &(*crlEntry)->serialNumber,
andre@0: *crlEntry);
andre@0: }
andre@0:
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: /* returns true if there are CRLs from PKCS#11 slots */
andre@0: static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache)
andre@0: {
andre@0: PRBool answer = PR_FALSE;
andre@0: PRUint32 i;
andre@0: for (i=0;i<cache->ncrls;i++)
andre@0: {
andre@0: if (cache->crls[i] && (CRL_OriginToken == cache->crls[i]->origin) )
andre@0: {
andre@0: answer = PR_TRUE;
andre@0: break;
andre@0: }
andre@0: }
andre@0: return answer;
andre@0: }
andre@0:
andre@0: /* are these CRLs the same, as far as the cache is concerned ? */
andre@0: /* are these CRLs the same token object but with different DER ?
andre@0: This can happen if the DER CRL got updated in the token, but the PKCS#11
andre@0: object ID did not change. NSS softoken has the unfortunate property to
andre@0: never change the object ID for CRL objects. */
andre@0: static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
andre@0: PRBool* isUpdated)
andre@0: {
andre@0: PORT_Assert(a);
andre@0: PORT_Assert(b);
andre@0: PORT_Assert(isDupe);
andre@0: PORT_Assert(isUpdated);
andre@0: if (!a || !b || !isDupe || !isUpdated || !a->crl || !b->crl)
andre@0: {
andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: *isDupe = *isUpdated = PR_FALSE;
andre@0:
andre@0: if (a == b)
andre@0: {
andre@0: /* dupe */
andre@0: *isDupe = PR_TRUE;
andre@0: *isUpdated = PR_FALSE;
andre@0: return SECSuccess;
andre@0: }
andre@0: if (b->origin != a->origin)
andre@0: {
andre@0: /* CRLs of different origins are not considered dupes,
andre@0: and can't be updated either */
andre@0: return SECSuccess;
andre@0: }
andre@0: if (CRL_OriginToken == b->origin)
andre@0: {
andre@0: /* for token CRLs, slot and PKCS#11 object handle must match for CRL
andre@0: to truly be a dupe */
andre@0: if ( (b->crl->slot == a->crl->slot) &&
andre@0: (b->crl->pkcs11ID == a->crl->pkcs11ID) )
andre@0: {
andre@0: /* ASN.1 DER needs to match for dupe check */
andre@0: /* could optimize by just checking a few fields like thisUpdate */
andre@0: if ( SECEqual == SECITEM_CompareItem(b->crl->derCrl,
andre@0: a->crl->derCrl) )
andre@0: {
andre@0: *isDupe = PR_TRUE;
andre@0: }
andre@0: else
andre@0: {
andre@0: *isUpdated = PR_TRUE;
andre@0: }
andre@0: }
andre@0: return SECSuccess;
andre@0: }
andre@0: if (CRL_OriginExplicit == b->origin)
andre@0: {
andre@0: /* We need to make sure this is the same object that the user provided
andre@0: to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
andre@0: just do a pointer comparison here.
andre@0: */
andre@0: if (b->crl->derCrl == a->crl->derCrl)
andre@0: {
andre@0: *isDupe = PR_TRUE;
andre@0: }
andre@0: }
andre@0: return SECSuccess;
andre@0: }