andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: /* andre@0: * pkix_validate.c andre@0: * andre@0: * Top level validateChain function andre@0: * andre@0: */ andre@0: andre@0: #include "pkix_validate.h" andre@0: #include "pkix_pl_common.h" andre@0: andre@0: /* --Private-Functions-------------------------------------------- */ andre@0: andre@0: /* andre@0: * FUNCTION: pkix_AddToVerifyLog andre@0: * DESCRIPTION: andre@0: * andre@0: * This function returns immediately if the address for the VerifyNode tree andre@0: * pointed to by "pVerifyTree" is NULL. Otherwise it creates a new VerifyNode andre@0: * from the Cert pointed to by "cert" and the Error pointed to by "error", andre@0: * and inserts it at the depth in the VerifyNode tree determined by "depth". A andre@0: * depth of zero means that this function creates the root node of a new tree. andre@0: * andre@0: * Note: this function does not include the means of choosing among branches andre@0: * of a tree. It is intended for non-branching trees, that is, where each andre@0: * parent node has only a single child node. andre@0: * andre@0: * PARAMETERS: andre@0: * "cert" andre@0: * The address of the Cert to be included in the new VerifyNode. Must be andre@0: * non-NULL. andre@0: * "depth" andre@0: * The UInt32 value of the depth. andre@0: * "error" andre@0: * The address of the Error to be included in the new VerifyNode. andre@0: * "pVerifyTree" andre@0: * The address of the VerifyNode tree into which the created VerifyNode andre@0: * is to be inserted. The node is not created if VerifyTree is NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_AddToVerifyLog( andre@0: PKIX_PL_Cert *cert, andre@0: PKIX_UInt32 depth, andre@0: PKIX_Error *error, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext) andre@0: { andre@0: andre@0: PKIX_VerifyNode *verifyNode = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_AddToVerifyLog"); andre@0: PKIX_NULLCHECK_ONE(cert); andre@0: andre@0: if (pVerifyTree) { /* nothing to do if no address given for log */ andre@0: andre@0: PKIX_CHECK(pkix_VerifyNode_Create andre@0: (cert, depth, error, &verifyNode, plContext), andre@0: PKIX_VERIFYNODECREATEFAILED); andre@0: andre@0: if (depth == 0) { andre@0: /* We just created the root node */ andre@0: *pVerifyTree = verifyNode; andre@0: } else { andre@0: PKIX_CHECK(pkix_VerifyNode_AddToChain andre@0: (*pVerifyTree, verifyNode, plContext), andre@0: PKIX_VERIFYNODEADDTOCHAINFAILED); andre@0: } andre@0: } andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_CheckCert andre@0: * DESCRIPTION: andre@0: * andre@0: * Checks whether the Cert pointed to by "cert" successfully validates andre@0: * using the List of CertChainCheckers pointed to by "checkers". If the andre@0: * certificate does not validate, an Error pointer is returned. andre@0: * andre@0: * This function should be called initially with the UInt32 pointed to by andre@0: * "pCheckerIndex" containing zero, and the pointer at "pNBIOContext" andre@0: * containing NULL. If a checker does non-blocking I/O, this function will andre@0: * return with the index of that checker stored at "pCheckerIndex" and a andre@0: * platform-dependent non-blocking I/O context stored at "pNBIOContext". andre@0: * A subsequent call to this function with those values intact will allow the andre@0: * checking to resume where it left off. This should be repeated until the andre@0: * function returns with NULL stored at "pNBIOContext". andre@0: * andre@0: * PARAMETERS: andre@0: * "cert" andre@0: * Address of Cert to validate. Must be non-NULL. andre@0: * "checkers" andre@0: * List of CertChainCheckers which must each validate the certificate. andre@0: * Must be non-NULL. andre@0: * "checkedExtOIDs" andre@0: * List of PKIX_PL_OID that has been processed. If called from building andre@0: * chain, it is the list of critical extension OIDs that has been andre@0: * processed prior to validation. May be NULL. andre@0: * "pCheckerIndex" andre@0: * Address at which is stored the the index, within the List "checkers", andre@0: * of a checker whose processing was interrupted by non-blocking I/O. andre@0: * Must be non-NULL. andre@0: * "pNBIOContext" andre@0: * Address at which is stored platform-specific non-blocking I/O context. andre@0: * Must be non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_CheckCert( andre@0: PKIX_PL_Cert *cert, andre@0: PKIX_List *checkers, andre@0: PKIX_List *checkedExtOIDsList, andre@0: PKIX_UInt32 *pCheckerIndex, andre@0: void **pNBIOContext, andre@0: void *plContext) andre@0: { andre@0: PKIX_CertChainChecker_CheckCallback checkerCheck = NULL; andre@0: PKIX_CertChainChecker *checker = NULL; andre@0: PKIX_List *unresCritExtOIDs = NULL; andre@0: PKIX_UInt32 numCheckers; andre@0: PKIX_UInt32 numUnresCritExtOIDs = 0; andre@0: PKIX_UInt32 checkerIndex = 0; andre@0: void *nbioContext = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_CheckCert"); andre@0: PKIX_NULLCHECK_FOUR(cert, checkers, pCheckerIndex, pNBIOContext); andre@0: andre@0: nbioContext = *pNBIOContext; andre@0: *pNBIOContext = NULL; /* prepare for case of error exit */ andre@0: andre@0: PKIX_CHECK(PKIX_PL_Cert_GetCriticalExtensionOIDs andre@0: (cert, &unresCritExtOIDs, plContext), andre@0: PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: for (checkerIndex = *pCheckerIndex; andre@0: checkerIndex < numCheckers; andre@0: checkerIndex++) { andre@0: andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (checkers, andre@0: checkerIndex, andre@0: (PKIX_PL_Object **)&checker, andre@0: plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback andre@0: (checker, &checkerCheck, plContext), andre@0: PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED); andre@0: andre@0: PKIX_CHECK(checkerCheck(checker, cert, unresCritExtOIDs, andre@0: &nbioContext, plContext), andre@0: PKIX_CERTCHAINCHECKERCHECKFAILED); andre@0: andre@0: if (nbioContext != NULL) { andre@0: *pCheckerIndex = checkerIndex; andre@0: *pNBIOContext = nbioContext; andre@0: goto cleanup; andre@0: } andre@0: andre@0: PKIX_DECREF(checker); andre@0: } andre@0: andre@0: if (unresCritExtOIDs){ andre@0: andre@0: #ifdef PKIX_VALIDATEDEBUG andre@0: { andre@0: PKIX_PL_String *oidString = NULL; andre@0: PKIX_UInt32 length; andre@0: char *oidAscii = NULL; andre@0: PKIX_TOSTRING(unresCritExtOIDs, &oidString, plContext, andre@0: PKIX_LISTTOSTRINGFAILED); andre@0: PKIX_CHECK(PKIX_PL_String_GetEncoded andre@0: (oidString, andre@0: PKIX_ESCASCII, andre@0: (void **) &oidAscii, andre@0: &length, andre@0: plContext), andre@0: PKIX_STRINGGETENCODEDFAILED); andre@0: PKIX_VALIDATE_DEBUG_ARG andre@0: ("unrecognized critical extension OIDs:" andre@0: " %s\n", oidAscii); andre@0: PKIX_DECREF(oidString); andre@0: PKIX_PL_Free(oidAscii, plContext); andre@0: } andre@0: #endif andre@0: andre@0: if (checkedExtOIDsList != NULL) { andre@0: /* Take out OID's that had been processed, if any */ andre@0: PKIX_CHECK(pkix_List_RemoveItems andre@0: (unresCritExtOIDs, andre@0: checkedExtOIDsList, andre@0: plContext), andre@0: PKIX_LISTREMOVEITEMSFAILED); andre@0: } andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength andre@0: (unresCritExtOIDs, &numUnresCritExtOIDs, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: if (numUnresCritExtOIDs != 0){ andre@0: PKIX_ERROR(PKIX_UNRECOGNIZEDCRITICALEXTENSION); andre@0: } andre@0: andre@0: } andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_DECREF(checker); andre@0: PKIX_DECREF(unresCritExtOIDs); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_InitializeCheckers andre@0: * DESCRIPTION: andre@0: * andre@0: * Creates several checkers and initializes them with values derived from the andre@0: * TrustAnchor pointed to by "anchor", the ProcessingParams pointed to by andre@0: * "procParams", and the number of Certs in the Chain, represented by andre@0: * "numCerts". The List of checkers is stored at "pCheckers". andre@0: * andre@0: * PARAMETERS: andre@0: * "anchor" andre@0: * Address of TrustAnchor used to initialize the SignatureChecker and andre@0: * NameChainingChecker. Must be non-NULL. andre@0: * "procParams" andre@0: * Address of ProcessingParams used to initialize the ExpirationChecker andre@0: * and TargetCertChecker. Must be non-NULL. andre@0: * "numCerts" andre@0: * Number of certificates in the CertChain. andre@0: * "pCheckers" andre@0: * Address where object pointer will be stored. Must be non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_InitializeCheckers( andre@0: PKIX_TrustAnchor *anchor, andre@0: PKIX_ProcessingParams *procParams, andre@0: PKIX_UInt32 numCerts, andre@0: PKIX_List **pCheckers, andre@0: void *plContext) andre@0: { andre@0: PKIX_CertChainChecker *targetCertChecker = NULL; andre@0: PKIX_CertChainChecker *expirationChecker = NULL; andre@0: PKIX_CertChainChecker *nameChainingChecker = NULL; andre@0: PKIX_CertChainChecker *nameConstraintsChecker = NULL; andre@0: PKIX_CertChainChecker *basicConstraintsChecker = NULL; andre@0: PKIX_CertChainChecker *policyChecker = NULL; andre@0: PKIX_CertChainChecker *sigChecker = NULL; andre@0: PKIX_CertChainChecker *defaultCrlChecker = NULL; andre@0: PKIX_CertChainChecker *userChecker = NULL; andre@0: PKIX_PL_X500Name *trustedCAName = NULL; andre@0: PKIX_PL_PublicKey *trustedPubKey = NULL; andre@0: PKIX_List *checkers = NULL; andre@0: PKIX_PL_Date *testDate = NULL; andre@0: PKIX_CertSelector *certSelector = NULL; andre@0: PKIX_PL_Cert *trustedCert = NULL; andre@0: PKIX_PL_CertNameConstraints *trustedNC = NULL; andre@0: PKIX_List *initialPolicies = NULL; andre@0: PKIX_Boolean policyQualifiersRejected = PKIX_FALSE; andre@0: PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; andre@0: PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; andre@0: PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; andre@0: PKIX_List *userCheckersList = NULL; andre@0: PKIX_List *certStores = NULL; andre@0: PKIX_UInt32 numCertCheckers = 0; andre@0: PKIX_UInt32 i; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_InitializeCheckers"); andre@0: PKIX_NULLCHECK_THREE(anchor, procParams, pCheckers); andre@0: PKIX_CHECK(PKIX_List_Create(&checkers, plContext), andre@0: PKIX_LISTCREATEFAILED); andre@0: andre@0: /* andre@0: * The TrustAnchor may have been created using CreateWithCert andre@0: * (in which case GetCAPublicKey and GetCAName will return NULL) andre@0: * or may have been created using CreateWithNameKeyPair (in which andre@0: * case GetTrustedCert will return NULL. So we call GetTrustedCert andre@0: * and populate trustedPubKey and trustedCAName accordingly. andre@0: */ andre@0: andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert andre@0: (anchor, &trustedCert, plContext), andre@0: PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); andre@0: andre@0: if (trustedCert){ andre@0: PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey andre@0: (trustedCert, &trustedPubKey, plContext), andre@0: PKIX_CERTGETSUBJECTPUBLICKEYFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_PL_Cert_GetSubject andre@0: (trustedCert, &trustedCAName, plContext), andre@0: PKIX_CERTGETSUBJECTFAILED); andre@0: } else { andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetCAPublicKey andre@0: (anchor, &trustedPubKey, plContext), andre@0: PKIX_TRUSTANCHORGETCAPUBLICKEYFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetCAName andre@0: (anchor, &trustedCAName, plContext), andre@0: PKIX_TRUSTANCHORGETCANAMEFAILED); andre@0: } andre@0: andre@0: PKIX_NULLCHECK_TWO(trustedPubKey, trustedCAName); andre@0: andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints andre@0: (anchor, &trustedNC, plContext), andre@0: PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints andre@0: (procParams, &certSelector, plContext), andre@0: PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetDate andre@0: (procParams, &testDate, plContext), andre@0: PKIX_PROCESSINGPARAMSGETDATEFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies andre@0: (procParams, &initialPolicies, plContext), andre@0: PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected andre@0: (procParams, &policyQualifiersRejected, plContext), andre@0: PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited andre@0: (procParams, &initialPolicyMappingInhibit, plContext), andre@0: PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited andre@0: (procParams, &initialAnyPolicyInhibit, plContext), andre@0: PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired andre@0: (procParams, &initialExplicitPolicy, plContext), andre@0: PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetCertStores andre@0: (procParams, &certStores, plContext), andre@0: PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers andre@0: (procParams, &userCheckersList, plContext), andre@0: PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); andre@0: andre@0: /* now, initialize all the checkers */ andre@0: PKIX_CHECK(pkix_TargetCertChecker_Initialize andre@0: (certSelector, numCerts, &targetCertChecker, plContext), andre@0: PKIX_TARGETCERTCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_ExpirationChecker_Initialize andre@0: (testDate, &expirationChecker, plContext), andre@0: PKIX_EXPIRATIONCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_NameChainingChecker_Initialize andre@0: (trustedCAName, &nameChainingChecker, plContext), andre@0: PKIX_NAMECHAININGCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_NameConstraintsChecker_Initialize andre@0: (trustedNC, numCerts, &nameConstraintsChecker, plContext), andre@0: PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_BasicConstraintsChecker_Initialize andre@0: (numCerts, &basicConstraintsChecker, plContext), andre@0: PKIX_BASICCONSTRAINTSCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_PolicyChecker_Initialize andre@0: (initialPolicies, andre@0: policyQualifiersRejected, andre@0: initialPolicyMappingInhibit, andre@0: initialExplicitPolicy, andre@0: initialAnyPolicyInhibit, andre@0: numCerts, andre@0: &policyChecker, andre@0: plContext), andre@0: PKIX_POLICYCHECKERINITIALIZEFAILED); andre@0: andre@0: PKIX_CHECK(pkix_SignatureChecker_Initialize andre@0: (trustedPubKey, numCerts, &sigChecker, plContext), andre@0: PKIX_SIGNATURECHECKERINITIALIZEFAILED); andre@0: andre@0: if (userCheckersList != NULL) { andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength andre@0: (userCheckersList, &numCertCheckers, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: for (i = 0; i < numCertCheckers; i++) { andre@0: andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (userCheckersList, andre@0: i, andre@0: (PKIX_PL_Object **) &userChecker, andre@0: plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, andre@0: (PKIX_PL_Object *)userChecker, andre@0: plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_DECREF(userChecker); andre@0: } andre@0: } andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)targetCertChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)expirationChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)nameChainingChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)nameConstraintsChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)basicConstraintsChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)policyChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_AppendItem andre@0: (checkers, (PKIX_PL_Object *)sigChecker, plContext), andre@0: PKIX_LISTAPPENDITEMFAILED); andre@0: andre@0: *pCheckers = checkers; andre@0: andre@0: cleanup: andre@0: andre@0: if (PKIX_ERROR_RECEIVED){ andre@0: PKIX_DECREF(checkers); andre@0: } andre@0: andre@0: PKIX_DECREF(certSelector); andre@0: PKIX_DECREF(testDate); andre@0: PKIX_DECREF(initialPolicies); andre@0: PKIX_DECREF(targetCertChecker); andre@0: PKIX_DECREF(expirationChecker); andre@0: PKIX_DECREF(nameChainingChecker); andre@0: PKIX_DECREF(nameConstraintsChecker); andre@0: PKIX_DECREF(basicConstraintsChecker); andre@0: PKIX_DECREF(policyChecker); andre@0: PKIX_DECREF(sigChecker); andre@0: PKIX_DECREF(trustedCAName); andre@0: PKIX_DECREF(trustedPubKey); andre@0: PKIX_DECREF(trustedNC); andre@0: PKIX_DECREF(trustedCert); andre@0: PKIX_DECREF(defaultCrlChecker); andre@0: PKIX_DECREF(userCheckersList); andre@0: PKIX_DECREF(certStores); andre@0: PKIX_DECREF(userChecker); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_RetrieveOutputs andre@0: * DESCRIPTION: andre@0: * andre@0: * This function queries the respective states of the List of checkers in andre@0: * "checkers" to to obtain the final public key from the SignatureChecker andre@0: * and the policy tree from the PolicyChecker, storing those values at andre@0: * "pFinalSubjPubKey" and "pPolicyTree", respectively. andre@0: * andre@0: * PARAMETERS: andre@0: * "checkers" andre@0: * Address of List of checkers to be queried. Must be non-NULL. andre@0: * "pFinalSubjPubKey" andre@0: * Address where final public key will be stored. Must be non-NULL. andre@0: * "pPolicyTree" andre@0: * Address where policy tree will be stored. Must be non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_RetrieveOutputs( andre@0: PKIX_List *checkers, andre@0: PKIX_PL_PublicKey **pFinalSubjPubKey, andre@0: PKIX_PolicyNode **pPolicyTree, andre@0: void *plContext) andre@0: { andre@0: PKIX_PL_PublicKey *finalSubjPubKey = NULL; andre@0: PKIX_PolicyNode *validPolicyTree = NULL; andre@0: PKIX_CertChainChecker *checker = NULL; andre@0: PKIX_PL_Object *state = NULL; andre@0: PKIX_UInt32 numCheckers = 0; andre@0: PKIX_UInt32 type; andre@0: PKIX_Int32 j; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_RetrieveOutputs"); andre@0: andre@0: PKIX_NULLCHECK_TWO(checkers, pPolicyTree); andre@0: andre@0: /* andre@0: * To optimize the search, we guess that the sigChecker is andre@0: * last in the tree and is preceded by the policyChecker. We andre@0: * search toward the front of the chain. Remember that List andre@0: * items are indexed 0..(numItems - 1). andre@0: */ andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: for (j = numCheckers - 1; j >= 0; j--){ andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (checkers, j, (PKIX_PL_Object **)&checker, plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState andre@0: (checker, &state, plContext), andre@0: PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); andre@0: andre@0: /* user defined checker may have no state */ andre@0: if (state != NULL) { andre@0: andre@0: PKIX_CHECK(PKIX_PL_Object_GetType(state, &type, plContext), andre@0: PKIX_OBJECTGETTYPEFAILED); andre@0: andre@0: if (type == PKIX_SIGNATURECHECKERSTATE_TYPE){ andre@0: /* final pubKey will include any inherited DSA params */ andre@0: finalSubjPubKey = andre@0: ((pkix_SignatureCheckerState *)state)-> andre@0: prevPublicKey; andre@0: PKIX_INCREF(finalSubjPubKey); andre@0: *pFinalSubjPubKey = finalSubjPubKey; andre@0: } andre@0: andre@0: if (type == PKIX_CERTPOLICYCHECKERSTATE_TYPE) { andre@0: validPolicyTree = andre@0: ((PKIX_PolicyCheckerState *)state)->validPolicyTree; andre@0: break; andre@0: } andre@0: } andre@0: andre@0: PKIX_DECREF(checker); andre@0: PKIX_DECREF(state); andre@0: } andre@0: andre@0: PKIX_INCREF(validPolicyTree); andre@0: *pPolicyTree = validPolicyTree; andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_DECREF(checker); andre@0: PKIX_DECREF(state); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_CheckChain andre@0: * DESCRIPTION: andre@0: * andre@0: * Checks whether the List of Certs pointed to by "certs", containing andre@0: * "numCerts" entries, successfully validates using each CertChainChecker in andre@0: * the List pointed to by "checkers" and has not been revoked, according to any andre@0: * of the Revocation Checkers in the List pointed to by "revChecker". Checkers andre@0: * are expected to remove from "removeCheckedExtOIDs" and extensions that they andre@0: * process. Indices to the certChain and the checkerChain are obtained and andre@0: * returned in "pCertCheckedIndex" and "pCheckerIndex", respectively. These andre@0: * should be set to zero prior to the initial call, but may be changed (and andre@0: * must be supplied on subsequent calls) if processing is suspended for non- andre@0: * blocking I/O. Each time a Cert passes from being validated by one of the andre@0: * CertChainCheckers to being checked by a Revocation Checker, the Boolean andre@0: * stored at "pRevChecking" is changed from FALSE to TRUE. If the Cert is andre@0: * rejected by a Revocation Checker, its reason code is returned at andre@0: * "pReasonCode. If the List of Certs successfully validates, the public key i andre@0: * the final certificate is obtained and stored at "pFinalSubjPubKey" and the andre@0: * validPolicyTree, which could be NULL, is stored at pPolicyTree. If the List andre@0: * of Certs fails to validate, an Error pointer is returned. andre@0: * andre@0: * If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which andre@0: * tracks the results of the validation. That is, either each node in the andre@0: * chain has a NULL Error component, or the last node contains an Error andre@0: * which indicates why the validation failed. andre@0: * andre@0: * The number of Certs in the List, represented by "numCerts", is used to andre@0: * determine which Cert is the final Cert. andre@0: * andre@0: * PARAMETERS: andre@0: * "certs" andre@0: * Address of List of Certs to validate. Must be non-NULL. andre@0: * "numCerts" andre@0: * Number of certificates in the List of certificates. andre@0: * "checkers" andre@0: * List of CertChainCheckers which must each validate the List of andre@0: * certificates. Must be non-NULL. andre@0: * "revChecker" andre@0: * List of RevocationCheckers which must each not reject the List of andre@0: * certificates. May be empty, but must be non-NULL. andre@0: * "removeCheckedExtOIDs" andre@0: * List of PKIX_PL_OID that has been processed. If called from building andre@0: * chain, it is the list of critical extension OIDs that has been andre@0: * processed prior to validation. Extension OIDs that may be processed by andre@0: * user defined checker processes are also in the list. May be NULL. andre@0: * "procParams" andre@0: * Address of ProcessingParams used to initialize various checkers. Must andre@0: * be non-NULL. andre@0: * "pCertCheckedIndex" andre@0: * Address where Int32 index to the Cert chain is obtained and andre@0: * returned. Must be non-NULL. andre@0: * "pCheckerIndex" andre@0: * Address where Int32 index to the CheckerChain is obtained and andre@0: * returned. Must be non-NULL. andre@0: * "pRevChecking" andre@0: * Address where Boolean is obtained and returned, indicating, if FALSE, andre@0: * that CertChainCheckers are being called; or, if TRUE, that RevChecker andre@0: * are being called. Must be non-NULL. andre@0: * "pReasonCode" andre@0: * Address where UInt32 results of revocation checking are stored. Must be andre@0: * non-NULL. andre@0: * "pNBIOContext" andre@0: * Address where platform-dependent context is stored if checking is andre@0: * suspended for non-blocking I/O. Must be non-NULL. andre@0: * "pFinalSubjPubKey" andre@0: * Address where the final public key will be stored. Must be non-NULL. andre@0: * "pPolicyTree" andre@0: * Address where the final validPolicyTree is stored. Must be non-NULL. andre@0: * "pVerifyTree" andre@0: * Address where a VerifyTree is stored, if non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: PKIX_Error * andre@0: pkix_CheckChain( andre@0: PKIX_List *certs, andre@0: PKIX_UInt32 numCerts, andre@0: PKIX_TrustAnchor *anchor, andre@0: PKIX_List *checkers, andre@0: PKIX_RevocationChecker *revChecker, andre@0: PKIX_List *removeCheckedExtOIDs, andre@0: PKIX_ProcessingParams *procParams, andre@0: PKIX_UInt32 *pCertCheckedIndex, andre@0: PKIX_UInt32 *pCheckerIndex, andre@0: PKIX_Boolean *pRevChecking, andre@0: PKIX_UInt32 *pReasonCode, andre@0: void **pNBIOContext, andre@0: PKIX_PL_PublicKey **pFinalSubjPubKey, andre@0: PKIX_PolicyNode **pPolicyTree, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext) andre@0: { andre@0: PKIX_UInt32 j = 0; andre@0: PKIX_Boolean revChecking = PKIX_FALSE; andre@0: PKIX_Error *checkCertError = NULL; andre@0: void *nbioContext = NULL; andre@0: PKIX_PL_Cert *cert = NULL; andre@0: PKIX_PL_Cert *issuer = NULL; andre@0: PKIX_PL_NssContext *nssContext = NULL; andre@0: CERTCertList *certList = NULL; andre@0: const CERTChainVerifyCallback *chainVerifyCallback = NULL; andre@0: CERTCertificate *nssCert = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_CheckChain"); andre@0: PKIX_NULLCHECK_FOUR(certs, checkers, revChecker, pCertCheckedIndex); andre@0: PKIX_NULLCHECK_FOUR(pCheckerIndex, pRevChecking, pReasonCode, anchor); andre@0: PKIX_NULLCHECK_THREE(pNBIOContext, pFinalSubjPubKey, pPolicyTree); andre@0: andre@0: nbioContext = *pNBIOContext; andre@0: *pNBIOContext = NULL; andre@0: revChecking = *pRevChecking; andre@0: nssContext = (PKIX_PL_NssContext *)plContext; andre@0: chainVerifyCallback = &nssContext->chainVerifyCallback; andre@0: andre@0: if (chainVerifyCallback->isChainValid != NULL) { andre@0: PRBool chainOK = PR_FALSE; /*assume failure*/ andre@0: SECStatus rv; andre@0: andre@0: certList = CERT_NewCertList(); andre@0: if (certList == NULL) { andre@0: PKIX_ERROR_ALLOC_ERROR(); andre@0: } andre@0: andre@0: /* Add the trust anchor to the list */ andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert andre@0: (anchor, &cert, plContext), andre@0: PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); andre@0: andre@0: PKIX_CHECK( andre@0: PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert, plContext), andre@0: PKIX_CERTGETCERTCERTIFICATEFAILED); andre@0: andre@0: rv = CERT_AddCertToListHead(certList, nssCert); andre@0: if (rv != SECSuccess) { andre@0: PKIX_ERROR_ALLOC_ERROR(); andre@0: } andre@0: /* the certList takes ownership of nssCert on success */ andre@0: nssCert = NULL; andre@0: PKIX_DECREF(cert); andre@0: andre@0: /* Add the rest of the chain to the list */ andre@0: for (j = *pCertCheckedIndex; j < numCerts; j++) { andre@0: PKIX_CHECK(PKIX_List_GetItem( andre@0: certs, j, (PKIX_PL_Object **)&cert, plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK( andre@0: PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert, plContext), andre@0: PKIX_CERTGETCERTCERTIFICATEFAILED); andre@0: andre@0: rv = CERT_AddCertToListHead(certList, nssCert); andre@0: if (rv != SECSuccess) { andre@0: PKIX_ERROR_ALLOC_ERROR(); andre@0: } andre@0: /* the certList takes ownership of nssCert on success */ andre@0: nssCert = NULL; andre@0: PKIX_DECREF(cert); andre@0: } andre@0: andre@0: rv = (*chainVerifyCallback->isChainValid) andre@0: (chainVerifyCallback->isChainValidArg, certList, &chainOK); andre@0: if (rv != SECSuccess) { andre@0: PKIX_ERROR_FATAL(PKIX_CHAINVERIFYCALLBACKFAILED); andre@0: } andre@0: andre@0: if (!chainOK) { andre@0: PKIX_ERROR(PKIX_CHAINVERIFYCALLBACKFAILED); andre@0: } andre@0: andre@0: } andre@0: andre@0: PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert andre@0: (anchor, &cert, plContext), andre@0: PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); andre@0: andre@0: for (j = *pCertCheckedIndex; j < numCerts; j++) { andre@0: andre@0: PORT_Assert(cert); andre@0: PKIX_DECREF(issuer); andre@0: issuer = cert; andre@0: cert = NULL; andre@0: andre@0: PKIX_CHECK(PKIX_List_GetItem( andre@0: certs, j, (PKIX_PL_Object **)&cert, plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: /* check if cert pointer is valid */ andre@0: PORT_Assert(cert); andre@0: if (cert == NULL) { andre@0: continue; andre@0: } andre@0: andre@0: if (revChecking == PKIX_FALSE) { andre@0: andre@0: PKIX_CHECK(pkix_CheckCert andre@0: (cert, andre@0: checkers, andre@0: removeCheckedExtOIDs, andre@0: pCheckerIndex, andre@0: &nbioContext, andre@0: plContext), andre@0: PKIX_CHECKCERTFAILED); andre@0: andre@0: if (nbioContext != NULL) { andre@0: *pCertCheckedIndex = j; andre@0: *pRevChecking = revChecking; andre@0: *pNBIOContext = nbioContext; andre@0: goto cleanup; andre@0: } andre@0: andre@0: revChecking = PKIX_TRUE; andre@0: *pCheckerIndex = 0; andre@0: } andre@0: andre@0: if (revChecking == PKIX_TRUE) { andre@0: PKIX_RevocationStatus revStatus; andre@0: pkixErrorResult = andre@0: PKIX_RevocationChecker_Check( andre@0: cert, issuer, revChecker, andre@0: procParams, PKIX_TRUE, andre@0: (j == numCerts - 1) ? PKIX_TRUE : PKIX_FALSE, andre@0: &revStatus, pReasonCode, andre@0: &nbioContext, plContext); andre@0: if (nbioContext != NULL) { andre@0: *pCertCheckedIndex = j; andre@0: *pRevChecking = revChecking; andre@0: *pNBIOContext = nbioContext; andre@0: goto cleanup; andre@0: } andre@0: if (revStatus == PKIX_RevStatus_Revoked || andre@0: pkixErrorResult) { andre@0: if (!pkixErrorResult) { andre@0: /* if pkixErrorResult is returned then andre@0: * use it as it has a detailed revocation andre@0: * error code. Otherwise create a new error */ andre@0: PKIX_ERROR_CREATE(VALIDATE, andre@0: PKIX_CERTIFICATEREVOKED, andre@0: pkixErrorResult); andre@0: } andre@0: goto cleanup; andre@0: } andre@0: revChecking = PKIX_FALSE; andre@0: *pCheckerIndex = 0; andre@0: } andre@0: andre@0: PKIX_CHECK(pkix_AddToVerifyLog andre@0: (cert, j, NULL, pVerifyTree, plContext), andre@0: PKIX_ADDTOVERIFYLOGFAILED); andre@0: } andre@0: andre@0: PKIX_CHECK(pkix_RetrieveOutputs andre@0: (checkers, pFinalSubjPubKey, pPolicyTree, plContext), andre@0: PKIX_RETRIEVEOUTPUTSFAILED); andre@0: andre@0: *pNBIOContext = NULL; andre@0: andre@0: cleanup: andre@0: if (PKIX_ERROR_RECEIVED && cert) { andre@0: checkCertError = pkixErrorResult; andre@0: andre@0: PKIX_CHECK_FATAL( andre@0: pkix_AddToVerifyLog(cert, j, checkCertError, pVerifyTree, andre@0: plContext), andre@0: PKIX_ADDTOVERIFYLOGFAILED); andre@0: pkixErrorResult = checkCertError; andre@0: pkixErrorCode = pkixErrorResult->errCode; andre@0: checkCertError = NULL; andre@0: } andre@0: andre@0: fatal: andre@0: if (nssCert) { andre@0: CERT_DestroyCertificate(nssCert); andre@0: } andre@0: andre@0: if (certList) { andre@0: CERT_DestroyCertList(certList); andre@0: } andre@0: andre@0: PKIX_DECREF(checkCertError); andre@0: PKIX_DECREF(cert); andre@0: PKIX_DECREF(issuer); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_ExtractParameters andre@0: * DESCRIPTION: andre@0: * andre@0: * Extracts several parameters from the ValidateParams object pointed to by andre@0: * "valParams" and stores the CertChain at "pChain", the List of Certs at andre@0: * "pCerts", the number of Certs in the chain at "pNumCerts", the andre@0: * ProcessingParams object at "pProcParams", the List of TrustAnchors at andre@0: * "pAnchors", and the number of TrustAnchors at "pNumAnchors". andre@0: * andre@0: * PARAMETERS: andre@0: * "valParams" andre@0: * Address of ValidateParams from which the parameters are extracted. andre@0: * Must be non-NULL. andre@0: * "pCerts" andre@0: * Address where object pointer for List of Certs will be stored. andre@0: * Must be non-NULL. andre@0: * "pNumCerts" andre@0: * Address where number of Certs will be stored. Must be non-NULL. andre@0: * "pProcParams" andre@0: * Address where object pointer for ProcessingParams will be stored. andre@0: * Must be non-NULL. andre@0: * "pAnchors" andre@0: * Address where object pointer for List of Anchors will be stored. andre@0: * Must be non-NULL. andre@0: * "pNumAnchors" andre@0: * Address where number of Anchors will be stored. Must be non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a Validate Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_ExtractParameters( andre@0: PKIX_ValidateParams *valParams, andre@0: PKIX_List **pCerts, andre@0: PKIX_UInt32 *pNumCerts, andre@0: PKIX_ProcessingParams **pProcParams, andre@0: PKIX_List **pAnchors, andre@0: PKIX_UInt32 *pNumAnchors, andre@0: void *plContext) andre@0: { andre@0: PKIX_ENTER(VALIDATE, "pkix_ExtractParameters"); andre@0: PKIX_NULLCHECK_THREE(valParams, pCerts, pNumCerts); andre@0: PKIX_NULLCHECK_THREE(pProcParams, pAnchors, pNumAnchors); andre@0: andre@0: /* extract relevant parameters from chain */ andre@0: PKIX_CHECK(PKIX_ValidateParams_GetCertChain andre@0: (valParams, pCerts, plContext), andre@0: PKIX_VALIDATEPARAMSGETCERTCHAINFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength(*pCerts, pNumCerts, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: /* extract relevant parameters from procParams */ andre@0: PKIX_CHECK(PKIX_ValidateParams_GetProcessingParams andre@0: (valParams, pProcParams, plContext), andre@0: PKIX_VALIDATEPARAMSGETPROCESSINGPARAMSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors andre@0: (*pProcParams, pAnchors, plContext), andre@0: PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength(*pAnchors, pNumAnchors, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: } andre@0: andre@0: /* --Public-Functions--------------------------------------------- */ andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_ValidateChain (see comments in pkix.h) andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_ValidateChain( andre@0: PKIX_ValidateParams *valParams, andre@0: PKIX_ValidateResult **pResult, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext) andre@0: { andre@0: PKIX_Error *chainFailed = NULL; andre@0: andre@0: PKIX_ProcessingParams *procParams = NULL; andre@0: PKIX_CertChainChecker *userChecker = NULL; andre@0: PKIX_RevocationChecker *revChecker = NULL; andre@0: PKIX_List *certs = NULL; andre@0: PKIX_List *checkers = NULL; andre@0: PKIX_List *anchors = NULL; andre@0: PKIX_List *userCheckers = NULL; andre@0: PKIX_List *userCheckerExtOIDs = NULL; andre@0: PKIX_List *validateCheckedCritExtOIDsList = NULL; andre@0: PKIX_TrustAnchor *anchor = NULL; andre@0: PKIX_ValidateResult *valResult = NULL; andre@0: PKIX_PL_PublicKey *finalPubKey = NULL; andre@0: PKIX_PolicyNode *validPolicyTree = NULL; andre@0: PKIX_Boolean supportForwarding = PKIX_FALSE; andre@0: PKIX_Boolean revChecking = PKIX_FALSE; andre@0: PKIX_UInt32 i, numCerts, numAnchors; andre@0: PKIX_UInt32 numUserCheckers = 0; andre@0: PKIX_UInt32 certCheckedIndex = 0; andre@0: PKIX_UInt32 checkerIndex = 0; andre@0: PKIX_UInt32 reasonCode = 0; andre@0: void *nbioContext = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "PKIX_ValidateChain"); andre@0: PKIX_NULLCHECK_TWO(valParams, pResult); andre@0: andre@0: /* extract various parameters from valParams */ andre@0: PKIX_CHECK(pkix_ExtractParameters andre@0: (valParams, andre@0: &certs, andre@0: &numCerts, andre@0: &procParams, andre@0: &anchors, andre@0: &numAnchors, andre@0: plContext), andre@0: PKIX_EXTRACTPARAMETERSFAILED); andre@0: andre@0: /* andre@0: * setup an extension OID list that user had defined for his checker andre@0: * processing. User checker is not responsible for taking out OIDs andre@0: * from unresolved critical extension list as the libpkix checker andre@0: * is doing. Here we add those user checkers' OIDs to the removal andre@0: * list to be taken out by CheckChain andre@0: */ andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers andre@0: (procParams, &userCheckers, plContext), andre@0: PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); andre@0: andre@0: if (userCheckers != NULL) { andre@0: andre@0: PKIX_CHECK(PKIX_List_Create andre@0: (&validateCheckedCritExtOIDsList, andre@0: plContext), andre@0: PKIX_LISTCREATEFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength andre@0: (userCheckers, &numUserCheckers, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: for (i = 0; i < numUserCheckers; i++) { andre@0: andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (userCheckers, andre@0: i, andre@0: (PKIX_PL_Object **) &userChecker, andre@0: plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK andre@0: (PKIX_CertChainChecker_IsForwardCheckingSupported andre@0: (userChecker, &supportForwarding, plContext), andre@0: PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); andre@0: andre@0: if (supportForwarding == PKIX_FALSE) { andre@0: andre@0: PKIX_CHECK andre@0: (PKIX_CertChainChecker_GetSupportedExtensions andre@0: (userChecker, &userCheckerExtOIDs, plContext), andre@0: PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); andre@0: andre@0: if (userCheckerExtOIDs != NULL) { andre@0: PKIX_CHECK(pkix_List_AppendList andre@0: (validateCheckedCritExtOIDsList, andre@0: userCheckerExtOIDs, andre@0: plContext), andre@0: PKIX_LISTAPPENDLISTFAILED); andre@0: } andre@0: } andre@0: andre@0: PKIX_DECREF(userCheckerExtOIDs); andre@0: PKIX_DECREF(userChecker); andre@0: } andre@0: } andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker andre@0: (procParams, &revChecker, plContext), andre@0: PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); andre@0: andre@0: /* try to validate the chain with each anchor */ andre@0: for (i = 0; i < numAnchors; i++){ andre@0: andre@0: /* get trust anchor */ andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (anchors, i, (PKIX_PL_Object **)&anchor, plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: /* initialize checkers using information from trust anchor */ andre@0: PKIX_CHECK(pkix_InitializeCheckers andre@0: (anchor, procParams, numCerts, &checkers, plContext), andre@0: PKIX_INITIALIZECHECKERSFAILED); andre@0: andre@0: /* andre@0: * Validate the chain using this trust anchor and these andre@0: * checkers. (WARNING: checkers that use non-blocking I/O andre@0: * are not currently supported.) andre@0: */ andre@0: certCheckedIndex = 0; andre@0: checkerIndex = 0; andre@0: revChecking = PKIX_FALSE; andre@0: chainFailed = pkix_CheckChain andre@0: (certs, andre@0: numCerts, andre@0: anchor, andre@0: checkers, andre@0: revChecker, andre@0: validateCheckedCritExtOIDsList, andre@0: procParams, andre@0: &certCheckedIndex, andre@0: &checkerIndex, andre@0: &revChecking, andre@0: &reasonCode, andre@0: &nbioContext, andre@0: &finalPubKey, andre@0: &validPolicyTree, andre@0: pVerifyTree, andre@0: plContext); andre@0: andre@0: if (chainFailed) { andre@0: andre@0: /* cert chain failed to validate */ andre@0: andre@0: PKIX_DECREF(chainFailed); andre@0: PKIX_DECREF(anchor); andre@0: PKIX_DECREF(checkers); andre@0: PKIX_DECREF(validPolicyTree); andre@0: andre@0: /* if last anchor, we fail; else, we try next anchor */ andre@0: if (i == (numAnchors - 1)) { /* last anchor */ andre@0: PKIX_ERROR(PKIX_VALIDATECHAINFAILED); andre@0: } andre@0: andre@0: } else { andre@0: andre@0: /* XXX Remove this assertion after 2014-12-31. andre@0: * See bug 946984. */ andre@0: PORT_Assert(reasonCode == 0); andre@0: andre@0: /* cert chain successfully validated! */ andre@0: PKIX_CHECK(pkix_ValidateResult_Create andre@0: (finalPubKey, andre@0: anchor, andre@0: validPolicyTree, andre@0: &valResult, andre@0: plContext), andre@0: PKIX_VALIDATERESULTCREATEFAILED); andre@0: andre@0: *pResult = valResult; andre@0: andre@0: /* no need to try any more anchors in the loop */ andre@0: goto cleanup; andre@0: } andre@0: } andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_DECREF(finalPubKey); andre@0: PKIX_DECREF(certs); andre@0: PKIX_DECREF(anchors); andre@0: PKIX_DECREF(anchor); andre@0: PKIX_DECREF(checkers); andre@0: PKIX_DECREF(revChecker); andre@0: PKIX_DECREF(validPolicyTree); andre@0: PKIX_DECREF(chainFailed); andre@0: PKIX_DECREF(procParams); andre@0: PKIX_DECREF(userCheckers); andre@0: PKIX_DECREF(validateCheckedCritExtOIDsList); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: pkix_Validate_BuildUserOIDs andre@0: * DESCRIPTION: andre@0: * andre@0: * This function creates a List of the OIDs that are processed by the user andre@0: * checkers in the List pointed to by "userCheckers", storing the resulting andre@0: * List at "pUserCritOIDs". If the List of userCheckers is NULL, the output andre@0: * List will be NULL. Otherwise the output List will be non-NULL, but may be andre@0: * empty. andre@0: * andre@0: * PARAMETERS: andre@0: * "userCheckers" andre@0: * The address of the List of userCheckers. andre@0: * "pUserCritOIDs" andre@0: * The address at which the List is stored. Must be non-NULL. andre@0: * "plContext" andre@0: * Platform-specific context pointer. andre@0: * THREAD SAFETY: andre@0: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) andre@0: * RETURNS: andre@0: * Returns NULL if the function succeeds. andre@0: * Returns a VALIDATE Error if the function fails in a non-fatal way. andre@0: * Returns a Fatal Error if the function fails in an unrecoverable way. andre@0: */ andre@0: static PKIX_Error * andre@0: pkix_Validate_BuildUserOIDs( andre@0: PKIX_List *userCheckers, andre@0: PKIX_List **pUserCritOIDs, andre@0: void *plContext) andre@0: { andre@0: PKIX_UInt32 numUserCheckers = 0; andre@0: PKIX_UInt32 i = 0; andre@0: PKIX_List *userCritOIDs = NULL; andre@0: PKIX_List *userCheckerExtOIDs = NULL; andre@0: PKIX_Boolean supportForwarding = PKIX_FALSE; andre@0: PKIX_CertChainChecker *userChecker = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "pkix_Validate_BuildUserOIDs"); andre@0: PKIX_NULLCHECK_ONE(pUserCritOIDs); andre@0: andre@0: if (userCheckers != NULL) { andre@0: PKIX_CHECK(PKIX_List_Create(&userCritOIDs, plContext), andre@0: PKIX_LISTCREATEFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_List_GetLength andre@0: (userCheckers, &numUserCheckers, plContext), andre@0: PKIX_LISTGETLENGTHFAILED); andre@0: andre@0: for (i = 0; i < numUserCheckers; i++) { andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (userCheckers, andre@0: i, andre@0: (PKIX_PL_Object **) &userChecker, andre@0: plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_CertChainChecker_IsForwardCheckingSupported andre@0: (userChecker, &supportForwarding, plContext), andre@0: PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); andre@0: andre@0: if (supportForwarding == PKIX_FALSE) { andre@0: andre@0: PKIX_CHECK(PKIX_CertChainChecker_GetSupportedExtensions andre@0: (userChecker, &userCheckerExtOIDs, plContext), andre@0: PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); andre@0: andre@0: if (userCheckerExtOIDs != NULL) { andre@0: PKIX_CHECK(pkix_List_AppendList andre@0: (userCritOIDs, userCheckerExtOIDs, plContext), andre@0: PKIX_LISTAPPENDLISTFAILED); andre@0: } andre@0: } andre@0: andre@0: PKIX_DECREF(userCheckerExtOIDs); andre@0: PKIX_DECREF(userChecker); andre@0: } andre@0: } andre@0: andre@0: *pUserCritOIDs = userCritOIDs; andre@0: andre@0: cleanup: andre@0: andre@0: if (PKIX_ERROR_RECEIVED){ andre@0: PKIX_DECREF(userCritOIDs); andre@0: } andre@0: andre@0: PKIX_DECREF(userCheckerExtOIDs); andre@0: PKIX_DECREF(userChecker); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: } andre@0: andre@0: /* andre@0: * FUNCTION: PKIX_ValidateChain_nb (see comments in pkix.h) andre@0: */ andre@0: PKIX_Error * andre@0: PKIX_ValidateChain_NB( andre@0: PKIX_ValidateParams *valParams, andre@0: PKIX_UInt32 *pCertIndex, andre@0: PKIX_UInt32 *pAnchorIndex, andre@0: PKIX_UInt32 *pCheckerIndex, andre@0: PKIX_Boolean *pRevChecking, andre@0: PKIX_List **pCheckers, andre@0: void **pNBIOContext, andre@0: PKIX_ValidateResult **pResult, andre@0: PKIX_VerifyNode **pVerifyTree, andre@0: void *plContext) andre@0: { andre@0: PKIX_UInt32 numCerts = 0; andre@0: PKIX_UInt32 numAnchors = 0; andre@0: PKIX_UInt32 i = 0; andre@0: PKIX_UInt32 certIndex = 0; andre@0: PKIX_UInt32 anchorIndex = 0; andre@0: PKIX_UInt32 checkerIndex = 0; andre@0: PKIX_UInt32 reasonCode = 0; andre@0: PKIX_Boolean revChecking = PKIX_FALSE; andre@0: PKIX_List *certs = NULL; andre@0: PKIX_List *anchors = NULL; andre@0: PKIX_List *checkers = NULL; andre@0: PKIX_List *userCheckers = NULL; andre@0: PKIX_List *validateCheckedCritExtOIDsList = NULL; andre@0: PKIX_TrustAnchor *anchor = NULL; andre@0: PKIX_ValidateResult *valResult = NULL; andre@0: PKIX_PL_PublicKey *finalPubKey = NULL; andre@0: PKIX_PolicyNode *validPolicyTree = NULL; andre@0: PKIX_ProcessingParams *procParams = NULL; andre@0: PKIX_RevocationChecker *revChecker = NULL; andre@0: PKIX_Error *chainFailed = NULL; andre@0: void *nbioContext = NULL; andre@0: andre@0: PKIX_ENTER(VALIDATE, "PKIX_ValidateChain_NB"); andre@0: PKIX_NULLCHECK_FOUR andre@0: (valParams, pCertIndex, pAnchorIndex, pCheckerIndex); andre@0: PKIX_NULLCHECK_FOUR(pRevChecking, pCheckers, pNBIOContext, pResult); andre@0: andre@0: nbioContext = *pNBIOContext; andre@0: *pNBIOContext = NULL; andre@0: andre@0: /* extract various parameters from valParams */ andre@0: PKIX_CHECK(pkix_ExtractParameters andre@0: (valParams, andre@0: &certs, andre@0: &numCerts, andre@0: &procParams, andre@0: &anchors, andre@0: &numAnchors, andre@0: plContext), andre@0: PKIX_EXTRACTPARAMETERSFAILED); andre@0: andre@0: /* andre@0: * Create a List of the OIDs that will be processed by the user andre@0: * checkers. User checkers are not responsible for removing OIDs from andre@0: * the List of unresolved critical extensions, as libpkix checkers are. andre@0: * So we add those user checkers' OIDs to the removal list to be taken andre@0: * out by CheckChain. andre@0: */ andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers andre@0: (procParams, &userCheckers, plContext), andre@0: PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); andre@0: andre@0: PKIX_CHECK(pkix_Validate_BuildUserOIDs andre@0: (userCheckers, &validateCheckedCritExtOIDsList, plContext), andre@0: PKIX_VALIDATEBUILDUSEROIDSFAILED); andre@0: andre@0: PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker andre@0: (procParams, &revChecker, plContext), andre@0: PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); andre@0: andre@0: /* Are we resuming after a WOULDBLOCK return, or starting anew ? */ andre@0: if (nbioContext != NULL) { andre@0: /* Resuming */ andre@0: certIndex = *pCertIndex; andre@0: anchorIndex = *pAnchorIndex; andre@0: checkerIndex = *pCheckerIndex; andre@0: revChecking = *pRevChecking; andre@0: checkers = *pCheckers; andre@0: *pCheckers = NULL; andre@0: } andre@0: andre@0: /* try to validate the chain with each anchor */ andre@0: for (i = anchorIndex; i < numAnchors; i++) { andre@0: andre@0: /* get trust anchor */ andre@0: PKIX_CHECK(PKIX_List_GetItem andre@0: (anchors, i, (PKIX_PL_Object **)&anchor, plContext), andre@0: PKIX_LISTGETITEMFAILED); andre@0: andre@0: /* initialize checkers using information from trust anchor */ andre@0: if (nbioContext == NULL) { andre@0: PKIX_CHECK(pkix_InitializeCheckers andre@0: (anchor, andre@0: procParams, andre@0: numCerts, andre@0: &checkers, andre@0: plContext), andre@0: PKIX_INITIALIZECHECKERSFAILED); andre@0: } andre@0: andre@0: /* andre@0: * Validate the chain using this trust anchor and these andre@0: * checkers. andre@0: */ andre@0: chainFailed = pkix_CheckChain andre@0: (certs, andre@0: numCerts, andre@0: anchor, andre@0: checkers, andre@0: revChecker, andre@0: validateCheckedCritExtOIDsList, andre@0: procParams, andre@0: &certIndex, andre@0: &checkerIndex, andre@0: &revChecking, andre@0: &reasonCode, andre@0: &nbioContext, andre@0: &finalPubKey, andre@0: &validPolicyTree, andre@0: pVerifyTree, andre@0: plContext); andre@0: andre@0: if (nbioContext != NULL) { andre@0: *pCertIndex = certIndex; andre@0: *pAnchorIndex = anchorIndex; andre@0: *pCheckerIndex = checkerIndex; andre@0: *pRevChecking = revChecking; andre@0: PKIX_INCREF(checkers); andre@0: *pCheckers = checkers; andre@0: *pNBIOContext = nbioContext; andre@0: goto cleanup; andre@0: } andre@0: andre@0: if (chainFailed) { andre@0: andre@0: /* cert chain failed to validate */ andre@0: andre@0: PKIX_DECREF(chainFailed); andre@0: PKIX_DECREF(anchor); andre@0: PKIX_DECREF(checkers); andre@0: PKIX_DECREF(validPolicyTree); andre@0: andre@0: /* if last anchor, we fail; else, we try next anchor */ andre@0: if (i == (numAnchors - 1)) { /* last anchor */ andre@0: PKIX_ERROR(PKIX_VALIDATECHAINFAILED); andre@0: } andre@0: andre@0: } else { andre@0: andre@0: /* XXX Remove this assertion after 2014-12-31. andre@0: * See bug 946984. */ andre@0: PORT_Assert(reasonCode == 0); andre@0: andre@0: /* cert chain successfully validated! */ andre@0: PKIX_CHECK(pkix_ValidateResult_Create andre@0: (finalPubKey, andre@0: anchor, andre@0: validPolicyTree, andre@0: &valResult, andre@0: plContext), andre@0: PKIX_VALIDATERESULTCREATEFAILED); andre@0: andre@0: *pResult = valResult; andre@0: andre@0: /* no need to try any more anchors in the loop */ andre@0: goto cleanup; andre@0: } andre@0: } andre@0: andre@0: cleanup: andre@0: andre@0: PKIX_DECREF(finalPubKey); andre@0: PKIX_DECREF(certs); andre@0: PKIX_DECREF(anchors); andre@0: PKIX_DECREF(anchor); andre@0: PKIX_DECREF(checkers); andre@0: PKIX_DECREF(revChecker); andre@0: PKIX_DECREF(validPolicyTree); andre@0: PKIX_DECREF(chainFailed); andre@0: PKIX_DECREF(procParams); andre@0: PKIX_DECREF(userCheckers); andre@0: PKIX_DECREF(validateCheckedCritExtOIDsList); andre@0: andre@0: PKIX_RETURN(VALIDATE); andre@0: }