/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_build.c
*
* Top level buildChain function
*
*/
/* #define PKIX_BUILDDEBUG 1 */
/* #define PKIX_FORWARDBUILDERSTATEDEBUG 1 */
#include "pkix_build.h"
extern PRLogModuleInfo *pkixLog;
/*
* List of critical extension OIDs associate with what build chain has
* checked. Those OIDs need to be removed from the unresolved critical
* extension OIDs list manually (instead of by checker automatically).
*/
static SECOidTag buildCheckedCritExtOIDs[] = {
PKIX_CERTKEYUSAGE_OID,
PKIX_CERTSUBJALTNAME_OID,
PKIX_BASICCONSTRAINTS_OID,
PKIX_NAMECONSTRAINTS_OID,
PKIX_EXTENDEDKEYUSAGE_OID,
PKIX_NSCERTTYPE_OID,
PKIX_UNKNOWN_OID
};
/* --Private-ForwardBuilderState-Functions---------------------------------- */
/*
* FUNCTION: pkix_ForwardBuilderState_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ForwardBuilderState_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_ForwardBuilderState *state = NULL;
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType
(object, PKIX_FORWARDBUILDERSTATE_TYPE, plContext),
PKIX_OBJECTNOTFORWARDBUILDERSTATE);
state = (PKIX_ForwardBuilderState *)object;
state->status = BUILD_INITIAL;
state->traversedCACerts = 0;
state->certStoreIndex = 0;
state->numCerts = 0;
state->numAias = 0;
state->certIndex = 0;
state->aiaIndex = 0;
state->certCheckedIndex = 0;
state->checkerIndex = 0;
state->hintCertIndex = 0;
state->numFanout = 0;
state->numDepth = 0;
state->reasonCode = 0;
state->canBeCached = PKIX_FALSE;
state->useOnlyLocal = PKIX_FALSE;
state->revChecking = PKIX_FALSE;
state->usingHintCerts = PKIX_FALSE;
state->certLoopingDetected = PKIX_FALSE;
PKIX_DECREF(state->validityDate);
PKIX_DECREF(state->prevCert);
PKIX_DECREF(state->candidateCert);
PKIX_DECREF(state->traversedSubjNames);
PKIX_DECREF(state->trustChain);
PKIX_DECREF(state->aia);
PKIX_DECREF(state->candidateCerts);
PKIX_DECREF(state->reversedCertChain);
PKIX_DECREF(state->checkedCritExtOIDs);
PKIX_DECREF(state->checkerChain);
PKIX_DECREF(state->certSel);
PKIX_DECREF(state->verifyNode);
PKIX_DECREF(state->client);
/*
* If we ever add a child link we have to be careful not to have loops
* in the Destroy process. But with one-way links we should be okay.
*/
if (state->parentState == NULL) {
state->buildConstants.numAnchors = 0;
state->buildConstants.numCertStores = 0;
state->buildConstants.numHintCerts = 0;
state->buildConstants.procParams = 0;
PKIX_DECREF(state->buildConstants.testDate);
PKIX_DECREF(state->buildConstants.timeLimit);
PKIX_DECREF(state->buildConstants.targetCert);
PKIX_DECREF(state->buildConstants.targetPubKey);
PKIX_DECREF(state->buildConstants.certStores);
PKIX_DECREF(state->buildConstants.anchors);
PKIX_DECREF(state->buildConstants.userCheckers);
PKIX_DECREF(state->buildConstants.hintCerts);
PKIX_DECREF(state->buildConstants.revChecker);
PKIX_DECREF(state->buildConstants.aiaMgr);
}
else {
PKIX_DECREF(state->parentState);
}
cleanup:
PKIX_RETURN(FORWARDBUILDERSTATE);
}
/*
* FUNCTION: pkix_ForwardBuilderState_Create
*
* DESCRIPTION:
* Allocate and initialize a ForwardBuilderState.
*
* PARAMETERS
* "traversedCACerts"
* Number of CA certificates traversed.
* "numFanout"
* Number of Certs that can be considered at this level (0 = no limit)
* "numDepth"
* Number of additional levels that can be searched (0 = no limit)
* "canBeCached"
* Boolean value indicating whether all certs on the chain can be cached.
* "validityDate"
* Address of Date at which build chain Certs' most restricted validity
* time is kept. May be NULL.
* "prevCert"
* Address of Cert just traversed. Must be non-NULL.
* "traversedSubjNames"
* Address of List of GeneralNames that have been traversed.
* Must be non-NULL.
* "trustChain"
* Address of List of certificates traversed. Must be non-NULL.
* "parentState"
* Address of previous ForwardBuilderState
* "pState"
* Address where ForwardBuilderState will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_ForwardBuilderState_Create(
PKIX_Int32 traversedCACerts,
PKIX_UInt32 numFanout,
PKIX_UInt32 numDepth,
PKIX_Boolean canBeCached,
PKIX_PL_Date *validityDate,
PKIX_PL_Cert *prevCert,
PKIX_List *traversedSubjNames,
PKIX_List *trustChain,
PKIX_ForwardBuilderState *parentState,
PKIX_ForwardBuilderState **pState,
void *plContext)
{
PKIX_ForwardBuilderState *state = NULL;
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_Create");
PKIX_NULLCHECK_FOUR(prevCert, traversedSubjNames, pState, trustChain);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_FORWARDBUILDERSTATE_TYPE,
sizeof (PKIX_ForwardBuilderState),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATEFORWARDBUILDERSTATEOBJECT);
state->status = BUILD_INITIAL;
state->traversedCACerts = traversedCACerts;
state->certStoreIndex = 0;
state->numCerts = 0;
state->numAias = 0;
state->certIndex = 0;
state->aiaIndex = 0;
state->certCheckedIndex = 0;
state->checkerIndex = 0;
state->hintCertIndex = 0;
state->numFanout = numFanout;
state->numDepth = numDepth;
state->reasonCode = 0;
state->revChecking = numDepth;
state->canBeCached = canBeCached;
state->useOnlyLocal = PKIX_TRUE;
state->revChecking = PKIX_FALSE;
state->usingHintCerts = PKIX_FALSE;
state->certLoopingDetected = PKIX_FALSE;
PKIX_INCREF(validityDate);
state->validityDate = validityDate;
PKIX_INCREF(prevCert);
state->prevCert = prevCert;
state->candidateCert = NULL;
PKIX_INCREF(traversedSubjNames);
state->traversedSubjNames = traversedSubjNames;
PKIX_INCREF(trustChain);
state->trustChain = trustChain;
state->aia = NULL;
state->candidateCerts = NULL;
state->reversedCertChain = NULL;
state->checkedCritExtOIDs = NULL;
state->checkerChain = NULL;
state->certSel = NULL;
state->verifyNode = NULL;
state->client = NULL;
PKIX_INCREF(parentState);
state->parentState = parentState;
if (parentState != NULL) {
state->buildConstants.numAnchors =
parentState->buildConstants.numAnchors;
state->buildConstants.numCertStores =
parentState->buildConstants.numCertStores;
state->buildConstants.numHintCerts =
parentState->buildConstants.numHintCerts;
state->buildConstants.maxFanout =
parentState->buildConstants.maxFanout;
state->buildConstants.maxDepth =
parentState->buildConstants.maxDepth;
state->buildConstants.maxTime =
parentState->buildConstants.maxTime;
state->buildConstants.procParams =
parentState->buildConstants.procParams;
state->buildConstants.testDate =
parentState->buildConstants.testDate;
state->buildConstants.timeLimit =
parentState->buildConstants.timeLimit;
state->buildConstants.targetCert =
parentState->buildConstants.targetCert;
state->buildConstants.targetPubKey =
parentState->buildConstants.targetPubKey;
state->buildConstants.certStores =
parentState->buildConstants.certStores;
state->buildConstants.anchors =
parentState->buildConstants.anchors;
state->buildConstants.userCheckers =
parentState->buildConstants.userCheckers;
state->buildConstants.hintCerts =
parentState->buildConstants.hintCerts;
state->buildConstants.revChecker =
parentState->buildConstants.revChecker;
state->buildConstants.aiaMgr =
parentState->buildConstants.aiaMgr;
state->buildConstants.trustOnlyUserAnchors =
parentState->buildConstants.trustOnlyUserAnchors;
}
*pState = state;
state = NULL;
cleanup:
PKIX_DECREF(state);
PKIX_RETURN(FORWARDBUILDERSTATE);
}
/*
* FUNCTION: pkix_Build_GetResourceLimits
*
* DESCRIPTION:
* Retrieve Resource Limits from ProcessingParams and initialize them in
* BuildConstants.
*
* PARAMETERS
* "buildConstants"
* Address of a BuildConstants structure containing objects and values
* that remain constant throughout the building of a chain. Must be
* non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_GetResourceLimits(
BuildConstants *buildConstants,
void *plContext)
{
PKIX_ResourceLimits *resourceLimits = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_GetResourceLimits");
PKIX_NULLCHECK_ONE(buildConstants);
PKIX_CHECK(PKIX_ProcessingParams_GetResourceLimits
(buildConstants->procParams, &resourceLimits, plContext),
PKIX_PROCESSINGPARAMSGETRESOURCELIMITSFAILED);
buildConstants->maxFanout = 0;
buildConstants->maxDepth = 0;
buildConstants->maxTime = 0;
if (resourceLimits) {
PKIX_CHECK(PKIX_ResourceLimits_GetMaxFanout
(resourceLimits, &buildConstants->maxFanout, plContext),
PKIX_RESOURCELIMITSGETMAXFANOUTFAILED);
PKIX_CHECK(PKIX_ResourceLimits_GetMaxDepth
(resourceLimits, &buildConstants->maxDepth, plContext),
PKIX_RESOURCELIMITSGETMAXDEPTHFAILED);
PKIX_CHECK(PKIX_ResourceLimits_GetMaxTime
(resourceLimits, &buildConstants->maxTime, plContext),
PKIX_RESOURCELIMITSGETMAXTIMEFAILED);
}
cleanup:
PKIX_DECREF(resourceLimits);
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_ForwardBuilderState_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ForwardBuilderState_ToString
(PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_ForwardBuilderState *state = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *resultString = NULL;
PKIX_PL_String *buildStatusString = NULL;
PKIX_PL_String *validityDateString = NULL;
PKIX_PL_String *prevCertString = NULL;
PKIX_PL_String *candidateCertString = NULL;
PKIX_PL_String *traversedSubjNamesString = NULL;
PKIX_PL_String *trustChainString = NULL;
PKIX_PL_String *candidateCertsString = NULL;
PKIX_PL_String *certSelString = NULL;
PKIX_PL_String *verifyNodeString = NULL;
PKIX_PL_String *parentStateString = NULL;
char *asciiFormat =
"\n"
"\t{buildStatus: \t%s\n"
"\ttraversedCACerts: \t%d\n"
"\tcertStoreIndex: \t%d\n"
"\tnumCerts: \t%d\n"
"\tnumAias: \t%d\n"
"\tcertIndex: \t%d\n"
"\taiaIndex: \t%d\n"
"\tnumFanout: \t%d\n"
"\tnumDepth: \t%d\n"
"\treasonCode: \t%d\n"
"\tcanBeCached: \t%d\n"
"\tuseOnlyLocal: \t%d\n"
"\trevChecking: \t%d\n"
"\tvalidityDate: \t%s\n"
"\tprevCert: \t%s\n"
"\tcandidateCert: \t%s\n"
"\ttraversedSubjNames: \t%s\n"
"\ttrustChain: \t%s\n"
"\tcandidateCerts: \t%s\n"
"\tcertSel: \t%s\n"
"\tverifyNode: \t%s\n"
"\tparentState: \t%s}\n";
char *asciiStatus = NULL;
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType
(object, PKIX_FORWARDBUILDERSTATE_TYPE, plContext),
PKIX_OBJECTNOTFORWARDBUILDERSTATE);
state = (PKIX_ForwardBuilderState *)object;
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
PKIX_STRINGCREATEFAILED);
switch (state->status) {
case BUILD_SHORTCUTPENDING: asciiStatus =
"BUILD_SHORTCUTPENDING";
break;
case BUILD_INITIAL: asciiStatus =
"BUILD_INITIAL";
break;
case BUILD_TRYAIA: asciiStatus =
"BUILD_TRYAIA";
break;
case BUILD_AIAPENDING: asciiStatus =
"BUILD_AIAPENDING";
break;
case BUILD_COLLECTINGCERTS: asciiStatus =
"BUILD_COLLECTINGCERTS";
break;
case BUILD_GATHERPENDING: asciiStatus =
"BUILD_GATHERPENDING";
break;
case BUILD_CERTVALIDATING: asciiStatus =
"BUILD_CERTVALIDATING";
break;
case BUILD_ABANDONNODE: asciiStatus =
"BUILD_ABANDONNODE";
break;
case BUILD_DATEPREP: asciiStatus =
"BUILD_DATEPREP";
break;
case BUILD_CHECKTRUSTED: asciiStatus =
"BUILD_CHECKTRUSTED";
break;
case BUILD_CHECKTRUSTED2: asciiStatus =
"BUILD_CHECKTRUSTED2";
break;
case BUILD_ADDTOCHAIN: asciiStatus =
"BUILD_ADDTOCHAIN";
break;
case BUILD_VALCHAIN: asciiStatus =
"BUILD_VALCHAIN";
break;
case BUILD_VALCHAIN2: asciiStatus =
"BUILD_VALCHAIN2";
break;
case BUILD_EXTENDCHAIN: asciiStatus =
"BUILD_EXTENDCHAIN";
break;
case BUILD_GETNEXTCERT: asciiStatus =
"BUILD_GETNEXTCERT";
break;
default: asciiStatus =
"INVALID STATUS";
break;
}
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiStatus, 0, &buildStatusString, plContext),
PKIX_STRINGCREATEFAILED);
PKIX_TOSTRING
(state->validityDate, &validityDateString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->prevCert, &prevCertString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->candidateCert, &candidateCertString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->traversedSubjNames,
&traversedSubjNamesString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->trustChain, &trustChainString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->candidateCerts, &candidateCertsString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->certSel, &certSelString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->verifyNode, &verifyNodeString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->parentState, &parentStateString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&resultString,
plContext,
formatString,
buildStatusString,
(PKIX_Int32)state->traversedCACerts,
(PKIX_UInt32)state->certStoreIndex,
(PKIX_UInt32)state->numCerts,
(PKIX_UInt32)state->numAias,
(PKIX_UInt32)state->certIndex,
(PKIX_UInt32)state->aiaIndex,
(PKIX_UInt32)state->numFanout,
(PKIX_UInt32)state->numDepth,
(PKIX_UInt32)state->reasonCode,
state->canBeCached,
state->useOnlyLocal,
state->revChecking,
validityDateString,
prevCertString,
candidateCertString,
traversedSubjNamesString,
trustChainString,
candidateCertsString,
certSelString,
verifyNodeString,
parentStateString),
PKIX_SPRINTFFAILED);
*pString = resultString;
cleanup:
PKIX_DECREF(formatString);
PKIX_DECREF(buildStatusString);
PKIX_DECREF(validityDateString);
PKIX_DECREF(prevCertString);
PKIX_DECREF(candidateCertString);
PKIX_DECREF(traversedSubjNamesString);
PKIX_DECREF(trustChainString);
PKIX_DECREF(candidateCertsString);
PKIX_DECREF(certSelString);
PKIX_DECREF(verifyNodeString);
PKIX_DECREF(parentStateString);
PKIX_RETURN(FORWARDBUILDERSTATE);
}
/*
* FUNCTION: pkix_ForwardBuilderState_RegisterSelf
*
* DESCRIPTION:
* Registers PKIX_FORWARDBUILDERSTATE_TYPE and its related functions
* with systemClasses[]
*
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
*
* Since this function is only called by PKIX_PL_Initialize, which should
* only be called once, it is acceptable that this function is not
* thread-safe.
*/
PKIX_Error *
pkix_ForwardBuilderState_RegisterSelf(
void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_RegisterSelf");
entry.description =
"ForwardBuilderState";
entry.objCounter = 0;
entry.typeObjectSize =
sizeof(PKIX_ForwardBuilderState);
entry.destructor = pkix_ForwardBuilderState_Destroy;
entry.equalsFunction = NULL;
entry.hashcodeFunction = NULL;
entry.toStringFunction = pkix_ForwardBuilderState_ToString;
entry.comparator = NULL;
entry.duplicateFunction = NULL;
systemClasses[PKIX_FORWARDBUILDERSTATE_TYPE] = entry;
PKIX_RETURN(FORWARDBUILDERSTATE);
}
#if PKIX_FORWARDBUILDERSTATEDEBUG
/*
* FUNCTION: pkix_ForwardBuilderState_DumpState
*
* DESCRIPTION:
* This function invokes the ToString function on the argument pointed to
* by "state".
* PARAMETERS:
* "state"
* The address of the ForwardBuilderState object. Must be non-NULL.
*
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
*/
PKIX_Error *
pkix_ForwardBuilderState_DumpState(
PKIX_ForwardBuilderState *state,
void *plContext)
{
PKIX_PL_String *stateString = NULL;
char *stateAscii = NULL;
PKIX_UInt32 length;
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_DumpState");
PKIX_NULLCHECK_ONE(state);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(
void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG(
"In Phase 1: state = %s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
cleanup:
PKIX_RETURN(FORWARDBUILDERSTATE);
}
#endif
/*
* FUNCTION: pkix_ForwardBuilderState_IsIOPending
* DESCRIPTION:
*
* This function determines whether the state of the ForwardBuilderState
* pointed to by "state" indicates I/O is in progress, and stores the Boolean
* result at "pPending".
*
* PARAMETERS:
* "state"
* The address of the ForwardBuilderState object. Must be non-NULL.
* "pPending"
* The address at which the result is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a ForwardBuilderState Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error*
pkix_ForwardBuilderState_IsIOPending(
PKIX_ForwardBuilderState *state,
PKIX_Boolean *pPending,
void *plContext)
{
PKIX_ENTER(FORWARDBUILDERSTATE,
"pkix_ForwardBuilderState_IsIOPending");
PKIX_NULLCHECK_TWO(state, pPending);
if ((state->status == BUILD_GATHERPENDING) ||
(state->status == BUILD_CHECKTRUSTED2) ||
(state->status == BUILD_VALCHAIN2) ||
(state->status == BUILD_AIAPENDING)) {
*pPending = PKIX_TRUE;
}
else {
*pPending = PKIX_FALSE;
}
PKIX_RETURN(FORWARDBUILDERSTATE);
}
/* --Private-BuildChain-Functions------------------------------------------- */
/*
* FUNCTION: pkix_Build_SortCertComparator
* DESCRIPTION:
*
* This Function takes two Certificates cast in "obj1" and "obj2",
* compares them to determine which is a more preferable certificate
* for chain building. This Function is suitable for use as a
* comparator callback for pkix_List_BubbleSort, setting "*pResult" to
* > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
* is more desirable than "obj2".
*
* PARAMETERS:
* "obj1"
* Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
* Must be non-NULL.
* "obj2"
* Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
* Must be non-NULL.
* "pResult"
* Address where the comparison result is returned. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_SortCertComparator(
PKIX_PL_Object *obj1,
PKIX_PL_Object *obj2,
PKIX_Int32 *pResult,
void *plContext)
{
PKIX_PL_Date *date1 = NULL;
PKIX_PL_Date *date2 = NULL;
PKIX_Int32 result = 0;
PKIX_ENTER(BUILD,
"pkix_Build_SortCertComparator");
PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
/*
* For sorting candidate certificates, we use NotAfter date as the
* comparison key for now (can be expanded if desired in the future).
*
* In PKIX_BuildChain, the List of CertStores was reordered so that
* trusted CertStores are ahead of untrusted CertStores. That sort, or
* this one, could be taken out if it is determined that it doesn't help
* performance, or in some way hinders the solution of choosing desired
* candidates.
*/
PKIX_CHECK(pkix_CheckType(obj1, PKIX_CERT_TYPE, plContext),
PKIX_OBJECTNOTCERT);
PKIX_CHECK(pkix_CheckType(obj2, PKIX_CERT_TYPE, plContext),
PKIX_OBJECTNOTCERT);
PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
((PKIX_PL_Cert *)obj1, &date1, plContext),
PKIX_CERTGETVALIDITYNOTAFTERFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
((PKIX_PL_Cert *)obj2, &date2, plContext),
PKIX_CERTGETVALIDITYNOTAFTERFAILED);
PKIX_CHECK(PKIX_PL_Object_Compare
((PKIX_PL_Object *)date1,
(PKIX_PL_Object *)date2,
&result,
plContext),
PKIX_OBJECTCOMPARATORFAILED);
/*
* Invert the result, so that if date1 is greater than date2,
* obj1 is sorted before obj2. This is because pkix_List_BubbleSort
* sorts in ascending order.
*/
*pResult = -result;
cleanup:
PKIX_DECREF(date1);
PKIX_DECREF(date2);
PKIX_RETURN(BUILD);
}
/* This local error check macro */
#define ERROR_CHECK(errCode) \
if (pkixErrorResult) { \
if (pkixLog) { \
PR_LOG(pkixLog, PR_LOG_DEBUG, (
"====> ERROR_CHECK code %s\n",
#errCode)); \
} \
pkixTempErrorReceived = PKIX_TRUE; \
pkixErrorClass = pkixErrorResult->errClass; \
if (pkixErrorClass == PKIX_FATAL_ERROR) { \
goto cleanup; \
} \
if (verifyNode) { \
PKIX_DECREF(verifyNode->error); \
PKIX_INCREF(pkixErrorResult); \
verifyNode->error = pkixErrorResult; \
} \
pkixErrorCode = errCode; \
goto cleanup; \
}
/*
* FUNCTION: pkix_Build_VerifyCertificate
* DESCRIPTION:
*
* Checks whether the previous Cert stored in the ForwardBuilderState pointed
* to by "state" successfully chains, including signature verification, to the
* candidate Cert also stored in "state", using the Boolean value in "trusted"
* to determine whether "candidateCert" is trusted.
*
* First it checks whether "candidateCert" has already been traversed by
* determining whether it is contained in the List of traversed Certs. It then
* checks the candidate Cert with user checkers, if any, in the List pointed to
* by "userCheckers". Finally, it runs the signature validation.
*
* If this Certificate fails verification, and state->verifyNode is non-NULL,
* this function sets the Error code into the verifyNode.
*
* PARAMETERS:
* "state"
* Address of ForwardBuilderState to be used. Must be non-NULL.
* "userCheckers"
* Address of a List of CertChainCheckers to be used, if present, to
* validate the candidateCert.
* "trusted"
* Boolean value of trust for the candidate Cert
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_VerifyCertificate(
PKIX_ForwardBuilderState *state,
PKIX_List *userCheckers,
PKIX_Boolean *pTrusted,
PKIX_VerifyNode *verifyNode,
void *plContext)
{
PKIX_UInt32 numUserCheckers = 0;
PKIX_UInt32 i = 0;
PKIX_Boolean loopFound = PKIX_FALSE;
PKIX_Boolean supportForwardChecking = PKIX_FALSE;
PKIX_Boolean trusted = PKIX_FALSE;
PKIX_PL_Cert *candidateCert = NULL;
PKIX_PL_PublicKey *candidatePubKey = NULL;
PKIX_CertChainChecker *userChecker = NULL;
PKIX_CertChainChecker_CheckCallback checkerCheck = NULL;
PKIX_PL_TrustAnchorMode trustAnchorMode =
PKIX_PL_TrustAnchorMode_Ignore;
void *nbioContext = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_VerifyCertificate");
PKIX_NULLCHECK_TWO(state, pTrusted);
PKIX_NULLCHECK_THREE
(state->candidateCerts, state->prevCert, state->trustChain);
PKIX_INCREF(state->candidateCert);
candidateCert = state->candidateCert;
if (state->buildConstants.numAnchors) {
if (state->buildConstants.trustOnlyUserAnchors) {
trustAnchorMode = PKIX_PL_TrustAnchorMode_Exclusive;
}
else {
trustAnchorMode = PKIX_PL_TrustAnchorMode_Additive;
}
}
else {
trustAnchorMode = PKIX_PL_TrustAnchorMode_Ignore;
}
PKIX_CHECK(
PKIX_PL_Cert_IsCertTrusted(candidateCert, trustAnchorMode,
&trusted, plContext),
PKIX_CERTISCERTTRUSTEDFAILED);
*pTrusted = trusted;
/* check for loops */
PKIX_CHECK(pkix_List_Contains
(state->trustChain,
(PKIX_PL_Object *)candidateCert,
&loopFound,
plContext),
PKIX_LISTCONTAINSFAILED);
if (loopFound) {
if (verifyNode != NULL) {
PKIX_Error *verifyError = NULL;
PKIX_ERROR_CREATE
(BUILD,
PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED,
verifyError);
PKIX_DECREF(verifyNode->error);
verifyNode->error = verifyError;
}
/* Even if error logged, still need to abort
* if cert is not trusted. */
if (!trusted) {
PKIX_ERROR(PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
}
state->certLoopingDetected = PKIX_TRUE;
}
if (userCheckers != NULL) {
PKIX_CHECK(PKIX_List_GetLength
(userCheckers, &numUserCheckers, plContext),
PKIX_LISTGETLENGTHFAILED);
for (i = 0; i < numUserCheckers; i++) {
PKIX_CHECK(PKIX_List_GetItem
(userCheckers,
i,
(PKIX_PL_Object **) &userChecker,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK
(PKIX_CertChainChecker_IsForwardCheckingSupported
(userChecker, &supportForwardChecking, plContext),
PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED);
if (supportForwardChecking == PKIX_TRUE) {
PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback
(userChecker, &checkerCheck, plContext),
PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED);
pkixErrorResult =
checkerCheck(userChecker, candidateCert, NULL,
&nbioContext, plContext);
ERROR_CHECK(PKIX_USERCHECKERCHECKFAILED);
}
PKIX_DECREF(userChecker);
}
}
/* Check that public key of the trusted dsa cert has
* dsa parameters */
if (trusted) {
PKIX_Boolean paramsNeeded = PKIX_FALSE;
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
(candidateCert, &candidatePubKey, plContext),
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
(candidatePubKey, ¶msNeeded, plContext),
PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
if (paramsNeeded) {
PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
}
}
cleanup:
PKIX_DECREF(candidateCert);
PKIX_DECREF(candidatePubKey);
PKIX_DECREF(userChecker);
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_Build_ValidationCheckers
* DESCRIPTION:
*
* Creates a List of Objects to be used in determining whether the List of
* Certs pointed to by "certChain" successfully validates using the
* ForwardBuilderState pointed to by "state", and the TrustAnchor pointed to by
* "anchor". These objects are a reversed Cert Chain, consisting of the certs
* in "certChain" in reversed order, suitable for presenting to the
* CertChainCheckers; a List of critical extension OIDS that have already been
* processed in forward building; a List of CertChainCheckers to be called, and
* a List of RevocationCheckers to be called. These results are stored in
* fields of "state".
*
* PARAMETERS:
* "state"
* Address of ForwardBuilderState to be used. Must be non-NULL.
* "certChain"
* Address of List of Certs to be validated. Must be non-NULL.
* "anchor"
* Address of TrustAnchor to be used. Must be non-NULL.
* "addEkuChecker"
* Boolean flags that tells to add eku checker to the list
* of checkers. Only needs to be done for existing chain revalidation.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_ValidationCheckers(
PKIX_ForwardBuilderState *state,
PKIX_List *certChain,
PKIX_TrustAnchor *anchor,
PKIX_Boolean chainRevalidationStage,
void *plContext)
{
PKIX_List *checkers = NULL;
PKIX_List *initialPolicies = NULL;
PKIX_List *reversedCertChain = NULL;
PKIX_List *buildCheckedCritExtOIDsList = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
PKIX_PL_CertNameConstraints *trustedNC = NULL;
PKIX_CertChainChecker *sigChecker = NULL;
PKIX_CertChainChecker *policyChecker = NULL;
PKIX_CertChainChecker *userChecker = NULL;
PKIX_CertChainChecker *nameConstraintsChecker = NULL;
PKIX_CertChainChecker *checker = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_List *userCheckerExtOIDs = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_Boolean supportForwardChecking = PKIX_FALSE;
PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
PKIX_UInt32 numChainCerts;
PKIX_UInt32 numCertCheckers;
PKIX_UInt32 i;
PKIX_ENTER(BUILD,
"pkix_Build_ValidationCheckers");
PKIX_NULLCHECK_THREE(state, certChain, anchor);
PKIX_CHECK(PKIX_List_Create(&checkers, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_ReverseList
(certChain, &reversedCertChain, plContext),
PKIX_LISTREVERSELISTFAILED);
PKIX_CHECK(PKIX_List_GetLength
(reversedCertChain, &numChainCerts, plContext),
PKIX_LISTGETLENGTHFAILED);
procParams = state->buildConstants.procParams;
/* Do need to add a number of checker to revalidate
* a built chain. KU, EKU, CertType and Validity Date
* get checked by certificate selector during chain
* construction, but needed to be checked for chain from
* the cache.*/
if (chainRevalidationStage) {
PKIX_CHECK(pkix_ExpirationChecker_Initialize
(state->buildConstants.testDate, &checker, plContext),
PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(checkers, (PKIX_PL_Object *)checker, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(checker);
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
(procParams, &certSelector, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
PKIX_CHECK(pkix_TargetCertChecker_Initialize
(certSelector, numChainCerts, &checker, plContext),
PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(checkers, (PKIX_PL_Object *)checker, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(checker);
}
PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies
(procParams, &initialPolicies, plContext),
PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED);
PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected
(procParams, &policyQualifiersRejected, plContext),
PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED);
PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited
(procParams, &initialPolicyMappingInhibit, plContext),
PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED);
PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited
(procParams, &initialAnyPolicyInhibit, plContext),
PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED);
PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired
(procParams, &initialExplicitPolicy, plContext),
PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED);
PKIX_CHECK(pkix_PolicyChecker_Initialize
(initialPolicies,
policyQualifiersRejected,
initialPolicyMappingInhibit,
initialExplicitPolicy,
initialAnyPolicyInhibit,
numChainCerts,
&policyChecker,
plContext),
PKIX_POLICYCHECKERINITIALIZEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(checkers, (PKIX_PL_Object *)policyChecker, plContext),
PKIX_LISTAPPENDITEMFAILED);
/*
* Create an OID list that contains critical extensions processed
* by BuildChain. These are specified in a static const array.
*/
PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
PKIX_LISTCREATEFAILED);
for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
PKIX_CHECK(PKIX_PL_OID_Create
(buildCheckedCritExtOIDs[i], &oid, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(buildCheckedCritExtOIDsList,
(PKIX_PL_Object *) oid,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(oid);
}
if (state->buildConstants.userCheckers != NULL) {
PKIX_CHECK(PKIX_List_GetLength
(state->buildConstants.userCheckers,
&numCertCheckers,
plContext),
PKIX_LISTGETLENGTHFAILED);
for (i = 0; i < numCertCheckers; i++) {
PKIX_CHECK(PKIX_List_GetItem
(state->buildConstants.userCheckers,
i,
(PKIX_PL_Object **) &userChecker,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK
(PKIX_CertChainChecker_IsForwardCheckingSupported
(userChecker, &supportForwardChecking, plContext),
PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
/*
* If this userChecker supports forwardChecking then it
* should have been checked during build chain. Skip
* checking but need to add checker's extension OIDs
* to buildCheckedCritExtOIDsList.
*/
if (supportForwardChecking == PKIX_TRUE) {
PKIX_CHECK
(PKIX_CertChainChecker_GetSupportedExtensions
(userChecker, &userCheckerExtOIDs, plContext),
PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
if (userCheckerExtOIDs != NULL) {
PKIX_CHECK(pkix_List_AppendList
(buildCheckedCritExtOIDsList,
userCheckerExtOIDs,
plContext),
PKIX_LISTAPPENDLISTFAILED);
}
}
else {
PKIX_CHECK(PKIX_List_AppendItem
(checkers,
(PKIX_PL_Object *)userChecker,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(userCheckerExtOIDs);
PKIX_DECREF(userChecker);
}
}
/* Enabling post chain building signature check on the certs. */
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
(anchor, &trustedCert, plContext),
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
(trustedCert, &trustedPubKey, plContext),
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
PKIX_CHECK(pkix_SignatureChecker_Initialize
(trustedPubKey,
numChainCerts,
&sigChecker,
plContext),
PKIX_SIGNATURECHECKERINITIALIZEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(checkers,
(PKIX_PL_Object *)sigChecker,
plContext),
PKIX_LISTAPPENDITEMFAILED);
/* Enabling post chain building name constraints check on the certs. */
PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
(anchor, &trustedNC, plContext),
PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
PKIX_CHECK(pkix_NameConstraintsChecker_Initialize
(trustedNC, numChainCerts, &nameConstraintsChecker,
plContext),
PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(checkers,
(PKIX_PL_Object *)nameConstraintsChecker,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(state->reversedCertChain);
PKIX_INCREF(reversedCertChain);
state->reversedCertChain = reversedCertChain;
PKIX_DECREF(state->checkedCritExtOIDs);
PKIX_INCREF(buildCheckedCritExtOIDsList);
state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
PKIX_DECREF(state->checkerChain);
state->checkerChain = checkers;
checkers = NULL;
state->certCheckedIndex = 0;
state->checkerIndex = 0;
state->revChecking = PKIX_FALSE;
cleanup:
PKIX_DECREF(oid);
PKIX_DECREF(reversedCertChain);
PKIX_DECREF(buildCheckedCritExtOIDsList);
PKIX_DECREF(checker);
PKIX_DECREF(checkers);
PKIX_DECREF(initialPolicies);
PKIX_DECREF(trustedCert);
PKIX_DECREF(trustedPubKey);
PKIX_DECREF(certSelector);
PKIX_DECREF(sigChecker);
PKIX_DECREF(trustedNC);
PKIX_DECREF(nameConstraintsChecker);
PKIX_DECREF(policyChecker);
PKIX_DECREF(userChecker);
PKIX_DECREF(userCheckerExtOIDs);
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_Build_ValidateEntireChain
* DESCRIPTION:
*
* Checks whether the current List of Certs successfully validates using the
* TrustAnchor pointed to by "anchor" and other parameters contained, as was
* the Cert List, in "state".
*
* If a checker using non-blocking I/O returns with a non-NULL non-blocking I/O
* context (NBIOContext), an indication that I/O is in progress and the
* checking has not been completed, this function stores that context at
* "pNBIOContext". Otherwise, it stores NULL at "pNBIOContext".
*
* If not awaiting I/O and if successful, a ValidateResult is created
* containing the Public Key of the target certificate (including DSA parameter
* inheritance, if any) and the PolicyNode representing the policy tree output
* by the validation algorithm. If not successful, an Error pointer is
* returned.
*
* PARAMETERS:
* "state"
* Address of ForwardBuilderState to be used. Must be non-NULL.
* "anchor"
* Address of TrustAnchor to be used. Must be non-NULL.
* "pNBIOContext"
* Address at which the NBIOContext is stored indicating whether the
* validation is complete. Must be non-NULL.
* "pValResult"
* Address at which the ValidateResult is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_ValidateEntireChain(
PKIX_ForwardBuilderState *state,
PKIX_TrustAnchor *anchor,
void **pNBIOContext,
PKIX_ValidateResult **pValResult,
PKIX_VerifyNode *verifyNode,
void *plContext)
{
PKIX_UInt32 numChainCerts = 0;
PKIX_PL_PublicKey *subjPubKey = NULL;
PKIX_PolicyNode *policyTree = NULL;
PKIX_ValidateResult *valResult = NULL;
void *nbioContext = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_ValidateEntireChain");
PKIX_NULLCHECK_FOUR(state, anchor, pNBIOContext, pValResult);
*pNBIOContext = NULL;
/* prepare for case of error exit */
PKIX_CHECK(PKIX_List_GetLength
(state->reversedCertChain, &numChainCerts, plContext),
PKIX_LISTGETLENGTHFAILED);
pkixErrorResult =
pkix_CheckChain(state->reversedCertChain, numChainCerts, anchor,
state->checkerChain,
state->buildConstants.revChecker,
state->checkedCritExtOIDs,
state->buildConstants.procParams,
&state->certCheckedIndex, &state->checkerIndex,
&state->revChecking, &state->reasonCode,
&nbioContext, &subjPubKey, &policyTree, NULL,
plContext);
if (nbioContext != NULL) {
*pNBIOContext = nbioContext;
goto cleanup;
}
ERROR_CHECK(PKIX_CHECKCHAINFAILED);
/* XXX Remove this assertion after 2014-12-31. See bug 946984. */
PORT_Assert(state->reasonCode == 0);
PKIX_CHECK(pkix_ValidateResult_Create
(subjPubKey, anchor, policyTree, &valResult, plContext),
PKIX_VALIDATERESULTCREATEFAILED);
*pValResult = valResult;
valResult = NULL;
cleanup:
PKIX_DECREF(subjPubKey);
PKIX_DECREF(policyTree);
PKIX_DECREF(valResult);
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_Build_SortCandidateCerts
* DESCRIPTION:
*
* This function sorts a List of candidate Certs pointed to by "candidates"
* using an algorithm that places Certs most likely to produce a successful
* chain at the front of the list, storing the resulting sorted List at
* "pSortedCandidates".
*
* At present the only sort criterion is that trusted Certs go ahead of
* untrusted Certs.
*
* PARAMETERS:
* "candidates"
* Address of List of Candidate Certs to be sorted. Must be non-NULL.
* "pSortedCandidates"
* Address at which sorted List is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_SortCandidateCerts(
PKIX_List *candidates,
PKIX_List **pSortedCandidates,
void *plContext)
{
PKIX_List *sortedList = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_SortCandidateCerts");
PKIX_NULLCHECK_TWO(candidates, pSortedCandidates);
/*
* Both bubble and quick sort algorithms are available.
* For a list of fewer than around 100 items, the bubble sort is more
* efficient. (This number was determined by experimenting with both
* algorithms on a Java List.)
* If the candidate list is very small, using the sort can drag down
* the performance a little bit.
*/
PKIX_CHECK(pkix_List_BubbleSort
(candidates,
pkix_Build_SortCertComparator,
&sortedList,
plContext),
PKIX_LISTBUBBLESORTFAILED);
*pSortedCandidates = sortedList;
cleanup:
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_Build_BuildSelectorAndParams
* DESCRIPTION:
*
* This function creates a CertSelector, initialized with an appropriate
* ComCertSelParams, using the variables provided in the ForwardBuilderState
* pointed to by "state". The CertSelector created is stored in the certsel
* element of "state".
*
* PARAMETERS:
* "state"
* Address of ForwardBuilderState to be used. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_Build_BuildSelectorAndParams(
PKIX_ForwardBuilderState *state,
void *plContext)
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSel = NULL;
PKIX_PL_X500Name *currentIssuer = NULL;
PKIX_PL_ByteArray *authKeyId = NULL;
PKIX_PL_Date *testDate = NULL;
PKIX_CertSelector *callerCertSelector = NULL;
PKIX_ComCertSelParams *callerComCertSelParams = NULL;
PKIX_UInt32 reqKu = 0;
PKIX_List *reqEkuOids = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_BuildSelectorAndParams");
PKIX_NULLCHECK_THREE(state, state->prevCert, state->traversedSubjNames);
PKIX_CHECK(PKIX_PL_Cert_GetIssuer
(state->prevCert, ¤tIssuer, plContext),
PKIX_CERTGETISSUERFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
(state->prevCert, &authKeyId, plContext),
PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_Create(&certSelParams, plContext),
PKIX_COMCERTSELPARAMSCREATEFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_SetSubject
(certSelParams, currentIssuer, plContext),
PKIX_COMCERTSELPARAMSSETSUBJECTFAILED);
if (authKeyId != NULL) {
PKIX_CHECK(PKIX_ComCertSelParams_SetSubjKeyIdentifier
(certSelParams, authKeyId, plContext),
PKIX_COMCERTSELPARAMSSETSUBJKEYIDENTIFIERFAILED);
}
PKIX_INCREF(state->buildConstants.testDate);
testDate = state->buildConstants.testDate;
PKIX_CHECK(PKIX_ComCertSelParams_SetCertificateValid
(certSelParams, testDate, plContext),
PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_SetBasicConstraints
(certSelParams, state->traversedCACerts, plContext),
PKIX_COMCERTSELPARAMSSETBASICCONSTRAINTSFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames
(certSelParams, state->traversedSubjNames, plContext),
PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
(state->buildConstants.procParams,
&callerCertSelector, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
if (callerCertSelector != NULL) {
/* Get initial EKU OIDs from ComCertSelParams, if set */
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
(callerCertSelector, &callerComCertSelParams, plContext),
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
if (callerComCertSelParams != NULL) {
PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
(callerComCertSelParams, &reqEkuOids, plContext),
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
(callerComCertSelParams, &reqKu, plContext),
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
}
}
PKIX_CHECK(
PKIX_ComCertSelParams_SetKeyUsage(certSelParams, reqKu,
plContext),
PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
PKIX_CHECK(
PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams,
reqEkuOids,
plContext),
PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);
PKIX_CHECK(PKIX_CertSelector_Create
(NULL, NULL, &state->certSel, plContext),
PKIX_CERTSELECTORCREATEFAILED);
PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
(state->certSel, certSelParams, plContext),
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
PKIX_CHECK(PKIX_List_Create(&state->candidateCerts, plContext),
PKIX_LISTCREATEFAILED);
state->certStoreIndex = 0;
cleanup:
PKIX_DECREF(certSelParams);
PKIX_DECREF(certSel);
PKIX_DECREF(currentIssuer);
PKIX_DECREF(authKeyId);
PKIX_DECREF(testDate);
PKIX_DECREF(reqEkuOids);
PKIX_DECREF(callerComCertSelParams);
PKIX_DECREF(callerCertSelector);
PKIX_RETURN(BUILD);
}
/* Match trust anchor to select params in order to find next cert. */
static PKIX_Error*
pkix_Build_SelectCertsFromTrustAnchors(
PKIX_List *trustAnchorsList,
PKIX_ComCertSelParams *certSelParams,
PKIX_List **pMatchList,
void *plContext)
{
unsigned int anchorIndex = 0;
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_List *matchList = NULL;
PKIX_CertSelector *certSel = NULL;
PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_SelectCertsFromTrustAnchors");
PKIX_CHECK(PKIX_CertSelector_Create
(NULL, NULL, &certSel, plContext),
PKIX_CERTSELECTORCREATEFAILED);
PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
(certSel, certSelParams, plContext),
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
(certSel, &selectorMatchCB, plContext),
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
for (anchorIndex = 0;anchorIndex < trustAnchorsList->length; anchorIndex++) {
PKIX_CHECK(
PKIX_List_GetItem(trustAnchorsList,
anchorIndex,
(PKIX_PL_Object **)&anchor,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
(anchor, &trustedCert, plContext),
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
pkixErrorResult =
(*selectorMatchCB)(certSel, trustedCert, plContext);
if (!pkixErrorResult) {
if (!matchList) {
PKIX_CHECK(PKIX_List_Create(&matchList,
plContext),
PKIX_LISTCREATEFAILED);
}
PKIX_CHECK(
PKIX_List_AppendItem(matchList,
(PKIX_PL_Object*)trustedCert,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
else {
PKIX_DECREF(pkixErrorResult);
}
PKIX_DECREF(trustedCert);
PKIX_DECREF(anchor);
}
*pMatchList = matchList;
matchList = NULL;
cleanup:
PKIX_DECREF(matchList);
PKIX_DECREF(trustedCert);
PKIX_DECREF(anchor);
PKIX_DECREF(certSel);
PKIX_RETURN(BUILD);
}
static PKIX_Error*
pkix_Build_RemoveDupUntrustedCerts(
PKIX_List *trustedCertList,
PKIX_List *certsFound,
void *plContext)
{
PKIX_UInt32 trustIndex;
PKIX_PL_Cert *trustCert = NULL, *cert = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_RemoveDupUntrustedCerts");
if (trustedCertList == NULL || certsFound == NULL) {
goto cleanup;
}
for (trustIndex = 0;trustIndex < trustedCertList->length;
trustIndex++) {
PKIX_UInt32 certIndex = 0;
PKIX_CHECK(
PKIX_List_GetItem(trustedCertList,
trustIndex,
(PKIX_PL_Object **)&trustCert,
plContext),
PKIX_LISTGETITEMFAILED);
while (certIndex < certsFound->length) {
PKIX_Boolean result = PKIX_FALSE;
PKIX_DECREF(cert);
PKIX_CHECK(
PKIX_List_GetItem(certsFound, certIndex,
(PKIX_PL_Object **)&cert,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(
PKIX_PL_Object_Equals((PKIX_PL_Object *)trustCert,
(PKIX_PL_Object *)cert,
&result,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (!result) {
certIndex += 1;
continue;
}
PKIX_CHECK(
PKIX_List_DeleteItem(certsFound, certIndex,
plContext),
PKIX_LISTDELETEITEMFAILED);
}
PKIX_DECREF(trustCert);
}
cleanup:
PKIX_DECREF(cert);
PKIX_DECREF(trustCert);
PKIX_RETURN(BUILD);
}
/*
* FUNCTION: pkix_Build_GatherCerts
* DESCRIPTION:
*
* This function traverses the CertStores in the List of CertStores contained
* in "state", using the certSelector and other parameters contained in
* "state", to obtain a List of all available Certs that satisfy the criteria.
* If a CertStore has a cache, "certSelParams" is used both to query the cache
* and, if an actual CertStore search occurred, to update the cache. (Behavior
* is undefined if "certSelParams" is different from the parameters that were
* used to initialize the certSelector in "state".)
*
* If a CertStore using non-blocking I/O returns with an indication that I/O is
* in progress and the checking has not been completed, this function stores
* platform-dependent information at "pNBIOContext". Otherwise it stores NULL
* at "pNBIOContext", and state is updated with the results of the search.
*
* PARAMETERS:
* "state"
* Address of ForwardBuilderState to be used. Must be non-NULL.
* "certSelParams"
* Address of ComCertSelParams which were used in creating the current
* CertSelector, and to be used in querying and updating any caches that
* may be associated with with the CertStores.
* "pNBIOContext"
* Address at which platform-dependent information is returned if request
* is suspended for non-blocking I/O. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Build Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
/* return NULL if wouldblock, empty list if none found, else list of found */
static PKIX_Error *
pkix_Build_GatherCerts(
PKIX_ForwardBuilderState *state,
PKIX_ComCertSelParams *certSelParams,
void **pNBIOContext,
void *plContext)
{
PKIX_Boolean certStoreIsCached = PKIX_FALSE;
PKIX_Boolean certStoreIsLocal = PKIX_FALSE;
PKIX_Boolean foundInCache = PKIX_FALSE;
PKIX_CertStore *certStore = NULL;
PKIX_CertStore_CertCallback getCerts = NULL;
PKIX_List *certsFound = NULL;
PKIX_List *trustedCertList = NULL;
void *nbioContext = NULL;
PKIX_ENTER(BUILD,
"pkix_Build_GatherCerts");
PKIX_NULLCHECK_THREE(state, certSelParams, pNBIOContext);
nbioContext = *pNBIOContext;
*pNBIOContext = NULL;
PKIX_DECREF(state->candidateCerts);
while (state->certStoreIndex < state->buildConstants.numCertStores) {
/* Get the current CertStore */
PKIX_CHECK(PKIX_List_GetItem
(state->buildConstants.certStores,
state->certStoreIndex,
(PKIX_PL_Object **)&certStore,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_CertStore_GetLocalFlag
(certStore, &certStoreIsLocal, plContext),
PKIX_CERTSTOREGETLOCALFLAGFAILED);
if (state->useOnlyLocal == certStoreIsLocal) {
/* If GATHERPENDING, we've already checked the cache */
if (state->status == BUILD_GATHERPENDING) {
certStoreIsCached = PKIX_FALSE;
foundInCache = PKIX_FALSE;
}
else {
PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
(certStore, &certStoreIsCached, plContext),
PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
if (certStoreIsCached) {
/*
* Look for Certs in the cache, using the SubjectName as
* the key. Then the ComCertSelParams are used to filter
* for qualified certs. If none are found, then the
* certStores are queried. When we eventually add items
--> --------------------
--> maximum size reached
--> --------------------
