Google Git
Sign in
nest-open-source / manifest_repos / nss / 4c27b2c95aa58cee220d6d993f969b63a7261e83 / . / nss-3.41 / nss / lib / libpkix / pkix / checker / pkix_basicconstraintschecker.c
blob: 0e7a87997d49527a984921df0f900fe28cbebbcf [file] [log] [blame]
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_basicconstraintschecker.c
*
* Functions for basic constraints validation
*
*/
#include "pkix_basicconstraintschecker.h"
/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
/*
* FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_BasicConstraintsCheckerState_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
pkix_BasicConstraintsCheckerState *state = NULL;
PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
"pkix_BasicConstraintsCheckerState_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a basic constraints checker state */
PKIX_CHECK(pkix_CheckType
(object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
state = (pkix_BasicConstraintsCheckerState *)object;
PKIX_DECREF(state->basicConstraintsOID);
cleanup:
PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}
/*
* FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
* DESCRIPTION:
* Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
* THREAD SAFETY:
* Not Thread Safe - for performance and complexity reasons
*
* Since this function is only called by PKIX_PL_Initialize, which should
* only be called once, it is acceptable that this function is not
* thread-safe.
*/
PKIX_Error *
pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
"pkix_BasicConstraintsCheckerState_RegisterSelf");
entry.description = "BasicConstraintsCheckerState";
entry.objCounter = 0;
entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
entry.equalsFunction = NULL;
entry.hashcodeFunction = NULL;
entry.toStringFunction = NULL;
entry.comparator = NULL;
entry.duplicateFunction = NULL;
systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}
/*
* FUNCTION: pkix_BasicConstraintsCheckerState_Create
* DESCRIPTION:
*
* Creates a new BasicConstraintsCheckerState using the number of certs in
* the chain represented by "certsRemaining" and stores it at "pState".
*
* PARAMETERS:
* "certsRemaining"
* Number of certificates in the chain.
* "pState"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a BasicConstraintsCheckerState Error if the function fails in a
* non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_BasicConstraintsCheckerState_Create(
PKIX_UInt32 certsRemaining,
pkix_BasicConstraintsCheckerState **pState,
void *plContext)
{
pkix_BasicConstraintsCheckerState *state = NULL;
PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
"pkix_BasicConstraintsCheckerState_Create");
PKIX_NULLCHECK_ONE(pState);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
sizeof (pkix_BasicConstraintsCheckerState),
(PKIX_PL_Object **)&state,
plContext),
PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
/* initialize fields */
state->certsRemaining = certsRemaining;
state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_BASICCONSTRAINTS_OID,
&state->basicConstraintsOID,
plContext),
PKIX_OIDCREATEFAILED);
*pState = state;
state = NULL;
cleanup:
PKIX_DECREF(state);
PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
}
/* --Private-BasicConstraintsChecker-Functions------------------------------ */
/*
* FUNCTION: pkix_BasicConstraintsChecker_Check
* (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
*/
PKIX_Error *
pkix_BasicConstraintsChecker_Check(
PKIX_CertChainChecker *checker,
PKIX_PL_Cert *cert,
PKIX_List *unresolvedCriticalExtensions, /* list of PKIX_PL_OID */
void **pNBIOContext,
void *plContext)
{
PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
pkix_BasicConstraintsCheckerState *state = NULL;
PKIX_Boolean caFlag = PKIX_FALSE;
PKIX_Int32 pathLength = 0;
PKIX_Int32 maxPathLength_now;
PKIX_Boolean isSelfIssued = PKIX_FALSE;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
*pNBIOContext = NULL; /* we never block on pending I/O */
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
(checker, (PKIX_PL_Object **)&state, plContext),
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
state->certsRemaining--;
if (state->certsRemaining != 0) {
PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
(cert, &basicConstraints, plContext),
PKIX_CERTGETBASICCONSTRAINTSFAILED);
/* get CA Flag and path length */
if (basicConstraints != NULL) {
PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
(basicConstraints,
&caFlag,
plContext),
PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
if (caFlag == PKIX_TRUE) {
PKIX_CHECK
(PKIX_PL_BasicConstraints_GetPathLenConstraint
(basicConstraints,
&pathLength,
plContext),
PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
}
}else{
caFlag = PKIX_FALSE;
pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
}
PKIX_CHECK(pkix_IsCertSelfIssued
(cert,
&isSelfIssued,
plContext),
PKIX_ISCERTSELFISSUEDFAILED);
maxPathLength_now = state->maxPathLength;
if (isSelfIssued != PKIX_TRUE) {
/* Not last CA Cert, but maxPathLength is down to zero */
if (maxPathLength_now == 0) {
PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
}
if (caFlag == PKIX_FALSE) {
PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
}
if (maxPathLength_now > 0) { /* can be unlimited (-1) */
maxPathLength_now--;
}
}
if (caFlag == PKIX_TRUE) {
if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
maxPathLength_now = pathLength;
} else {
/* If pathLength is not specified, don't set */
if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
maxPathLength_now =
(maxPathLength_now > pathLength)?
pathLength:maxPathLength_now;
}
}
}
state->maxPathLength = maxPathLength_now;
}
/* Remove Basic Constraints Extension OID from list */
if (unresolvedCriticalExtensions != NULL) {
PKIX_CHECK(pkix_List_Remove
(unresolvedCriticalExtensions,
(PKIX_PL_Object *) state->basicConstraintsOID,
plContext),
PKIX_LISTREMOVEFAILED);
}
PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
(checker, (PKIX_PL_Object *)state, plContext),
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
cleanup:
PKIX_DECREF(state);
PKIX_DECREF(basicConstraints);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_BasicConstraintsChecker_Initialize
* DESCRIPTION:
* Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
* THREAD SAFETY:
* Not Thread Safe - for performance and complexity reasons
*
* Since this function is only called by PKIX_PL_Initialize, which should
* only be called once, it is acceptable that this function is not
* thread-safe.
*/
PKIX_Error *
pkix_BasicConstraintsChecker_Initialize(
PKIX_UInt32 certsRemaining,
PKIX_CertChainChecker **pChecker,
void *plContext)
{
pkix_BasicConstraintsCheckerState *state = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
PKIX_NULLCHECK_ONE(pChecker);
PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
(certsRemaining, &state, plContext),
PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
PKIX_CHECK(PKIX_CertChainChecker_Create
(pkix_BasicConstraintsChecker_Check,
PKIX_FALSE,
PKIX_FALSE,
NULL,
(PKIX_PL_Object *)state,
pChecker,
plContext),
PKIX_CERTCHAINCHECKERCHECKFAILED);
cleanup:
PKIX_DECREF(state);
PKIX_RETURN(CERTCHAINCHECKER);
}