Google Git
Sign in
nest-open-source / manifest_repos / nss / 4c27b2c95aa58cee220d6d993f969b63a7261e83 / . / nss-3.41 / nss / lib / libpkix / pkix / checker / pkix_revocationchecker.c
blob: 7bed9b88601593500e153dd80792f2e99d6baff2 [file] [log] [blame]
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_revocationchecker.c
*
* RevocationChecker Object Functions
*
*/
#include "pkix_revocationchecker.h"
#include "pkix_tools.h"
/* --Private-Functions-------------------------------------------- */
/*
* FUNCTION: pkix_RevocationChecker_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_RevocationChecker_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_RevocationChecker *checker = NULL;
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
PKIX_NULLCHECK_ONE(object);
/* Check that this object is a revocation checker */
PKIX_CHECK(pkix_CheckType
(object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
PKIX_OBJECTNOTREVOCATIONCHECKER);
checker = (PKIX_RevocationChecker *)object;
PKIX_DECREF(checker->leafMethodList);
PKIX_DECREF(checker->chainMethodList);
cleanup:
PKIX_RETURN(REVOCATIONCHECKER);
}
/*
* FUNCTION: pkix_RevocationChecker_Duplicate
* (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_RevocationChecker_Duplicate(
PKIX_PL_Object *object,
PKIX_PL_Object **pNewObject,
void *plContext)
{
PKIX_RevocationChecker *checker = NULL;
PKIX_RevocationChecker *checkerDuplicate = NULL;
PKIX_List *dupLeafList = NULL;
PKIX_List *dupChainList = NULL;
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");
PKIX_NULLCHECK_TWO(object, pNewObject);
PKIX_CHECK(pkix_CheckType
(object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
PKIX_OBJECTNOTCERTCHAINCHECKER);
checker = (PKIX_RevocationChecker *)object;
if (checker->leafMethodList){
PKIX_CHECK(PKIX_PL_Object_Duplicate
((PKIX_PL_Object *)checker->leafMethodList,
(PKIX_PL_Object **)&dupLeafList,
plContext),
PKIX_OBJECTDUPLICATEFAILED);
}
if (checker->chainMethodList){
PKIX_CHECK(PKIX_PL_Object_Duplicate
((PKIX_PL_Object *)checker->chainMethodList,
(PKIX_PL_Object **)&dupChainList,
plContext),
PKIX_OBJECTDUPLICATEFAILED);
}
PKIX_CHECK(
PKIX_RevocationChecker_Create(checker->leafMethodListFlags,
checker->chainMethodListFlags,
&checkerDuplicate,
plContext),
PKIX_REVOCATIONCHECKERCREATEFAILED);
checkerDuplicate->leafMethodList = dupLeafList;
checkerDuplicate->chainMethodList = dupChainList;
dupLeafList = NULL;
dupChainList = NULL;
*pNewObject = (PKIX_PL_Object *)checkerDuplicate;
cleanup:
PKIX_DECREF(dupLeafList);
PKIX_DECREF(dupChainList);
PKIX_RETURN(REVOCATIONCHECKER);
}
/*
* FUNCTION: pkix_RevocationChecker_RegisterSelf
* DESCRIPTION:
* Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with
* systemClasses[]
* THREAD SAFETY:
* Not Thread Safe - for performance and complexity reasons
*
* Since this function is only called by PKIX_PL_Initialize, which should
* only be called once, it is acceptable that this function is not
* thread-safe.
*/
PKIX_Error *
pkix_RevocationChecker_RegisterSelf(void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");
entry.description = "RevocationChecker";
entry.objCounter = 0;
entry.typeObjectSize = sizeof(PKIX_RevocationChecker);
entry.destructor = pkix_RevocationChecker_Destroy;
entry.equalsFunction = NULL;
entry.hashcodeFunction = NULL;
entry.toStringFunction = NULL;
entry.comparator = NULL;
entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
PKIX_RETURN(REVOCATIONCHECKER);
}
/* Sort methods by their priorities (lower priority = higher preference) */
static PKIX_Error *
pkix_RevocationChecker_SortComparator(
PKIX_PL_Object *obj1,
PKIX_PL_Object *obj2,
PKIX_Int32 *pResult,
void *plContext)
{
pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
method1 = (pkix_RevocationMethod *)obj1;
method2 = (pkix_RevocationMethod *)obj2;
if (method1->priority < method2->priority) {
*pResult = -1;
} else if (method1->priority > method2->priority) {
*pResult = 1;
} else {
*pResult = 0;
}
PKIX_RETURN(BUILD);
}
/* --Public-Functions--------------------------------------------- */
/*
* FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)
*/
PKIX_Error *
PKIX_RevocationChecker_Create(
PKIX_UInt32 leafMethodListFlags,
PKIX_UInt32 chainMethodListFlags,
PKIX_RevocationChecker **pChecker,
void *plContext)
{
PKIX_RevocationChecker *checker = NULL;
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
PKIX_NULLCHECK_ONE(pChecker);
PKIX_CHECK(
PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,
sizeof (PKIX_RevocationChecker),
(PKIX_PL_Object **)&checker,
plContext),
PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
checker->leafMethodListFlags = leafMethodListFlags;
checker->chainMethodListFlags = chainMethodListFlags;
checker->leafMethodList = NULL;
checker->chainMethodList = NULL;
*pChecker = checker;
checker = NULL;
cleanup:
PKIX_DECREF(checker);
PKIX_RETURN(REVOCATIONCHECKER);
}
/*
* FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
*/
PKIX_Error *
PKIX_RevocationChecker_CreateAndAddMethod(
PKIX_RevocationChecker *revChecker,
PKIX_ProcessingParams *params,
PKIX_RevocationMethodType methodType,
PKIX_UInt32 flags,
PKIX_UInt32 priority,
PKIX_PL_VerifyCallback verificationFn,
PKIX_Boolean isLeafMethod,
void *plContext)
{
PKIX_List **methodList = NULL;
PKIX_List *unsortedList = NULL;
PKIX_List *certStores = NULL;
pkix_RevocationMethod *method = NULL;
pkix_LocalRevocationCheckFn *localRevChecker = NULL;
pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
PKIX_UInt32 miFlags;
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
PKIX_NULLCHECK_ONE(revChecker);
/* If the caller has said "Either one is sufficient, then don't let the
* absence of any one method's info lead to an overall failure.
*/
miFlags = isLeafMethod ? revChecker->leafMethodListFlags
: revChecker->chainMethodListFlags;
if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
switch (methodType) {
case PKIX_RevocationMethod_CRL:
localRevChecker = pkix_CrlChecker_CheckLocal;
externRevChecker = pkix_CrlChecker_CheckExternal;
PKIX_CHECK(
PKIX_ProcessingParams_GetCertStores(params, &certStores,
plContext),
PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
PKIX_CHECK(
pkix_CrlChecker_Create(methodType, flags, priority,
localRevChecker, externRevChecker,
certStores, verificationFn,
&method,
plContext),
PKIX_COULDNOTCREATECRLCHECKEROBJECT);
break;
case PKIX_RevocationMethod_OCSP:
localRevChecker = pkix_OcspChecker_CheckLocal;
externRevChecker = pkix_OcspChecker_CheckExternal;
PKIX_CHECK(
pkix_OcspChecker_Create(methodType, flags, priority,
localRevChecker, externRevChecker,
verificationFn,
&method,
plContext),
PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
break;
default:
PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
}
if (isLeafMethod) {
methodList = &revChecker->leafMethodList;
} else {
methodList = &revChecker->chainMethodList;
}
if (*methodList == NULL) {
PKIX_CHECK(
PKIX_List_Create(methodList, plContext),
PKIX_LISTCREATEFAILED);
}
unsortedList = *methodList;
PKIX_CHECK(
PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(
pkix_List_BubbleSort(unsortedList,
pkix_RevocationChecker_SortComparator,
methodList, plContext),
PKIX_LISTBUBBLESORTFAILED);
cleanup:
PKIX_DECREF(method);
PKIX_DECREF(unsortedList);
PKIX_DECREF(certStores);
PKIX_RETURN(REVOCATIONCHECKER);
}
/*
* FUNCTION: PKIX_RevocationChecker_Check
*/
PKIX_Error *
PKIX_RevocationChecker_Check(
PKIX_PL_Cert *cert,
PKIX_PL_Cert *issuer,
PKIX_RevocationChecker *revChecker,
PKIX_ProcessingParams *procParams,
PKIX_Boolean chainVerificationState,
PKIX_Boolean testingLeafCert,
PKIX_RevocationStatus *pRevStatus,
PKIX_UInt32 *pReasonCode,
void **pNbioContext,
void *plContext)
{
PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;
PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];
PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;
PKIX_UInt32 revFlags = 0;
PKIX_List *revList = NULL;
PKIX_PL_Date *date = NULL;
pkix_RevocationMethod *method = NULL;
void *nbioContext;
int tries;
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");
PKIX_NULLCHECK_TWO(revChecker, procParams);
nbioContext = *pNbioContext;
*pNbioContext = NULL;
if (testingLeafCert) {
revList = revChecker->leafMethodList;
revFlags = revChecker->leafMethodListFlags;
} else {
revList = revChecker->chainMethodList;
revFlags = revChecker->chainMethodListFlags;
}
if (!revList) {
/* Return NoInfo status */
goto cleanup;
}
PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,
sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
date = procParams->date;
/* Need to have two loops if we testing all local info first:
* first we are going to test all local(cached) info
* second, all remote info(fetching) */
for (tries = 0;tries < 2;tries++) {
unsigned int methodNum = 0;
for (;methodNum < revList->length;methodNum++) {
PKIX_UInt32 methodFlags = 0;
PKIX_DECREF(method);
PKIX_CHECK(
PKIX_List_GetItem(revList, methodNum,
(PKIX_PL_Object**)&method, plContext),
PKIX_LISTGETITEMFAILED);
methodFlags = method->flags;
if (!(methodFlags & PKIX_REV_M_TEST_USING_THIS_METHOD)) {
/* Will not check with this method. Skipping... */
continue;
}
if (!onlyUseRemoteMethods &&
methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
PKIX_CHECK_NO_GOTO(
(*method->localRevChecker)(cert, issuer, date,
method, procParams,
methodFlags,
chainVerificationState,
&revStatus,
(CERTCRLEntryReasonCode *)pReasonCode,
plContext),
PKIX_REVCHECKERCHECKFAILED);
methodStatus[methodNum] = revStatus;
if (revStatus == PKIX_RevStatus_Revoked) {
/* if error was generated use it as final error. */
overallStatus = PKIX_RevStatus_Revoked;
goto cleanup;
}
if (pkixErrorResult) {
/* Disregard errors. Only returned revStatus matters. */
PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
plContext);
pkixErrorResult = NULL;
}
}
if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||
onlyUseRemoteMethods) &&
chainVerificationState &&
methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
PKIX_CHECK_NO_GOTO(
(*method->externalRevChecker)(cert, issuer, date,
method,
procParams, methodFlags,
&revStatus,
(CERTCRLEntryReasonCode *)pReasonCode,
&nbioContext, plContext),
PKIX_REVCHECKERCHECKFAILED);
methodStatus[methodNum] = revStatus;
if (revStatus == PKIX_RevStatus_Revoked) {
/* if error was generated use it as final error. */
overallStatus = PKIX_RevStatus_Revoked;
goto cleanup;
}
if (pkixErrorResult) {
/* Disregard errors. Only returned revStatus matters. */
PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
plContext);
pkixErrorResult = NULL;
}
} else if (methodFlags &
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
/* Info is not in the local cache. Network fetching is not
* allowed. If need to fail on missing fresh info for the
* the method, then we should fail right here.*/
overallStatus = PKIX_RevStatus_Revoked;
goto cleanup;
}
}
/* If success and we should not check the next method, then
* return a success. */
if (methodStatus[methodNum] == PKIX_RevStatus_Success &&
!(methodFlags & PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO)) {
overallStatus = PKIX_RevStatus_Success;
goto cleanup;
}
} /* inner loop */
if (!onlyUseRemoteMethods &&
revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST &&
chainVerificationState) {
onlyUseRemoteMethods = PKIX_TRUE;
continue;
}
break;
} /* outer loop */
if (overallStatus == PKIX_RevStatus_NoInfo &&
chainVerificationState) {
/* The following check makes sence only for chain
* validation step, sinse we do not fetch info while
* in the process of finding trusted anchor.
* For chain building step it is enough to know, that
* the cert was not directly revoked by any of the
* methods. */
/* Still have no info. But one of the method could
* have returned success status(possible if CONTINUE
* TESTING ON FRESH INFO flag was used).
* If any of the methods have returned Success status,
* the overallStatus should be success. */
int methodNum = 0;
for (;methodNum < PKIX_RevocationMethod_MAX;methodNum++) {
if (methodStatus[methodNum] == PKIX_RevStatus_Success) {
overallStatus = PKIX_RevStatus_Success;
goto cleanup;
}
}
if (revFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) {
overallStatus = PKIX_RevStatus_Revoked;
}
}
cleanup:
*pRevStatus = overallStatus;
PKIX_DECREF(method);
PKIX_RETURN(REVOCATIONCHECKER);
}