net/third_party/nss/ssl/cmpcert.c

   1 /*
   2  * NSS utility functions
   3  *
   4  * This Source Code Form is subject to the terms of the Mozilla Public
   5  * License, v. 2.0. If a copy of the MPL was not distributed with this
   6  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   7 /* $Id: cmpcert.c,v 1.7 2012/04/25 14:50:12 gerv%gerv.net Exp $ */
   8
   9 #include <stdio.h>
  10 #include <string.h>
  11 #include "prerror.h"
  12 #include "secitem.h"
  13 #include "prnetdb.h"
  14 #include "cert.h"
  15 #include "nspr.h"
  16 #include "secder.h"
  17 #include "key.h"
  18 #include "nss.h"
  19
  20 /*
  21  * Look to see if any of the signers in the cert chain for "cert" are found
  22  * in the list of caNames.
  23  * Returns SECSuccess if so, SECFailure if not.
  24  */
  25 SECStatus
  26 NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
  27 {
  28   SECItem *         caname;
  29   CERTCertificate * curcert;
  30   CERTCertificate * oldcert;
  31   PRInt32           contentlen;
  32   int               j;
  33   int               headerlen;
  34   int               depth;
  35   SECStatus         rv;
  36   SECItem           issuerName;
  37   SECItem           compatIssuerName;
  38
  39   if (!cert || !caNames || !caNames->nnames || !caNames->names ||
  40       !caNames->names->data)
  41     return SECFailure;
  42   depth=0;
  43   curcert = CERT_DupCertificate(cert);
  44
  45   while( curcert ) {
  46     issuerName = curcert->derIssuer;
  47
  48     /* compute an alternate issuer name for compatibility with 2.0
  49      * enterprise server, which send the CA names without
  50      * the outer layer of DER header
  51      */
  52     rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
  53     if ( rv == SECSuccess ) {
  54       compatIssuerName.data = &issuerName.data[headerlen];
  55       compatIssuerName.len = issuerName.len - headerlen;
  56     } else {
  57       compatIssuerName.data = NULL;
  58       compatIssuerName.len = 0;
  59     }
  60
  61     for (j = 0; j < caNames->nnames; j++) {
  62       caname = &caNames->names[j];
  63       if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
  64         rv = SECSuccess;
  65         CERT_DestroyCertificate(curcert);
  66         goto done;
  67       } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
  68         rv = SECSuccess;
  69         CERT_DestroyCertificate(curcert);
  70         goto done;
  71       }
  72     }
  73     if ( ( depth <= 20 ) &&
  74          ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
  75            != SECEqual ) ) {
  76       oldcert = curcert;
  77       curcert = CERT_FindCertByName(curcert->dbhandle,
  78                                     &curcert->derIssuer);
  79       CERT_DestroyCertificate(oldcert);
  80       depth++;
  81     } else {
  82       CERT_DestroyCertificate(curcert);
  83       curcert = NULL;
  84     }
  85   }
  86   rv = SECFailure;
  87
  88 done:
  89   return rv;
  90 }
  91