security/nss/lib/ssl/cmpcert.c

   1 /*
   2  * NSS utility functions
   3  *
   4  * ***** BEGIN LICENSE BLOCK *****
   5  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   6  *
   7  * The contents of this file are subject to the Mozilla Public License Version
   8  * 1.1 (the "License"); you may not use this file except in compliance with
   9  * the License. You may obtain a copy of the License at
  10  * http://www.mozilla.org/MPL/
  11  *
  12  * Software distributed under the License is distributed on an "AS IS" basis,
  13  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  14  * for the specific language governing rights and limitations under the
  15  * License.
  16  *
  17  * The Original Code is the Netscape security libraries.
  18  *
  19  * The Initial Developer of the Original Code is
  20  * Netscape Communications Corporation.
  21  * Portions created by the Initial Developer are Copyright (C) 1994-2000
  22  * the Initial Developer. All Rights Reserved.
  23  *
  24  * Contributor(s):
  25  *
  26  * Alternatively, the contents of this file may be used under the terms of
  27  * either the GNU General Public License Version 2 or later (the "GPL"), or
  28  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  29  * in which case the provisions of the GPL or the LGPL are applicable instead
  30  * of those above. If you wish to allow use of your version of this file only
  31  * under the terms of either the GPL or the LGPL, and not to allow others to
  32  * use your version of this file under the terms of the MPL, indicate your
  33  * decision by deleting the provisions above and replace them with the notice
  34  * and other provisions required by the GPL or the LGPL. If you do not delete
  35  * the provisions above, a recipient may use your version of this file under
  36  * the terms of any one of the MPL, the GPL or the LGPL.
  37  *
  38  * ***** END LICENSE BLOCK ***** */
  39 /* $Id: cmpcert.c,v 1.6 2008/02/01 22:09:09 julien.pierre.boogz%sun.com Exp $ */
  40
  41 #include <stdio.h>
  42 #include <string.h>
  43 #include "prerror.h"
  44 #include "secitem.h"
  45 #include "prnetdb.h"
  46 #include "cert.h"
  47 #include "nspr.h"
  48 #include "secder.h"
  49 #include "key.h"
  50 #include "nss.h"
  51
  52 /*
  53  * Look to see if any of the signers in the cert chain for "cert" are found
  54  * in the list of caNames.
  55  * Returns SECSuccess if so, SECFailure if not.
  56  */
  57 SECStatus
  58 NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
  59 {
  60   SECItem *         caname;
  61   CERTCertificate * curcert;
  62   CERTCertificate * oldcert;
  63   PRInt32           contentlen;
  64   int               j;
  65   int               headerlen;
  66   int               depth;
  67   SECStatus         rv;
  68   SECItem           issuerName;
  69   SECItem           compatIssuerName;
  70
  71   if (!cert || !caNames || !caNames->nnames || !caNames->names ||
  72       !caNames->names->data)
  73     return SECFailure;
  74   depth=0;
  75   curcert = CERT_DupCertificate(cert);
  76
  77   while( curcert ) {
  78     issuerName = curcert->derIssuer;
  79
  80     /* compute an alternate issuer name for compatibility with 2.0
  81      * enterprise server, which send the CA names without
  82      * the outer layer of DER header
  83      */
  84     rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
  85     if ( rv == SECSuccess ) {
  86       compatIssuerName.data = &issuerName.data[headerlen];
  87       compatIssuerName.len = issuerName.len - headerlen;
  88     } else {
  89       compatIssuerName.data = NULL;
  90       compatIssuerName.len = 0;
  91     }
  92
  93     for (j = 0; j < caNames->nnames; j++) {
  94       caname = &caNames->names[j];
  95       if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
  96         rv = SECSuccess;
  97         CERT_DestroyCertificate(curcert);
  98         goto done;
  99       } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
 100         rv = SECSuccess;
 101         CERT_DestroyCertificate(curcert);
 102         goto done;
 103       }
 104     }
 105     if ( ( depth <= 20 ) &&
 106          ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
 107            != SECEqual ) ) {
 108       oldcert = curcert;
 109       curcert = CERT_FindCertByName(curcert->dbhandle,
 110                                     &curcert->derIssuer);
 111       CERT_DestroyCertificate(oldcert);
 112       depth++;
 113     } else {
 114       CERT_DestroyCertificate(curcert);
 115       curcert = NULL;
 116     }
 117   }
 118   rv = SECFailure;
 119
 120 done:
 121   return rv;
 122 }
 123