search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import from 1.9a8 tarball
[mozilla-nss.git] / security / nss / lib / libpkix / pkix / certsel / pkix_certselector.c
blob37e538132bf2bd6613013b6447e4025eb7de1e12
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Sun Microsystems
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 *
36 * ***** END LICENSE BLOCK ***** */
37 /*
38 * pkix_certselector.c
39 *
40 * CertSelector Object Functions
41 *
42 */
43
44 #include "pkix_certselector.h"
45
46 /* --Private-Functions-------------------------------------------- */
47
48 /*
49 * FUNCTION: pkix_CertSelector_Destroy
50 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
51 */
52 static PKIX_Error *
53 pkix_CertSelector_Destroy(
54 PKIX_PL_Object *object,
55 void *plContext)
56 {
57 PKIX_CertSelector *selector = NULL;
58
59 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy");
60 PKIX_NULLCHECK_ONE(object);
61
62 /* Check that this object is a cert selector */
63 PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
64 PKIX_OBJECTNOTCERTSELECTOR);
65
66 selector = (PKIX_CertSelector *)object;
67 PKIX_DECREF(selector->params);
68 PKIX_DECREF(selector->context);
69
70 cleanup:
71
72 PKIX_RETURN(CERTSELECTOR);
73 }
74
75 /*
76 * FUNCTION: pkix_CertSelector_Duplicate
77 * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
78 */
79 static PKIX_Error *
80 pkix_CertSelector_Duplicate(
81 PKIX_PL_Object *object,
82 PKIX_PL_Object **pNewObject,
83 void *plContext)
84 {
85 PKIX_CertSelector *certSelector = NULL;
86 PKIX_CertSelector *certSelectorDuplicate = NULL;
87
88 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate");
89 PKIX_NULLCHECK_TWO(object, pNewObject);
90
91 PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
92 PKIX_OBJECTNOTCERTSELECTOR);
93
94 certSelector = (PKIX_CertSelector *)object;
95
96 PKIX_CHECK(PKIX_CertSelector_Create
97 (certSelector->matchCallback,
98 certSelector->context,
99 &certSelectorDuplicate,
100 plContext),
101 PKIX_CERTSELECTORCREATEFAILED);
102
103 PKIX_CHECK(PKIX_PL_Object_Duplicate
104 ((PKIX_PL_Object *)certSelector->params,
105 (PKIX_PL_Object **)&certSelectorDuplicate->params,
106 plContext),
107 PKIX_OBJECTDUPLICATEFAILED);
108
109 *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate;
110
111 cleanup:
112
113 if (PKIX_ERROR_RECEIVED){
114 PKIX_DECREF(certSelectorDuplicate);
115 }
116
117 PKIX_RETURN(CERTSELECTOR);
118 }
119
120 /*
121 * FUNCTION: pkix_CertSelector_Match_BasicConstraint
122 * DESCRIPTION:
123 *
124 * Determines whether the Cert pointed to by "cert" matches the basic
125 * constraints criterion using the basic constraints field of the
126 * ComCertSelParams pointed to by "params". If the basic constraints field is
127 * -1, no basic constraints check is done and the Cert is considered to match
128 * the basic constraints criterion. If the Cert does not match the basic
129 * constraints criterion, an Error pointer is returned.
130 *
131 * In order to match against this criterion, there are several possibilities.
132 *
133 * 1) If the criterion's minimum path length is greater than or equal to zero,
134 * a certificate must include a BasicConstraints extension with a pathLen of
135 * at least this value.
136 *
137 * 2) If the criterion's minimum path length is -2, a certificate must be an
138 * end-entity certificate.
139 *
140 * 3) If the criterion's minimum path length is -1, no basic constraints check
141 * is done and all certificates are considered to match this criterion.
142 *
143 * PARAMETERS:
144 * "params"
145 * Address of ComCertSelParams whose basic constraints field is used.
146 * Must be non-NULL.
147 * "cert"
148 * Address of Cert that is to be matched. Must be non-NULL.
149 * "pResult"
150 * Address of PKIX_Boolean that returns the match result.
151 * "plContext"
152 * Platform-specific context pointer.
153 * THREAD SAFETY:
154 * Conditionally Thread Safe
155 * (see Thread Safety Definitions in Programmer's Guide)
156 * RETURNS:
157 * Returns NULL if the function succeeds.
158 * Returns a CertSelector Error if the function fails in a non-fatal way.
159 * Returns a Fatal Error if the function fails in an unrecoverable way.
160 */
161 static PKIX_Error *
162 pkix_CertSelector_Match_BasicConstraint(
163 PKIX_ComCertSelParams *params,
164 PKIX_PL_Cert *cert,
165 PKIX_Boolean *pResult,
166 void *plContext)
167 {
168 PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
169 PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */
170 PKIX_Int32 pathLength = 0;
171 PKIX_Int32 minPathLength = 0;
172
173 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint");
174 PKIX_NULLCHECK_THREE(params, cert, pResult);
175
176 PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
177 (params, &minPathLength, plContext),
178 PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
179
180 /* If the minPathLength is unlimited (-1), no checking */
181 if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) {
182 goto cleanup;
183 }
184
185 PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
186 (cert, &basicConstraints, plContext),
187 PKIX_CERTGETBASICCONSTRAINTSFAILED);
188
189 if (basicConstraints != NULL) {
190 PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
191 (basicConstraints, &caFlag, plContext),
192 PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
193
194 PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint
195 (basicConstraints, &pathLength, plContext),
196 PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
197 }
198
199 /*
200 * if minPathLength >= 0, the cert must have a BasicConstraints ext and
201 * the pathLength in this cert
202 * BasicConstraints needs to be >= minPathLength.
203 */
204 if (minPathLength >= 0){
205 if ((!basicConstraints) || (caFlag == PKIX_FALSE)){
206 PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES);
207 } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) &&
208 (pathLength < minPathLength)){
209 PKIX_CERTSELECTOR_DEBUG
210 ("Basic Constraints path length match failed\n");
211 *pResult = PKIX_FALSE;
212 goto cleanup;
213 }
214 }
215
216 /* if the minPathLength is -2, this cert must be an end-entity cert. */
217 if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) {
218 if (caFlag == PKIX_TRUE) {
219 PKIX_CERTSELECTOR_DEBUG
220 ("Basic Constraints end-entity match failed\n");
221 *pResult = PKIX_FALSE;
222 goto cleanup;
223 }
224 }
225
226 cleanup:
227
228 PKIX_DECREF(basicConstraints);
229 PKIX_RETURN(CERTSELECTOR);
230 }
231
232 /*
233 * FUNCTION: pkix_CertSelector_Match_Policies
234 * DESCRIPTION:
235 *
236 * Determines whether the Cert pointed to by "cert" matches the policy
237 * constraints specified in the ComCertsSelParams given by "params".
238 * If "params" specifies a policy constraint of NULL, all certificates
239 * match. If "params" specifies an empty list, "cert" must have at least
240 * some policy. Otherwise "cert" must include at least one of the
241 * policies in the list. See the description of PKIX_CertSelector in
242 * pkix_certsel.h for more.
243 *
244 * PARAMETERS:
245 * "params"
246 * Address of ComCertSelParams whose policy criterion (if any) is used.
247 * Must be non-NULL.
248 * "cert"
249 * Address of Cert that is to be matched. Must be non-NULL.
250 * "pResult"
251 * Address of PKIX_Boolean that returns the match result.
252 * "plContext"
253 * Platform-specific context pointer.
254 * THREAD SAFETY:
255 * Conditionally Thread Safe
256 * (see Thread Safety Definitions in Programmer's Guide)
257 * RETURNS:
258 * Returns NULL if the function succeeds.
259 * Returns a CertSelector Error if the function fails in a non-fatal way.
260 * Returns a Fatal Error if the function fails in an unrecoverable way.
261 */
262 static PKIX_Error *
263 pkix_CertSelector_Match_Policies(
264 PKIX_ComCertSelParams *params,
265 PKIX_PL_Cert *cert,
266 PKIX_Boolean *pResult,
267 void *plContext)
268 {
269 PKIX_UInt32 numConstraintPolicies = 0;
270 PKIX_UInt32 numCertPolicies = 0;
271 PKIX_UInt32 certPolicyIndex = 0;
272 PKIX_Boolean result = PKIX_FALSE;
273 PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */
274 PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */
275 PKIX_PL_CertPolicyInfo *policyInfo = NULL;
276 PKIX_PL_OID *polOID = NULL;
277
278 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies");
279 PKIX_NULLCHECK_THREE(params, cert, pResult);
280
281 PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy
282 (params, &constraintPolicies, plContext),
283 PKIX_COMCERTSELPARAMSGETPOLICYFAILED);
284
285 /* If constraintPolicies is NULL, all certificates "match" */
286 if (constraintPolicies) {
287 PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
288 (cert, &certPolicyInfos, plContext),
289 PKIX_CERTGETPOLICYINFORMATIONFAILED);
290
291 /* No hope of a match if cert has no policies */
292 if (!certPolicyInfos) {
293 PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
294 *pResult = PKIX_FALSE;
295 goto cleanup;
296
297 }
298
299 PKIX_CHECK(PKIX_List_GetLength
300 (constraintPolicies, &numConstraintPolicies, plContext),
301 PKIX_LISTGETLENGTHFAILED);
302
303 if (numConstraintPolicies > 0) {
304
305 PKIX_CHECK(PKIX_List_GetLength
306 (certPolicyInfos, &numCertPolicies, plContext),
307 PKIX_LISTGETLENGTHFAILED);
308
309 for (certPolicyIndex = 0;
310 ((!result) && (certPolicyIndex < numCertPolicies));
311 certPolicyIndex++) {
312
313 PKIX_CHECK(PKIX_List_GetItem
314 (certPolicyInfos,
315 certPolicyIndex,
316 (PKIX_PL_Object **)&policyInfo,
317 plContext),
318 PKIX_LISTGETELEMENTFAILED);
319 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
320 (policyInfo, &polOID, plContext),
321 PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
322
323 PKIX_CHECK(pkix_List_Contains
324 (constraintPolicies,
325 (PKIX_PL_Object *)polOID,
326 &result,
327 plContext),
328 PKIX_LISTCONTAINSFAILED);
329 PKIX_DECREF(policyInfo);
330 PKIX_DECREF(polOID);
331 }
332 if (!result) {
333 PKIX_CERTSELECTOR_DEBUG
334 ("Certificate has no acceptable policies\n");
335 *pResult = PKIX_FALSE;
336 goto cleanup;
337 }
338 }
339 }
340
341 cleanup:
342
343 PKIX_DECREF(constraintPolicies);
344 PKIX_DECREF(certPolicyInfos);
345 PKIX_DECREF(policyInfo);
346 PKIX_DECREF(polOID);
347
348 PKIX_RETURN(CERTSELECTOR);
349
350 }
351
352 /*
353 * FUNCTION: pkix_CertSelector_Match_CertificateValid
354 * DESCRIPTION:
355 *
356 * Determines whether the Cert pointed to by "cert" matches the certificate
357 * validity criterion using the CertificateValid field of the
358 * ComCertSelParams pointed to by "params". If the CertificateValid field is
359 * NULL, no validity check is done and the Cert is considered to match
360 * the CertificateValid criterion. If the CertificateValid field specifies a
361 * Date prior to the notBefore field in the Cert, or greater than the notAfter
362 * field in the Cert, an Error is returned.
363 *
364 * PARAMETERS:
365 * "params"
366 * Address of ComCertSelParams whose certValid field is used.
367 * Must be non-NULL.
368 * "cert"
369 * Address of Cert that is to be matched. Must be non-NULL.
370 * "pResult"
371 * Address of PKIX_Boolean that returns the match result.
372 * "plContext"
373 * Platform-specific context pointer.
374 * THREAD SAFETY:
375 * Conditionally Thread Safe
376 * (see Thread Safety Definitions in Programmer's Guide)
377 * RETURNS:
378 * Returns NULL if the function succeeds.
379 * Returns a CertSelector Error if the function fails in a non-fatal way.
380 * Returns a Fatal Error if the function fails in an unrecoverable way.
381 */
382 static PKIX_Error *
383 pkix_CertSelector_Match_CertificateValid(
384 PKIX_ComCertSelParams *params,
385 PKIX_PL_Cert *cert,
386 PKIX_Boolean *pResult,
387 void *plContext)
388 {
389 PKIX_PL_Date *validityTime = NULL;
390
391 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid");
392 PKIX_NULLCHECK_THREE(params, cert, pResult);
393
394 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
395 (params, &validityTime, plContext),
396 PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
397
398 /* If the validityTime is not set, all certificates are acceptable */
399 if (validityTime) {
400 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
401 (cert, validityTime, plContext),
402 PKIX_CERTCHECKVALIDITYFAILED);
403 }
404
405 cleanup:
406
407 PKIX_DECREF(validityTime);
408
409 PKIX_RETURN(CERTSELECTOR);
410 }
411
412 /*
413 * FUNCTION: pkix_CertSelector_Match_NameConstraints
414 * DESCRIPTION:
415 *
416 * Determines whether the Cert pointed to by "cert" matches the name
417 * constraints criterion specified in the ComCertSelParams pointed to by
418 * "params". If the name constraints field is NULL, no name constraints check
419 * is done and the Cert is considered to match the name constraints criterion.
420 * If the Cert does not match the name constraints criterion, an Error pointer
421 * is returned.
422 *
423 * PARAMETERS:
424 * "params"
425 * Address of ComCertSelParams whose name constraints field is used.
426 * Must be non-NULL.
427 * "cert"
428 * Address of Cert that is to be matched. Must be non-NULL.
429 * "pResult"
430 * Address of PKIX_Boolean that returns the match result.
431 * "plContext"
432 * Platform-specific context pointer.
433 * THREAD SAFETY:
434 * Conditionally Thread Safe
435 * (see Thread Safety Definitions in Programmer's Guide)
436 * RETURNS:
437 * Returns NULL if the function succeeds.
438 * Returns a CertSelector Error if the function fails in a non-fatal way.
439 * Returns a Fatal Error if the function fails in an unrecoverable way.
440 */
441 static PKIX_Error *
442 pkix_CertSelector_Match_NameConstraints(
443 PKIX_ComCertSelParams *params,
444 PKIX_PL_Cert *cert,
445 PKIX_Boolean *pResult,
446 void *plContext)
447 {
448 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
449
450 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
451 PKIX_NULLCHECK_THREE(params, cert, pResult);
452
453 PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
454 (params, &nameConstraints, plContext),
455 PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
456
457 if (nameConstraints != NULL) {
458
459 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
460 (cert, nameConstraints, plContext),
461 PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
462 }
463
464 cleanup:
465
466 PKIX_DECREF(nameConstraints);
467 PKIX_RETURN(CERTSELECTOR);
468 }
469
470 /*
471 * FUNCTION: pkix_CertSelector_Match_PathToNames
472 * DESCRIPTION:
473 *
474 * Determines whether the names at pathToNames in "params" complies with the
475 * NameConstraints pointed to by "cert". If the pathToNames field is NULL
476 * or there is no name constraints for this "cert", no checking is done
477 * and the Cert is considered to match the name constraints criterion.
478 * If the Cert does not match the name constraints criterion, an Error
479 * pointer is returned.
480 *
481 * PARAMETERS:
482 * "params"
483 * Address of ComCertSelParams whose PathToNames field is used.
484 * Must be non-NULL.
485 * "cert"
486 * Address of Cert that is to be matched. Must be non-NULL.
487 * "pResult"
488 * Address of PKIX_Boolean that returns the match result.
489 * "plContext"
490 * Platform-specific context pointer.
491 * THREAD SAFETY:
492 * Conditionally Thread Safe
493 * (see Thread Safety Definitions in Programmer's Guide)
494 * RETURNS:
495 * Returns NULL if the function succeeds.
496 * Returns a CertSelector Error if the function fails in a non-fatal way.
497 * Returns a Fatal Error if the function fails in an unrecoverable way.
498 */
499 static PKIX_Error *
500 pkix_CertSelector_Match_PathToNames(
501 PKIX_ComCertSelParams *params,
502 PKIX_PL_Cert *cert,
503 PKIX_Boolean *pResult,
504 void *plContext)
505 {
506 PKIX_List *pathToNamesList = NULL;
507 PKIX_Boolean passed = PKIX_FALSE;
508 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
509
510 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames");
511 PKIX_NULLCHECK_THREE(params, cert, pResult);
512
513 PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
514 (params, &pathToNamesList, plContext),
515 PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
516
517 if (pathToNamesList != NULL) {
518
519 PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
520 (cert, &nameConstraints, plContext),
521 PKIX_CERTGETNAMECONSTRAINTSFAILED);
522
523 if (nameConstraints != NULL) {
524
525 PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
526 (pathToNamesList, nameConstraints, &passed, plContext),
527 PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
528
529 if (passed != PKIX_TRUE) {
530 PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n");
531 *pResult = PKIX_FALSE;
532 goto cleanup;
533 }
534 }
535
536 }
537
538 cleanup:
539
540 PKIX_DECREF(nameConstraints);
541 PKIX_DECREF(pathToNamesList);
542
543 PKIX_RETURN(CERTSELECTOR);
544 }
545
546 /*
547 * FUNCTION: pkix_CertSelector_Match_SubjAltNames
548 * DESCRIPTION:
549 *
550 * Determines whether the names at subjAltNames in "params" match with the
551 * SubjAltNames pointed to by "cert". If the subjAltNames field is NULL,
552 * no name checking is done and the Cert is considered to match the
553 * criterion. If the Cert does not match the criterion, an Error pointer
554 * is returned.
555 *
556 * PARAMETERS:
557 * "params"
558 * Address of ComCertSelParams whose SubjAltNames field is used.
559 * Must be non-NULL.
560 * "cert"
561 * Address of Cert that is to be matched. Must be non-NULL.
562 * "pResult"
563 * Address of PKIX_Boolean that returns the match result.
564 * "plContext"
565 * Platform-specific context pointer.
566 * THREAD SAFETY:
567 * Conditionally Thread Safe
568 * (see Thread Safety Definitions in Programmer's Guide)
569 * RETURNS:
570 * Returns NULL if the function succeeds.
571 * Returns a CertSelector Error if the function fails in a non-fatal way.
572 * Returns a Fatal Error if the function fails in an unrecoverable way.
573 */
574 static PKIX_Error *
575 pkix_CertSelector_Match_SubjAltNames(
576 PKIX_ComCertSelParams *params,
577 PKIX_PL_Cert *cert,
578 PKIX_Boolean *pResult,
579 void *plContext)
580 {
581 PKIX_List *subjAltNamesList = NULL;
582 PKIX_List *certSubjAltNames = NULL;
583 PKIX_PL_GeneralName *name = NULL;
584 PKIX_Boolean checkPassed = PKIX_FALSE;
585 PKIX_Boolean matchAll = PKIX_TRUE;
586 PKIX_UInt32 i, numItems;
587 PKIX_UInt32 matchCount = 0;
588
589 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames");
590 PKIX_NULLCHECK_THREE(params, cert, pResult);
591
592 PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
593 (params, &matchAll, plContext),
594 PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED);
595
596 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
597 (params, &subjAltNamesList, plContext),
598 PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
599
600 if (subjAltNamesList != NULL) {
601
602 PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
603 (cert, &certSubjAltNames, plContext),
604 PKIX_CERTGETSUBJALTNAMESFAILED);
605
606 if (certSubjAltNames != NULL) {
607
608 PKIX_CHECK(PKIX_List_GetLength
609 (subjAltNamesList, &numItems, plContext),
610 PKIX_LISTGETLENGTHFAILED);
611
612 for (i = 0; i < numItems; i++) {
613
614 PKIX_CHECK(PKIX_List_GetItem
615 (subjAltNamesList,
616 i,
617 (PKIX_PL_Object **) &name,
618 plContext),
619 PKIX_LISTGETITEMFAILED);
620
621 PKIX_CHECK(pkix_List_Contains
622 (certSubjAltNames,
623 (PKIX_PL_Object *) name,
624 &checkPassed,
625 plContext),
626 PKIX_LISTCONTAINSFAILED);
627
628 PKIX_DECREF(name);
629
630 if (checkPassed == PKIX_TRUE) {
631
632 if (matchAll == PKIX_FALSE) {
633 /* one match is good enough */
634 matchCount = numItems;
635 break;
636 } else {
637 /* else continue checking next */
638 matchCount++;
639 }
640
641 }
642
643 }
644
645 if (matchCount != numItems) {
646 PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
647 *pResult = PKIX_FALSE;
648 goto cleanup;
649 }
650
651 } else {
652
653 PKIX_CERTSELECTOR_DEBUG
654 ("SubjAltName Match failed: Cert has no SubjAltName\n");
655 *pResult = PKIX_FALSE;
656 goto cleanup;
657 }
658
659 }
660
661 cleanup:
662
663 PKIX_DECREF(name);
664 PKIX_DECREF(certSubjAltNames);
665 PKIX_DECREF(subjAltNamesList);
666
667 PKIX_RETURN(CERTSELECTOR);
668 }
669
670 /*
671 * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage
672 * DESCRIPTION:
673 *
674 * Determines whether the names at ExtKeyUsage in "params" matches with the
675 * ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or
676 * ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is
677 * considered a match. If the Cert does not match, an Error pointer is
678 * returned.
679 *
680 * PARAMETERS:
681 * "params"
682 * Address of ComCertSelParams whose ExtKeyUsage field is used.
683 * Must be non-NULL.
684 * "cert"
685 * Address of Cert that is to be matched. Must be non-NULL.
686 * "pResult"
687 * Address of PKIX_Boolean that returns the match result.
688 * "plContext"
689 * Platform-specific context pointer.
690 * THREAD SAFETY:
691 * Conditionally Thread Safe
692 * (see Thread Safety Definitions in Programmer's Guide)
693 * RETURNS:
694 * Returns NULL if the function succeeds.
695 * Returns a CertSelector Error if the function fails in a non-fatal way.
696 * Returns a Fatal Error if the function fails in an unrecoverable way.
697 */
698 static PKIX_Error *
699 pkix_CertSelector_Match_ExtendedKeyUsage(
700 PKIX_ComCertSelParams *params,
701 PKIX_PL_Cert *cert,
702 PKIX_Boolean *pResult,
703 void *plContext)
704 {
705 PKIX_List *extKeyUsageList = NULL;
706 PKIX_List *certExtKeyUsageList = NULL;
707 PKIX_PL_OID *ekuOid = NULL;
708 PKIX_Boolean isContained = PKIX_FALSE;
709 PKIX_UInt32 numItems = 0;
710 PKIX_UInt32 i;
711
712 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage");
713 PKIX_NULLCHECK_THREE(params, cert, pResult);
714
715 PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
716 (params, &extKeyUsageList, plContext),
717 PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
718
719 if (extKeyUsageList == NULL) {
720 goto cleanup;
721 }
722
723 PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
724 (cert, &certExtKeyUsageList, plContext),
725 PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
726
727 if (certExtKeyUsageList != NULL) {
728
729 PKIX_CHECK(PKIX_List_GetLength
730 (extKeyUsageList, &numItems, plContext),
731 PKIX_LISTGETLENGTHFAILED);
732
733 for (i = 0; i < numItems; i++) {
734
735 PKIX_CHECK(PKIX_List_GetItem
736 (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext),
737 PKIX_LISTGETITEMFAILED);
738
739 PKIX_CHECK(pkix_List_Contains
740 (certExtKeyUsageList,
741 (PKIX_PL_Object *)ekuOid,
742 &isContained,
743 plContext),
744 PKIX_LISTCONTAINSFAILED);
745
746 PKIX_DECREF(ekuOid);
747
748 if (isContained != PKIX_TRUE) {
749 PKIX_CERTSELECTOR_DEBUG
750 ("Extended Key Usage Match failed\n");
751 *pResult = PKIX_FALSE;
752 goto cleanup;
753 }
754 }
755 }
756
757 cleanup:
758
759 PKIX_DECREF(ekuOid);
760 PKIX_DECREF(extKeyUsageList);
761 PKIX_DECREF(certExtKeyUsageList);
762
763 PKIX_RETURN(CERTSELECTOR);
764 }
765
766 /*
767 * FUNCTION: pkix_CertSelector_Match_KeyUsage
768 * DESCRIPTION:
769 *
770 * Determines whether the bits at KeyUsage in "params" matches with the
771 * KeyUsage pointed to by "cert". If the KeyUsage in params is 0
772 * no checking is done and the Cert is considered a match. If the Cert does
773 * not match, an Error pointer is returned.
774 *
775 * PARAMETERS:
776 * "params"
777 * Address of ComCertSelParams whose ExtKeyUsage field is used.
778 * Must be non-NULL.
779 * "cert"
780 * Address of Cert that is to be matched. Must be non-NULL.
781 * "pResult"
782 * Address of PKIX_Boolean that returns the match result.
783 * "plContext"
784 * Platform-specific context pointer.
785 * THREAD SAFETY:
786 * Conditionally Thread Safe
787 * (see Thread Safety Definitions in Programmer's Guide)
788 * RETURNS:
789 * Returns NULL if the function succeeds.
790 * Returns a CertSelector Error if the function fails in a non-fatal way.
791 * Returns a Fatal Error if the function fails in an unrecoverable way.
792 */
793 static PKIX_Error *
794 pkix_CertSelector_Match_KeyUsage(
795 PKIX_ComCertSelParams *params,
796 PKIX_PL_Cert *cert,
797 PKIX_Boolean *pResult,
798 void *plContext)
799 {
800 PKIX_UInt32 keyUsage = 0;
801
802 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage");
803 PKIX_NULLCHECK_THREE(params, cert, pResult);
804
805 PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
806 (params, &keyUsage, plContext),
807 PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
808
809 if (keyUsage != 0) {
810
811 PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
812 (cert, keyUsage, plContext),
813 PKIX_CERTVERIFYKEYUSAGEFAILED);
814
815 }
816
817 cleanup:
818
819 PKIX_RETURN(CERTSELECTOR);
820 }
821
822 /*
823 * FUNCTION: pkix_CertSelector_Match_SubjKeyId
824 * DESCRIPTION:
825 *
826 * Determines whether the bytes at subjKeyId in "params" matches with the
827 * Subject Key Identifier pointed to by "cert". If the subjKeyId in params is
828 * set to NULL, no checking is done and the Cert is considered a match. If
829 * the Cert does not match, an Error pointer is returned.
830 *
831 * PARAMETERS:
832 * "params"
833 * Address of ComCertSelParams whose subjKeyId field is used.
834 * Must be non-NULL.
835 * "cert"
836 * Address of Cert that is to be matched. Must be non-NULL.
837 * "pResult"
838 * Address of PKIX_Boolean that returns the match result.
839 * "plContext"
840 * Platform-specific context pointer.
841 * THREAD SAFETY:
842 * Conditionally Thread Safe
843 * (see Thread Safety Definitions in Programmer's Guide)
844 * RETURNS:
845 * Returns NULL if the function succeeds.
846 * Returns a CertSelector Error if the function fails in a non-fatal way.
847 * Returns a Fatal Error if the function fails in an unrecoverable way.
848 */
849 static PKIX_Error *
850 pkix_CertSelector_Match_SubjKeyId(
851 PKIX_ComCertSelParams *params,
852 PKIX_PL_Cert *cert,
853 PKIX_Boolean *pResult,
854 void *plContext)
855 {
856 PKIX_PL_ByteArray *selSubjKeyId = NULL;
857 PKIX_PL_ByteArray *certSubjKeyId = NULL;
858 PKIX_Boolean equals = PKIX_FALSE;
859
860 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId");
861 PKIX_NULLCHECK_THREE(params, cert, pResult);
862
863 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier
864 (params, &selSubjKeyId, plContext),
865 PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
866
867 if (selSubjKeyId != NULL) {
868
869 PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
870 (cert, &certSubjKeyId, plContext),
871 PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
872
873 if (certSubjKeyId != NULL) {
874 PKIX_CHECK(PKIX_PL_Object_Equals
875 ((PKIX_PL_Object *)selSubjKeyId,
876 (PKIX_PL_Object *)certSubjKeyId,
877 &equals,
878 plContext),
879 PKIX_OBJECTEQUALSFAILED);
880
881 if (equals != PKIX_TRUE) {
882 PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
883 *pResult = PKIX_FALSE;
884 goto cleanup;
885 }
886 } else {
887 PKIX_CERTSELECTOR_DEBUG
888 ("SubjKeyId Match failed: Cert has no SubjKeyId\n");
889 *pResult = PKIX_FALSE;
890 goto cleanup;
891 }
892 }
893
894 cleanup:
895
896 PKIX_DECREF(selSubjKeyId);
897 PKIX_DECREF(certSubjKeyId);
898
899 PKIX_RETURN(CERTSELECTOR);
900 }
901
902 /*
903 * FUNCTION: pkix_CertSelector_Match_AuthKeyId
904 * DESCRIPTION:
905 *
906 * Determines whether the bytes at authKeyId in "params" matches with the
907 * Authority Key Identifier pointed to by "cert". If the authKeyId in params
908 * is set to NULL, no checking is done and the Cert is considered a match. If
909 * the Cert does not match, an Error pointer is returned.
910 *
911 * PARAMETERS:
912 * "params"
913 * Address of ComCertSelParams whose authKeyId field is used.
914 * Must be non-NULL.
915 * "cert"
916 * Address of Cert that is to be matched. Must be non-NULL.
917 * "pResult"
918 * Address of PKIX_Boolean that returns the match result.
919 * "plContext"
920 * Platform-specific context pointer.
921 * THREAD SAFETY:
922 * Conditionally Thread Safe
923 * (see Thread Safety Definitions in Programmer's Guide)
924 * RETURNS:
925 * Returns NULL if the function succeeds.
926 * Returns a CertSelector Error if the function fails in a non-fatal way.
927 * Returns a Fatal Error if the function fails in an unrecoverable way.
928 */
929 static PKIX_Error *
930 pkix_CertSelector_Match_AuthKeyId(
931 PKIX_ComCertSelParams *params,
932 PKIX_PL_Cert *cert,
933 PKIX_Boolean *pResult,
934 void *plContext)
935 {
936 PKIX_PL_ByteArray *selAuthKeyId = NULL;
937 PKIX_PL_ByteArray *certAuthKeyId = NULL;
938 PKIX_Boolean equals = PKIX_FALSE;
939
940 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId");
941 PKIX_NULLCHECK_THREE(params, cert, pResult);
942
943 PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
944 (params, &selAuthKeyId, plContext),
945 PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
946
947 if (selAuthKeyId != NULL) {
948
949 PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
950 (cert, &certAuthKeyId, plContext),
951 PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
952
953 if (certAuthKeyId != NULL) {
954 PKIX_CHECK(PKIX_PL_Object_Equals
955 ((PKIX_PL_Object *)selAuthKeyId,
956 (PKIX_PL_Object *)certAuthKeyId,
957 &equals,
958 plContext),
959 PKIX_OBJECTEQUALSFAILED);
960
961 if (equals != PKIX_TRUE) {
962 PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
963 *pResult = PKIX_FALSE;
964 goto cleanup;
965 }
966 } else {
967 PKIX_CERTSELECTOR_DEBUG
968 ("AuthKeyId Match failed: Cert has no AuthKeyId\n");
969 *pResult = PKIX_FALSE;
970 goto cleanup;
971 }
972 }
973
974 cleanup:
975
976 PKIX_DECREF(selAuthKeyId);
977 PKIX_DECREF(certAuthKeyId);
978
979 PKIX_RETURN(CERTSELECTOR);
980 }
981
982 /*
983 * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId
984 * DESCRIPTION:
985 *
986 * Determines whether the OID at subjPKAlgId in "params" matches with the
987 * Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params
988 * is set to NULL, no checking is done and the Cert is considered a match. If
989 * the Cert does not match, an Error pointer is returned.
990 *
991 * PARAMETERS:
992 * "params"
993 * Address of ComCertSelParams whose subjPKAlgId field is used.
994 * Must be non-NULL.
995 * "cert"
996 * Address of Cert that is to be matched. Must be non-NULL.
997 * "pResult"
998 * Address of PKIX_Boolean that returns the match result.
999 * "plContext"
1000 * Platform-specific context pointer.
1001 * THREAD SAFETY:
1002 * Conditionally Thread Safe
1003 * (see Thread Safety Definitions in Programmer's Guide)
1004 * RETURNS:
1005 * Returns NULL if the function succeeds.
1006 * Returns a CertSelector Error if the function fails in a non-fatal way.
1007 * Returns a Fatal Error if the function fails in an unrecoverable way.
1008 */
1009 static PKIX_Error *
1010 pkix_CertSelector_Match_SubjPKAlgId(
1011 PKIX_ComCertSelParams *params,
1012 PKIX_PL_Cert *cert,
1013 PKIX_Boolean *pResult,
1014 void *plContext)
1015 {
1016 PKIX_PL_OID *selPKAlgId = NULL;
1017 PKIX_PL_OID *certPKAlgId = NULL;
1018 PKIX_Boolean equals = PKIX_FALSE;
1019
1020 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId");
1021 PKIX_NULLCHECK_THREE(params, cert, pResult);
1022
1023 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId
1024 (params, &selPKAlgId, plContext),
1025 PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED);
1026
1027 if (selPKAlgId != NULL) {
1028
1029 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
1030 (cert, &certPKAlgId, plContext),
1031 PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
1032
1033 if (certPKAlgId != NULL) {
1034 PKIX_CHECK(PKIX_PL_Object_Equals
1035 ((PKIX_PL_Object *)selPKAlgId,
1036 (PKIX_PL_Object *)certPKAlgId,
1037 &equals,
1038 plContext),
1039 PKIX_OBJECTEQUALSFAILED);
1040
1041 if (equals != PKIX_TRUE) {
1042 PKIX_CERTSELECTOR_DEBUG
1043 ("SubjPKAlgId Match failed\n");
1044 *pResult = PKIX_FALSE;
1045 goto cleanup;
1046 }
1047 } else {
1048 PKIX_CERTSELECTOR_DEBUG
1049 ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
1050 *pResult = PKIX_FALSE;
1051 goto cleanup;
1052 }
1053 }
1054
1055 cleanup:
1056
1057 PKIX_DECREF(selPKAlgId);
1058 PKIX_DECREF(certPKAlgId);
1059
1060 PKIX_RETURN(CERTSELECTOR);
1061 }
1062
1063 /*
1064 * FUNCTION: pkix_CertSelector_Match_SubjPubKey
1065 * DESCRIPTION:
1066 *
1067 * Determines whether the key at subjPubKey in "params" matches with the
1068 * Subject Public Key pointed to by "cert". If the subjPubKey in params
1069 * is set to NULL, no checking is done and the Cert is considered a match. If
1070 * the Cert does not match, an Error pointer is returned.
1071 *
1072 * PARAMETERS:
1073 * "params"
1074 * Address of ComCertSelParams whose subPubKey field is used.
1075 * Must be non-NULL.
1076 * "cert"
1077 * Address of Cert that is to be matched. Must be non-NULL.
1078 * "pResult"
1079 * Address of PKIX_Boolean that returns the match result.
1080 * "plContext"
1081 * Platform-specific context pointer.
1082 * THREAD SAFETY:
1083 * Conditionally Thread Safe
1084 * (see Thread Safety Definitions in Programmer's Guide)
1085 * RETURNS:
1086 * Returns NULL if the function succeeds.
1087 * Returns a CertSelector Error if the function fails in a non-fatal way.
1088 * Returns a Fatal Error if the function fails in an unrecoverable way.
1089 */
1090 static PKIX_Error *
1091 pkix_CertSelector_Match_SubjPubKey(
1092 PKIX_ComCertSelParams *params,
1093 PKIX_PL_Cert *cert,
1094 PKIX_Boolean *pResult,
1095 void *plContext)
1096 {
1097 PKIX_PL_PublicKey *selPK = NULL;
1098 PKIX_PL_PublicKey *certPK = NULL;
1099 PKIX_Boolean equals = PKIX_FALSE;
1100
1101 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey");
1102 PKIX_NULLCHECK_THREE(params, cert, pResult);
1103
1104 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey
1105 (params, &selPK, plContext),
1106 PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
1107
1108 if (selPK != NULL) {
1109
1110 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1111 (cert, &certPK, plContext),
1112 PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1113
1114 if (certPK != NULL) {
1115 PKIX_CHECK(PKIX_PL_Object_Equals
1116 ((PKIX_PL_Object *)selPK,
1117 (PKIX_PL_Object *)certPK,
1118 &equals,
1119 plContext),
1120 PKIX_OBJECTEQUALSFAILED);
1121
1122 if (equals != PKIX_TRUE) {
1123 PKIX_CERTSELECTOR_DEBUG
1124 ("Subject Public Key Match failed\n");
1125 *pResult = PKIX_FALSE;
1126 goto cleanup;
1127 }
1128
1129 } else {
1130 PKIX_CERTSELECTOR_DEBUG
1131 ("SubjPubKey Match failed: Cert has no SubjPubKey\n");
1132 *pResult = PKIX_FALSE;
1133 goto cleanup;
1134 }
1135 }
1136
1137 cleanup:
1138
1139 PKIX_DECREF(selPK);
1140 PKIX_DECREF(certPK);
1141
1142 PKIX_RETURN(CERTSELECTOR);
1143 }
1144
1145 /*
1146 * FUNCTION: pkix_CertSelector_DefaultMatch
1147 * DESCRIPTION:
1148 *
1149 * This default match function determines whether the specified Cert pointed
1150 * to by "cert" matches the criteria of the CertSelector pointed to by
1151 * "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE
1152 * is stored at "pResult". If the Cert does not match the CertSelector's
1153 * criteria, PKIX_FALSE is stored at "pResult".
1154 *
1155 * This default match function understands how to process the most common
1156 * parameters. Any common parameter that is not set is assumed to be disabled,
1157 * which means this function will select all certificates without regard to
1158 * that particular disabled parameter. For example, if the SerialNumber
1159 * parameter is not set, this function will not filter out any certificate
1160 * based on its serial number. As such, if no parameters are set, all are
1161 * disabled and any certificate will match. If a parameter is disabled, its
1162 * associated PKIX_ComCertSelParams_Get* function returns a default value.
1163 * That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and
1164 * PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage,
1165 * and NULL for all other Get functions.
1166 *
1167 * PARAMETERS:
1168 * "selector"
1169 * Address of CertSelector whose MatchCallback logic and parameters are
1170 * to be used. Must be non-NULL.
1171 * "cert"
1172 * Address of Cert that is to be matched using "selector".
1173 * Must be non-NULL.
1174 * "pResult"
1175 * Address of PKIX_Boolean that returns the match result.
1176 * "plContext"
1177 * Platform-specific context pointer.
1178 * THREAD SAFETY:
1179 * Conditionally Thread Safe
1180 * (see Thread Safety Definitions in Programmer's Guide)
1181 * RETURNS:
1182 * Returns NULL if the function succeeds.
1183 * Returns a CertSelector Error if the function fails in a non-fatal way.
1184 * Returns a Fatal Error if the function fails in an unrecoverable way.
1185 */
1186 static PKIX_Error *
1187 pkix_CertSelector_DefaultMatch(
1188 PKIX_CertSelector *selector,
1189 PKIX_PL_Cert *cert,
1190 PKIX_Boolean *pResult,
1191 void *plContext)
1192 {
1193 PKIX_ComCertSelParams *params = NULL;
1194 PKIX_PL_X500Name *certSubject = NULL;
1195 PKIX_PL_X500Name *selSubject = NULL;
1196 PKIX_PL_X500Name *certIssuer = NULL;
1197 PKIX_PL_X500Name *selIssuer = NULL;
1198 PKIX_PL_BigInt *certSerialNumber = NULL;
1199 PKIX_PL_BigInt *selSerialNumber = NULL;
1200 PKIX_PL_Cert *selCert = NULL;
1201 PKIX_PL_Date *selDate = NULL;
1202 PKIX_UInt32 requiredKeyUsage = 0;
1203 PKIX_UInt32 selVersion = 0xFFFFFFFF;
1204 PKIX_UInt32 certVersion = 0;
1205 PKIX_Boolean result = PKIX_TRUE;
1206
1207 #ifdef PKIX_BUILDDEBUG
1208 PKIX_PL_String *certString = NULL;
1209 void *certAscii = NULL;
1210 PKIX_UInt32 certAsciiLen;
1211 #endif
1212
1213 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
1214 PKIX_NULLCHECK_THREE(selector, cert, pResult);
1215
1216 *pResult = PKIX_TRUE;
1217 params = selector->params;
1218 PKIX_INCREF(params);
1219
1220 if (params == NULL){
1221 goto cleanup;
1222 }
1223
1224 PKIX_CHECK(PKIX_ComCertSelParams_GetVersion
1225 (params, &selVersion, plContext),
1226 PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
1227
1228 if (selVersion != 0xFFFFFFFF){
1229 PKIX_CHECK(PKIX_PL_Cert_GetVersion
1230 (cert, &certVersion, plContext),
1231 PKIX_CERTGETVERSIONFAILED);
1232
1233 if (selVersion != certVersion) {
1234 PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n");
1235 *pResult = PKIX_FALSE;
1236 goto cleanup;
1237 }
1238 }
1239
1240 PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
1241 (params, &selSubject, plContext),
1242 PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
1243
1244 if (selSubject){
1245 PKIX_CHECK(PKIX_PL_Cert_GetSubject
1246 (cert, &certSubject, plContext),
1247 PKIX_CERTGETSUBJECTFAILED);
1248
1249 if (certSubject){
1250 PKIX_CHECK(PKIX_PL_X500Name_Match
1251 (selSubject, certSubject, &result, plContext),
1252 PKIX_X500NAMEMATCHFAILED);
1253
1254 if (result == PKIX_FALSE){
1255 PKIX_CERTSELECTOR_DEBUG
1256 ("Subject Match FAILED\n");
1257 *pResult = PKIX_FALSE;
1258 goto cleanup;
1259 }
1260 } else { /* cert has no subject */
1261 PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n");
1262 *pResult = PKIX_FALSE;
1263 goto cleanup;
1264
1265 }
1266 }
1267
1268 PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
1269 (params, &selIssuer, plContext),
1270 PKIX_COMCERTSELPARAMSGETISSUERFAILED);
1271
1272 if (selIssuer){
1273 PKIX_CHECK(PKIX_PL_Cert_GetIssuer
1274 (cert, &certIssuer, plContext),
1275 PKIX_CERTGETISSUERFAILED);
1276
1277 PKIX_CHECK(PKIX_PL_X500Name_Match
1278 (selIssuer, certIssuer, &result, plContext),
1279 PKIX_X500NAMEMATCHFAILED);
1280
1281 if (result == PKIX_FALSE){
1282 PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n");
1283 *pResult = PKIX_FALSE;
1284 goto cleanup;
1285 }
1286 }
1287
1288 PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
1289 (params, &selSerialNumber, plContext),
1290 PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
1291
1292 if (selSerialNumber){
1293 PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
1294 (cert, &certSerialNumber, plContext),
1295 PKIX_CERTGETSERIALNUMBERFAILED);
1296
1297 PKIX_CHECK(PKIX_PL_Object_Equals
1298 ((PKIX_PL_Object *)selSerialNumber,
1299 (PKIX_PL_Object *)certSerialNumber,
1300 &result,
1301 plContext),
1302 PKIX_OBJECTEQUALSFAILED);
1303
1304 if (result == PKIX_FALSE){
1305 PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n");
1306 *pResult = PKIX_FALSE;
1307 goto cleanup;
1308 }
1309 }
1310
1311 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
1312 (params, &selCert, plContext),
1313 PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
1314
1315 if (selCert){
1316 PKIX_CHECK(PKIX_PL_Object_Equals
1317 ((PKIX_PL_Object *) selCert,
1318 (PKIX_PL_Object *) cert,
1319 &result,
1320 plContext),
1321 PKIX_OBJECTEQUALSFAILED);
1322
1323 if (result == PKIX_FALSE){
1324 PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n");
1325 *pResult = PKIX_FALSE;
1326 goto cleanup;
1327 }
1328 }
1329
1330
1331 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
1332 (params, &selDate, plContext),
1333 PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
1334
1335 if (selDate){
1336 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
1337 (cert, selDate, plContext),
1338 PKIX_CERTCHECKVALIDITYFAILED);
1339 }
1340
1341 PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
1342 (params, &requiredKeyUsage, plContext),
1343 PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
1344
1345 if (requiredKeyUsage != 0) {
1346 PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
1347 (cert, requiredKeyUsage, plContext),
1348 PKIX_CERTVERIFYKEYUSAGEFAILED);
1349 }
1350
1351 PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
1352 (params, cert, &result, plContext),
1353 PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
1354
1355 if (result == PKIX_FALSE){
1356 PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
1357 *pResult = PKIX_FALSE;
1358 goto cleanup;
1359 }
1360
1361 PKIX_CHECK(pkix_CertSelector_Match_Policies
1362 (params, cert, &result, plContext),
1363 PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1364
1365 if (result == PKIX_FALSE){
1366 PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
1367 *pResult = PKIX_FALSE;
1368 goto cleanup;
1369 }
1370
1371 PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
1372 (params, cert, &result, plContext),
1373 PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
1374
1375 if (result == PKIX_FALSE){
1376 PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
1377 *pResult = PKIX_FALSE;
1378 goto cleanup;
1379 }
1380
1381 PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
1382 (params, cert, &result, plContext),
1383 PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
1384
1385 if (result == PKIX_FALSE){
1386 PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
1387 *pResult = PKIX_FALSE;
1388 goto cleanup;
1389 }
1390
1391 PKIX_CHECK(pkix_CertSelector_Match_PathToNames
1392 (params, cert, &result, plContext),
1393 PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1394
1395 if (result == PKIX_FALSE){
1396 PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
1397 *pResult = PKIX_FALSE;
1398 goto cleanup;
1399 }
1400
1401 PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
1402 (params, cert, &result, plContext),
1403 PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1404
1405 if (result == PKIX_FALSE){
1406 PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
1407 *pResult = PKIX_FALSE;
1408 goto cleanup;
1409 }
1410
1411 PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
1412 (params, cert, &result, plContext),
1413 PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1414
1415 if (result == PKIX_FALSE){
1416 PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
1417 *pResult = PKIX_FALSE;
1418 goto cleanup;
1419 }
1420
1421 PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
1422 (params, cert, &result, plContext),
1423 PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
1424
1425 if (result == PKIX_FALSE){
1426 PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
1427 *pResult = PKIX_FALSE;
1428 goto cleanup;
1429 }
1430
1431 PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
1432 (params, cert, &result, plContext),
1433 PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1434
1435 if (result == PKIX_FALSE){
1436 PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
1437 *pResult = PKIX_FALSE;
1438 goto cleanup;
1439 }
1440
1441 PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
1442 (params, cert, &result, plContext),
1443 PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1444
1445 if (result == PKIX_FALSE){
1446 PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
1447 *pResult = PKIX_FALSE;
1448 goto cleanup;
1449 }
1450
1451 PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
1452 (params, cert, &result, plContext),
1453 PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1454
1455 if (result == PKIX_FALSE){
1456 PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
1457 *pResult = PKIX_FALSE;
1458 goto cleanup;
1459 }
1460
1461 PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
1462 (params, cert, &result, plContext),
1463 PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1464
1465 if (result == PKIX_FALSE){
1466 PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
1467 *pResult = PKIX_FALSE;
1468 goto cleanup;
1469 }
1470
1471 /* if we reach here, the cert has successfully matched criteria */
1472
1473
1474 #ifdef PKIX_BUILDDEBUG
1475
1476 PKIX_CHECK(pkix_pl_Cert_ToString_Helper
1477 (cert, PKIX_TRUE, &certString, plContext),
1478 PKIX_CERTTOSTRINGHELPERFAILED);
1479
1480 PKIX_CHECK(PKIX_PL_String_GetEncoded
1481 (certString,
1482 PKIX_ESCASCII,
1483 &certAscii,
1484 &certAsciiLen,
1485 plContext),
1486 PKIX_STRINGGETENCODEDFAILED);
1487
1488 PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii);
1489
1490 #endif
1491
1492 cleanup:
1493
1494 #ifdef PKIX_BUILDDEBUG
1495 PKIX_DECREF(certString);
1496 PKIX_FREE(certAscii);
1497 #endif
1498
1499 PKIX_DECREF(certSubject);
1500 PKIX_DECREF(selSubject);
1501 PKIX_DECREF(certIssuer);
1502 PKIX_DECREF(selIssuer);
1503 PKIX_DECREF(certSerialNumber);
1504 PKIX_DECREF(selSerialNumber);
1505 PKIX_DECREF(selCert);
1506 PKIX_DECREF(selDate);
1507 PKIX_DECREF(params);
1508 PKIX_RETURN(CERTSELECTOR);
1509 }
1510
1511 /*
1512 * FUNCTION: pkix_CertSelector_RegisterSelf
1513 * DESCRIPTION:
1514 * Registers PKIX_CERTSELECTOR_TYPE and its related functions with
1515 * systemClasses[]
1516 * THREAD SAFETY:
1517 * Not Thread Safe - for performance and complexity reasons
1518 *
1519 * Since this function is only called by PKIX_PL_Initialize, which should
1520 * only be called once, it is acceptable that this function is not
1521 * thread-safe.
1522 */
1523 PKIX_Error *
1524 pkix_CertSelector_RegisterSelf(void *plContext)
1525 {
1526 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1527 pkix_ClassTable_Entry entry;
1528
1529 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf");
1530
1531 entry.description = "CertSelector";
1532 entry.destructor = pkix_CertSelector_Destroy;
1533 entry.equalsFunction = NULL;
1534 entry.hashcodeFunction = NULL;
1535 entry.toStringFunction = NULL;
1536 entry.comparator = NULL;
1537 entry.duplicateFunction = pkix_CertSelector_Duplicate;
1538
1539 systemClasses[PKIX_CERTSELECTOR_TYPE] = entry;
1540
1541 PKIX_RETURN(CERTSELECTOR);
1542 }
1543
1544 /* --Public-Functions--------------------------------------------- */
1545
1546
1547 /*
1548 * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h)
1549 */
1550 PKIX_Error *
1551 PKIX_CertSelector_Create(
1552 PKIX_CertSelector_MatchCallback callback,
1553 PKIX_PL_Object *certSelectorContext,
1554 PKIX_CertSelector **pSelector,
1555 void *plContext)
1556 {
1557 PKIX_CertSelector *selector = NULL;
1558
1559 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create");
1560 PKIX_NULLCHECK_ONE(pSelector);
1561
1562 PKIX_CHECK(PKIX_PL_Object_Alloc
1563 (PKIX_CERTSELECTOR_TYPE,
1564 sizeof (PKIX_CertSelector),
1565 (PKIX_PL_Object **)&selector,
1566 plContext),
1567 PKIX_COULDNOTCREATECERTSELECTOROBJECT);
1568
1569 /*
1570 * if user specified a particular match callback, we use that one.
1571 * otherwise, we use the default match implementation which
1572 * understands how to process PKIX_ComCertSelParams
1573 */
1574
1575 if (callback){
1576 selector->matchCallback = callback;
1577 } else {
1578 selector->matchCallback = pkix_CertSelector_DefaultMatch;
1579 }
1580
1581 /* initialize other fields */
1582 selector->params = NULL;
1583
1584 PKIX_INCREF(certSelectorContext);
1585 selector->context = certSelectorContext;
1586
1587 *pSelector = selector;
1588
1589 cleanup:
1590
1591 PKIX_RETURN(CERTSELECTOR);
1592
1593 }
1594
1595 /*
1596 * FUNCTION: PKIX_CertSelector_GetMatchCallback
1597 * (see comments in pkix_certsel.h)
1598 */
1599 PKIX_Error *
1600 PKIX_CertSelector_GetMatchCallback(
1601 PKIX_CertSelector *selector,
1602 PKIX_CertSelector_MatchCallback *pCallback,
1603 void *plContext)
1604 {
1605 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback");
1606 PKIX_NULLCHECK_TWO(selector, pCallback);
1607
1608 *pCallback = selector->matchCallback;
1609
1610 PKIX_RETURN(CERTSELECTOR);
1611 }
1612
1613 /*
1614 * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
1615 * (see comments in pkix_certsel.h)
1616 */
1617 PKIX_Error *
1618 PKIX_CertSelector_GetCertSelectorContext(
1619 PKIX_CertSelector *selector,
1620 PKIX_PL_Object **pCertSelectorContext,
1621 void *plContext)
1622 {
1623 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext");
1624 PKIX_NULLCHECK_TWO(selector, pCertSelectorContext);
1625
1626 PKIX_INCREF(selector->context);
1627
1628 *pCertSelectorContext = selector->context;
1629
1630 PKIX_RETURN(CERTSELECTOR);
1631 }
1632
1633 /*
1634 * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
1635 * (see comments in pkix_certsel.h)
1636 */
1637 PKIX_Error *
1638 PKIX_CertSelector_GetCommonCertSelectorParams(
1639 PKIX_CertSelector *selector,
1640 PKIX_ComCertSelParams **pParams,
1641 void *plContext)
1642 {
1643 PKIX_ENTER(CERTSELECTOR,
1644 "PKIX_CertSelector_GetCommonCertSelectorParams");
1645
1646 PKIX_NULLCHECK_TWO(selector, pParams);
1647
1648 PKIX_INCREF(selector->params);
1649 *pParams = selector->params;
1650
1651 PKIX_RETURN(CERTSELECTOR);
1652
1653 }
1654
1655 /*
1656 * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
1657 * (see comments in pkix_certsel.h)
1658 */
1659 PKIX_Error *
1660 PKIX_CertSelector_SetCommonCertSelectorParams(
1661 PKIX_CertSelector *selector,
1662 PKIX_ComCertSelParams *params,
1663 void *plContext)
1664 {
1665 PKIX_ENTER(CERTSELECTOR,
1666 "PKIX_CertSelector_SetCommonCertSelectorParams");
1667
1668 PKIX_NULLCHECK_ONE(selector);
1669
1670 PKIX_DECREF(selector->params);
1671 PKIX_INCREF(params);
1672 selector->params = params;
1673
1674 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1675 ((PKIX_PL_Object *)selector, plContext),
1676 PKIX_OBJECTINVALIDATECACHEFAILED);
1677
1678 cleanup:
1679
1680 PKIX_RETURN(CERTSELECTOR);
1681
1682 }
1683
1684 /*
1685 * FUNCTION: pkix_CertSelector_Select
1686 * DESCRIPTION:
1687 *
1688 * This function applies the selector pointed to by "selector" to each Cert,
1689 * in turn, in the List pointed to by "before", and creates a List containing
1690 * all the Certs that matched, or passed the selection process, storing that
1691 * List at "pAfter". If no Certs match, an empty List is stored at "pAfter".
1692 *
1693 * The List returned in "pAfter" is immutable.
1694 *
1695 * PARAMETERS:
1696 * "selector"
1697 * Address of CertSelelector to be applied to the List. Must be non-NULL.
1698 * "before"
1699 * Address of List that is to be filtered. Must be non-NULL.
1700 * "pAfter"
1701 * Address at which resulting List, possibly empty, is stored. Must be
1702 * non-NULL.
1703 * "plContext"
1704 * Platform-specific context pointer.
1705 * THREAD SAFETY:
1706 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1707 * RETURNS:
1708 * Returns NULL if the function succeeds.
1709 * Returns a CertSelector Error if the function fails in a non-fatal way.
1710 * Returns a Fatal Error if the function fails in an unrecoverable way.
1711 */
1712 PKIX_Error *
1713 pkix_CertSelector_Select(
1714 PKIX_CertSelector *selector,
1715 PKIX_List *before,
1716 PKIX_List **pAfter,
1717 void *plContext)
1718 {
1719 PKIX_Boolean match = PKIX_FALSE;
1720 PKIX_UInt32 numBefore = 0;
1721 PKIX_UInt32 i = 0;
1722 PKIX_List *filtered = NULL;
1723 PKIX_PL_Cert *candidate = NULL;
1724
1725 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
1726 PKIX_NULLCHECK_THREE(selector, before, pAfter);
1727
1728 PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
1729 PKIX_LISTCREATEFAILED);
1730
1731 PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
1732 PKIX_LISTGETLENGTHFAILED);
1733
1734 for (i = 0; i < numBefore; i++) {
1735
1736 PKIX_CHECK(PKIX_List_GetItem
1737 (before, i, (PKIX_PL_Object **)&candidate, plContext),
1738 PKIX_LISTGETITEMFAILED);
1739
1740 PKIX_CHECK_ONLY_FATAL(selector->matchCallback
1741 (selector, candidate, &match, plContext),
1742 PKIX_CERTSELECTORMATCHCALLBACKFAILED);
1743
1744 if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) {
1745
1746 PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
1747 (filtered,
1748 (PKIX_PL_Object *)candidate,
1749 plContext),
1750 PKIX_LISTAPPENDITEMFAILED);
1751 }
1752
1753 pkixTempErrorReceived = PKIX_FALSE;
1754 PKIX_DECREF(candidate);
1755 }
1756
1757 PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
1758 PKIX_LISTSETIMMUTABLEFAILED);
1759
1760 /* Don't throw away the list if one Cert was bad! */
1761 pkixTempErrorReceived = PKIX_FALSE;
1762
1763 *pAfter = filtered;
1764
1765 cleanup:
1766
1767 PKIX_DECREF(candidate);
1768
1769 PKIX_RETURN(CERTSELECTOR);
1770
1771 }
Mozilla NSS module