search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import from 1.9a8 tarball
[mozilla-nss.git] / security / nss / lib / libpkix / pkix_pl_nss / pki / pkix_pl_nameconstraints.c
blobbf2d57e72913cb09ba3ac99cac7ad13d4a42b617
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Sun Microsystems
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 *
36 * ***** END LICENSE BLOCK ***** */
37 /*
38 * pkix_pl_nameconstraints.c
39 *
40 * Name Constraints Object Functions Definitions
41 *
42 */
43
44 #include "pkix_pl_nameconstraints.h"
45
46
47 /* --Private-NameConstraints-Functions----------------------------- */
48
49 /*
50 * FUNCTION: pkix_pl_CertNameConstraints_GetPermitted
51 * DESCRIPTION:
52 *
53 * This function retrieve name constraints permitted list from NSS
54 * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
55 * in "pPermittedList".
56 *
57 * PARAMETERS
58 * "nameConstraints"
59 * Address of CertNameConstraints which has a pointer to
60 * CERTNameConstraints data. Must be non-NULL.
61 * "pPermittedList"
62 * Address where returned permitted name list is stored. Must be non-NULL.
63 * "plContext" - Platform-specific context pointer.
64 * THREAD SAFETY:
65 * Conditionally Thread Safe
66 * (see Thread Safety Definitions in Programmer's Guide)
67 * RETURNS:
68 * Returns NULL if the function succeeds.
69 * Returns a NameConstraints Error if the function fails in a
70 * non-fatal way.
71 * Returns a Fatal Error if the function fails in an unrecoverable way.
72 */
73 static PKIX_Error *
74 pkix_pl_CertNameConstraints_GetPermitted(
75 PKIX_PL_CertNameConstraints *nameConstraints,
76 PKIX_List **pPermittedList,
77 void *plContext)
78 {
79 CERTNameConstraints *nssNameConstraints = NULL;
80 CERTNameConstraints **nssNameConstraintsList = NULL;
81 CERTNameConstraint *nssPermitted = NULL;
82 CERTNameConstraint *firstPermitted = NULL;
83 PKIX_List *permittedList = NULL;
84 PKIX_PL_GeneralName *name = NULL;
85 PKIX_UInt32 numItems = 0;
86 PKIX_UInt32 i;
87
88 PKIX_ENTER(CERTNAMECONSTRAINTS,
89 "pkix_pl_CertNameConstraints_GetPermitted");
90 PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList);
91
92 /*
93 * nssNameConstraints is an array of CERTNameConstraints
94 * pointers where CERTNameConstraints keep its permitted and excluded
95 * lists as pointer array of CERTNameConstraint.
96 */
97
98 if (nameConstraints->permittedList == NULL) {
99
100 PKIX_OBJECT_LOCK(nameConstraints);
101
102 if (nameConstraints->permittedList == NULL) {
103
104 PKIX_CHECK(PKIX_List_Create(&permittedList, plContext),
105 PKIX_LISTCREATEFAILED);
106
107 numItems = nameConstraints->numNssNameConstraints;
108 nssNameConstraintsList =
109 nameConstraints->nssNameConstraintsList;
110
111 for (i = 0; i < numItems; i++) {
112
113 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
114 nssNameConstraints = *(nssNameConstraintsList + i);
115 PKIX_NULLCHECK_ONE(nssNameConstraints);
116
117 if (nssNameConstraints->permited != NULL) {
118
119 nssPermitted = nssNameConstraints->permited;
120 firstPermitted = nssPermitted;
121
122 do {
123
124 PKIX_CHECK(pkix_pl_GeneralName_Create
125 (&nssPermitted->name, &name, plContext),
126 PKIX_GENERALNAMECREATEFAILED);
127
128 PKIX_CHECK(PKIX_List_AppendItem
129 (permittedList,
130 (PKIX_PL_Object *)name,
131 plContext),
132 PKIX_LISTAPPENDITEMFAILED);
133
134 PKIX_DECREF(name);
135
136 PKIX_CERTNAMECONSTRAINTS_DEBUG
137 ("\t\tCalling CERT_GetNextNameConstraint\n");
138 nssPermitted = CERT_GetNextNameConstraint
139 (nssPermitted);
140
141 } while (nssPermitted != firstPermitted);
142
143 }
144 }
145
146 PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext),
147 PKIX_LISTSETIMMUTABLEFAILED);
148
149 nameConstraints->permittedList = permittedList;
150
151 }
152
153 PKIX_OBJECT_UNLOCK(nameConstraints);
154
155 }
156
157 PKIX_INCREF(nameConstraints->permittedList);
158
159 *pPermittedList = nameConstraints->permittedList;
160
161 cleanup:
162
163 PKIX_RETURN(CERTNAMECONSTRAINTS);
164 }
165
166 /*
167 * FUNCTION: pkix_pl_CertNameConstraints_GetExcluded
168 * DESCRIPTION:
169 *
170 * This function retrieve name constraints excluded list from NSS
171 * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
172 * in "pExcludedList".
173 *
174 * PARAMETERS
175 * "nameConstraints"
176 * Address of CertNameConstraints which has a pointer to NSS data.
177 * Must be non-NULL.
178 * "pPermittedList"
179 * Address where returned excluded name list is stored. Must be non-NULL.
180 * "plContext" - Platform-specific context pointer.
181 * THREAD SAFETY:
182 * Conditionally Thread Safe
183 * (see Thread Safety Definitions in Programmer's Guide)
184 * RETURNS:
185 * Returns NULL if the function succeeds.
186 * Returns a NameConstraints Error if the function fails in a
187 * non-fatal way.
188 * Returns a Fatal Error if the function fails in an unrecoverable way.
189 */
190 static PKIX_Error *
191 pkix_pl_CertNameConstraints_GetExcluded(
192 PKIX_PL_CertNameConstraints *nameConstraints,
193 PKIX_List **pExcludedList,
194 void *plContext)
195 {
196 CERTNameConstraints *nssNameConstraints = NULL;
197 CERTNameConstraints **nssNameConstraintsList = NULL;
198 CERTNameConstraint *nssExcluded = NULL;
199 CERTNameConstraint *firstExcluded = NULL;
200 PKIX_List *excludedList = NULL;
201 PKIX_PL_GeneralName *name = NULL;
202 PKIX_UInt32 numItems = 0;
203 PKIX_UInt32 i;
204
205 PKIX_ENTER(CERTNAMECONSTRAINTS,
206 "pkix_pl_CertNameConstraints_GetExcluded");
207 PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList);
208
209 if (nameConstraints->excludedList == NULL) {
210
211 PKIX_OBJECT_LOCK(nameConstraints);
212
213 if (nameConstraints->excludedList == NULL) {
214
215 PKIX_CHECK(PKIX_List_Create(&excludedList, plContext),
216 PKIX_LISTCREATEFAILED);
217
218 numItems = nameConstraints->numNssNameConstraints;
219 nssNameConstraintsList =
220 nameConstraints->nssNameConstraintsList;
221
222 for (i = 0; i < numItems; i++) {
223
224 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
225 nssNameConstraints = *(nssNameConstraintsList + i);
226 PKIX_NULLCHECK_ONE(nssNameConstraints);
227
228 if (nssNameConstraints->excluded != NULL) {
229
230 nssExcluded = nssNameConstraints->excluded;
231 firstExcluded = nssExcluded;
232
233 do {
234
235 PKIX_CHECK(pkix_pl_GeneralName_Create
236 (&nssExcluded->name, &name, plContext),
237 PKIX_GENERALNAMECREATEFAILED);
238
239 PKIX_CHECK(PKIX_List_AppendItem
240 (excludedList,
241 (PKIX_PL_Object *)name,
242 plContext),
243 PKIX_LISTAPPENDITEMFAILED);
244
245 PKIX_DECREF(name);
246
247 PKIX_CERTNAMECONSTRAINTS_DEBUG
248 ("\t\tCalling CERT_GetNextNameConstraint\n");
249 nssExcluded = CERT_GetNextNameConstraint
250 (nssExcluded);
251
252 } while (nssExcluded != firstExcluded);
253
254 }
255
256 }
257 PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext),
258 PKIX_LISTSETIMMUTABLEFAILED);
259
260 nameConstraints->excludedList = excludedList;
261
262 }
263
264 PKIX_OBJECT_UNLOCK(nameConstraints);
265 }
266
267 PKIX_INCREF(nameConstraints->excludedList);
268
269 *pExcludedList = nameConstraints->excludedList;
270
271 cleanup:
272
273 PKIX_RETURN(CERTNAMECONSTRAINTS);
274 }
275
276 /*
277 * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
278 * DESCRIPTION:
279 *
280 * This function checks if CERTGeneral names in "nssSubjectNames" complies
281 * with the permitted and excluded names in "nameConstraints". It returns
282 * PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
283 * permitted list and if the Names are not in the excluded list. Otherwise,
284 * it returns PKIX_FALSE.
285 *
286 * PARAMETERS
287 * "nssSubjectNames"
288 * List of CERTGeneralName that nameConstraints verification is based on.
289 * "nameConstraints"
290 * Address of CertNameConstraints that provides lists of permitted
291 * and excluded names. Must be non-NULL.
292 * "pCheckPass"
293 * Address where PKIX_TRUE is returned if the all names in "nameList" are
294 * valid.
295 * "plContext" - Platform-specific context pointer.
296 * THREAD SAFETY:
297 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
298 * RETURNS:
299 * Returns NULL if the function succeeds.
300 * Returns a NameConstraints Error if the function fails in a
301 * non-fatal way.
302 * Returns a Fatal Error if the function fails in an unrecoverable way.
303 */
304 PKIX_Error *
305 pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
306 CERTGeneralName *nssSubjectNames,
307 PKIX_PL_CertNameConstraints *nameConstraints,
308 PKIX_Boolean *pCheckPass,
309 void *plContext)
310 {
311 CERTNameConstraints **nssNameConstraintsList = NULL;
312 CERTNameConstraints *nssNameConstraints = NULL;
313 CERTGeneralName *nssMatchName = NULL;
314 PRArenaPool *arena = NULL;
315 PKIX_UInt32 numItems = 0;
316 PKIX_UInt32 i;
317 SECStatus status = SECSuccess;
318
319 PKIX_ENTER(CERTNAMECONSTRAINTS,
320 "pkix_pl_CertNameConstraints_CheckNameSpaceNssNames");
321 PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass);
322
323 *pCheckPass = PKIX_TRUE;
324
325 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
326 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
327 if (arena == NULL) {
328 PKIX_ERROR(PKIX_PORTNEWARENAFAILED);
329 }
330
331 if (nssSubjectNames == NULL) {
332 PKIX_ERROR(PKIX_CERTGETCERTIFICATENAMESRETURNNULL);
333 }
334
335 nssMatchName = nssSubjectNames;
336 nssNameConstraintsList = nameConstraints->nssNameConstraintsList;
337
338 /*
339 * CERTNameConstraint items in each permitted or excluded list
340 * is verified as OR condition. That means, if one item matched,
341 * then the checking on the remaining items on the list is skipped.
342 * (see NSS cert_CompareNameWithConstraints(...)).
343 * Items on PKIX_PL_NameConstraint's nssNameConstraints are verified
344 * as AND condition. PKIX_PL_NameConstraint keeps an array of pointers
345 * of CERTNameConstraints resulting from merging multiple
346 * PKIX_PL_NameConstraints. Since each CERTNameConstraint are created
347 * for different entity, a union condition of these entities then is
348 * performed.
349 */
350
351 do {
352
353 numItems = nameConstraints->numNssNameConstraints;
354
355 for (i = 0; i < numItems; i++) {
356
357 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
358 nssNameConstraints = *(nssNameConstraintsList + i);
359 PKIX_NULLCHECK_ONE(nssNameConstraints);
360
361 PKIX_CERTNAMECONSTRAINTS_DEBUG
362 ("\t\tCalling CERT_CheckNameSpace\n");
363 status = CERT_CheckNameSpace
364 (arena, nssNameConstraints, nssMatchName);
365 if (status != SECSuccess) {
366 break;
367 }
368
369 }
370
371 if (status != SECSuccess) {
372 break;
373 }
374
375 PKIX_CERTNAMECONSTRAINTS_DEBUG
376 ("\t\tCalling CERT_GetNextGeneralName\n");
377 nssMatchName = CERT_GetNextGeneralName(nssMatchName);
378
379 } while (nssMatchName != nssSubjectNames);
380
381 if (status == SECFailure) {
382
383 *pCheckPass = PKIX_FALSE;
384 }
385
386 cleanup:
387
388 if (arena){
389 PKIX_CERTNAMECONSTRAINTS_DEBUG
390 ("\t\tCalling PORT_FreeArena).\n");
391 PORT_FreeArena(arena, PR_FALSE);
392 }
393
394 PKIX_RETURN(CERTNAMECONSTRAINTS);
395 }
396
397 /*
398 * FUNCTION: pkix_pl_NameConstraints_Destroy
399 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
400 */
401 static PKIX_Error *
402 pkix_pl_CertNameConstraints_Destroy(
403 PKIX_PL_Object *object,
404 void *plContext)
405 {
406 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
407
408 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy");
409 PKIX_NULLCHECK_ONE(object);
410
411 PKIX_CHECK(pkix_CheckType
412 (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
413 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
414
415 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
416
417 PKIX_CHECK(PKIX_PL_Free
418 (nameConstraints->nssNameConstraintsList, plContext),
419 PKIX_FREEFAILED);
420
421 if (nameConstraints->arena){
422 PKIX_CERTNAMECONSTRAINTS_DEBUG
423 ("\t\tCalling PORT_FreeArena).\n");
424 PORT_FreeArena(nameConstraints->arena, PR_FALSE);
425 nameConstraints->arena = NULL;
426 }
427
428 PKIX_DECREF(nameConstraints->permittedList);
429 PKIX_DECREF(nameConstraints->excludedList);
430
431 cleanup:
432
433 PKIX_RETURN(CERTNAMECONSTRAINTS);
434 }
435
436 /*
437 * FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper
438 * DESCRIPTION:
439 *
440 * Helper function that creates a string representation of the object
441 * NameConstraints and stores it at "pString".
442 *
443 * PARAMETERS
444 * "nameConstraints"
445 * Address of CertNameConstraints whose string representation is
446 * desired. Must be non-NULL.
447 * "pString"
448 * Address where string object pointer will be stored. Must be non-NULL.
449 * "plContext" - Platform-specific context pointer.
450 * THREAD SAFETY:
451 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
452 * RETURNS:
453 * Returns NULL if the function succeeds.
454 * Returns a NameConstraints Error if the function fails in a
455 * non-fatal way.
456 * Returns a Fatal Error if the function fails in an unrecoverable way.
457 */
458 static PKIX_Error *
459 pkix_pl_CertNameConstraints_ToString_Helper(
460 PKIX_PL_CertNameConstraints *nameConstraints,
461 PKIX_PL_String **pString,
462 void *plContext)
463 {
464 char *asciiFormat = NULL;
465 PKIX_PL_String *formatString = NULL;
466 PKIX_List *permittedList = NULL;
467 PKIX_List *excludedList = NULL;
468 PKIX_PL_String *permittedListString = NULL;
469 PKIX_PL_String *excludedListString = NULL;
470 PKIX_PL_String *nameConstraintsString = NULL;
471
472 PKIX_ENTER(CERTNAMECONSTRAINTS,
473 "pkix_pl_CertNameConstraints_ToString_Helper");
474 PKIX_NULLCHECK_TWO(nameConstraints, pString);
475
476 asciiFormat =
477 "[\n"
478 "\t\tPermitted Name: %s\n"
479 "\t\tExcluded Name: %s\n"
480 "\t]\n";
481
482 PKIX_CHECK(PKIX_PL_String_Create
483 (PKIX_ESCASCII,
484 asciiFormat,
485 0,
486 &formatString,
487 plContext),
488 PKIX_STRINGCREATEFAILED);
489
490 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
491 (nameConstraints, &permittedList, plContext),
492 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
493
494 PKIX_TOSTRING(permittedList, &permittedListString, plContext,
495 PKIX_LISTTOSTRINGFAILED);
496
497 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
498 (nameConstraints, &excludedList, plContext),
499 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
500
501 PKIX_TOSTRING(excludedList, &excludedListString, plContext,
502 PKIX_LISTTOSTRINGFAILED);
503
504 PKIX_CHECK(PKIX_PL_Sprintf
505 (&nameConstraintsString,
506 plContext,
507 formatString,
508 permittedListString,
509 excludedListString),
510 PKIX_SPRINTFFAILED);
511
512 *pString = nameConstraintsString;
513
514 cleanup:
515
516 PKIX_DECREF(formatString);
517 PKIX_DECREF(permittedList);
518 PKIX_DECREF(excludedList);
519 PKIX_DECREF(permittedListString);
520 PKIX_DECREF(excludedListString);
521
522 PKIX_RETURN(CERTNAMECONSTRAINTS);
523 }
524
525 /*
526 * FUNCTION: pkix_pl_CertNameConstraints_ToString
527 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
528 */
529 static PKIX_Error *
530 pkix_pl_CertNameConstraints_ToString(
531 PKIX_PL_Object *object,
532 PKIX_PL_String **pString,
533 void *plContext)
534 {
535 PKIX_PL_String *nameConstraintsString = NULL;
536 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
537
538 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString");
539 PKIX_NULLCHECK_TWO(object, pString);
540
541 PKIX_CHECK(pkix_CheckType(
542 object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
543 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
544
545 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
546
547 PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper
548 (nameConstraints, &nameConstraintsString, plContext),
549 PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED);
550
551 *pString = nameConstraintsString;
552
553 cleanup:
554
555 PKIX_RETURN(CERTNAMECONSTRAINTS);
556 }
557
558 /*
559 * FUNCTION: pkix_pl_CertNameConstraints_Hashcode
560 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
561 */
562 static PKIX_Error *
563 pkix_pl_CertNameConstraints_Hashcode(
564 PKIX_PL_Object *object,
565 PKIX_UInt32 *pHashcode,
566 void *plContext)
567 {
568 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
569 PKIX_List *permittedList = NULL;
570 PKIX_List *excludedList = NULL;
571 PKIX_UInt32 permitHash = 0;
572 PKIX_UInt32 excludeHash = 0;
573
574 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode");
575 PKIX_NULLCHECK_TWO(object, pHashcode);
576
577 PKIX_CHECK(pkix_CheckType
578 (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
579 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
580
581 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
582
583 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
584 (nameConstraints, &permittedList, plContext),
585 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
586
587 PKIX_HASHCODE(permittedList, &permitHash, plContext,
588 PKIX_OBJECTHASHCODEFAILED);
589
590 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
591 (nameConstraints, &excludedList, plContext),
592 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
593
594 PKIX_HASHCODE(excludedList, &excludeHash, plContext,
595 PKIX_OBJECTHASHCODEFAILED);
596
597 *pHashcode = (((permitHash << 7) + excludeHash) << 7) +
598 nameConstraints->numNssNameConstraints;
599
600 cleanup:
601
602 PKIX_DECREF(permittedList);
603 PKIX_DECREF(excludedList);
604 PKIX_RETURN(CERTNAMECONSTRAINTS);
605 }
606
607 /*
608 * FUNCTION: pkix_pl_CertNameConstraints_Equals
609 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
610 */
611 static PKIX_Error *
612 pkix_pl_CertNameConstraints_Equals(
613 PKIX_PL_Object *firstObject,
614 PKIX_PL_Object *secondObject,
615 PKIX_Boolean *pResult,
616 void *plContext)
617 {
618 PKIX_PL_CertNameConstraints *firstNC = NULL;
619 PKIX_PL_CertNameConstraints *secondNC = NULL;
620 PKIX_List *firstPermittedList = NULL;
621 PKIX_List *secondPermittedList = NULL;
622 PKIX_List *firstExcludedList = NULL;
623 PKIX_List *secondExcludedList = NULL;
624 PKIX_UInt32 secondType;
625 PKIX_Boolean cmpResult = PKIX_FALSE;
626
627 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals");
628 PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
629
630 /* test that firstObject is a CertNameConstraints */
631 PKIX_CHECK(pkix_CheckType
632 (firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
633 PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS);
634
635 firstNC = (PKIX_PL_CertNameConstraints *)firstObject;
636 secondNC = (PKIX_PL_CertNameConstraints *)secondObject;
637
638 /*
639 * Since we know firstObject is a CertNameConstraints, if both
640 * references are identical, they must be equal
641 */
642 if (firstNC == secondNC){
643 *pResult = PKIX_TRUE;
644 goto cleanup;
645 }
646
647 /*
648 * If secondNC isn't a CertNameConstraints, we don't throw an error.
649 * We simply return a Boolean result of FALSE
650 */
651 *pResult = PKIX_FALSE;
652
653 PKIX_CHECK(PKIX_PL_Object_GetType
654 ((PKIX_PL_Object *)secondNC, &secondType, plContext),
655 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
656
657 if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) {
658 goto cleanup;
659 }
660
661 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
662 (firstNC, &firstPermittedList, plContext),
663 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
664
665 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
666 (secondNC, &secondPermittedList, plContext),
667 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
668
669 PKIX_EQUALS
670 (firstPermittedList, secondPermittedList, &cmpResult, plContext,
671 PKIX_OBJECTEQUALSFAILED);
672
673 if (cmpResult != PKIX_TRUE) {
674 goto cleanup;
675 }
676
677 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
678 (firstNC, &firstExcludedList, plContext),
679 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
680
681 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
682 (secondNC, &secondExcludedList, plContext),
683 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
684
685 PKIX_EQUALS
686 (firstExcludedList, secondExcludedList, &cmpResult, plContext,
687 PKIX_OBJECTEQUALSFAILED);
688
689 if (cmpResult != PKIX_TRUE) {
690 goto cleanup;
691 }
692
693 /*
694 * numNssNameConstraints is not checked because it is basically a
695 * merge count, it cannot determine the data equality.
696 */
697
698 *pResult = PKIX_TRUE;
699
700 cleanup:
701
702 PKIX_DECREF(firstPermittedList);
703 PKIX_DECREF(secondPermittedList);
704 PKIX_DECREF(firstExcludedList);
705 PKIX_DECREF(secondExcludedList);
706
707 PKIX_RETURN(CERTNAMECONSTRAINTS);
708 }
709
710 /*
711 * FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf
712 * DESCRIPTION:
713 * Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with
714 * systemClasses[]
715 * THREAD SAFETY:
716 * Not Thread Safe - for performance and complexity reasons
717 *
718 * Since this function is only called by PKIX_PL_Initialize, which should
719 * only be called once, it is acceptable that this function is not
720 * thread-safe.
721 */
722 PKIX_Error *
723 pkix_pl_CertNameConstraints_RegisterSelf(void *plContext)
724 {
725 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
726 pkix_ClassTable_Entry entry;
727
728 PKIX_ENTER(CERTNAMECONSTRAINTS,
729 "pkix_pl_CertNameConstraints_RegisterSelf");
730
731 entry.description = "CertNameConstraints";
732 entry.destructor = pkix_pl_CertNameConstraints_Destroy;
733 entry.equalsFunction = pkix_pl_CertNameConstraints_Equals;
734 entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode;
735 entry.toStringFunction = pkix_pl_CertNameConstraints_ToString;
736 entry.comparator = NULL;
737 entry.duplicateFunction = pkix_duplicateImmutable;
738
739 systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry;
740
741 PKIX_RETURN(CERTNAMECONSTRAINTS);
742 }
743
744 /*
745 * FUNCTION: pkix_pl_CertNameConstraints_Create_Helper
746 *
747 * DESCRIPTION:
748 * This function retrieves name constraints in "nssNameConstraints",
749 * converts and stores the result in a PKIX_PL_CertNameConstraints object.
750 *
751 * PARAMETERS
752 * "nssNameConstraints"
753 * Address of CERTNameConstraints that contains this object's data.
754 * Must be non-NULL.
755 * "pNameConstraints"
756 * Address where object pointer will be stored. Must be non-NULL.
757 * A NULL value will be returned if there is no Name Constraints extension.
758 * "plContext" - Platform-specific context pointer.
759 *
760 * THREAD SAFETY:
761 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
762 *
763 * RETURNS:
764 * Returns NULL if the function succeeds.
765 * Returns a NameConstraints Error if the function fails in a non-fatal way.
766 * Returns a Fatal Error if the function fails in an unrecoverable way.
767 */
768 static PKIX_Error *
769 pkix_pl_CertNameConstraints_Create_Helper(
770 CERTNameConstraints *nssNameConstraints,
771 PKIX_PL_CertNameConstraints **pNameConstraints,
772 void *plContext)
773 {
774 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
775 CERTNameConstraints **nssNameConstraintPtr = NULL;
776
777 PKIX_ENTER(CERTNAMECONSTRAINTS,
778 "pkix_pl_CertNameConstraints_Create_Helper");
779 PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints);
780
781 PKIX_CHECK(PKIX_PL_Object_Alloc
782 (PKIX_CERTNAMECONSTRAINTS_TYPE,
783 sizeof (PKIX_PL_CertNameConstraints),
784 (PKIX_PL_Object **)&nameConstraints,
785 plContext),
786 PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT);
787
788 PKIX_CHECK(PKIX_PL_Malloc
789 (sizeof (CERTNameConstraint *),
790 (void *)&nssNameConstraintPtr,
791 plContext),
792 PKIX_MALLOCFAILED);
793
794 nameConstraints->numNssNameConstraints = 1;
795 nameConstraints->nssNameConstraintsList = nssNameConstraintPtr;
796 *nssNameConstraintPtr = nssNameConstraints;
797
798 nameConstraints->permittedList = NULL;
799 nameConstraints->excludedList = NULL;
800 nameConstraints->arena = NULL;
801
802 *pNameConstraints = nameConstraints;
803
804 cleanup:
805
806 if (PKIX_ERROR_RECEIVED){
807 PKIX_DECREF(nameConstraints);
808 }
809
810 PKIX_RETURN(CERTNAMECONSTRAINTS);
811 }
812
813 /*
814 * FUNCTION: pkix_pl_CertNameConstraints_Create
815 *
816 * DESCRIPTION:
817 * function that allocates and initialize the object CertNameConstraints.
818 *
819 * PARAMETERS
820 * "nssCert"
821 * Address of CERT that contains this object's data.
822 * Must be non-NULL.
823 * "pNameConstraints"
824 * Address where object pointer will be stored. Must be non-NULL.
825 * A NULL value will be returned if there is no Name Constraints extension.
826 * "plContext" - Platform-specific context pointer.
827 *
828 * THREAD SAFETY:
829 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
830 *
831 * RETURNS:
832 * Returns NULL if the function succeeds.
833 * Returns a NameConstraints Error if the function fails in a non-fatal way.
834 * Returns a Fatal Error if the function fails in an unrecoverable way.
835 */
836 PKIX_Error *
837 pkix_pl_CertNameConstraints_Create(
838 CERTCertificate *nssCert,
839 PKIX_PL_CertNameConstraints **pNameConstraints,
840 void *plContext)
841 {
842 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
843 CERTNameConstraints *nssNameConstraints = NULL;
844 PLArenaPool *arena = NULL;
845 SECStatus status;
846
847 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create");
848 PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena);
849
850 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
851 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
852 if (arena == NULL) {
853 PKIX_ERROR(PKIX_PORTNEWARENAFAILED);
854 }
855
856 PKIX_CERTNAMECONSTRAINTS_DEBUG
857 ("\t\tCalling CERT_FindNameConstraintsExten\n");
858 status = CERT_FindNameConstraintsExten
859 (arena, nssCert, &nssNameConstraints);
860
861 if (status != SECSuccess) {
862 PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED);
863 }
864
865 if (nssNameConstraints == NULL) {
866 *pNameConstraints = NULL;
867 if (arena){
868 PKIX_CERTNAMECONSTRAINTS_DEBUG
869 ("\t\tCalling PORT_FreeArena).\n");
870 PORT_FreeArena(arena, PR_FALSE);
871 }
872 goto cleanup;
873 }
874
875 PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
876 (nssNameConstraints, &nameConstraints, plContext),
877 PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
878
879 nameConstraints->arena = arena;
880
881 *pNameConstraints = nameConstraints;
882
883 cleanup:
884
885 if (PKIX_ERROR_RECEIVED){
886 if (arena){
887 PKIX_CERTNAMECONSTRAINTS_DEBUG
888 ("\t\tCalling PORT_FreeArena).\n");
889 PORT_FreeArena(arena, PR_FALSE);
890 }
891 }
892
893 PKIX_RETURN(CERTNAMECONSTRAINTS);
894 }
895
896 /*
897 * FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge
898 *
899 * DESCRIPTION:
900 *
901 * This function allocates and creates a PKIX_PL_NameConstraint object
902 * for merging. It also allocates CERTNameConstraints data space for the
903 * merged NSS NameConstraints data.
904 *
905 * PARAMETERS
906 * "pNameConstraints"
907 * Address where object pointer will be stored and returned.
908 * Must be non-NULL.
909 * "plContext" - Platform-specific context pointer.
910 *
911 * THREAD SAFETY:
912 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
913 *
914 * RETURNS:
915 * Returns NULL if the function succeeds.
916 * Returns a NameConstraints Error if the function fails in a non-fatal way.
917 * Returns a Fatal Error if the function fails in an unrecoverable way.
918 */
919 static PKIX_Error *
920 pkix_pl_CertNameConstraints_CreateByMerge(
921 PKIX_PL_CertNameConstraints **pNameConstraints,
922 void *plContext)
923 {
924 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
925 CERTNameConstraints *nssNameConstraints = NULL;
926 PLArenaPool *arena = NULL;
927
928 PKIX_ENTER(CERTNAMECONSTRAINTS,
929 "pkix_pl_CertNameConstraints_CreateByMerge");
930 PKIX_NULLCHECK_ONE(pNameConstraints);
931
932 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
933 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
934 if (arena == NULL) {
935 PKIX_ERROR(PKIX_PORTNEWARENAFAILED);
936 }
937
938 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
939 nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
940 if (nssNameConstraints == NULL) {
941 PKIX_ERROR(PKIX_ALLOCATESPACEFORCERTNAMECONSTRAINTSFAILED);
942 }
943
944 nssNameConstraints->permited = NULL;
945 nssNameConstraints->excluded = NULL;
946 nssNameConstraints->DERPermited = NULL;
947 nssNameConstraints->DERExcluded = NULL;
948
949 PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
950 (nssNameConstraints, &nameConstraints, plContext),
951 PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
952
953 nameConstraints->arena = arena;
954
955 *pNameConstraints = nameConstraints;
956
957 cleanup:
958
959 if (PKIX_ERROR_RECEIVED){
960 if (arena){
961 PKIX_CERTNAMECONSTRAINTS_DEBUG
962 ("\t\tCalling PORT_FreeArena).\n");
963 PORT_FreeArena(arena, PR_FALSE);
964 }
965 }
966
967 PKIX_RETURN(CERTNAMECONSTRAINTS);
968 }
969
970 /*
971 * FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints
972 *
973 * DESCRIPTION:
974 *
975 * This function allocates and copies data to a NSS CERTNameConstraints from
976 * the NameConstraints given by "srcNC" and stores the result at "pDestNC". It
977 * copies items on both the permitted and excluded lists, but not the
978 * DERPermited and DERExcluded.
979 *
980 * PARAMETERS
981 * "arena"
982 * Memory pool where object data is allocated from. Must be non-NULL.
983 * "srcNC"
984 * Address of the NameConstraints to copy from. Must be non-NULL.
985 * "pDestNC"
986 * Address where new copied object is stored and returned.
987 * Must be non-NULL.
988 * "plContext" - Platform-specific context pointer.
989 *
990 * THREAD SAFETY:
991 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
992 *
993 * RETURNS:
994 * Returns NULL if the function succeeds.
995 * Returns a NameConstraints Error if the function fails in a non-fatal way.
996 * Returns a Fatal Error if the function fails in an unrecoverable way.
997 */
998 static PKIX_Error *
999 pkix_pl_CertNameConstraints_CopyNssNameConstraints(
1000 PLArenaPool *arena,
1001 CERTNameConstraints *srcNC,
1002 CERTNameConstraints **pDestNC,
1003 void *plContext)
1004 {
1005 CERTNameConstraints *nssNameConstraints = NULL;
1006 CERTNameConstraint *nssNameConstraintHead = NULL;
1007 CERTNameConstraint *nssCurrent = NULL;
1008 CERTNameConstraint *nssCopyTo = NULL;
1009 CERTNameConstraint *nssCopyFrom = NULL;
1010
1011 PKIX_ENTER(CERTNAMECONSTRAINTS,
1012 "pkix_pl_CertNameConstraints_CopyNssNameConstraints");
1013 PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC);
1014
1015 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
1016 nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
1017 if (nssNameConstraints == NULL) {
1018 PKIX_ERROR(PKIX_ALLOCATESPACEFORCERTNAMECONSTRAINTSFAILED);
1019 }
1020
1021 if (srcNC->permited) {
1022
1023 nssCopyFrom = srcNC->permited;
1024
1025 do {
1026
1027 nssCopyTo = NULL;
1028 PKIX_CERTNAMECONSTRAINTS_DEBUG
1029 ("\t\tCalling CERT_CopyNameConstraint).\n");
1030 nssCopyTo = CERT_CopyNameConstraint
1031 (arena, nssCopyTo, nssCopyFrom);
1032 if (nssCopyTo == NULL) {
1033 PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
1034 }
1035 if (nssCurrent == NULL) {
1036 nssCurrent = nssNameConstraintHead = nssCopyTo;
1037 } else {
1038 PKIX_CERTNAMECONSTRAINTS_DEBUG
1039 ("\t\tCalling CERT_AddNameConstraint).\n");
1040 nssCurrent = CERT_AddNameConstraint
1041 (nssCurrent, nssCopyTo);
1042 }
1043
1044 PKIX_CERTNAMECONSTRAINTS_DEBUG
1045 ("\t\tCalling CERT_GetNextNameConstrain).\n");
1046 nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
1047
1048 } while (nssCopyFrom != srcNC->permited);
1049
1050 nssNameConstraints->permited = nssNameConstraintHead;
1051 }
1052
1053 if (srcNC->excluded) {
1054
1055 nssCurrent = NULL;
1056 nssCopyFrom = srcNC->excluded;
1057
1058 do {
1059
1060 /*
1061 * Cannot use CERT_DupGeneralNameList, which just increments
1062 * refcount. We need our own copy since arena is for each
1063 * PKIX_PL_NameConstraints. Perhaps contribute this code
1064 * as CERT_CopyGeneralNameList (in the future).
1065 */
1066 nssCopyTo = NULL;
1067 PKIX_CERTNAMECONSTRAINTS_DEBUG
1068 ("\t\tCalling CERT_CopyNameConstraint).\n");
1069 nssCopyTo = CERT_CopyNameConstraint
1070 (arena, nssCopyTo, nssCopyFrom);
1071 if (nssCopyTo == NULL) {
1072 PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
1073 }
1074 if (nssCurrent == NULL) {
1075 nssCurrent = nssNameConstraintHead = nssCopyTo;
1076 } else {
1077 PKIX_CERTNAMECONSTRAINTS_DEBUG
1078 ("\t\tCalling CERT_AddNameConstraint).\n");
1079 nssCurrent = CERT_AddNameConstraint
1080 (nssCurrent, nssCopyTo);
1081 }
1082
1083 PKIX_CERTNAMECONSTRAINTS_DEBUG
1084 ("\t\tCalling CERT_GetNextNameConstrain).\n");
1085 nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
1086
1087 } while (nssCopyFrom != srcNC->excluded);
1088
1089 nssNameConstraints->excluded = nssNameConstraintHead;
1090 }
1091
1092 *pDestNC = nssNameConstraints;
1093
1094 cleanup:
1095
1096 PKIX_RETURN(CERTNAMECONSTRAINTS);
1097 }
1098
1099 /*
1100 * FUNCTION: pkix_pl_CertNameConstraints_Merge
1101 *
1102 * DESCRIPTION:
1103 *
1104 * This function merges two NameConstraints pointed to by "firstNC" and
1105 * "secondNC" and stores the result in "pMergedNC".
1106 *
1107 * PARAMETERS
1108 * "firstNC"
1109 * Address of the first NameConstraints to be merged. Must be non-NULL.
1110 * "secondNC"
1111 * Address of the second NameConstraints to be merged. Must be non-NULL.
1112 * "pMergedNC"
1113 * Address where the merge result is stored and returned. Must be non-NULL.
1114 * "plContext" - Platform-specific context pointer.
1115 *
1116 * THREAD SAFETY:
1117 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1118 *
1119 * RETURNS:
1120 * Returns NULL if the function succeeds.
1121 * Returns a NameConstraints Error if the function fails in a non-fatal way.
1122 * Returns a Fatal Error if the function fails in an unrecoverable way.
1123 */
1124 PKIX_Error *
1125 pkix_pl_CertNameConstraints_Merge(
1126 PKIX_PL_CertNameConstraints *firstNC,
1127 PKIX_PL_CertNameConstraints *secondNC,
1128 PKIX_PL_CertNameConstraints **pMergedNC,
1129 void *plContext)
1130 {
1131 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
1132 CERTNameConstraints **nssNCto = NULL;
1133 CERTNameConstraints **nssNCfrom = NULL;
1134 CERTNameConstraints *nssNameConstraints = NULL;
1135 PKIX_UInt32 numNssItems = 0;
1136 PKIX_UInt32 i;
1137
1138 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge");
1139 PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC);
1140
1141 PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge
1142 (&nameConstraints, plContext),
1143 PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED);
1144
1145 /* Merge NSSCertConstraint lists */
1146
1147 numNssItems = firstNC->numNssNameConstraints +
1148 secondNC->numNssNameConstraints;
1149
1150 /* Free the default space (only one entry) allocated by create */
1151 PKIX_CHECK(PKIX_PL_Free
1152 (nameConstraints->nssNameConstraintsList, plContext),
1153 PKIX_FREEFAILED);
1154
1155 /* Reallocate the size we need */
1156 PKIX_CHECK(PKIX_PL_Malloc
1157 (numNssItems * sizeof (CERTNameConstraint *),
1158 (void *)&nssNCto,
1159 plContext),
1160 PKIX_MALLOCFAILED);
1161
1162 nameConstraints->nssNameConstraintsList = nssNCto;
1163
1164 nssNCfrom = firstNC->nssNameConstraintsList;
1165
1166 for (i = 0; i < firstNC->numNssNameConstraints; i++) {
1167
1168 PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
1169 (nameConstraints->arena,
1170 *nssNCfrom,
1171 &nssNameConstraints,
1172 plContext),
1173 PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
1174
1175 *nssNCto = nssNameConstraints;
1176
1177 nssNCto++;
1178 nssNCfrom++;
1179 }
1180
1181 nssNCfrom = secondNC->nssNameConstraintsList;
1182
1183 for (i = 0; i < secondNC->numNssNameConstraints; i++) {
1184
1185 PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
1186 (nameConstraints->arena,
1187 *nssNCfrom,
1188 &nssNameConstraints,
1189 plContext),
1190 PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
1191
1192 *nssNCto = nssNameConstraints;
1193
1194 nssNCto++;
1195 nssNCfrom++;
1196 }
1197
1198 nameConstraints->numNssNameConstraints = numNssItems;
1199 nameConstraints->permittedList = NULL;
1200 nameConstraints->excludedList = NULL;
1201
1202 *pMergedNC = nameConstraints;
1203
1204 cleanup:
1205
1206 if (PKIX_ERROR_RECEIVED){
1207 PKIX_DECREF(nameConstraints);
1208 }
1209
1210 PKIX_RETURN(CERTNAMECONSTRAINTS);
1211 }
1212
1213 /* --Public-NameConstraints-Functions-------------------------------- */
1214
1215 /*
1216 * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
1217 * (see comments in pkix_pl_system.h)
1218 */
1219 PKIX_Error *
1220 PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
1221 PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
1222 PKIX_PL_CertNameConstraints *nameConstraints,
1223 PKIX_Boolean *pCheckPass,
1224 void *plContext)
1225 {
1226 CERTNameConstraints **nssNameConstraintsList = NULL;
1227 CERTNameConstraints *nssNameConstraints = NULL;
1228 CERTGeneralName *nssMatchName = NULL;
1229 PRArenaPool *arena = NULL;
1230 PKIX_PL_GeneralName *name = NULL;
1231 PKIX_UInt32 numNameItems = 0;
1232 PKIX_UInt32 numNCItems = 0;
1233 PKIX_UInt32 i, j;
1234 SECStatus status = SECSuccess;
1235
1236 PKIX_ENTER(CERTNAMECONSTRAINTS,
1237 "PKIX_PL_CertNameConstraints_CheckNamesInNameSpace");
1238 PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass);
1239
1240 *pCheckPass = PKIX_TRUE;
1241
1242 if (nameList != NULL) {
1243
1244 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
1245 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1246 if (arena == NULL) {
1247 PKIX_ERROR(PKIX_PORTNEWARENAFAILED);
1248 }
1249
1250 nssNameConstraintsList =
1251 nameConstraints->nssNameConstraintsList;
1252 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
1253 numNCItems = nameConstraints->numNssNameConstraints;
1254
1255 PKIX_CHECK(PKIX_List_GetLength
1256 (nameList, &numNameItems, plContext),
1257 PKIX_LISTGETLENGTHFAILED);
1258
1259 for (i = 0; i < numNameItems; i++) {
1260
1261 PKIX_CHECK(PKIX_List_GetItem
1262 (nameList,
1263 i,
1264 (PKIX_PL_Object **) &name,
1265 plContext),
1266 PKIX_LISTGETITEMFAILED);
1267
1268 PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName
1269 (name, &nssMatchName, plContext),
1270 PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED);
1271
1272 PKIX_DECREF(name);
1273
1274 for (j = 0; j < numNCItems; j++) {
1275
1276 nssNameConstraints = *(nssNameConstraintsList + j);
1277 PKIX_NULLCHECK_ONE(nssNameConstraints);
1278
1279 PKIX_CERTNAMECONSTRAINTS_DEBUG
1280 ("\t\tCalling CERT_CheckNameSpace\n");
1281 status = CERT_CheckNameSpace
1282 (arena, nssNameConstraints, nssMatchName);
1283 if (status != SECSuccess) {
1284 break;
1285 }
1286
1287 }
1288
1289 if (status != SECSuccess) {
1290 break;
1291 }
1292
1293 }
1294 }
1295
1296 if (status == SECFailure) {
1297 *pCheckPass = PKIX_FALSE;
1298 }
1299
1300 cleanup:
1301
1302 if (arena){
1303 PKIX_CERTNAMECONSTRAINTS_DEBUG
1304 ("\t\tCalling PORT_FreeArena).\n");
1305 PORT_FreeArena(arena, PR_FALSE);
1306 }
1307
1308 PKIX_RETURN(CERTNAMECONSTRAINTS);
1309 }
Mozilla NSS module