search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nss: import at 3.0.1 beta 1
[mozilla-nss.git] / security / nss / lib / libpkix / pkix_pl_nss / pki / pkix_pl_nameconstraints.c
bloba0127668bea32e88131cf04244e226614a776725
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the PKIX-C library.
15 *
16 * The Initial Developer of the Original Code is
17 * Sun Microsystems, Inc.
18 * Portions created by the Initial Developer are
19 * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Sun Microsystems, Inc.
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 *
36 * ***** END LICENSE BLOCK ***** */
37 /*
38 * pkix_pl_nameconstraints.c
39 *
40 * Name Constraints Object Functions Definitions
41 *
42 */
43
44 #include "pkix_pl_nameconstraints.h"
45
46
47 /* --Private-NameConstraints-Functions----------------------------- */
48
49 /*
50 * FUNCTION: pkix_pl_CertNameConstraints_GetPermitted
51 * DESCRIPTION:
52 *
53 * This function retrieve name constraints permitted list from NSS
54 * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
55 * in "pPermittedList".
56 *
57 * PARAMETERS
58 * "nameConstraints"
59 * Address of CertNameConstraints which has a pointer to
60 * CERTNameConstraints data. Must be non-NULL.
61 * "pPermittedList"
62 * Address where returned permitted name list is stored. Must be non-NULL.
63 * "plContext" - Platform-specific context pointer.
64 * THREAD SAFETY:
65 * Conditionally Thread Safe
66 * (see Thread Safety Definitions in Programmer's Guide)
67 * RETURNS:
68 * Returns NULL if the function succeeds.
69 * Returns a NameConstraints Error if the function fails in a
70 * non-fatal way.
71 * Returns a Fatal Error if the function fails in an unrecoverable way.
72 */
73 static PKIX_Error *
74 pkix_pl_CertNameConstraints_GetPermitted(
75 PKIX_PL_CertNameConstraints *nameConstraints,
76 PKIX_List **pPermittedList,
77 void *plContext)
78 {
79 CERTNameConstraints *nssNameConstraints = NULL;
80 CERTNameConstraints **nssNameConstraintsList = NULL;
81 CERTNameConstraint *nssPermitted = NULL;
82 CERTNameConstraint *firstPermitted = NULL;
83 PKIX_List *permittedList = NULL;
84 PKIX_PL_GeneralName *name = NULL;
85 PKIX_UInt32 numItems = 0;
86 PKIX_UInt32 i;
87
88 PKIX_ENTER(CERTNAMECONSTRAINTS,
89 "pkix_pl_CertNameConstraints_GetPermitted");
90 PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList);
91
92 /*
93 * nssNameConstraints is an array of CERTNameConstraints
94 * pointers where CERTNameConstraints keep its permitted and excluded
95 * lists as pointer array of CERTNameConstraint.
96 */
97
98 if (nameConstraints->permittedList == NULL) {
99
100 PKIX_OBJECT_LOCK(nameConstraints);
101
102 if (nameConstraints->permittedList == NULL) {
103
104 PKIX_CHECK(PKIX_List_Create(&permittedList, plContext),
105 PKIX_LISTCREATEFAILED);
106
107 numItems = nameConstraints->numNssNameConstraints;
108 nssNameConstraintsList =
109 nameConstraints->nssNameConstraintsList;
110
111 for (i = 0; i < numItems; i++) {
112
113 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
114 nssNameConstraints = *(nssNameConstraintsList + i);
115 PKIX_NULLCHECK_ONE(nssNameConstraints);
116
117 if (nssNameConstraints->permited != NULL) {
118
119 nssPermitted = nssNameConstraints->permited;
120 firstPermitted = nssPermitted;
121
122 do {
123
124 PKIX_CHECK(pkix_pl_GeneralName_Create
125 (&nssPermitted->name, &name, plContext),
126 PKIX_GENERALNAMECREATEFAILED);
127
128 PKIX_CHECK(PKIX_List_AppendItem
129 (permittedList,
130 (PKIX_PL_Object *)name,
131 plContext),
132 PKIX_LISTAPPENDITEMFAILED);
133
134 PKIX_DECREF(name);
135
136 PKIX_CERTNAMECONSTRAINTS_DEBUG
137 ("\t\tCalling CERT_GetNextNameConstraint\n");
138 nssPermitted = CERT_GetNextNameConstraint
139 (nssPermitted);
140
141 } while (nssPermitted != firstPermitted);
142
143 }
144 }
145
146 PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext),
147 PKIX_LISTSETIMMUTABLEFAILED);
148
149 nameConstraints->permittedList = permittedList;
150
151 }
152
153 PKIX_OBJECT_UNLOCK(nameConstraints);
154
155 }
156
157 PKIX_INCREF(nameConstraints->permittedList);
158
159 *pPermittedList = nameConstraints->permittedList;
160
161 cleanup:
162
163 PKIX_RETURN(CERTNAMECONSTRAINTS);
164 }
165
166 /*
167 * FUNCTION: pkix_pl_CertNameConstraints_GetExcluded
168 * DESCRIPTION:
169 *
170 * This function retrieve name constraints excluded list from NSS
171 * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
172 * in "pExcludedList".
173 *
174 * PARAMETERS
175 * "nameConstraints"
176 * Address of CertNameConstraints which has a pointer to NSS data.
177 * Must be non-NULL.
178 * "pPermittedList"
179 * Address where returned excluded name list is stored. Must be non-NULL.
180 * "plContext" - Platform-specific context pointer.
181 * THREAD SAFETY:
182 * Conditionally Thread Safe
183 * (see Thread Safety Definitions in Programmer's Guide)
184 * RETURNS:
185 * Returns NULL if the function succeeds.
186 * Returns a NameConstraints Error if the function fails in a
187 * non-fatal way.
188 * Returns a Fatal Error if the function fails in an unrecoverable way.
189 */
190 static PKIX_Error *
191 pkix_pl_CertNameConstraints_GetExcluded(
192 PKIX_PL_CertNameConstraints *nameConstraints,
193 PKIX_List **pExcludedList,
194 void *plContext)
195 {
196 CERTNameConstraints *nssNameConstraints = NULL;
197 CERTNameConstraints **nssNameConstraintsList = NULL;
198 CERTNameConstraint *nssExcluded = NULL;
199 CERTNameConstraint *firstExcluded = NULL;
200 PKIX_List *excludedList = NULL;
201 PKIX_PL_GeneralName *name = NULL;
202 PKIX_UInt32 numItems = 0;
203 PKIX_UInt32 i;
204
205 PKIX_ENTER(CERTNAMECONSTRAINTS,
206 "pkix_pl_CertNameConstraints_GetExcluded");
207 PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList);
208
209 if (nameConstraints->excludedList == NULL) {
210
211 PKIX_OBJECT_LOCK(nameConstraints);
212
213 if (nameConstraints->excludedList == NULL) {
214
215 PKIX_CHECK(PKIX_List_Create(&excludedList, plContext),
216 PKIX_LISTCREATEFAILED);
217
218 numItems = nameConstraints->numNssNameConstraints;
219 nssNameConstraintsList =
220 nameConstraints->nssNameConstraintsList;
221
222 for (i = 0; i < numItems; i++) {
223
224 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
225 nssNameConstraints = *(nssNameConstraintsList + i);
226 PKIX_NULLCHECK_ONE(nssNameConstraints);
227
228 if (nssNameConstraints->excluded != NULL) {
229
230 nssExcluded = nssNameConstraints->excluded;
231 firstExcluded = nssExcluded;
232
233 do {
234
235 PKIX_CHECK(pkix_pl_GeneralName_Create
236 (&nssExcluded->name, &name, plContext),
237 PKIX_GENERALNAMECREATEFAILED);
238
239 PKIX_CHECK(PKIX_List_AppendItem
240 (excludedList,
241 (PKIX_PL_Object *)name,
242 plContext),
243 PKIX_LISTAPPENDITEMFAILED);
244
245 PKIX_DECREF(name);
246
247 PKIX_CERTNAMECONSTRAINTS_DEBUG
248 ("\t\tCalling CERT_GetNextNameConstraint\n");
249 nssExcluded = CERT_GetNextNameConstraint
250 (nssExcluded);
251
252 } while (nssExcluded != firstExcluded);
253
254 }
255
256 }
257 PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext),
258 PKIX_LISTSETIMMUTABLEFAILED);
259
260 nameConstraints->excludedList = excludedList;
261
262 }
263
264 PKIX_OBJECT_UNLOCK(nameConstraints);
265 }
266
267 PKIX_INCREF(nameConstraints->excludedList);
268
269 *pExcludedList = nameConstraints->excludedList;
270
271 cleanup:
272
273 PKIX_RETURN(CERTNAMECONSTRAINTS);
274 }
275
276 /*
277 * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
278 * DESCRIPTION:
279 *
280 * This function checks if CERTGeneral names in "nssSubjectNames" complies
281 * with the permitted and excluded names in "nameConstraints". It returns
282 * PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
283 * permitted list and if the Names are not in the excluded list. Otherwise,
284 * it returns PKIX_FALSE.
285 *
286 * PARAMETERS
287 * "nssSubjectNames"
288 * List of CERTGeneralName that nameConstraints verification is based on.
289 * "nameConstraints"
290 * Address of CertNameConstraints that provides lists of permitted
291 * and excluded names. Must be non-NULL.
292 * "pCheckPass"
293 * Address where PKIX_TRUE is returned if the all names in "nameList" are
294 * valid.
295 * "plContext" - Platform-specific context pointer.
296 * THREAD SAFETY:
297 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
298 * RETURNS:
299 * Returns NULL if the function succeeds.
300 * Returns a NameConstraints Error if the function fails in a
301 * non-fatal way.
302 * Returns a Fatal Error if the function fails in an unrecoverable way.
303 */
304 PKIX_Error *
305 pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
306 CERTGeneralName *nssSubjectNames,
307 PKIX_PL_CertNameConstraints *nameConstraints,
308 PKIX_Boolean *pCheckPass,
309 void *plContext)
310 {
311 CERTNameConstraints **nssNameConstraintsList = NULL;
312 CERTNameConstraints *nssNameConstraints = NULL;
313 CERTGeneralName *nssMatchName = NULL;
314 PRArenaPool *arena = NULL;
315 PKIX_UInt32 numItems = 0;
316 PKIX_UInt32 i;
317 SECStatus status = SECSuccess;
318
319 PKIX_ENTER(CERTNAMECONSTRAINTS,
320 "pkix_pl_CertNameConstraints_CheckNameSpaceNssNames");
321 PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass);
322
323 *pCheckPass = PKIX_TRUE;
324
325 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
326 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
327 if (arena == NULL) {
328 PKIX_ERROR(PKIX_OUTOFMEMORY);
329 }
330
331 nssMatchName = nssSubjectNames;
332 nssNameConstraintsList = nameConstraints->nssNameConstraintsList;
333
334 /*
335 * CERTNameConstraint items in each permitted or excluded list
336 * is verified as OR condition. That means, if one item matched,
337 * then the checking on the remaining items on the list is skipped.
338 * (see NSS cert_CompareNameWithConstraints(...)).
339 * Items on PKIX_PL_NameConstraint's nssNameConstraints are verified
340 * as AND condition. PKIX_PL_NameConstraint keeps an array of pointers
341 * of CERTNameConstraints resulting from merging multiple
342 * PKIX_PL_NameConstraints. Since each CERTNameConstraint are created
343 * for different entity, a union condition of these entities then is
344 * performed.
345 */
346
347 do {
348
349 numItems = nameConstraints->numNssNameConstraints;
350
351 for (i = 0; i < numItems; i++) {
352
353 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
354 nssNameConstraints = *(nssNameConstraintsList + i);
355 PKIX_NULLCHECK_ONE(nssNameConstraints);
356
357 PKIX_CERTNAMECONSTRAINTS_DEBUG
358 ("\t\tCalling CERT_CheckNameSpace\n");
359 status = CERT_CheckNameSpace
360 (arena, nssNameConstraints, nssMatchName);
361 if (status != SECSuccess) {
362 break;
363 }
364
365 }
366
367 if (status != SECSuccess) {
368 break;
369 }
370
371 PKIX_CERTNAMECONSTRAINTS_DEBUG
372 ("\t\tCalling CERT_GetNextGeneralName\n");
373 nssMatchName = CERT_GetNextGeneralName(nssMatchName);
374
375 } while (nssMatchName != nssSubjectNames);
376
377 if (status == SECFailure) {
378
379 *pCheckPass = PKIX_FALSE;
380 }
381
382 cleanup:
383
384 if (arena){
385 PKIX_CERTNAMECONSTRAINTS_DEBUG
386 ("\t\tCalling PORT_FreeArena).\n");
387 PORT_FreeArena(arena, PR_FALSE);
388 }
389
390 PKIX_RETURN(CERTNAMECONSTRAINTS);
391 }
392
393 /*
394 * FUNCTION: pkix_pl_NameConstraints_Destroy
395 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
396 */
397 static PKIX_Error *
398 pkix_pl_CertNameConstraints_Destroy(
399 PKIX_PL_Object *object,
400 void *plContext)
401 {
402 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
403
404 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy");
405 PKIX_NULLCHECK_ONE(object);
406
407 PKIX_CHECK(pkix_CheckType
408 (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
409 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
410
411 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
412
413 PKIX_CHECK(PKIX_PL_Free
414 (nameConstraints->nssNameConstraintsList, plContext),
415 PKIX_FREEFAILED);
416
417 if (nameConstraints->arena){
418 PKIX_CERTNAMECONSTRAINTS_DEBUG
419 ("\t\tCalling PORT_FreeArena).\n");
420 PORT_FreeArena(nameConstraints->arena, PR_FALSE);
421 nameConstraints->arena = NULL;
422 }
423
424 PKIX_DECREF(nameConstraints->permittedList);
425 PKIX_DECREF(nameConstraints->excludedList);
426
427 cleanup:
428
429 PKIX_RETURN(CERTNAMECONSTRAINTS);
430 }
431
432 /*
433 * FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper
434 * DESCRIPTION:
435 *
436 * Helper function that creates a string representation of the object
437 * NameConstraints and stores it at "pString".
438 *
439 * PARAMETERS
440 * "nameConstraints"
441 * Address of CertNameConstraints whose string representation is
442 * desired. Must be non-NULL.
443 * "pString"
444 * Address where string object pointer will be stored. Must be non-NULL.
445 * "plContext" - Platform-specific context pointer.
446 * THREAD SAFETY:
447 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
448 * RETURNS:
449 * Returns NULL if the function succeeds.
450 * Returns a NameConstraints Error if the function fails in a
451 * non-fatal way.
452 * Returns a Fatal Error if the function fails in an unrecoverable way.
453 */
454 static PKIX_Error *
455 pkix_pl_CertNameConstraints_ToString_Helper(
456 PKIX_PL_CertNameConstraints *nameConstraints,
457 PKIX_PL_String **pString,
458 void *plContext)
459 {
460 char *asciiFormat = NULL;
461 PKIX_PL_String *formatString = NULL;
462 PKIX_List *permittedList = NULL;
463 PKIX_List *excludedList = NULL;
464 PKIX_PL_String *permittedListString = NULL;
465 PKIX_PL_String *excludedListString = NULL;
466 PKIX_PL_String *nameConstraintsString = NULL;
467
468 PKIX_ENTER(CERTNAMECONSTRAINTS,
469 "pkix_pl_CertNameConstraints_ToString_Helper");
470 PKIX_NULLCHECK_TWO(nameConstraints, pString);
471
472 asciiFormat =
473 "[\n"
474 "\t\tPermitted Name: %s\n"
475 "\t\tExcluded Name: %s\n"
476 "\t]\n";
477
478 PKIX_CHECK(PKIX_PL_String_Create
479 (PKIX_ESCASCII,
480 asciiFormat,
481 0,
482 &formatString,
483 plContext),
484 PKIX_STRINGCREATEFAILED);
485
486 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
487 (nameConstraints, &permittedList, plContext),
488 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
489
490 PKIX_TOSTRING(permittedList, &permittedListString, plContext,
491 PKIX_LISTTOSTRINGFAILED);
492
493 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
494 (nameConstraints, &excludedList, plContext),
495 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
496
497 PKIX_TOSTRING(excludedList, &excludedListString, plContext,
498 PKIX_LISTTOSTRINGFAILED);
499
500 PKIX_CHECK(PKIX_PL_Sprintf
501 (&nameConstraintsString,
502 plContext,
503 formatString,
504 permittedListString,
505 excludedListString),
506 PKIX_SPRINTFFAILED);
507
508 *pString = nameConstraintsString;
509
510 cleanup:
511
512 PKIX_DECREF(formatString);
513 PKIX_DECREF(permittedList);
514 PKIX_DECREF(excludedList);
515 PKIX_DECREF(permittedListString);
516 PKIX_DECREF(excludedListString);
517
518 PKIX_RETURN(CERTNAMECONSTRAINTS);
519 }
520
521 /*
522 * FUNCTION: pkix_pl_CertNameConstraints_ToString
523 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
524 */
525 static PKIX_Error *
526 pkix_pl_CertNameConstraints_ToString(
527 PKIX_PL_Object *object,
528 PKIX_PL_String **pString,
529 void *plContext)
530 {
531 PKIX_PL_String *nameConstraintsString = NULL;
532 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
533
534 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString");
535 PKIX_NULLCHECK_TWO(object, pString);
536
537 PKIX_CHECK(pkix_CheckType(
538 object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
539 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
540
541 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
542
543 PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper
544 (nameConstraints, &nameConstraintsString, plContext),
545 PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED);
546
547 *pString = nameConstraintsString;
548
549 cleanup:
550
551 PKIX_RETURN(CERTNAMECONSTRAINTS);
552 }
553
554 /*
555 * FUNCTION: pkix_pl_CertNameConstraints_Hashcode
556 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
557 */
558 static PKIX_Error *
559 pkix_pl_CertNameConstraints_Hashcode(
560 PKIX_PL_Object *object,
561 PKIX_UInt32 *pHashcode,
562 void *plContext)
563 {
564 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
565 PKIX_List *permittedList = NULL;
566 PKIX_List *excludedList = NULL;
567 PKIX_UInt32 permitHash = 0;
568 PKIX_UInt32 excludeHash = 0;
569
570 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode");
571 PKIX_NULLCHECK_TWO(object, pHashcode);
572
573 PKIX_CHECK(pkix_CheckType
574 (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
575 PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
576
577 nameConstraints = (PKIX_PL_CertNameConstraints *)object;
578
579 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
580 (nameConstraints, &permittedList, plContext),
581 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
582
583 PKIX_HASHCODE(permittedList, &permitHash, plContext,
584 PKIX_OBJECTHASHCODEFAILED);
585
586 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
587 (nameConstraints, &excludedList, plContext),
588 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
589
590 PKIX_HASHCODE(excludedList, &excludeHash, plContext,
591 PKIX_OBJECTHASHCODEFAILED);
592
593 *pHashcode = (((permitHash << 7) + excludeHash) << 7) +
594 nameConstraints->numNssNameConstraints;
595
596 cleanup:
597
598 PKIX_DECREF(permittedList);
599 PKIX_DECREF(excludedList);
600 PKIX_RETURN(CERTNAMECONSTRAINTS);
601 }
602
603 /*
604 * FUNCTION: pkix_pl_CertNameConstraints_Equals
605 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
606 */
607 static PKIX_Error *
608 pkix_pl_CertNameConstraints_Equals(
609 PKIX_PL_Object *firstObject,
610 PKIX_PL_Object *secondObject,
611 PKIX_Boolean *pResult,
612 void *plContext)
613 {
614 PKIX_PL_CertNameConstraints *firstNC = NULL;
615 PKIX_PL_CertNameConstraints *secondNC = NULL;
616 PKIX_List *firstPermittedList = NULL;
617 PKIX_List *secondPermittedList = NULL;
618 PKIX_List *firstExcludedList = NULL;
619 PKIX_List *secondExcludedList = NULL;
620 PKIX_UInt32 secondType;
621 PKIX_Boolean cmpResult = PKIX_FALSE;
622
623 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals");
624 PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
625
626 /* test that firstObject is a CertNameConstraints */
627 PKIX_CHECK(pkix_CheckType
628 (firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
629 PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS);
630
631 firstNC = (PKIX_PL_CertNameConstraints *)firstObject;
632 secondNC = (PKIX_PL_CertNameConstraints *)secondObject;
633
634 /*
635 * Since we know firstObject is a CertNameConstraints, if both
636 * references are identical, they must be equal
637 */
638 if (firstNC == secondNC){
639 *pResult = PKIX_TRUE;
640 goto cleanup;
641 }
642
643 /*
644 * If secondNC isn't a CertNameConstraints, we don't throw an error.
645 * We simply return a Boolean result of FALSE
646 */
647 *pResult = PKIX_FALSE;
648
649 PKIX_CHECK(PKIX_PL_Object_GetType
650 ((PKIX_PL_Object *)secondNC, &secondType, plContext),
651 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
652
653 if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) {
654 goto cleanup;
655 }
656
657 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
658 (firstNC, &firstPermittedList, plContext),
659 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
660
661 PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
662 (secondNC, &secondPermittedList, plContext),
663 PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
664
665 PKIX_EQUALS
666 (firstPermittedList, secondPermittedList, &cmpResult, plContext,
667 PKIX_OBJECTEQUALSFAILED);
668
669 if (cmpResult != PKIX_TRUE) {
670 goto cleanup;
671 }
672
673 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
674 (firstNC, &firstExcludedList, plContext),
675 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
676
677 PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
678 (secondNC, &secondExcludedList, plContext),
679 PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
680
681 PKIX_EQUALS
682 (firstExcludedList, secondExcludedList, &cmpResult, plContext,
683 PKIX_OBJECTEQUALSFAILED);
684
685 if (cmpResult != PKIX_TRUE) {
686 goto cleanup;
687 }
688
689 /*
690 * numNssNameConstraints is not checked because it is basically a
691 * merge count, it cannot determine the data equality.
692 */
693
694 *pResult = PKIX_TRUE;
695
696 cleanup:
697
698 PKIX_DECREF(firstPermittedList);
699 PKIX_DECREF(secondPermittedList);
700 PKIX_DECREF(firstExcludedList);
701 PKIX_DECREF(secondExcludedList);
702
703 PKIX_RETURN(CERTNAMECONSTRAINTS);
704 }
705
706 /*
707 * FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf
708 * DESCRIPTION:
709 * Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with
710 * systemClasses[]
711 * THREAD SAFETY:
712 * Not Thread Safe - for performance and complexity reasons
713 *
714 * Since this function is only called by PKIX_PL_Initialize, which should
715 * only be called once, it is acceptable that this function is not
716 * thread-safe.
717 */
718 PKIX_Error *
719 pkix_pl_CertNameConstraints_RegisterSelf(void *plContext)
720 {
721 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
722 pkix_ClassTable_Entry entry;
723
724 PKIX_ENTER(CERTNAMECONSTRAINTS,
725 "pkix_pl_CertNameConstraints_RegisterSelf");
726
727 entry.description = "CertNameConstraints";
728 entry.objCounter = 0;
729 entry.typeObjectSize = sizeof(PKIX_PL_CertNameConstraints);
730 entry.destructor = pkix_pl_CertNameConstraints_Destroy;
731 entry.equalsFunction = pkix_pl_CertNameConstraints_Equals;
732 entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode;
733 entry.toStringFunction = pkix_pl_CertNameConstraints_ToString;
734 entry.comparator = NULL;
735 entry.duplicateFunction = pkix_duplicateImmutable;
736
737 systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry;
738
739 PKIX_RETURN(CERTNAMECONSTRAINTS);
740 }
741
742 /*
743 * FUNCTION: pkix_pl_CertNameConstraints_Create_Helper
744 *
745 * DESCRIPTION:
746 * This function retrieves name constraints in "nssNameConstraints",
747 * converts and stores the result in a PKIX_PL_CertNameConstraints object.
748 *
749 * PARAMETERS
750 * "nssNameConstraints"
751 * Address of CERTNameConstraints that contains this object's data.
752 * Must be non-NULL.
753 * "pNameConstraints"
754 * Address where object pointer will be stored. Must be non-NULL.
755 * A NULL value will be returned if there is no Name Constraints extension.
756 * "plContext" - Platform-specific context pointer.
757 *
758 * THREAD SAFETY:
759 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
760 *
761 * RETURNS:
762 * Returns NULL if the function succeeds.
763 * Returns a NameConstraints Error if the function fails in a non-fatal way.
764 * Returns a Fatal Error if the function fails in an unrecoverable way.
765 */
766 static PKIX_Error *
767 pkix_pl_CertNameConstraints_Create_Helper(
768 CERTNameConstraints *nssNameConstraints,
769 PKIX_PL_CertNameConstraints **pNameConstraints,
770 void *plContext)
771 {
772 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
773 CERTNameConstraints **nssNameConstraintPtr = NULL;
774
775 PKIX_ENTER(CERTNAMECONSTRAINTS,
776 "pkix_pl_CertNameConstraints_Create_Helper");
777 PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints);
778
779 PKIX_CHECK(PKIX_PL_Object_Alloc
780 (PKIX_CERTNAMECONSTRAINTS_TYPE,
781 sizeof (PKIX_PL_CertNameConstraints),
782 (PKIX_PL_Object **)&nameConstraints,
783 plContext),
784 PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT);
785
786 PKIX_CHECK(PKIX_PL_Malloc
787 (sizeof (CERTNameConstraint *),
788 (void *)&nssNameConstraintPtr,
789 plContext),
790 PKIX_MALLOCFAILED);
791
792 nameConstraints->numNssNameConstraints = 1;
793 nameConstraints->nssNameConstraintsList = nssNameConstraintPtr;
794 *nssNameConstraintPtr = nssNameConstraints;
795
796 nameConstraints->permittedList = NULL;
797 nameConstraints->excludedList = NULL;
798 nameConstraints->arena = NULL;
799
800 *pNameConstraints = nameConstraints;
801
802 cleanup:
803
804 if (PKIX_ERROR_RECEIVED){
805 PKIX_DECREF(nameConstraints);
806 }
807
808 PKIX_RETURN(CERTNAMECONSTRAINTS);
809 }
810
811 /*
812 * FUNCTION: pkix_pl_CertNameConstraints_Create
813 *
814 * DESCRIPTION:
815 * function that allocates and initialize the object CertNameConstraints.
816 *
817 * PARAMETERS
818 * "nssCert"
819 * Address of CERT that contains this object's data.
820 * Must be non-NULL.
821 * "pNameConstraints"
822 * Address where object pointer will be stored. Must be non-NULL.
823 * A NULL value will be returned if there is no Name Constraints extension.
824 * "plContext" - Platform-specific context pointer.
825 *
826 * THREAD SAFETY:
827 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
828 *
829 * RETURNS:
830 * Returns NULL if the function succeeds.
831 * Returns a NameConstraints Error if the function fails in a non-fatal way.
832 * Returns a Fatal Error if the function fails in an unrecoverable way.
833 */
834 PKIX_Error *
835 pkix_pl_CertNameConstraints_Create(
836 CERTCertificate *nssCert,
837 PKIX_PL_CertNameConstraints **pNameConstraints,
838 void *plContext)
839 {
840 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
841 CERTNameConstraints *nssNameConstraints = NULL;
842 PLArenaPool *arena = NULL;
843 SECStatus status;
844
845 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create");
846 PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena);
847
848 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
849 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
850 if (arena == NULL) {
851 PKIX_ERROR(PKIX_OUTOFMEMORY);
852 }
853
854 PKIX_CERTNAMECONSTRAINTS_DEBUG
855 ("\t\tCalling CERT_FindNameConstraintsExten\n");
856 status = CERT_FindNameConstraintsExten
857 (arena, nssCert, &nssNameConstraints);
858
859 if (status != SECSuccess) {
860 PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED);
861 }
862
863 if (nssNameConstraints == NULL) {
864 *pNameConstraints = NULL;
865 if (arena){
866 PKIX_CERTNAMECONSTRAINTS_DEBUG
867 ("\t\tCalling PORT_FreeArena).\n");
868 PORT_FreeArena(arena, PR_FALSE);
869 }
870 goto cleanup;
871 }
872
873 PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
874 (nssNameConstraints, &nameConstraints, plContext),
875 PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
876
877 nameConstraints->arena = arena;
878
879 *pNameConstraints = nameConstraints;
880
881 cleanup:
882
883 if (PKIX_ERROR_RECEIVED){
884 if (arena){
885 PKIX_CERTNAMECONSTRAINTS_DEBUG
886 ("\t\tCalling PORT_FreeArena).\n");
887 PORT_FreeArena(arena, PR_FALSE);
888 }
889 }
890
891 PKIX_RETURN(CERTNAMECONSTRAINTS);
892 }
893
894 /*
895 * FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge
896 *
897 * DESCRIPTION:
898 *
899 * This function allocates and creates a PKIX_PL_NameConstraint object
900 * for merging. It also allocates CERTNameConstraints data space for the
901 * merged NSS NameConstraints data.
902 *
903 * PARAMETERS
904 * "pNameConstraints"
905 * Address where object pointer will be stored and returned.
906 * Must be non-NULL.
907 * "plContext" - Platform-specific context pointer.
908 *
909 * THREAD SAFETY:
910 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
911 *
912 * RETURNS:
913 * Returns NULL if the function succeeds.
914 * Returns a NameConstraints Error if the function fails in a non-fatal way.
915 * Returns a Fatal Error if the function fails in an unrecoverable way.
916 */
917 static PKIX_Error *
918 pkix_pl_CertNameConstraints_CreateByMerge(
919 PKIX_PL_CertNameConstraints **pNameConstraints,
920 void *plContext)
921 {
922 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
923 CERTNameConstraints *nssNameConstraints = NULL;
924 PLArenaPool *arena = NULL;
925
926 PKIX_ENTER(CERTNAMECONSTRAINTS,
927 "pkix_pl_CertNameConstraints_CreateByMerge");
928 PKIX_NULLCHECK_ONE(pNameConstraints);
929
930 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
931 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
932 if (arena == NULL) {
933 PKIX_ERROR(PKIX_OUTOFMEMORY);
934 }
935
936 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
937 nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
938 if (nssNameConstraints == NULL) {
939 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
940 }
941
942 nssNameConstraints->permited = NULL;
943 nssNameConstraints->excluded = NULL;
944 nssNameConstraints->DERPermited = NULL;
945 nssNameConstraints->DERExcluded = NULL;
946
947 PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
948 (nssNameConstraints, &nameConstraints, plContext),
949 PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
950
951 nameConstraints->arena = arena;
952
953 *pNameConstraints = nameConstraints;
954
955 cleanup:
956
957 if (PKIX_ERROR_RECEIVED){
958 if (arena){
959 PKIX_CERTNAMECONSTRAINTS_DEBUG
960 ("\t\tCalling PORT_FreeArena).\n");
961 PORT_FreeArena(arena, PR_FALSE);
962 }
963 }
964
965 PKIX_RETURN(CERTNAMECONSTRAINTS);
966 }
967
968 /*
969 * FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints
970 *
971 * DESCRIPTION:
972 *
973 * This function allocates and copies data to a NSS CERTNameConstraints from
974 * the NameConstraints given by "srcNC" and stores the result at "pDestNC". It
975 * copies items on both the permitted and excluded lists, but not the
976 * DERPermited and DERExcluded.
977 *
978 * PARAMETERS
979 * "arena"
980 * Memory pool where object data is allocated from. Must be non-NULL.
981 * "srcNC"
982 * Address of the NameConstraints to copy from. Must be non-NULL.
983 * "pDestNC"
984 * Address where new copied object is stored and returned.
985 * Must be non-NULL.
986 * "plContext" - Platform-specific context pointer.
987 *
988 * THREAD SAFETY:
989 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
990 *
991 * RETURNS:
992 * Returns NULL if the function succeeds.
993 * Returns a NameConstraints Error if the function fails in a non-fatal way.
994 * Returns a Fatal Error if the function fails in an unrecoverable way.
995 */
996 static PKIX_Error *
997 pkix_pl_CertNameConstraints_CopyNssNameConstraints(
998 PLArenaPool *arena,
999 CERTNameConstraints *srcNC,
1000 CERTNameConstraints **pDestNC,
1001 void *plContext)
1002 {
1003 CERTNameConstraints *nssNameConstraints = NULL;
1004 CERTNameConstraint *nssNameConstraintHead = NULL;
1005 CERTNameConstraint *nssCurrent = NULL;
1006 CERTNameConstraint *nssCopyTo = NULL;
1007 CERTNameConstraint *nssCopyFrom = NULL;
1008
1009 PKIX_ENTER(CERTNAMECONSTRAINTS,
1010 "pkix_pl_CertNameConstraints_CopyNssNameConstraints");
1011 PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC);
1012
1013 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
1014 nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
1015 if (nssNameConstraints == NULL) {
1016 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
1017 }
1018
1019 if (srcNC->permited) {
1020
1021 nssCopyFrom = srcNC->permited;
1022
1023 do {
1024
1025 nssCopyTo = NULL;
1026 PKIX_CERTNAMECONSTRAINTS_DEBUG
1027 ("\t\tCalling CERT_CopyNameConstraint).\n");
1028 nssCopyTo = CERT_CopyNameConstraint
1029 (arena, nssCopyTo, nssCopyFrom);
1030 if (nssCopyTo == NULL) {
1031 PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
1032 }
1033 if (nssCurrent == NULL) {
1034 nssCurrent = nssNameConstraintHead = nssCopyTo;
1035 } else {
1036 PKIX_CERTNAMECONSTRAINTS_DEBUG
1037 ("\t\tCalling CERT_AddNameConstraint).\n");
1038 nssCurrent = CERT_AddNameConstraint
1039 (nssCurrent, nssCopyTo);
1040 }
1041
1042 PKIX_CERTNAMECONSTRAINTS_DEBUG
1043 ("\t\tCalling CERT_GetNextNameConstrain).\n");
1044 nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
1045
1046 } while (nssCopyFrom != srcNC->permited);
1047
1048 nssNameConstraints->permited = nssNameConstraintHead;
1049 }
1050
1051 if (srcNC->excluded) {
1052
1053 nssCurrent = NULL;
1054 nssCopyFrom = srcNC->excluded;
1055
1056 do {
1057
1058 /*
1059 * Cannot use CERT_DupGeneralNameList, which just increments
1060 * refcount. We need our own copy since arena is for each
1061 * PKIX_PL_NameConstraints. Perhaps contribute this code
1062 * as CERT_CopyGeneralNameList (in the future).
1063 */
1064 nssCopyTo = NULL;
1065 PKIX_CERTNAMECONSTRAINTS_DEBUG
1066 ("\t\tCalling CERT_CopyNameConstraint).\n");
1067 nssCopyTo = CERT_CopyNameConstraint
1068 (arena, nssCopyTo, nssCopyFrom);
1069 if (nssCopyTo == NULL) {
1070 PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
1071 }
1072 if (nssCurrent == NULL) {
1073 nssCurrent = nssNameConstraintHead = nssCopyTo;
1074 } else {
1075 PKIX_CERTNAMECONSTRAINTS_DEBUG
1076 ("\t\tCalling CERT_AddNameConstraint).\n");
1077 nssCurrent = CERT_AddNameConstraint
1078 (nssCurrent, nssCopyTo);
1079 }
1080
1081 PKIX_CERTNAMECONSTRAINTS_DEBUG
1082 ("\t\tCalling CERT_GetNextNameConstrain).\n");
1083 nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
1084
1085 } while (nssCopyFrom != srcNC->excluded);
1086
1087 nssNameConstraints->excluded = nssNameConstraintHead;
1088 }
1089
1090 *pDestNC = nssNameConstraints;
1091
1092 cleanup:
1093
1094 PKIX_RETURN(CERTNAMECONSTRAINTS);
1095 }
1096
1097 /*
1098 * FUNCTION: pkix_pl_CertNameConstraints_Merge
1099 *
1100 * DESCRIPTION:
1101 *
1102 * This function merges two NameConstraints pointed to by "firstNC" and
1103 * "secondNC" and stores the result in "pMergedNC".
1104 *
1105 * PARAMETERS
1106 * "firstNC"
1107 * Address of the first NameConstraints to be merged. Must be non-NULL.
1108 * "secondNC"
1109 * Address of the second NameConstraints to be merged. Must be non-NULL.
1110 * "pMergedNC"
1111 * Address where the merge result is stored and returned. Must be non-NULL.
1112 * "plContext" - Platform-specific context pointer.
1113 *
1114 * THREAD SAFETY:
1115 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1116 *
1117 * RETURNS:
1118 * Returns NULL if the function succeeds.
1119 * Returns a NameConstraints Error if the function fails in a non-fatal way.
1120 * Returns a Fatal Error if the function fails in an unrecoverable way.
1121 */
1122 PKIX_Error *
1123 pkix_pl_CertNameConstraints_Merge(
1124 PKIX_PL_CertNameConstraints *firstNC,
1125 PKIX_PL_CertNameConstraints *secondNC,
1126 PKIX_PL_CertNameConstraints **pMergedNC,
1127 void *plContext)
1128 {
1129 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
1130 CERTNameConstraints **nssNCto = NULL;
1131 CERTNameConstraints **nssNCfrom = NULL;
1132 CERTNameConstraints *nssNameConstraints = NULL;
1133 PKIX_UInt32 numNssItems = 0;
1134 PKIX_UInt32 i;
1135
1136 PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge");
1137 PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC);
1138
1139 PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge
1140 (&nameConstraints, plContext),
1141 PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED);
1142
1143 /* Merge NSSCertConstraint lists */
1144
1145 numNssItems = firstNC->numNssNameConstraints +
1146 secondNC->numNssNameConstraints;
1147
1148 /* Free the default space (only one entry) allocated by create */
1149 PKIX_CHECK(PKIX_PL_Free
1150 (nameConstraints->nssNameConstraintsList, plContext),
1151 PKIX_FREEFAILED);
1152
1153 /* Reallocate the size we need */
1154 PKIX_CHECK(PKIX_PL_Malloc
1155 (numNssItems * sizeof (CERTNameConstraint *),
1156 (void *)&nssNCto,
1157 plContext),
1158 PKIX_MALLOCFAILED);
1159
1160 nameConstraints->nssNameConstraintsList = nssNCto;
1161
1162 nssNCfrom = firstNC->nssNameConstraintsList;
1163
1164 for (i = 0; i < firstNC->numNssNameConstraints; i++) {
1165
1166 PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
1167 (nameConstraints->arena,
1168 *nssNCfrom,
1169 &nssNameConstraints,
1170 plContext),
1171 PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
1172
1173 *nssNCto = nssNameConstraints;
1174
1175 nssNCto++;
1176 nssNCfrom++;
1177 }
1178
1179 nssNCfrom = secondNC->nssNameConstraintsList;
1180
1181 for (i = 0; i < secondNC->numNssNameConstraints; i++) {
1182
1183 PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
1184 (nameConstraints->arena,
1185 *nssNCfrom,
1186 &nssNameConstraints,
1187 plContext),
1188 PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
1189
1190 *nssNCto = nssNameConstraints;
1191
1192 nssNCto++;
1193 nssNCfrom++;
1194 }
1195
1196 nameConstraints->numNssNameConstraints = numNssItems;
1197 nameConstraints->permittedList = NULL;
1198 nameConstraints->excludedList = NULL;
1199
1200 *pMergedNC = nameConstraints;
1201
1202 cleanup:
1203
1204 if (PKIX_ERROR_RECEIVED){
1205 PKIX_DECREF(nameConstraints);
1206 }
1207
1208 PKIX_RETURN(CERTNAMECONSTRAINTS);
1209 }
1210
1211 /* --Public-NameConstraints-Functions-------------------------------- */
1212
1213 /*
1214 * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
1215 * (see comments in pkix_pl_system.h)
1216 */
1217 PKIX_Error *
1218 PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
1219 PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
1220 PKIX_PL_CertNameConstraints *nameConstraints,
1221 PKIX_Boolean *pCheckPass,
1222 void *plContext)
1223 {
1224 CERTNameConstraints **nssNameConstraintsList = NULL;
1225 CERTNameConstraints *nssNameConstraints = NULL;
1226 CERTGeneralName *nssMatchName = NULL;
1227 PRArenaPool *arena = NULL;
1228 PKIX_PL_GeneralName *name = NULL;
1229 PKIX_UInt32 numNameItems = 0;
1230 PKIX_UInt32 numNCItems = 0;
1231 PKIX_UInt32 i, j;
1232 SECStatus status = SECSuccess;
1233
1234 PKIX_ENTER(CERTNAMECONSTRAINTS,
1235 "PKIX_PL_CertNameConstraints_CheckNamesInNameSpace");
1236 PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass);
1237
1238 *pCheckPass = PKIX_TRUE;
1239
1240 if (nameList != NULL) {
1241
1242 PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
1243 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1244 if (arena == NULL) {
1245 PKIX_ERROR(PKIX_OUTOFMEMORY);
1246 }
1247
1248 nssNameConstraintsList =
1249 nameConstraints->nssNameConstraintsList;
1250 PKIX_NULLCHECK_ONE(nssNameConstraintsList);
1251 numNCItems = nameConstraints->numNssNameConstraints;
1252
1253 PKIX_CHECK(PKIX_List_GetLength
1254 (nameList, &numNameItems, plContext),
1255 PKIX_LISTGETLENGTHFAILED);
1256
1257 for (i = 0; i < numNameItems; i++) {
1258
1259 PKIX_CHECK(PKIX_List_GetItem
1260 (nameList,
1261 i,
1262 (PKIX_PL_Object **) &name,
1263 plContext),
1264 PKIX_LISTGETITEMFAILED);
1265
1266 PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName
1267 (name, &nssMatchName, plContext),
1268 PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED);
1269
1270 PKIX_DECREF(name);
1271
1272 for (j = 0; j < numNCItems; j++) {
1273
1274 nssNameConstraints = *(nssNameConstraintsList + j);
1275 PKIX_NULLCHECK_ONE(nssNameConstraints);
1276
1277 PKIX_CERTNAMECONSTRAINTS_DEBUG
1278 ("\t\tCalling CERT_CheckNameSpace\n");
1279 status = CERT_CheckNameSpace
1280 (arena, nssNameConstraints, nssMatchName);
1281 if (status != SECSuccess) {
1282 break;
1283 }
1284
1285 }
1286
1287 if (status != SECSuccess) {
1288 break;
1289 }
1290
1291 }
1292 }
1293
1294 if (status == SECFailure) {
1295 *pCheckPass = PKIX_FALSE;
1296 }
1297
1298 cleanup:
1299
1300 if (arena){
1301 PKIX_CERTNAMECONSTRAINTS_DEBUG
1302 ("\t\tCalling PORT_FreeArena).\n");
1303 PORT_FreeArena(arena, PR_FALSE);
1304 }
1305
1306 PKIX_RETURN(CERTNAMECONSTRAINTS);
1307 }
Mozilla NSS module