| blob | d09ad867ef37e29a3c012ce800972454040610b9 |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the PKIX-C library.
15 *
16 * The Initial Developer of the Original Code is
17 * Sun Microsystems, Inc.
18 * Portions created by the Initial Developer are
19 * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Sun Microsystems, Inc.
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 *
36 * ***** END LICENSE BLOCK ***** */
37 /*
38 * pkix_pl_ocspresponse.c
39 *
40 */
44 /* ----Public functions------------------------------------- */
45 /*
46 * This is the libpkix replacement for CERT_VerifyOCSPResponseSignature.
47 * It is used if it has been set as the verifyFcn member of ocspChecker.
48 */
49 PKIX_Error *
59 {
74 /* Are we resuming after a WOULDBLOCK return, or starting anew ? */
76 /* Starting anew */
80 plContext),
81 PKIX_OBJECTDUPLICATEFAILED);
84 PKIX_PROCESSINGPARAMSSETDATEFAILED);
86 /* create CertSelector with target certificate in params */
90 PKIX_CERTSELECTORCREATEFAILED);
94 PKIX_COMCERTSELPARAMSCREATEFAILED);
98 PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
102 PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
106 PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
107 }
109 buildError = PKIX_BuildChain
112 pState,
113 pBuildResult,
114 pVerifyTree,
115 plContext);
117 /* non-null nbioContext means the build would block */
122 /* no buildResult means the build has failed */
128 }
130 cleanup:
138 }
140 /* --Private-OcspResponse-Functions------------------------------------- */
142 /*
143 * FUNCTION: pkix_pl_OcspResponse_Destroy
144 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
145 */
150 {
159 PKIX_OBJECTNOTANOCSPRESPONSE);
167 }
172 }
183 }
188 }
189 }
194 }
200 cleanup:
203 }
205 /*
206 * FUNCTION: pkix_pl_OcspResponse_Hashcode
207 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
208 */
214 {
221 PKIX_OBJECTNOTANOCSPRESPONSE);
231 pHashcode,
232 plContext),
233 PKIX_HASHFAILED);
234 }
236 cleanup:
239 }
241 /*
242 * FUNCTION: pkix_pl_OcspResponse_Equals
243 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
244 */
251 {
263 /* test that firstObj is a OcspResponse */
265 PKIX_FIRSTOBJARGUMENTNOTANOCSPRESPONSE);
267 /*
268 * Since we know firstObj is a OcspResponse, if both references are
269 * identical, they must be equal
270 */
274 }
276 /*
277 * If secondObj isn't a OcspResponse, we don't throw an error.
278 * We simply return a Boolean result of FALSE
279 */
282 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
285 }
290 /* If either lacks an encoded string, they cannot be compared */
295 }
301 }
306 }
307 }
311 cleanup:
314 }
316 /*
317 * FUNCTION: pkix_pl_OcspResponse_RegisterSelf
318 * DESCRIPTION:
319 * Registers PKIX_OCSPRESPONSE_TYPE and its related functions with
320 * systemClasses[]
321 * PARAMETERS:
322 * "plContext"
323 * Platform-specific context pointer.
324 * THREAD SAFETY:
325 * Not Thread Safe - for performance and complexity reasons
326 *
327 * Since this function is only called by PKIX_PL_Initialize, which should
328 * only be called once, it is acceptable that this function is not
329 * thread-safe.
330 */
331 PKIX_Error *
333 {
335 pkix_ClassTable_Entry entry;
352 }
354 /* --Public-Functions------------------------------------------------------- */
356 /*
357 * FUNCTION: pkix_pl_OcspResponse_Create
358 * DESCRIPTION:
359 *
360 * This function transmits the OcspRequest pointed to by "request" and obtains
361 * an OcspResponse, which it stores at "pOcspResponse". If the HTTPClient
362 * supports non-blocking I/O this function may store a non-NULL value at
363 * "pNBIOContext" (the WOULDBLOCK condition). In that case the caller should
364 * make a subsequent call with the same value in "pNBIOContext" and
365 * "pOcspResponse" to resume the operation. Additional WOULDBLOCK returns may
366 * occur; the caller should persist until a return occurs with NULL stored at
367 * "pNBIOContext".
368 *
369 * If a SEC_HttpClientFcn "responder" is supplied, it is used as the client
370 * to which the OCSP query is sent. If none is supplied, the default responder
371 * is used.
372 *
373 * If an OcspResponse_VerifyCallback "verifyFcn" is supplied, it is used to
374 * verify the Cert received from the responder as the signer. If none is
375 * supplied, the default verification function is used.
376 *
377 * The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
378 * return, and the caller is permitted to supply NULL.
379 *
380 * PARAMETERS
381 * "request"
382 * Address of the OcspRequest for which a response is desired.
383 * "responder"
384 * Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
385 * query.
386 * "verifyFcn"
387 * Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
388 * used to verify the Cert of the OCSP responder.
389 * "pNBIOContext"
390 * Address at which platform-dependent information is stored for handling
391 * of non-blocking I/O. Must be non-NULL.
392 * "pOcspResponse"
393 * The address where the created OcspResponse is stored. Must be non-NULL.
394 * "plContext"
395 * Platform-specific context pointer.
396 * THREAD SAFETY:
397 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
398 * RETURNS:
399 * Returns NULL if the function succeeds.
400 * Returns an OcspResponse Error if the function fails in a non-fatal way.
401 * Returns a Fatal Error if the function fails in an unrecoverable way.
402 */
403 PKIX_Error *
407 PKIX_PL_OcspResponse_VerifyCallback verifyFcn,
411 {
450 PKIX_OCSPREQUESTGETENCODEDFAILED);
452 /* prepare initial message to HTTPClient */
454 /* Is there a default responder and is it enabled? */
456 PKIX_PL_NSSCALLRV
458 responder,
460 ());
461 }
471 PKIX_OCSPREQUESTGETLOCATIONFAILED);
473 /* parse location -> hostname, port, path */
479 }
481 PKIX_PL_NSSCALLRV
483 rv,
489 }
491 PKIX_PL_NSSCALLRV
495 path,
502 }
504 PKIX_PL_NSSCALLRV
513 }
515 /* create a PKIX_PL_OcspResponse object */
520 plContext),
521 PKIX_COULDNOTCREATEOBJECT);
537 }
538 }
540 /* begin or resume IO to HTTPClient */
558 }
563 }
567 }
570 PKIX_PL_NSSCALLRV
576 }
578 PKIX_PL_NSSCALLRV
581 SECITEM_AllocItem,
586 }
590 responseData,
591 responseDataLen));
593 }
597 cleanup:
601 }
605 }
609 }
612 }
614 /*
615 * FUNCTION: pkix_pl_OcspResponse_Decode
616 * DESCRIPTION:
617 *
618 * This function decodes the DER data contained in the OcspResponse pointed to
619 * by "response", storing PKIX_TRUE at "pPassed" if the decoding was
620 * successful, and PKIX_FALSE otherwise.
621 *
622 * PARAMETERS
623 * "response"
624 * The address of the OcspResponse whose DER data is to be decoded. Must
625 * be non-NULL.
626 * "pPassed"
627 * Address at which the Boolean result is stored. Must be non-NULL.
628 * "pReturnCode"
629 * Address at which the SECErrorCodes result is stored. Must be non-NULL.
630 * "plContext"
631 * Platform-specific context pointer.
632 * THREAD SAFETY:
633 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
634 * RETURNS:
635 * Returns NULL if the function succeeds.
636 * Returns an OcspResponse Error if the function fails in a non-fatal way.
637 * Returns a Fatal Error if the function fails in an unrecoverable way.
638 */
640 PKIX_Error *
646 {
660 }
663 }
665 /*
666 * FUNCTION: pkix_pl_OcspResponse_GetStatus
667 * DESCRIPTION:
668 *
669 * This function checks the response status of the OcspResponse pointed to
670 * by "response", storing PKIX_TRUE at "pPassed" if the responder understood
671 * the request and considered it valid, and PKIX_FALSE otherwise.
672 *
673 * PARAMETERS
674 * "response"
675 * The address of the OcspResponse whose status is to be retrieved. Must
676 * be non-NULL.
677 * "pPassed"
678 * Address at which the Boolean result is stored. Must be non-NULL.
679 * "plContext"
680 * Platform-specific context pointer.
681 * THREAD SAFETY:
682 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
683 * RETURNS:
684 * Returns NULL if the function succeeds.
685 * Returns an OcspResponse Error if the function fails in a non-fatal way.
686 * Returns a Fatal Error if the function fails in an unrecoverable way.
687 */
689 PKIX_Error *
695 {
709 }
712 }
715 PKIX_Error*
719 SECCertUsage certUsage,
724 {
735 PKIX_NSSCONTEXTCREATEFAILED);
743 PKIX_CERTVERIFYKEYUSAGEFAILED);
749 }
750 }
752 cleanup:
755 }
757 /*
758 * FUNCTION: pkix_pl_OcspResponse_VerifySignature
759 * DESCRIPTION:
760 *
761 * This function verifies the ocspResponse signature field in the OcspResponse
762 * pointed to by "response", storing PKIX_TRUE at "pPassed" if verification
763 * is successful and PKIX_FALSE otherwise. If verification is unsuccessful an
764 * error code (an enumeration of type SECErrorCodes) is stored at *pReturnCode.
765 *
766 * PARAMETERS
767 * "response"
768 * The address of the OcspResponse whose signature field is to be
769 * retrieved. Must be non-NULL.
770 * "cert"
771 * The address of the Cert for which the OCSP query was made. Must be
772 * non-NULL.
773 * "procParams"
774 * Address of ProcessingParams used to initialize the ExpirationChecker
775 * and TargetCertChecker. Must be non-NULL.
776 * "pPassed"
777 * Address at which the Boolean result is stored. Must be non-NULL.
778 * "pNBIOContext"
779 * Address at which the NBIOContext is stored indicating whether the
780 * checking is complete. Must be non-NULL.
781 * "plContext"
782 * Platform-specific context pointer.
783 * THREAD SAFETY:
784 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
785 * RETURNS:
786 * Returns NULL if the function succeeds.
787 * Returns an OcspResponse Error if the function fails in a non-fatal way.
788 * Returns a Fatal Error if the function fails in an unrecoverable way.
789 */
790 PKIX_Error *
798 {
821 }
823 tbsData =
829 /* Are we resuming after a WOULDBLOCK response? */
831 /* No, this is a new query */
834 certUsageAnyCA);
836 /*
837 * If this signature has already gone through verification,
838 * just return the cached result.
839 */
847 }
848 }
857 }
862 plContext),
863 PKIX_CERTCREATEWITHNSSCERTFAILED);
865 /*
866 * We could mark this true at the top of this function, or
867 * always below at "finish", but if the problem was just that
868 * we could not find the signer's cert, leave that as if the
869 * signature hasn't been checked. Maybe a subsequent call will
870 * have better luck.
871 */
874 /*
875 * We are about to verify the signer certificate; we need to
876 * specify *when* that certificate must be valid -- for our
877 * purposes we expect it to be valid when the response was
878 * signed. The value of "producedAt" is the signing time.
879 */
885 }
887 /*
888 * We need producedAtDate and pkixSignerCert if we are calling a
889 * user-supplied verification function. Let's put their
890 * creation before the code that gets repeated when
891 * non-blocking I/O is used.
892 */
897 plContext),
898 PKIX_DATECREATEFROMPRTIMEFAILED);
900 }
902 /*
903 * Just because we have a cert does not mean it is any good; check
904 * it for validity, trust and usage. Use the caller-supplied
905 * verification function, if one was supplied.
906 */
911 SECCertUsage certUsage;
916 }
917 /* Set negative result before call. If fail to verify, will jump
918 * into cleanup with rv = SECFailure. Restore rv after the call. */
924 plContext),
925 PKIX_CERTVERIFYKEYUSAGEFAILED);
932 }
933 }
938 cleanup:
943 }
947 }
954 }
956 /* Save signer's certificate in signature. */
958 }
961 }
963 /*
964 * FUNCTION: pkix_pl_OcspResponse_GetStatusForCert
965 * DESCRIPTION:
966 *
967 * This function checks the revocation status of the Cert for which the
968 * OcspResponse was obtained, storing PKIX_TRUE at "pPassed" if the Cert has
969 * not been revoked and PKIX_FALSE otherwise.
970 *
971 * PARAMETERS
972 * "response"
973 * The address of the OcspResponse whose certificate status is to be
974 * retrieved. Must be non-NULL.
975 * "pPassed"
976 * Address at which the Boolean result is stored. Must be non-NULL.
977 * "pReturnCode"
978 * Address at which the SECErrorCodes result is stored. Must be non-NULL.
979 * "plContext"
980 * Platform-specific context pointer.
981 * THREAD SAFETY:
982 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
983 * RETURNS:
984 * Returns NULL if the function succeeds.
985 * Returns an OcspResponse Error if the function fails in a non-fatal way.
986 * Returns a Fatal Error if the function fails in an unrecoverable way.
987 */
988 PKIX_Error *
995 {
997 SECStatus rvCache;
1002 /*
1003 * It is an error to call this function except following a successful
1004 * return from pkix_pl_OcspResponse_VerifySignature, which would have
1005 * set response->signerCert.
1006 */
1022 }
1025 }