mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-16 04:20:32 +01:00
517 lines
18 KiB
C
517 lines
18 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
/*
|
|
* pkix_targetcertchecker.c
|
|
*
|
|
* Functions for target cert validation
|
|
*
|
|
*/
|
|
|
|
|
|
#include "pkix_targetcertchecker.h"
|
|
|
|
/* --Private-TargetCertCheckerState-Functions------------------------------- */
|
|
|
|
/*
|
|
* FUNCTION: pkix_TargetCertCheckerState_Destroy
|
|
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
|
|
*/
|
|
static PKIX_Error *
|
|
pkix_TargetCertCheckerState_Destroy(
|
|
PKIX_PL_Object *object,
|
|
void *plContext)
|
|
{
|
|
pkix_TargetCertCheckerState *state = NULL;
|
|
|
|
PKIX_ENTER(TARGETCERTCHECKERSTATE,
|
|
"pkix_TargetCertCheckerState_Destroy");
|
|
PKIX_NULLCHECK_ONE(object);
|
|
|
|
/* Check that this object is a target cert checker state */
|
|
PKIX_CHECK(pkix_CheckType
|
|
(object, PKIX_TARGETCERTCHECKERSTATE_TYPE, plContext),
|
|
PKIX_OBJECTNOTTARGETCERTCHECKERSTATE);
|
|
|
|
state = (pkix_TargetCertCheckerState *)object;
|
|
|
|
PKIX_DECREF(state->certSelector);
|
|
PKIX_DECREF(state->extKeyUsageOID);
|
|
PKIX_DECREF(state->subjAltNameOID);
|
|
PKIX_DECREF(state->pathToNameList);
|
|
PKIX_DECREF(state->extKeyUsageList);
|
|
PKIX_DECREF(state->subjAltNameList);
|
|
|
|
cleanup:
|
|
|
|
PKIX_RETURN(TARGETCERTCHECKERSTATE);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: pkix_TargetCertCheckerState_RegisterSelf
|
|
* DESCRIPTION:
|
|
* Registers PKIX_TARGETCERTCHECKERSTATE_TYPE and its related functions with
|
|
* systemClasses[]
|
|
* THREAD SAFETY:
|
|
* Not Thread Safe - for performance and complexity reasons
|
|
*
|
|
* Since this function is only called by PKIX_PL_Initialize, which should
|
|
* only be called once, it is acceptable that this function is not
|
|
* thread-safe.
|
|
*/
|
|
PKIX_Error *
|
|
pkix_TargetCertCheckerState_RegisterSelf(void *plContext)
|
|
{
|
|
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
|
|
pkix_ClassTable_Entry entry;
|
|
|
|
PKIX_ENTER(TARGETCERTCHECKERSTATE,
|
|
"pkix_TargetCertCheckerState_RegisterSelf");
|
|
|
|
entry.description = "TargetCertCheckerState";
|
|
entry.objCounter = 0;
|
|
entry.typeObjectSize = sizeof(pkix_TargetCertCheckerState);
|
|
entry.destructor = pkix_TargetCertCheckerState_Destroy;
|
|
entry.equalsFunction = NULL;
|
|
entry.hashcodeFunction = NULL;
|
|
entry.toStringFunction = NULL;
|
|
entry.comparator = NULL;
|
|
entry.duplicateFunction = NULL;
|
|
|
|
systemClasses[PKIX_TARGETCERTCHECKERSTATE_TYPE] = entry;
|
|
|
|
PKIX_RETURN(TARGETCERTCHECKERSTATE);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: pkix_TargetCertCheckerState_Create
|
|
* DESCRIPTION:
|
|
*
|
|
* Creates a new TargetCertCheckerState using the CertSelector pointed to
|
|
* by "certSelector" and the number of certs represented by "certsRemaining"
|
|
* and stores it at "pState".
|
|
*
|
|
* PARAMETERS:
|
|
* "certSelector"
|
|
* Address of CertSelector representing the criteria against which the
|
|
* final certificate in a chain is to be matched. Must be non-NULL.
|
|
* "certsRemaining"
|
|
* Number of certificates remaining in the chain.
|
|
* "pState"
|
|
* Address where object pointer will be stored. Must be non-NULL.
|
|
* "plContext"
|
|
* Platform-specific context pointer.
|
|
* THREAD SAFETY:
|
|
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
|
* RETURNS:
|
|
* Returns NULL if the function succeeds.
|
|
* Returns a TargetCertCheckerState Error if the function fails in a
|
|
* non-fatal way.
|
|
* Returns a Fatal Error if the function fails in an unrecoverable way.
|
|
*/
|
|
PKIX_Error *
|
|
pkix_TargetCertCheckerState_Create(
|
|
PKIX_CertSelector *certSelector,
|
|
PKIX_UInt32 certsRemaining,
|
|
pkix_TargetCertCheckerState **pState,
|
|
void *plContext)
|
|
{
|
|
pkix_TargetCertCheckerState *state = NULL;
|
|
PKIX_ComCertSelParams *certSelectorParams = NULL;
|
|
PKIX_List *pathToNameList = NULL;
|
|
PKIX_List *extKeyUsageList = NULL;
|
|
PKIX_List *subjAltNameList = NULL;
|
|
PKIX_PL_OID *extKeyUsageOID = NULL;
|
|
PKIX_PL_OID *subjAltNameOID = NULL;
|
|
PKIX_Boolean subjAltNameMatchAll = PKIX_TRUE;
|
|
|
|
PKIX_ENTER(TARGETCERTCHECKERSTATE,
|
|
"pkix_TargetCertCheckerState_Create");
|
|
PKIX_NULLCHECK_ONE(pState);
|
|
|
|
PKIX_CHECK(PKIX_PL_OID_Create
|
|
(PKIX_EXTENDEDKEYUSAGE_OID,
|
|
&extKeyUsageOID,
|
|
plContext),
|
|
PKIX_OIDCREATEFAILED);
|
|
|
|
PKIX_CHECK(PKIX_PL_OID_Create
|
|
(PKIX_CERTSUBJALTNAME_OID,
|
|
&subjAltNameOID,
|
|
plContext),
|
|
PKIX_OIDCREATEFAILED);
|
|
|
|
PKIX_CHECK(PKIX_PL_Object_Alloc
|
|
(PKIX_TARGETCERTCHECKERSTATE_TYPE,
|
|
sizeof (pkix_TargetCertCheckerState),
|
|
(PKIX_PL_Object **)&state,
|
|
plContext),
|
|
PKIX_COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT);
|
|
|
|
/* initialize fields */
|
|
|
|
if (certSelector != NULL) {
|
|
|
|
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
|
|
(certSelector, &certSelectorParams, plContext),
|
|
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED);
|
|
|
|
if (certSelectorParams != NULL) {
|
|
|
|
PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
|
|
(certSelectorParams,
|
|
&pathToNameList,
|
|
plContext),
|
|
PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
|
|
|
|
PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
|
|
(certSelectorParams,
|
|
&extKeyUsageList,
|
|
plContext),
|
|
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
|
|
|
|
PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
|
|
(certSelectorParams,
|
|
&subjAltNameList,
|
|
plContext),
|
|
PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
|
|
|
|
PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
|
|
(certSelectorParams,
|
|
&subjAltNameMatchAll,
|
|
plContext),
|
|
PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
|
|
}
|
|
}
|
|
|
|
state->certsRemaining = certsRemaining;
|
|
state->subjAltNameMatchAll = subjAltNameMatchAll;
|
|
|
|
PKIX_INCREF(certSelector);
|
|
state->certSelector = certSelector;
|
|
|
|
state->pathToNameList = pathToNameList;
|
|
pathToNameList = NULL;
|
|
|
|
state->extKeyUsageList = extKeyUsageList;
|
|
extKeyUsageList = NULL;
|
|
|
|
state->subjAltNameList = subjAltNameList;
|
|
subjAltNameList = NULL;
|
|
|
|
state->extKeyUsageOID = extKeyUsageOID;
|
|
extKeyUsageOID = NULL;
|
|
|
|
state->subjAltNameOID = subjAltNameOID;
|
|
subjAltNameOID = NULL;
|
|
|
|
*pState = state;
|
|
state = NULL;
|
|
|
|
cleanup:
|
|
|
|
PKIX_DECREF(extKeyUsageOID);
|
|
PKIX_DECREF(subjAltNameOID);
|
|
PKIX_DECREF(pathToNameList);
|
|
PKIX_DECREF(extKeyUsageList);
|
|
PKIX_DECREF(subjAltNameList);
|
|
PKIX_DECREF(state);
|
|
|
|
PKIX_DECREF(certSelectorParams);
|
|
|
|
PKIX_RETURN(TARGETCERTCHECKERSTATE);
|
|
|
|
}
|
|
|
|
/* --Private-TargetCertChecker-Functions------------------------------- */
|
|
|
|
/*
|
|
* FUNCTION: pkix_TargetCertChecker_Check
|
|
* (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
|
|
*/
|
|
PKIX_Error *
|
|
pkix_TargetCertChecker_Check(
|
|
PKIX_CertChainChecker *checker,
|
|
PKIX_PL_Cert *cert,
|
|
PKIX_List *unresolvedCriticalExtensions,
|
|
void **pNBIOContext,
|
|
void *plContext)
|
|
{
|
|
pkix_TargetCertCheckerState *state = NULL;
|
|
PKIX_CertSelector_MatchCallback certSelectorMatch = NULL;
|
|
PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
|
PKIX_List *certSubjAltNames = NULL;
|
|
PKIX_List *certExtKeyUsageList = NULL;
|
|
PKIX_PL_GeneralName *name = NULL;
|
|
PKIX_PL_X500Name *certSubjectName = NULL;
|
|
PKIX_Boolean checkPassed = PKIX_FALSE;
|
|
PKIX_UInt32 numItems, i;
|
|
PKIX_UInt32 matchCount = 0;
|
|
|
|
PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Check");
|
|
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
|
|
|
|
*pNBIOContext = NULL; /* we never block on pending I/O */
|
|
|
|
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
|
|
(checker, (PKIX_PL_Object **)&state, plContext),
|
|
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
|
|
|
|
(state->certsRemaining)--;
|
|
|
|
if (state->pathToNameList != NULL) {
|
|
|
|
PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
|
|
(cert, &nameConstraints, plContext),
|
|
PKIX_CERTGETNAMECONSTRAINTSFAILED);
|
|
|
|
/*
|
|
* XXX We should either make the following call a public one
|
|
* so it is legal to call from the portability layer or we
|
|
* should try to create pathToNameList as CertNameConstraints
|
|
* then call the existing check function.
|
|
*/
|
|
PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
|
|
(state->pathToNameList,
|
|
nameConstraints,
|
|
&checkPassed,
|
|
plContext),
|
|
PKIX_CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED);
|
|
|
|
if (checkPassed != PKIX_TRUE) {
|
|
PKIX_ERROR(PKIX_VALIDATIONFAILEDPATHTONAMECHECKFAILED);
|
|
}
|
|
|
|
}
|
|
|
|
PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
|
|
(cert, &certSubjAltNames, plContext),
|
|
PKIX_CERTGETSUBJALTNAMESFAILED);
|
|
|
|
if (state->subjAltNameList != NULL && certSubjAltNames != NULL) {
|
|
|
|
PKIX_CHECK(PKIX_List_GetLength
|
|
(state->subjAltNameList, &numItems, plContext),
|
|
PKIX_LISTGETLENGTHFAILED);
|
|
|
|
for (i = 0; i < numItems; i++) {
|
|
|
|
PKIX_CHECK(PKIX_List_GetItem
|
|
(state->subjAltNameList,
|
|
i,
|
|
(PKIX_PL_Object **) &name,
|
|
plContext),
|
|
PKIX_LISTGETITEMFAILED);
|
|
|
|
PKIX_CHECK(pkix_List_Contains
|
|
(certSubjAltNames,
|
|
(PKIX_PL_Object *) name,
|
|
&checkPassed,
|
|
plContext),
|
|
PKIX_LISTCONTAINSFAILED);
|
|
|
|
PKIX_DECREF(name);
|
|
|
|
if (checkPassed == PKIX_TRUE) {
|
|
|
|
if (state->subjAltNameMatchAll == PKIX_FALSE) {
|
|
matchCount = numItems;
|
|
break;
|
|
} else {
|
|
/* else continue checking next */
|
|
matchCount++;
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
if (matchCount != numItems) {
|
|
PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED);
|
|
|
|
}
|
|
}
|
|
|
|
if (state->certsRemaining == 0) {
|
|
|
|
if (state->certSelector != NULL) {
|
|
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
|
|
(state->certSelector,
|
|
&certSelectorMatch,
|
|
plContext),
|
|
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
|
|
|
|
PKIX_CHECK(certSelectorMatch
|
|
(state->certSelector,
|
|
cert,
|
|
plContext),
|
|
PKIX_CERTSELECTORMATCHFAILED);
|
|
} else {
|
|
/* Check at least cert/key usages if target cert selector
|
|
* is not set. */
|
|
PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert,
|
|
PKIX_FALSE /* is chain cert*/,
|
|
plContext),
|
|
PKIX_CERTVERIFYCERTTYPEFAILED);
|
|
}
|
|
/*
|
|
* There are two Extended Key Usage Checkings
|
|
* available :
|
|
* 1) here at the targetcertchecker where we
|
|
* verify the Extended Key Usage OIDs application
|
|
* specifies via ComCertSelParams are included
|
|
* in Cert's Extended Key Usage OID's. Note,
|
|
* this is an OID to OID comparison and only last
|
|
* Cert is checked.
|
|
* 2) at user defined ekuchecker where checking
|
|
* is applied to all Certs on the chain and
|
|
* the NSS Extended Key Usage algorithm is
|
|
* used. In order to invoke this checking, not
|
|
* only does the ComCertSelparams needs to be
|
|
* set, the EKU initialize call is required to
|
|
* activate the checking.
|
|
*
|
|
* XXX We use the same ComCertSelParams Set/Get
|
|
* functions to set the parameters for both cases.
|
|
* We may want to separate them in the future.
|
|
*/
|
|
|
|
PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
|
|
(cert, &certExtKeyUsageList, plContext),
|
|
PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
|
|
|
|
|
|
if (state->extKeyUsageList != NULL &&
|
|
certExtKeyUsageList != NULL) {
|
|
|
|
PKIX_CHECK(PKIX_List_GetLength
|
|
(state->extKeyUsageList, &numItems, plContext),
|
|
PKIX_LISTGETLENGTHFAILED);
|
|
|
|
for (i = 0; i < numItems; i++) {
|
|
|
|
PKIX_CHECK(PKIX_List_GetItem
|
|
(state->extKeyUsageList,
|
|
i,
|
|
(PKIX_PL_Object **) &name,
|
|
plContext),
|
|
PKIX_LISTGETITEMFAILED);
|
|
|
|
PKIX_CHECK(pkix_List_Contains
|
|
(certExtKeyUsageList,
|
|
(PKIX_PL_Object *) name,
|
|
&checkPassed,
|
|
plContext),
|
|
PKIX_LISTCONTAINSFAILED);
|
|
|
|
PKIX_DECREF(name);
|
|
|
|
if (checkPassed != PKIX_TRUE) {
|
|
PKIX_ERROR
|
|
(PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
|
|
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
/* Check key usage and cert type based on certificate usage. */
|
|
PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_TRUE,
|
|
plContext),
|
|
PKIX_CERTVERIFYCERTTYPEFAILED);
|
|
}
|
|
|
|
/* Remove Critical Extension OID from list */
|
|
if (unresolvedCriticalExtensions != NULL) {
|
|
|
|
PKIX_CHECK(pkix_List_Remove
|
|
(unresolvedCriticalExtensions,
|
|
(PKIX_PL_Object *) state->extKeyUsageOID,
|
|
plContext),
|
|
PKIX_LISTREMOVEFAILED);
|
|
|
|
PKIX_CHECK(PKIX_PL_Cert_GetSubject
|
|
(cert, &certSubjectName, plContext),
|
|
PKIX_CERTGETSUBJECTFAILED);
|
|
|
|
if (certSubjAltNames != NULL) {
|
|
PKIX_CHECK(pkix_List_Remove
|
|
(unresolvedCriticalExtensions,
|
|
(PKIX_PL_Object *) state->subjAltNameOID,
|
|
plContext),
|
|
PKIX_LISTREMOVEFAILED);
|
|
}
|
|
|
|
}
|
|
|
|
cleanup:
|
|
|
|
PKIX_DECREF(name);
|
|
PKIX_DECREF(nameConstraints);
|
|
PKIX_DECREF(certSubjAltNames);
|
|
PKIX_DECREF(certExtKeyUsageList);
|
|
PKIX_DECREF(certSubjectName);
|
|
PKIX_DECREF(state);
|
|
|
|
PKIX_RETURN(CERTCHAINCHECKER);
|
|
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: pkix_TargetCertChecker_Initialize
|
|
* DESCRIPTION:
|
|
*
|
|
* Creates a new CertChainChecker and stores it at "pChecker", where it will
|
|
* used by pkix_TargetCertChecker_Check to check that the final certificate
|
|
* of a chain meets the criteria of the CertSelector pointed to by
|
|
* "certSelector". The number of certs remaining in the chain, represented by
|
|
* "certsRemaining" is used to initialize the checker's state.
|
|
*
|
|
* PARAMETERS:
|
|
* "certSelector"
|
|
* Address of CertSelector representing the criteria against which the
|
|
* final certificate in a chain is to be matched. May be NULL.
|
|
* "certsRemaining"
|
|
* Number of certificates remaining in the chain.
|
|
* "pChecker"
|
|
* Address where object pointer will be stored. Must be non-NULL.
|
|
* "plContext"
|
|
* Platform-specific context pointer.
|
|
* THREAD SAFETY:
|
|
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
|
* RETURNS:
|
|
* Returns NULL if the function succeeds.
|
|
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
|
|
* Returns a Fatal Error if the function fails in an unrecoverable way.
|
|
*/
|
|
PKIX_Error *
|
|
pkix_TargetCertChecker_Initialize(
|
|
PKIX_CertSelector *certSelector,
|
|
PKIX_UInt32 certsRemaining,
|
|
PKIX_CertChainChecker **pChecker,
|
|
void *plContext)
|
|
{
|
|
pkix_TargetCertCheckerState *state = NULL;
|
|
|
|
PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Initialize");
|
|
PKIX_NULLCHECK_ONE(pChecker);
|
|
|
|
PKIX_CHECK(pkix_TargetCertCheckerState_Create
|
|
(certSelector, certsRemaining, &state, plContext),
|
|
PKIX_TARGETCERTCHECKERSTATECREATEFAILED);
|
|
|
|
PKIX_CHECK(PKIX_CertChainChecker_Create
|
|
(pkix_TargetCertChecker_Check,
|
|
PKIX_FALSE,
|
|
PKIX_FALSE,
|
|
NULL,
|
|
(PKIX_PL_Object *)state,
|
|
pChecker,
|
|
plContext),
|
|
PKIX_CERTCHAINCHECKERCREATEFAILED);
|
|
|
|
cleanup:
|
|
|
|
PKIX_DECREF(state);
|
|
|
|
PKIX_RETURN(CERTCHAINCHECKER);
|
|
}
|