diff options
author | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-01-04 14:24:24 +0000 |
---|---|---|
committer | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-01-04 14:24:24 +0000 |
commit | dc1565216a5d20ae0d75872151523252309a1292 (patch) | |
tree | d57454ba9a40386552179eddf60d28bd1e8f3d54 /nss/lib/certdb/certdb.c | |
parent | 26c046fbc57d53136b4fb3b5e0d18298318125d4 (diff) | |
download | nss-dc1565216a5d20ae0d75872151523252309a1292.tar.gz |
nss-3.28.1nss-3.28.1
Diffstat (limited to 'nss/lib/certdb/certdb.c')
-rw-r--r-- | nss/lib/certdb/certdb.c | 2970 |
1 files changed, 1459 insertions, 1511 deletions
diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c index f282bbb..d37334d 100644 --- a/nss/lib/certdb/certdb.c +++ b/nss/lib/certdb/certdb.c @@ -26,7 +26,7 @@ #include "secerr.h" #include "sslerr.h" #include "pk11func.h" -#include "xconst.h" /* for CERT_DecodeAltNameExtension */ +#include "xconst.h" /* for CERT_DecodeAltNameExtension */ #include "pki.h" #include "pki3hack.h" @@ -41,17 +41,13 @@ SEC_ASN1_MKSUB(SEC_SkipTemplate) * Certificate database handling code */ - const SEC_ASN1Template CERT_CertExtensionTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertExtension) }, - { SEC_ASN1_OBJECT_ID, - offsetof(CERTCertExtension,id) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ - offsetof(CERTCertExtension,critical) }, - { SEC_ASN1_OCTET_STRING, - offsetof(CERTCertExtension,value) }, - { 0, } + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertExtension) }, + { SEC_ASN1_OBJECT_ID, offsetof(CERTCertExtension, id) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ + offsetof(CERTCertExtension, critical) }, + { SEC_ASN1_OCTET_STRING, offsetof(CERTCertExtension, value) }, + { 0 } }; const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = { @@ -59,80 +55,60 @@ const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = { }; const SEC_ASN1Template CERT_TimeChoiceTemplate[] = { - { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) }, - { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime }, - { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime }, - { 0 } + { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) }, + { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime }, + { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime }, + { 0 } }; const SEC_ASN1Template CERT_ValidityTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTValidity) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTValidity,notBefore), - SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTValidity,notAfter), - SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTValidity) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CERTValidity, notBefore), + SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CERTValidity, notAfter), + SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 }, { 0 } }; const SEC_ASN1Template CERT_CertificateTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertificate) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, /* XXX DER_DEFAULT */ - offsetof(CERTCertificate,version), - SEC_ASN1_SUB(SEC_IntegerTemplate) }, - { SEC_ASN1_INTEGER, - offsetof(CERTCertificate,serialNumber) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTCertificate,signature), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_SAVE, - offsetof(CERTCertificate,derIssuer) }, - { SEC_ASN1_INLINE, - offsetof(CERTCertificate,issuer), - CERT_NameTemplate }, - { SEC_ASN1_INLINE, - offsetof(CERTCertificate,validity), - CERT_ValidityTemplate }, - { SEC_ASN1_SAVE, - offsetof(CERTCertificate,derSubject) }, - { SEC_ASN1_INLINE, - offsetof(CERTCertificate,subject), - CERT_NameTemplate }, - { SEC_ASN1_SAVE, - offsetof(CERTCertificate,derPublicKey) }, - { SEC_ASN1_INLINE, - offsetof(CERTCertificate,subjectPublicKeyInfo), - CERT_SubjectPublicKeyInfoTemplate }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, - offsetof(CERTCertificate,issuerID), - SEC_ASN1_SUB(SEC_BitStringTemplate) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, - offsetof(CERTCertificate,subjectID), - SEC_ASN1_SUB(SEC_BitStringTemplate) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | 3, - offsetof(CERTCertificate,extensions), - CERT_SequenceOfCertExtensionTemplate }, + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertificate) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, /* XXX DER_DEFAULT */ + offsetof(CERTCertificate, version), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { SEC_ASN1_INTEGER, offsetof(CERTCertificate, serialNumber) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CERTCertificate, signature), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_SAVE, offsetof(CERTCertificate, derIssuer) }, + { SEC_ASN1_INLINE, offsetof(CERTCertificate, issuer), CERT_NameTemplate }, + { SEC_ASN1_INLINE, offsetof(CERTCertificate, validity), + CERT_ValidityTemplate }, + { SEC_ASN1_SAVE, offsetof(CERTCertificate, derSubject) }, + { SEC_ASN1_INLINE, offsetof(CERTCertificate, subject), CERT_NameTemplate }, + { SEC_ASN1_SAVE, offsetof(CERTCertificate, derPublicKey) }, + { SEC_ASN1_INLINE, offsetof(CERTCertificate, subjectPublicKeyInfo), + CERT_SubjectPublicKeyInfoTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, + offsetof(CERTCertificate, issuerID), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, + offsetof(CERTCertificate, subjectID), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 3, + offsetof(CERTCertificate, extensions), + CERT_SequenceOfCertExtensionTemplate }, { 0 } }; -const SEC_ASN1Template SEC_SignedCertificateTemplate[] = -{ - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertificate) }, - { SEC_ASN1_SAVE, - offsetof(CERTCertificate,signatureWrap.data) }, - { SEC_ASN1_INLINE, - 0, CERT_CertificateTemplate }, +const SEC_ASN1Template SEC_SignedCertificateTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertificate) }, + { SEC_ASN1_SAVE, offsetof(CERTCertificate, signatureWrap.data) }, + { SEC_ASN1_INLINE, 0, CERT_CertificateTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTCertificate,signatureWrap.signatureAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_BIT_STRING, - offsetof(CERTCertificate,signatureWrap.signature) }, + offsetof(CERTCertificate, signatureWrap.signatureAlgorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_BIT_STRING, offsetof(CERTCertificate, signatureWrap.signature) }, { 0 } }; @@ -140,16 +116,15 @@ const SEC_ASN1Template SEC_SignedCertificateTemplate[] = * Find the subjectName in a DER encoded certificate */ const SEC_ASN1Template SEC_CertSubjectTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECItem) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ - { SEC_ASN1_SKIP }, /* serial number */ - { SEC_ASN1_SKIP }, /* signature algorithm */ - { SEC_ASN1_SKIP }, /* issuer */ - { SEC_ASN1_SKIP }, /* validity */ - { SEC_ASN1_ANY, 0, NULL }, /* subject */ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ + { SEC_ASN1_SKIP }, /* serial number */ + { SEC_ASN1_SKIP }, /* signature algorithm */ + { SEC_ASN1_SKIP }, /* issuer */ + { SEC_ASN1_SKIP }, /* validity */ + { SEC_ASN1_ANY, 0, NULL }, /* subject */ { SEC_ASN1_SKIP_REST }, { 0 } }; @@ -158,14 +133,13 @@ const SEC_ASN1Template SEC_CertSubjectTemplate[] = { * Find the issuerName in a DER encoded certificate */ const SEC_ASN1Template SEC_CertIssuerTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECItem) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ - { SEC_ASN1_SKIP }, /* serial number */ - { SEC_ASN1_SKIP }, /* signature algorithm */ - { SEC_ASN1_ANY, 0, NULL }, /* issuer */ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ + { SEC_ASN1_SKIP }, /* serial number */ + { SEC_ASN1_SKIP }, /* signature algorithm */ + { SEC_ASN1_ANY, 0, NULL }, /* issuer */ { SEC_ASN1_SKIP_REST }, { 0 } }; @@ -173,12 +147,11 @@ const SEC_ASN1Template SEC_CertIssuerTemplate[] = { * Find the subjectName in a DER encoded certificate */ const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECItem) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ - { SEC_ASN1_ANY, 0, NULL }, /* serial number */ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ + { SEC_ASN1_ANY, 0, NULL }, /* serial number */ { SEC_ASN1_SKIP_REST }, { 0 } }; @@ -189,16 +162,13 @@ const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = { * identifier of a certificate. */ const SEC_ASN1Template CERT_CertKeyTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCertKey) }, - { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ - { SEC_ASN1_INTEGER, - offsetof(CERTCertKey,serialNumber) }, - { SEC_ASN1_SKIP }, /* signature algorithm */ - { SEC_ASN1_ANY, - offsetof(CERTCertKey,derIssuer) }, + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertKey) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + 0, SEC_ASN1_SUB(SEC_SkipTemplate) }, /* version */ + { SEC_ASN1_INTEGER, offsetof(CERTCertKey, serialNumber) }, + { SEC_ASN1_SKIP }, /* signature algorithm */ + { SEC_ASN1_ANY, offsetof(CERTCertKey, derIssuer) }, { SEC_ASN1_SKIP_REST }, { 0 } }; @@ -210,17 +180,17 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate) SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, SECItem *sn, - SECItem *key) + SECItem *key) { key->len = sn->len + issuer->len; if ((sn->data == NULL) || (issuer->data == NULL)) { - goto loser; + goto loser; } - - key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len); - if ( !key->data ) { - goto loser; + + key->data = (unsigned char *)PORT_ArenaAlloc(arena, key->len); + if (!key->data) { + goto loser; } /* copy the serialNumber */ @@ -229,13 +199,12 @@ CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer, SECItem *sn, /* copy the issuer */ PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); - return(SECSuccess); + return (SECSuccess); loser: - return(SECFailure); + return (SECFailure); } - /* * Extract the subject name from a DER certificate */ @@ -246,129 +215,122 @@ CERT_NameFromDERCert(SECItem *derCert, SECItem *derName) PLArenaPool *arena; CERTSignedData sd; void *tmpptr; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( ! arena ) { - return(SECFailure); + + if (!arena) { + return (SECFailure); } - + PORT_Memset(&sd, 0, sizeof(CERTSignedData)); rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); - - if ( rv ) { - goto loser; + + if (rv) { + goto loser; } - + PORT_Memset(derName, 0, sizeof(SECItem)); - rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data); + rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, + &sd.data); - if ( rv ) { - goto loser; + if (rv) { + goto loser; } tmpptr = derName->data; - derName->data = (unsigned char*)PORT_Alloc(derName->len); - if ( derName->data == NULL ) { - goto loser; + derName->data = (unsigned char *)PORT_Alloc(derName->len); + if (derName->data == NULL) { + goto loser; } - + PORT_Memcpy(derName->data, tmpptr, derName->len); - + PORT_FreeArena(arena, PR_FALSE); - return(SECSuccess); + return (SECSuccess); loser: PORT_FreeArena(arena, PR_FALSE); - return(SECFailure); + return (SECFailure); } SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName) { int rv; - PLArenaPool *arena; + PORTCheapArenaPool tmpArena; CERTSignedData sd; void *tmpptr; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( ! arena ) { - return(SECFailure); - } - + + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); + PORT_Memset(&sd, 0, sizeof(CERTSignedData)); - rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); - - if ( rv ) { - goto loser; + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &sd, CERT_SignedDataTemplate, + derCert); + if (rv) { + goto loser; } - - PORT_Memset(derName, 0, sizeof(SECItem)); - rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data); - if ( rv ) { - goto loser; + PORT_Memset(derName, 0, sizeof(SECItem)); + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, derName, + SEC_CertIssuerTemplate, &sd.data); + if (rv) { + goto loser; } tmpptr = derName->data; - derName->data = (unsigned char*)PORT_Alloc(derName->len); - if ( derName->data == NULL ) { - goto loser; + derName->data = (unsigned char *)PORT_Alloc(derName->len); + if (derName->data == NULL) { + goto loser; } - + PORT_Memcpy(derName->data, tmpptr, derName->len); - - PORT_FreeArena(arena, PR_FALSE); - return(SECSuccess); + + PORT_DestroyCheapArena(&tmpArena); + return (SECSuccess); loser: - PORT_FreeArena(arena, PR_FALSE); - return(SECFailure); + PORT_DestroyCheapArena(&tmpArena); + return (SECFailure); } SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName) { int rv; - PLArenaPool *arena; + PORTCheapArenaPool tmpArena; CERTSignedData sd; void *tmpptr; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( ! arena ) { - return(SECFailure); - } - + + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); + PORT_Memset(&sd, 0, sizeof(CERTSignedData)); - rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert); - - if ( rv ) { - goto loser; + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &sd, CERT_SignedDataTemplate, + derCert); + if (rv) { + goto loser; } - - PORT_Memset(derName, 0, sizeof(SECItem)); - rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data); - if ( rv ) { - goto loser; + PORT_Memset(derName, 0, sizeof(SECItem)); + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, derName, + SEC_CertSerialNumberTemplate, &sd.data); + if (rv) { + goto loser; } tmpptr = derName->data; - derName->data = (unsigned char*)PORT_Alloc(derName->len); - if ( derName->data == NULL ) { - goto loser; + derName->data = (unsigned char *)PORT_Alloc(derName->len); + if (derName->data == NULL) { + goto loser; } - + PORT_Memcpy(derName->data, tmpptr, derName->len); - - PORT_FreeArena(arena, PR_FALSE); - return(SECSuccess); + + PORT_DestroyCheapArena(&tmpArena); + return (SECSuccess); loser: - PORT_FreeArena(arena, PR_FALSE); - return(SECFailure); + PORT_DestroyCheapArena(&tmpArena); + return (SECFailure); } /* @@ -388,25 +350,25 @@ CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert, SECItem *key) } PORT_Memset(&sd, 0, sizeof(CERTSignedData)); - rv = SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate, - derCert); - - if ( rv ) { - goto loser; + rv = + SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate, derCert); + + if (rv) { + goto loser; } - + PORT_Memset(&certkey, 0, sizeof(CERTCertKey)); rv = SEC_QuickDERDecodeItem(reqArena, &certkey, CERT_CertKeyTemplate, &sd.data); - if ( rv ) { - goto loser; + if (rv) { + goto loser; } - return(CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer, - &certkey.serialNumber, key)); + return (CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer, + &certkey.serialNumber, key)); loser: - return(SECFailure); + return (SECFailure); } /* @@ -418,32 +380,30 @@ GetKeyUsage(CERTCertificate *cert) { SECStatus rv; SECItem tmpitem; - + rv = CERT_FindKeyUsageExtension(cert, &tmpitem); - if ( rv == SECSuccess ) { - /* remember the actual value of the extension */ - cert->rawKeyUsage = tmpitem.data[0]; - cert->keyUsagePresent = PR_TRUE; - cert->keyUsage = tmpitem.data[0]; - - PORT_Free(tmpitem.data); - tmpitem.data = NULL; - + if (rv == SECSuccess) { + /* remember the actual value of the extension */ + cert->rawKeyUsage = tmpitem.data[0]; + cert->keyUsagePresent = PR_TRUE; + cert->keyUsage = tmpitem.data[0]; + + PORT_Free(tmpitem.data); + tmpitem.data = NULL; } else { - /* if the extension is not present, then we allow all uses */ - cert->keyUsage = KU_ALL; - cert->rawKeyUsage = KU_ALL; - cert->keyUsagePresent = PR_FALSE; + /* if the extension is not present, then we allow all uses */ + cert->keyUsage = KU_ALL; + cert->rawKeyUsage = KU_ALL; + cert->keyUsagePresent = PR_FALSE; } - if ( CERT_GovtApprovedBitSet(cert) ) { - cert->keyUsage |= KU_NS_GOVT_APPROVED; - cert->rawKeyUsage |= KU_NS_GOVT_APPROVED; + if (CERT_GovtApprovedBitSet(cert)) { + cert->keyUsage |= KU_NS_GOVT_APPROVED; + cert->rawKeyUsage |= KU_NS_GOVT_APPROVED; } - - return(SECSuccess); -} + return (SECSuccess); +} static SECStatus findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum) @@ -451,17 +411,17 @@ findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum) SECItem **oids; SECItem *oid; SECStatus rv = SECFailure; - + if (seq != NULL) { - oids = seq->oids; - while (oids != NULL && *oids != NULL) { - oid = *oids; - if (SECOID_FindOIDTag(oid) == tagnum) { - rv = SECSuccess; - break; - } - oids++; - } + oids = seq->oids; + while (oids != NULL && *oids != NULL) { + oid = *oids; + if (SECOID_FindOIDTag(oid) == tagnum) { + rv = SECSuccess; + break; + } + oids++; + } } return rv; } @@ -500,132 +460,121 @@ cert_ComputeCertType(CERTCertificate *cert) tmpitem.data = NULL; CERT_FindNSCertTypeExtension(cert, &tmpitem); encodedExtKeyUsage.data = NULL; - rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, - &encodedExtKeyUsage); + rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, + &encodedExtKeyUsage); if (rv == SECSuccess) { - extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage); + extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage); } rv = CERT_FindBasicConstraintExten(cert, &basicConstraint); if (rv == SECSuccess) { - basicConstraintPresent = PR_TRUE; + basicConstraintPresent = PR_TRUE; } if (tmpitem.data != NULL || extKeyUsage != NULL) { - if (tmpitem.data == NULL) { - nsCertType = 0; - } else { - nsCertType = tmpitem.data[0]; - } - - /* free tmpitem data pointer to avoid memory leak */ - PORT_Free(tmpitem.data); - tmpitem.data = NULL; - - /* - * for this release, we will allow SSL certs with an email address - * to be used for email - */ - if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) && - cert->emailAddr && cert->emailAddr[0]) { - nsCertType |= NS_CERT_TYPE_EMAIL; - } - /* - * for this release, we will allow SSL intermediate CAs to be - * email intermediate CAs too. - */ - if ( nsCertType & NS_CERT_TYPE_SSL_CA ) { - nsCertType |= NS_CERT_TYPE_EMAIL_CA; - } - /* - * allow a cert with the extended key usage of EMail Protect - * to be used for email or as an email CA, if basic constraints - * indicates that it is a CA. - */ - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) == - SECSuccess) { - if (basicConstraintPresent == PR_TRUE && - (basicConstraint.isCA)) { - nsCertType |= NS_CERT_TYPE_EMAIL_CA; - } else { - nsCertType |= NS_CERT_TYPE_EMAIL; - } - } - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == - SECSuccess){ - if (basicConstraintPresent == PR_TRUE && - (basicConstraint.isCA)) { - nsCertType |= NS_CERT_TYPE_SSL_CA; - } else { - nsCertType |= NS_CERT_TYPE_SSL_SERVER; - } - } - /* - * Treat certs with step-up OID as also having SSL server type. - * COMODO needs this behaviour until June 2020. See Bug 737802. - */ - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) == - SECSuccess){ - if (basicConstraintPresent == PR_TRUE && - (basicConstraint.isCA)) { - nsCertType |= NS_CERT_TYPE_SSL_CA; - } else { - nsCertType |= NS_CERT_TYPE_SSL_SERVER; - } - } - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == - SECSuccess){ - if (basicConstraintPresent == PR_TRUE && - (basicConstraint.isCA)) { - nsCertType |= NS_CERT_TYPE_SSL_CA; - } else { - nsCertType |= NS_CERT_TYPE_SSL_CLIENT; - } - } - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == - SECSuccess) { - if (basicConstraintPresent == PR_TRUE && - (basicConstraint.isCA)) { - nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; - } else { - nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING; - } - } - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == - SECSuccess) { - nsCertType |= EXT_KEY_USAGE_TIME_STAMP; - } - if (findOIDinOIDSeqByTagNum(extKeyUsage, - SEC_OID_OCSP_RESPONDER) == - SECSuccess) { - nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; - } + if (tmpitem.data == NULL) { + nsCertType = 0; + } else { + nsCertType = tmpitem.data[0]; + } + + /* free tmpitem data pointer to avoid memory leak */ + PORT_Free(tmpitem.data); + tmpitem.data = NULL; + + /* + * for this release, we will allow SSL certs with an email address + * to be used for email + */ + if ((nsCertType & NS_CERT_TYPE_SSL_CLIENT) && cert->emailAddr && + cert->emailAddr[0]) { + nsCertType |= NS_CERT_TYPE_EMAIL; + } + /* + * for this release, we will allow SSL intermediate CAs to be + * email intermediate CAs too. + */ + if (nsCertType & NS_CERT_TYPE_SSL_CA) { + nsCertType |= NS_CERT_TYPE_EMAIL_CA; + } + /* + * allow a cert with the extended key usage of EMail Protect + * to be used for email or as an email CA, if basic constraints + * indicates that it is a CA. + */ + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) == + SECSuccess) { + if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_EMAIL_CA; + } else { + nsCertType |= NS_CERT_TYPE_EMAIL; + } + } + if (findOIDinOIDSeqByTagNum( + extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) { + if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_SSL_CA; + } else { + nsCertType |= NS_CERT_TYPE_SSL_SERVER; + } + } + /* + * Treat certs with step-up OID as also having SSL server type. + * COMODO needs this behaviour until June 2020. See Bug 737802. + */ + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) == + SECSuccess) { + if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_SSL_CA; + } else { + nsCertType |= NS_CERT_TYPE_SSL_SERVER; + } + } + if (findOIDinOIDSeqByTagNum( + extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) { + if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_SSL_CA; + } else { + nsCertType |= NS_CERT_TYPE_SSL_CLIENT; + } + } + if (findOIDinOIDSeqByTagNum( + extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) { + if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; + } else { + nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING; + } + } + if (findOIDinOIDSeqByTagNum( + extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) { + nsCertType |= EXT_KEY_USAGE_TIME_STAMP; + } + if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_OCSP_RESPONDER) == + SECSuccess) { + nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; + } } else { - /* If no NS Cert Type extension and no EKU extension, then */ - nsCertType = 0; - if (CERT_IsCACert(cert, &nsCertType)) - nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; - /* if the basic constraint extension says the cert is a CA, then - allow SSL CA and EMAIL CA and Status Responder */ - if (basicConstraintPresent && basicConstraint.isCA ) { - nsCertType |= (NS_CERT_TYPE_SSL_CA | - NS_CERT_TYPE_EMAIL_CA | - EXT_KEY_USAGE_STATUS_RESPONDER); - } - /* allow any ssl or email (no ca or object signing. */ - nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | - NS_CERT_TYPE_EMAIL; + /* If no NS Cert Type extension and no EKU extension, then */ + nsCertType = 0; + if (CERT_IsCACert(cert, &nsCertType)) + nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER; + /* if the basic constraint extension says the cert is a CA, then + allow SSL CA and EMAIL CA and Status Responder */ + if (basicConstraintPresent && basicConstraint.isCA) { + nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | + EXT_KEY_USAGE_STATUS_RESPONDER); + } + /* allow any ssl or email (no ca or object signing. */ + nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | + NS_CERT_TYPE_EMAIL; } if (encodedExtKeyUsage.data != NULL) { - PORT_Free(encodedExtKeyUsage.data); + PORT_Free(encodedExtKeyUsage.data); } if (extKeyUsage != NULL) { - CERT_DestroyOidSequence(extKeyUsage); + CERT_DestroyOidSequence(extKeyUsage); } return nsCertType; } @@ -638,44 +587,44 @@ cert_GetKeyID(CERTCertificate *cert) { SECItem tmpitem; SECStatus rv; - + cert->subjectKeyID.len = 0; /* see of the cert has a key identifier extension */ rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem); - if ( rv == SECSuccess ) { - cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len); - if ( cert->subjectKeyID.data != NULL ) { - PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len); - cert->subjectKeyID.len = tmpitem.len; - cert->keyIDGenerated = PR_FALSE; - } - - PORT_Free(tmpitem.data); - } - - /* if the cert doesn't have a key identifier extension, then generate one*/ - if ( cert->subjectKeyID.len == 0 ) { - /* - * pkix says that if the subjectKeyID is not present, then we should - * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert - */ - cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH); - if ( cert->subjectKeyID.data != NULL ) { - rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data, - cert->derPublicKey.data, - cert->derPublicKey.len); - if ( rv == SECSuccess ) { - cert->subjectKeyID.len = SHA1_LENGTH; - } - } + if (rv == SECSuccess) { + cert->subjectKeyID.data = + (unsigned char *)PORT_ArenaAlloc(cert->arena, tmpitem.len); + if (cert->subjectKeyID.data != NULL) { + PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len); + cert->subjectKeyID.len = tmpitem.len; + cert->keyIDGenerated = PR_FALSE; + } + + PORT_Free(tmpitem.data); } - if ( cert->subjectKeyID.len == 0 ) { - return(SECFailure); + /* if the cert doesn't have a key identifier extension, then generate one*/ + if (cert->subjectKeyID.len == 0) { + /* + * pkix says that if the subjectKeyID is not present, then we should + * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert + */ + cert->subjectKeyID.data = + (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH); + if (cert->subjectKeyID.data != NULL) { + rv = PK11_HashBuf(SEC_OID_SHA1, cert->subjectKeyID.data, + cert->derPublicKey.data, cert->derPublicKey.len); + if (rv == SECSuccess) { + cert->subjectKeyID.len = SHA1_LENGTH; + } + } } - return(SECSuccess); + if (cert->subjectKeyID.len == 0) { + return (SECFailure); + } + return (SECSuccess); } static PRBool @@ -689,48 +638,48 @@ cert_IsRootCert(CERTCertificate *cert) /* it MUST be self-issued to be a root */ if (cert->derIssuer.len == 0 || - !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject)) - { - return PR_FALSE; + !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject)) { + return PR_FALSE; } /* check the authKeyID extension */ if (cert->authKeyID) { - /* authority key identifier is present */ - if (cert->authKeyID->keyID.len > 0) { - /* the keyIdentifier field is set, look for subjectKeyID */ - rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem); - if (rv == SECSuccess) { - PRBool match; - /* also present, they MUST match for it to be a root */ - match = SECITEM_ItemsAreEqual(&cert->authKeyID->keyID, - &tmpitem); - PORT_Free(tmpitem.data); - if (!match) return PR_FALSE; /* else fall through */ - } else { - /* the subject key ID is required when AKI is present */ - return PR_FALSE; - } - } - if (cert->authKeyID->authCertIssuer) { - SECItem *caName; - caName = (SECItem *)CERT_GetGeneralNameByType( - cert->authKeyID->authCertIssuer, - certDirectoryName, PR_TRUE); - if (caName) { - if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) { - return PR_FALSE; - } /* else fall through */ - } /* else ??? could not get general name as directory name? */ - } - if (cert->authKeyID->authCertSerialNumber.len > 0) { - if (!SECITEM_ItemsAreEqual(&cert->serialNumber, - &cert->authKeyID->authCertSerialNumber)) { - return PR_FALSE; - } /* else fall through */ - } - /* all of the AKI fields that were present passed the test */ - return PR_TRUE; + /* authority key identifier is present */ + if (cert->authKeyID->keyID.len > 0) { + /* the keyIdentifier field is set, look for subjectKeyID */ + rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem); + if (rv == SECSuccess) { + PRBool match; + /* also present, they MUST match for it to be a root */ + match = + SECITEM_ItemsAreEqual(&cert->authKeyID->keyID, &tmpitem); + PORT_Free(tmpitem.data); + if (!match) + return PR_FALSE; /* else fall through */ + } else { + /* the subject key ID is required when AKI is present */ + return PR_FALSE; + } + } + if (cert->authKeyID->authCertIssuer) { + SECItem *caName; + caName = (SECItem *)CERT_GetGeneralNameByType( + cert->authKeyID->authCertIssuer, certDirectoryName, PR_TRUE); + if (caName) { + if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) { + return PR_FALSE; + } /* else fall through */ + } /* else ??? could not get general name as directory name? */ + } + if (cert->authKeyID->authCertSerialNumber.len > 0) { + if (!SECITEM_ItemsAreEqual( + &cert->serialNumber, + &cert->authKeyID->authCertSerialNumber)) { + return PR_FALSE; + } /* else fall through */ + } + /* all of the AKI fields that were present passed the test */ + return PR_TRUE; } /* else the AKI was not present, so this is a root */ return PR_TRUE; @@ -741,7 +690,7 @@ cert_IsRootCert(CERTCertificate *cert) */ CERTCertificate * CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, - char *nickname) + char *nickname) { CERTCertificate *cert; PLArenaPool *arena; @@ -749,83 +698,83 @@ CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, int rv; int len; char *tmpname; - + /* make a new arena */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - return 0; + + if (!arena) { + return 0; } /* allocate the certificate structure */ cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate)); - - if ( !cert ) { - goto loser; + + if (!cert) { + goto loser; } - + cert->arena = arena; - - if ( copyDER ) { - /* copy the DER data for the cert into this arena */ - data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len); - if ( !data ) { - goto loser; - } - cert->derCert.data = (unsigned char *)data; - cert->derCert.len = derSignedCert->len; - PORT_Memcpy(data, derSignedCert->data, derSignedCert->len); + + if (copyDER) { + /* copy the DER data for the cert into this arena */ + data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len); + if (!data) { + goto loser; + } + cert->derCert.data = (unsigned char *)data; + cert->derCert.len = derSignedCert->len; + PORT_Memcpy(data, derSignedCert->data, derSignedCert->len); } else { - /* point to passed in DER data */ - cert->derCert = *derSignedCert; + /* point to passed in DER data */ + cert->derCert = *derSignedCert; } /* decode the certificate info */ rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate, - &cert->derCert); + &cert->derCert); - if ( rv ) { - goto loser; + if (rv) { + goto loser; } - if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) { + if (cert_HasUnknownCriticalExten(cert->extensions) == PR_TRUE) { cert->options.bits.hasUnsupportedCriticalExt = PR_TRUE; } /* generate and save the database key for the cert */ rv = CERT_KeyFromIssuerAndSN(arena, &cert->derIssuer, &cert->serialNumber, - &cert->certKey); - if ( rv ) { - goto loser; + &cert->certKey); + if (rv) { + goto loser; } /* set the nickname */ - if ( nickname == NULL ) { - cert->nickname = NULL; + if (nickname == NULL) { + cert->nickname = NULL; } else { - /* copy and install the nickname */ - len = PORT_Strlen(nickname) + 1; - cert->nickname = (char*)PORT_ArenaAlloc(arena, len); - if ( cert->nickname == NULL ) { - goto loser; - } + /* copy and install the nickname */ + len = PORT_Strlen(nickname) + 1; + cert->nickname = (char *)PORT_ArenaAlloc(arena, len); + if (cert->nickname == NULL) { + goto loser; + } - PORT_Memcpy(cert->nickname, nickname, len); + PORT_Memcpy(cert->nickname, nickname, len); } /* set the email address */ cert->emailAddr = cert_GetCertificateEmailAddresses(cert); - + /* initialize the subjectKeyID */ rv = cert_GetKeyID(cert); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } /* initialize keyUsage */ rv = GetKeyUsage(cert); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } /* determine if this is a root cert */ @@ -833,46 +782,45 @@ CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, /* initialize the certType */ rv = cert_GetCertType(cert); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } tmpname = CERT_NameToAscii(&cert->subject); - if ( tmpname != NULL ) { - cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname); - PORT_Free(tmpname); + if (tmpname != NULL) { + cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname); + PORT_Free(tmpname); } - + tmpname = CERT_NameToAscii(&cert->issuer); - if ( tmpname != NULL ) { - cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname); - PORT_Free(tmpname); + if (tmpname != NULL) { + cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname); + PORT_Free(tmpname); } - + cert->referenceCount = 1; cert->slot = NULL; cert->pkcs11ID = CK_INVALID_HANDLE; cert->dbnickname = NULL; - - return(cert); - + + return (cert); + loser: - if ( arena ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); } - - return(0); + + return (0); } CERTCertificate * __CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, - char *nickname) + char *nickname) { return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname); } - CERTValidity * CERT_CreateValidity(PRTime notBefore, PRTime notAfter) { @@ -881,26 +829,28 @@ CERT_CreateValidity(PRTime notBefore, PRTime notAfter) PLArenaPool *arena; if (notBefore > notAfter) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - return(0); + + if (!arena) { + return (0); } - - v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity)); + + v = (CERTValidity *)PORT_ArenaZAlloc(arena, sizeof(CERTValidity)); if (v) { - v->arena = arena; - rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore); - if (rv) goto loser; - rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter); - if (rv) goto loser; + v->arena = arena; + rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore); + if (rv) + goto loser; + rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter); + if (rv) + goto loser; } return v; - loser: +loser: CERT_DestroyValidity(v); return 0; } @@ -912,9 +862,10 @@ CERT_CopyValidity(PLArenaPool *arena, CERTValidity *to, CERTValidity *from) CERT_DestroyValidity(to); to->arena = arena; - + rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore); - if (rv) return rv; + if (rv) + return rv; rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter); return rv; } @@ -923,7 +874,7 @@ void CERT_DestroyValidity(CERTValidity *v) { if (v && v->arena) { - PORT_FreeArena(v->arena, PR_FALSE); + PORT_FreeArena(v->arena, PR_FALSE); } return; } @@ -934,20 +885,19 @@ CERT_DestroyValidity(CERTValidity *v) ** valid. The slop is designed to allow for some variance in the clocks ** of the machine checking the certificate. */ -#define PENDING_SLOP (24L*60L*60L) /* seconds per day */ -static PRInt32 pendingSlop = PENDING_SLOP; /* seconds */ +#define PENDING_SLOP (24L * 60L * 60L) /* seconds per day */ +static PRInt32 pendingSlop = PENDING_SLOP; /* seconds */ PRInt32 CERT_GetSlopTime(void) { - return pendingSlop; /* seconds */ + return pendingSlop; /* seconds */ } -SECStatus -CERT_SetSlopTime(PRInt32 slop) /* seconds */ +SECStatus CERT_SetSlopTime(PRInt32 slop) /* seconds */ { if (slop < 0) - return SECFailure; + return SECFailure; pendingSlop = slop; return SECSuccess; } @@ -961,20 +911,20 @@ CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore, PRTime *notAfter) PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - + /* convert DER not-before time */ rv = DER_DecodeTimeChoice(notBefore, &c->validity.notBefore); if (rv) { - return(SECFailure); + return (SECFailure); } - + /* convert DER not-after time */ rv = DER_DecodeTimeChoice(notAfter, &c->validity.notAfter); if (rv) { - return(SECFailure); + return (SECFailure); } - return(SECSuccess); + return (SECSuccess); } /* @@ -989,77 +939,77 @@ CERT_CheckCertValidTimes(const CERTCertificate *c, PRTime t, if (!c) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - return(secCertTimeUndetermined); + return (secCertTimeUndetermined); } /* if cert is already marked OK, then don't bother to check */ - if ( allowOverride && c->timeOK ) { - return(secCertTimeValid); + if (allowOverride && c->timeOK) { + return (secCertTimeValid); } rv = CERT_GetCertTimes(c, ¬Before, ¬After); - + if (rv) { - return(secCertTimeExpired); /*XXX is this the right thing to do here?*/ + return (secCertTimeExpired); /*XXX is this the right thing to do here?*/ } - + LL_I2L(llPendingSlop, pendingSlop); /* convert to micro seconds */ LL_UI2L(tmp1, PR_USEC_PER_SEC); LL_MUL(llPendingSlop, llPendingSlop, tmp1); LL_SUB(notBefore, notBefore, llPendingSlop); - if ( LL_CMP( t, <, notBefore ) ) { - PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); - return(secCertTimeNotValidYet); + if (LL_CMP(t, <, notBefore)) { + PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); + return (secCertTimeNotValidYet); } - if ( LL_CMP( t, >, notAfter) ) { - PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); - return(secCertTimeExpired); + if (LL_CMP(t, >, notAfter)) { + PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); + return (secCertTimeExpired); } - return(secCertTimeValid); + return (secCertTimeValid); } SECStatus SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter) { int rv; - + /* convert DER not-before time */ rv = DER_DecodeTimeChoice(notBefore, &date->lastUpdate); if (rv) { - return(SECFailure); + return (SECFailure); } - + /* convert DER not-after time */ if (date->nextUpdate.data) { - rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate); - if (rv) { - return(SECFailure); - } - } - else { - LL_I2L(*notAfter, 0L); + rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate); + if (rv) { + return (SECFailure); + } + } else { + LL_I2L(*notAfter, 0L); } - return(SECSuccess); + return (SECSuccess); } /* These routines should probably be combined with the cert * routines using an common extraction routine. */ SECCertTimeValidity -SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) { +SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) +{ PRTime notBefore, notAfter, llPendingSlop, tmp1; SECStatus rv; if (!crl) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - return(secCertTimeUndetermined); + return (secCertTimeUndetermined); } rv = SEC_GetCrlTimes(crl, ¬Before, ¬After); - + if (rv) { - return(secCertTimeExpired); + return (secCertTimeExpired); } LL_I2L(llPendingSlop, pendingSlop); @@ -1067,155 +1017,157 @@ SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) { LL_I2L(tmp1, PR_USEC_PER_SEC); LL_MUL(llPendingSlop, llPendingSlop, tmp1); LL_SUB(notBefore, notBefore, llPendingSlop); - if ( LL_CMP( t, <, notBefore ) ) { - PORT_SetError(SEC_ERROR_CRL_EXPIRED); - return(secCertTimeNotValidYet); + if (LL_CMP(t, <, notBefore)) { + PORT_SetError(SEC_ERROR_CRL_EXPIRED); + return (secCertTimeNotValidYet); } /* If next update is omitted and the test for notBefore passes, then we assume that the crl is up to date. */ - if ( LL_IS_ZERO(notAfter) ) { - return(secCertTimeValid); + if (LL_IS_ZERO(notAfter)) { + return (secCertTimeValid); } - if ( LL_CMP( t, >, notAfter) ) { - PORT_SetError(SEC_ERROR_CRL_EXPIRED); - return(secCertTimeExpired); + if (LL_CMP(t, >, notAfter)) { + PORT_SetError(SEC_ERROR_CRL_EXPIRED); + return (secCertTimeExpired); } - return(secCertTimeValid); + return (secCertTimeValid); } PRBool -SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) { +SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) +{ PRTime newNotBefore, newNotAfter; PRTime oldNotBefore, oldNotAfter; SECStatus rv; /* problems with the new CRL? reject it */ rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter); - if (rv) return PR_FALSE; + if (rv) + return PR_FALSE; /* problems with the old CRL? replace it */ rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter); - if (rv) return PR_TRUE; + if (rv) + return PR_TRUE; /* Question: what about the notAfter's? */ return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore)); } - + /* - * return required key usage and cert type based on cert usage + * return required key usage and cert type based on cert usage */ SECStatus -CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, - PRBool ca, - unsigned int *retKeyUsage, - unsigned int *retCertType) +CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca, + unsigned int *retKeyUsage, + unsigned int *retCertType) { unsigned int requiredKeyUsage = 0; unsigned int requiredCertType = 0; - - if ( ca ) { - switch ( usage ) { - case certUsageSSLServerWithStepUp: - requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_SSL_CA; - break; - case certUsageSSLClient: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_SSL_CA; - break; - case certUsageSSLServer: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_SSL_CA; - break; - case certUsageSSLCA: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_SSL_CA; - break; - case certUsageEmailSigner: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_EMAIL_CA; - break; - case certUsageEmailRecipient: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_EMAIL_CA; - break; - case certUsageObjectSigner: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA; - break; - case certUsageAnyCA: - case certUsageVerifyCA: - case certUsageStatusResponder: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA | - NS_CERT_TYPE_EMAIL_CA | - NS_CERT_TYPE_SSL_CA; - break; - default: - PORT_Assert(0); - goto loser; - } + + if (ca) { + switch (usage) { + case certUsageSSLServerWithStepUp: + requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; + case certUsageSSLClient: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; + case certUsageSSLServer: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; + case certUsageSSLCA: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; + case certUsageEmailSigner: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_EMAIL_CA; + break; + case certUsageEmailRecipient: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_EMAIL_CA; + break; + case certUsageObjectSigner: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA; + break; + case certUsageAnyCA: + case certUsageVerifyCA: + case certUsageStatusResponder: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA | + NS_CERT_TYPE_EMAIL_CA | NS_CERT_TYPE_SSL_CA; + break; + default: + PORT_Assert(0); + goto loser; + } } else { - switch ( usage ) { - case certUsageSSLClient: - /* - * RFC 5280 lists digitalSignature and keyAgreement for - * id-kp-clientAuth. NSS does not support the *_fixed_dh and - * *_fixed_ecdh client certificate types. - */ - requiredKeyUsage = KU_DIGITAL_SIGNATURE; - requiredCertType = NS_CERT_TYPE_SSL_CLIENT; - break; - case certUsageSSLServer: - requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; - requiredCertType = NS_CERT_TYPE_SSL_SERVER; - break; - case certUsageSSLServerWithStepUp: - requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT | - KU_NS_GOVT_APPROVED; - requiredCertType = NS_CERT_TYPE_SSL_SERVER; - break; - case certUsageSSLCA: - requiredKeyUsage = KU_KEY_CERT_SIGN; - requiredCertType = NS_CERT_TYPE_SSL_CA; - break; - case certUsageEmailSigner: - requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; - requiredCertType = NS_CERT_TYPE_EMAIL; - break; - case certUsageEmailRecipient: - requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; - requiredCertType = NS_CERT_TYPE_EMAIL; - break; - case certUsageObjectSigner: - /* RFC 5280 lists only digitalSignature for id-kp-codeSigning. */ - requiredKeyUsage = KU_DIGITAL_SIGNATURE; - requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING; - break; - case certUsageStatusResponder: - requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; - requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER; - break; - default: - PORT_Assert(0); - goto loser; - } - } - - if ( retKeyUsage != NULL ) { - *retKeyUsage = requiredKeyUsage; - } - if ( retCertType != NULL ) { - *retCertType = requiredCertType; - } - - return(SECSuccess); + switch (usage) { + case certUsageSSLClient: + /* + * RFC 5280 lists digitalSignature and keyAgreement for + * id-kp-clientAuth. NSS does not support the *_fixed_dh and + * *_fixed_ecdh client certificate types. + */ + requiredKeyUsage = KU_DIGITAL_SIGNATURE; + requiredCertType = NS_CERT_TYPE_SSL_CLIENT; + break; + case certUsageSSLServer: + requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; + requiredCertType = NS_CERT_TYPE_SSL_SERVER; + break; + case certUsageSSLServerWithStepUp: + requiredKeyUsage = + KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED; + requiredCertType = NS_CERT_TYPE_SSL_SERVER; + break; + case certUsageSSLCA: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; + case certUsageEmailSigner: + requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; + requiredCertType = NS_CERT_TYPE_EMAIL; + break; + case certUsageEmailRecipient: + requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; + requiredCertType = NS_CERT_TYPE_EMAIL; + break; + case certUsageObjectSigner: + /* RFC 5280 lists only digitalSignature for id-kp-codeSigning. + */ + requiredKeyUsage = KU_DIGITAL_SIGNATURE; + requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING; + break; + case certUsageStatusResponder: + requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; + requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER; + break; + default: + PORT_Assert(0); + goto loser; + } + } + + if (retKeyUsage != NULL) { + *retKeyUsage = requiredKeyUsage; + } + if (retCertType != NULL) { + *retCertType = requiredCertType; + } + + return (SECSuccess); loser: - return(SECFailure); + return (SECFailure); } /* @@ -1226,60 +1178,60 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage) { if (!cert) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + return SECFailure; } /* choose between key agreement or key encipherment based on key * type in cert */ - if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) { - KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo); - /* turn off the special bit */ - requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT); - - switch (keyType) { - case rsaKey: - requiredUsage |= KU_KEY_ENCIPHERMENT; - break; - case dsaKey: - requiredUsage |= KU_DIGITAL_SIGNATURE; - break; - case dhKey: - requiredUsage |= KU_KEY_AGREEMENT; - break; - case ecKey: - /* Accept either signature or agreement. */ - if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))) - goto loser; - break; - default: - goto loser; - } + if (requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT) { + KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo); + /* turn off the special bit */ + requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT); + + switch (keyType) { + case rsaKey: + requiredUsage |= KU_KEY_ENCIPHERMENT; + break; + case dsaKey: + requiredUsage |= KU_DIGITAL_SIGNATURE; + break; + case dhKey: + requiredUsage |= KU_KEY_AGREEMENT; + break; + case ecKey: + /* Accept either signature or agreement. */ + if (!(cert->keyUsage & + (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))) + goto loser; + break; + default: + goto loser; + } } /* Allow either digital signature or non-repudiation */ - if ( requiredUsage & KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION ) { - /* turn off the special bit */ - requiredUsage &= (~KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION); + if (requiredUsage & KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION) { + /* turn off the special bit */ + requiredUsage &= (~KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION); if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))) - goto loser; - } - - if ( (cert->keyUsage & requiredUsage) == requiredUsage ) - return SECSuccess; + goto loser; + } + + if ((cert->keyUsage & requiredUsage) == requiredUsage) + return SECSuccess; loser: PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); return SECFailure; } - CERTCertificate * CERT_DupCertificate(CERTCertificate *c) { if (c) { - NSSCertificate *tmp = STAN_GetNSSCertificate(c); - nssCertificate_AddRef(tmp); + NSSCertificate *tmp = STAN_GetNSSCertificate(c); + nssCertificate_AddRef(tmp); } return c; } @@ -1294,37 +1246,37 @@ void CERT_SetDefaultCertDB(CERTCertDBHandle *handle) { default_cert_db_handle = handle; - + return; } CERTCertDBHandle * CERT_GetDefaultCertDB(void) { - return(default_cert_db_handle); + return (default_cert_db_handle); } /* XXX this would probably be okay/better as an xp routine? */ static void sec_lower_string(char *s) { - if ( s == NULL ) { - return; + if (s == NULL) { + return; } - - while ( *s ) { - *s = PORT_Tolower(*s); - s++; + + while (*s) { + *s = PORT_Tolower(*s); + s++; } - + return; } static PRBool cert_IsIPAddr(const char *hn) { - PRBool isIPaddr = PR_FALSE; - PRNetAddr netAddr; + PRBool isIPaddr = PR_FALSE; + PRNetAddr netAddr; isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); return isIPaddr; } @@ -1337,18 +1289,22 @@ SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hn) { CERTOKDomainName *domainOK; - int newNameLen; + int newNameLen; if (!hn || !(newNameLen = strlen(hn))) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, sizeof(*domainOK)); + if (!domainOK) { + return SECFailure; /* error code is already set. */ + } + domainOK->name = (char *)PORT_ArenaZAlloc(cert->arena, newNameLen + 1); + if (!domainOK->name) { + return SECFailure; /* error code is already set. */ } - domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, - (sizeof *domainOK) + newNameLen); - if (!domainOK) - return SECFailure; /* error code is already set. */ - PORT_Strcpy(domainOK->name, hn); + PORT_Strncpy(domainOK->name, hn, newNameLen + 1); sec_lower_string(domainOK->name); /* put at head of list. */ @@ -1364,177 +1320,179 @@ CERT_AddOKDomainName(CERTCertificate *cert, const char *hn) ** This function may modify string cn, so caller must pass a modifiable copy. */ static SECStatus -cert_TestHostName(char * cn, const char * hn) +cert_TestHostName(char *cn, const char *hn) { static int useShellExp = -1; if (useShellExp < 0) { - useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME")); + useShellExp = (NULL != PR_GetEnvSecure("NSS_USE_SHEXP_IN_CERT_NAME")); } if (useShellExp) { - /* Backward compatible code, uses Shell Expressions (SHEXP). */ - int regvalid = PORT_RegExpValid(cn); - if (regvalid != NON_SXP) { - SECStatus rv; - /* cn is a regular expression, try to match the shexp */ - int match = PORT_RegExpCaseSearch(hn, cn); - - if ( match == 0 ) { - rv = SECSuccess; - } else { - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); - rv = SECFailure; - } - return rv; - } + /* Backward compatible code, uses Shell Expressions (SHEXP). */ + int regvalid = PORT_RegExpValid(cn); + if (regvalid != NON_SXP) { + SECStatus rv; + /* cn is a regular expression, try to match the shexp */ + int match = PORT_RegExpCaseSearch(hn, cn); + + if (match == 0) { + rv = SECSuccess; + } else { + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); + rv = SECFailure; + } + return rv; + } } else { - /* New approach conforms to RFC 6125. */ - char *wildcard = PORT_Strchr(cn, '*'); - char *firstcndot = PORT_Strchr(cn, '.'); - char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; - char *firsthndot = PORT_Strchr(hn, '.'); - - /* For a cn pattern to be considered valid, the wildcard character... - * - may occur only in a DNS name with at least 3 components, and - * - may occur only as last character in the first component, and - * - may be preceded by additional characters, and - * - must not be preceded by an IDNA ACE prefix (xn--) - */ - if (wildcard && secondcndot && secondcndot[1] && firsthndot - && firstcndot - wildcard == 1 /* wildcard is last char in first component */ - && secondcndot - firstcndot > 1 /* second component is non-empty */ - && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ - && !PORT_Strncasecmp(cn, hn, wildcard - cn) - && !PORT_Strcasecmp(firstcndot, firsthndot) - /* If hn starts with xn--, then cn must start with wildcard */ - && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { - /* valid wildcard pattern match */ - return SECSuccess; - } - } - /* String cn has no wildcard or shell expression. - * Compare entire string hn with cert name. + /* New approach conforms to RFC 6125. */ + char *wildcard = PORT_Strchr(cn, '*'); + char *firstcndot = PORT_Strchr(cn, '.'); + char *secondcndot = + firstcndot ? PORT_Strchr(firstcndot + 1, '.') : NULL; + char *firsthndot = PORT_Strchr(hn, '.'); + + /* For a cn pattern to be considered valid, the wildcard character... + * - may occur only in a DNS name with at least 3 components, and + * - may occur only as last character in the first component, and + * - may be preceded by additional characters, and + * - must not be preceded by an IDNA ACE prefix (xn--) + */ + if (wildcard && secondcndot && secondcndot[1] && firsthndot && + firstcndot - wildcard == 1 /* wildcard is last char in first component */ + && secondcndot - firstcndot > 1 /* second component is non-empty */ + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ + && !PORT_Strncasecmp(cn, hn, wildcard - cn) && + !PORT_Strcasecmp(firstcndot, firsthndot) + /* If hn starts with xn--, then cn must start with wildcard */ + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { + /* valid wildcard pattern match */ + return SECSuccess; + } + } + /* String cn has no wildcard or shell expression. + * Compare entire string hn with cert name. */ if (PORT_Strcasecmp(hn, cn) == 0) { - return SECSuccess; + return SECSuccess; } PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); return SECFailure; } - SECStatus cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn) { - PLArenaPool * arena = NULL; - CERTGeneralName * nameList = NULL; - CERTGeneralName * current; - char * cn; - int cnBufLen; - int DNSextCount = 0; - int IPextCount = 0; - PRBool isIPaddr = PR_FALSE; - SECStatus rv = SECFailure; - SECItem subAltName; - PRNetAddr netAddr; - char cnbuf[128]; + PLArenaPool *arena = NULL; + CERTGeneralName *nameList = NULL; + CERTGeneralName *current; + char *cn; + int cnBufLen; + int DNSextCount = 0; + int IPextCount = 0; + PRBool isIPaddr = PR_FALSE; + SECStatus rv = SECFailure; + SECItem subAltName; + PRNetAddr netAddr; + char cnbuf[128]; subAltName.data = NULL; - cn = cnbuf; + cn = cnbuf; cnBufLen = sizeof cnbuf; - rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, - &subAltName); + rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + &subAltName); if (rv != SECSuccess) { - goto fail; + goto fail; } isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); - rv = SECFailure; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (!arena) - goto fail; + if (!arena) + goto fail; nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); if (!current) - goto fail; + goto fail; do { - switch (current->type) { - case certDNSName: - if (!isIPaddr) { - /* DNS name current->name.other.data is not null terminated. - ** so must copy it. - */ - int cnLen = current->name.other.len; - rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, - (char *)current->name.other.data, - cnLen); - if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) { - cnBufLen = cnLen * 3 + 3; /* big enough for worst case */ - cn = (char *)PORT_ArenaAlloc(arena, cnBufLen); - if (!cn) - goto fail; - rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, - (char *)current->name.other.data, - cnLen); - } - if (rv == SECSuccess) - rv = cert_TestHostName(cn ,hn); - if (rv == SECSuccess) - goto finish; - } - DNSextCount++; - break; - case certIPAddress: - if (isIPaddr) { - int match = 0; - PRIPv6Addr v6Addr; - if (current->name.other.len == 4 && /* IP v4 address */ - netAddr.inet.family == PR_AF_INET) { - match = !memcmp(&netAddr.inet.ip, - current->name.other.data, 4); - } else if (current->name.other.len == 16 && /* IP v6 address */ - netAddr.ipv6.family == PR_AF_INET6) { - match = !memcmp(&netAddr.ipv6.ip, - current->name.other.data, 16); - } else if (current->name.other.len == 16 && /* IP v6 address */ - netAddr.inet.family == PR_AF_INET) { - /* convert netAddr to ipv6, then compare. */ - /* ipv4 must be in Network Byte Order on input. */ - PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr); - match = !memcmp(&v6Addr, current->name.other.data, 16); - } else if (current->name.other.len == 4 && /* IP v4 address */ - netAddr.inet.family == PR_AF_INET6) { - /* convert netAddr to ipv6, then compare. */ - PRUint32 ipv4 = (current->name.other.data[0] << 24) | - (current->name.other.data[1] << 16) | - (current->name.other.data[2] << 8) | - current->name.other.data[3]; - /* ipv4 must be in Network Byte Order on input. */ - PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr); - match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16); - } - if (match) { - rv = SECSuccess; - goto finish; - } - } - IPextCount++; - break; - default: - break; - } - current = CERT_GetNextGeneralName(current); + switch (current->type) { + case certDNSName: + if (!isIPaddr) { + /* DNS name current->name.other.data is not null terminated. + ** so must copy it. + */ + int cnLen = current->name.other.len; + rv = CERT_RFC1485_EscapeAndQuote( + cn, cnBufLen, (char *)current->name.other.data, cnLen); + if (rv != SECSuccess && + PORT_GetError() == SEC_ERROR_OUTPUT_LEN) { + cnBufLen = + cnLen * 3 + 3; /* big enough for worst case */ + cn = (char *)PORT_ArenaAlloc(arena, cnBufLen); + if (!cn) + goto fail; + rv = CERT_RFC1485_EscapeAndQuote( + cn, cnBufLen, (char *)current->name.other.data, + cnLen); + } + if (rv == SECSuccess) + rv = cert_TestHostName(cn, hn); + if (rv == SECSuccess) + goto finish; + } + DNSextCount++; + break; + case certIPAddress: + if (isIPaddr) { + int match = 0; + PRIPv6Addr v6Addr; + if (current->name.other.len == 4 && /* IP v4 address */ + netAddr.inet.family == PR_AF_INET) { + match = !memcmp(&netAddr.inet.ip, + current->name.other.data, 4); + } else if (current->name.other.len == + 16 && /* IP v6 address */ + netAddr.ipv6.family == PR_AF_INET6) { + match = !memcmp(&netAddr.ipv6.ip, + current->name.other.data, 16); + } else if (current->name.other.len == + 16 && /* IP v6 address */ + netAddr.inet.family == PR_AF_INET) { + /* convert netAddr to ipv6, then compare. */ + /* ipv4 must be in Network Byte Order on input. */ + PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr); + match = !memcmp(&v6Addr, current->name.other.data, 16); + } else if (current->name.other.len == 4 && /* IP v4 address */ + netAddr.inet.family == PR_AF_INET6) { + /* convert netAddr to ipv6, then compare. */ + PRUint32 ipv4 = (current->name.other.data[0] << 24) | + (current->name.other.data[1] << 16) | + (current->name.other.data[2] << 8) | + current->name.other.data[3]; + /* ipv4 must be in Network Byte Order on input. */ + PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr); + match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16); + } + if (match) { + rv = SECSuccess; + goto finish; + } + } + IPextCount++; + break; + default: + break; + } + current = CERT_GetNextGeneralName(current); } while (current != nameList); fail: if (!(isIPaddr ? IPextCount : DNSextCount)) { - /* no relevant value in the extension was found. */ - PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); + /* no relevant value in the extension was found. */ + PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); } else { - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); } rv = SECFailure; @@ -1542,11 +1500,11 @@ finish: /* Don't free nameList, it's part of the arena. */ if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } if (subAltName.data) { - SECITEM_FreeItem(&subAltName, PR_FALSE); + SECITEM_FreeItem(&subAltName, PR_FALSE); } return rv; @@ -1562,19 +1520,19 @@ finish: CERTGeneralName * cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena) { - CERTGeneralName * nameList = NULL; - SECStatus rv = SECFailure; - SECItem subAltName; + CERTGeneralName *nameList = NULL; + SECStatus rv = SECFailure; + SECItem subAltName; if (!cert || !arena) - return NULL; + return NULL; subAltName.data = NULL; - rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, &subAltName); if (rv != SECSuccess) - return NULL; + return NULL; nameList = CERT_DecodeAltNameExtension(arena, &subAltName); SECITEM_FreeItem(&subAltName, PR_FALSE); @@ -1584,21 +1542,21 @@ cert_GetSubjectAltNameList(const CERTCertificate *cert, PLArenaPool *arena) PRUint32 cert_CountDNSPatterns(CERTGeneralName *firstName) { - CERTGeneralName * current; + CERTGeneralName *current; PRUint32 count = 0; if (!firstName) - return 0; + return 0; current = firstName; do { switch (current->type) { - case certDNSName: - case certIPAddress: - ++count; - break; - default: - break; + case certDNSName: + case certIPAddress: + ++count; + break; + default: + break; } current = CERT_GetNextGeneralName(current); } while (current != firstName); @@ -1610,27 +1568,27 @@ cert_CountDNSPatterns(CERTGeneralName *firstName) #define INET6_ADDRSTRLEN 46 #endif -/* will fill nickNames, +/* will fill nickNames, * will allocate all data from nickNames->arena, * numberOfGeneralNames should have been obtained from cert_CountDNSPatterns, * will ensure the numberOfGeneralNames matches the number of output entries. */ SECStatus cert_GetDNSPatternsFromGeneralNames(CERTGeneralName *firstName, - PRUint32 numberOfGeneralNames, + PRUint32 numberOfGeneralNames, CERTCertNicknames *nickNames) { CERTGeneralName *currentInput; char **currentOutput; if (!firstName || !nickNames || !numberOfGeneralNames) - return SECFailure; + return SECFailure; nickNames->numnicknames = numberOfGeneralNames; - nickNames->nicknames = PORT_ArenaAlloc(nickNames->arena, - sizeof(char *) * numberOfGeneralNames); + nickNames->nicknames = PORT_ArenaAlloc( + nickNames->arena, sizeof(char *) * numberOfGeneralNames); if (!nickNames->nicknames) - return SECFailure; + return SECFailure; currentInput = firstName; currentOutput = nickNames->nicknames; @@ -1640,47 +1598,49 @@ cert_GetDNSPatternsFromGeneralNames(CERTGeneralName *firstName, PRNetAddr addr; if (numberOfGeneralNames < 1) { - /* internal consistency error */ - return SECFailure; + /* internal consistency error */ + return SECFailure; } switch (currentInput->type) { - case certDNSName: - /* DNS name currentInput->name.other.data is not null terminated. - ** so must copy it. - */ - cn = (char *)PORT_ArenaAlloc(nickNames->arena, - currentInput->name.other.len + 1); - if (!cn) - return SECFailure; - PORT_Memcpy(cn, currentInput->name.other.data, + case certDNSName: + /* DNS name currentInput->name.other.data is not null + *terminated. + ** so must copy it. + */ + cn = (char *)PORT_ArenaAlloc(nickNames->arena, + currentInput->name.other.len + 1); + if (!cn) + return SECFailure; + PORT_Memcpy(cn, currentInput->name.other.data, currentInput->name.other.len); - cn[currentInput->name.other.len] = 0; - break; - case certIPAddress: - if (currentInput->name.other.len == 4) { - addr.inet.family = PR_AF_INET; - memcpy(&addr.inet.ip, currentInput->name.other.data, - currentInput->name.other.len); - } else if (currentInput->name.other.len == 16) { - addr.ipv6.family = PR_AF_INET6; - memcpy(&addr.ipv6.ip, currentInput->name.other.data, - currentInput->name.other.len); - } - if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == PR_FAILURE) - return SECFailure; - cn = PORT_ArenaStrdup(nickNames->arena, ipbuf); - if (!cn) - return SECFailure; - break; - default: - break; + cn[currentInput->name.other.len] = 0; + break; + case certIPAddress: + if (currentInput->name.other.len == 4) { + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, currentInput->name.other.data, + currentInput->name.other.len); + } else if (currentInput->name.other.len == 16) { + addr.ipv6.family = PR_AF_INET6; + memcpy(&addr.ipv6.ip, currentInput->name.other.data, + currentInput->name.other.len); + } + if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == + PR_FAILURE) + return SECFailure; + cn = PORT_ArenaStrdup(nickNames->arena, ipbuf); + if (!cn) + return SECFailure; + break; + default: + break; } if (cn) { - *currentOutput = cn; - nickNames->totallen += PORT_Strlen(cn); - ++currentOutput; - --numberOfGeneralNames; + *currentOutput = cn; + nickNames->totallen += PORT_Strlen(cn); + ++currentOutput; + --numberOfGeneralNames; } currentInput = CERT_GetNextGeneralName(currentInput); } while (currentInput != firstName); @@ -1701,16 +1661,16 @@ CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert) CERTCertNicknames *nickNames; PLArenaPool *arena; char *singleName; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { return NULL; } - + nickNames = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames)); if (!nickNames) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } /* init the structure */ @@ -1722,40 +1682,41 @@ CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert) generalNames = cert_GetSubjectAltNameList(cert, arena); if (generalNames) { - SECStatus rv_getnames = SECFailure; - PRUint32 numNames = cert_CountDNSPatterns(generalNames); - - if (numNames) { - rv_getnames = cert_GetDNSPatternsFromGeneralNames(generalNames, - numNames, nickNames); - } - - /* if there were names, we'll exit now, either with success or failure */ - if (numNames) { - if (rv_getnames == SECSuccess) { - return nickNames; + SECStatus rv_getnames = SECFailure; + PRUint32 numNames = cert_CountDNSPatterns(generalNames); + + if (numNames) { + rv_getnames = cert_GetDNSPatternsFromGeneralNames( + generalNames, numNames, nickNames); } - /* failure to produce output */ - PORT_FreeArena(arena, PR_FALSE); - return NULL; - } + /* if there were names, we'll exit now, either with success or failure + */ + if (numNames) { + if (rv_getnames == SECSuccess) { + return nickNames; + } + + /* failure to produce output */ + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } } /* no SAN extension or no names found in extension */ singleName = CERT_GetCommonName(&cert->subject); if (singleName) { - nickNames->numnicknames = 1; - nickNames->nicknames = PORT_ArenaAlloc(arena, sizeof(char *)); - if (nickNames->nicknames) { - *nickNames->nicknames = PORT_ArenaStrdup(arena, singleName); - } - PORT_Free(singleName); + nickNames->numnicknames = 1; + nickNames->nicknames = PORT_ArenaAlloc(arena, sizeof(char *)); + if (nickNames->nicknames) { + *nickNames->nicknames = PORT_ArenaStrdup(arena, singleName); + } + PORT_Free(singleName); - /* Did we allocate both the buffer of pointers and the string? */ - if (nickNames->nicknames && *nickNames->nicknames) { - return nickNames; - } + /* Did we allocate both the buffer of pointers and the string? */ + if (nickNames->nicknames && *nickNames->nicknames) { + return nickNames; + } } PORT_FreeArena(arena, PR_FALSE); @@ -1769,20 +1730,20 @@ CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert) SECStatus CERT_VerifyCertName(const CERTCertificate *cert, const char *hn) { - char * cn; + char *cn; SECStatus rv; CERTOKDomainName *domainOK; if (!hn || !strlen(hn)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } /* if the name is one that the user has already approved, it's OK. */ for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) { - if (0 == PORT_Strcasecmp(hn, domainOK->name)) { - return SECSuccess; - } + if (0 == PORT_Strcasecmp(hn, domainOK->name)) { + return SECSuccess; + } } /* Per RFC 2818, if the SubjectAltName extension is present, it must @@ -1790,14 +1751,14 @@ CERT_VerifyCertName(const CERTCertificate *cert, const char *hn) */ rv = cert_VerifySubjectAltName(cert, hn); if (rv == SECSuccess || PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) - return rv; + return rv; cn = CERT_GetCommonName(&cert->subject); - if ( cn ) { + if (cn) { PRBool isIPaddr = cert_IsIPAddr(hn); if (isIPaddr) { if (PORT_Strcasecmp(hn, cn) == 0) { - rv = SECSuccess; + rv = SECSuccess; } else { PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); rv = SECFailure; @@ -1805,9 +1766,9 @@ CERT_VerifyCertName(const CERTCertificate *cert, const char *hn) } else { rv = cert_TestHostName(cn, hn); } - PORT_Free(cn); - } else - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); + PORT_Free(cn); + } else + PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); return rv; } @@ -1815,48 +1776,48 @@ PRBool CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2) { SECComparison comp; - + comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert); - if ( comp == SECEqual ) { /* certs are the same */ - return(PR_TRUE); + if (comp == SECEqual) { /* certs are the same */ + return (PR_TRUE); } else { - return(PR_FALSE); + return (PR_FALSE); } } static SECStatus -StringsEqual(char *s1, char *s2) { - if ( ( s1 == NULL ) || ( s2 == NULL ) ) { - if ( s1 != s2 ) { /* only one is null */ - return(SECFailure); - } - return(SECSuccess); /* both are null */ +StringsEqual(char *s1, char *s2) +{ + if ((s1 == NULL) || (s2 == NULL)) { + if (s1 != s2) { /* only one is null */ + return (SECFailure); + } + return (SECSuccess); /* both are null */ } - - if ( PORT_Strcmp( s1, s2 ) != 0 ) { - return(SECFailure); /* not equal */ + + if (PORT_Strcmp(s1, s2) != 0) { + return (SECFailure); /* not equal */ } - return(SECSuccess); /* strings are equal */ + return (SECSuccess); /* strings are equal */ } - PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) { SECComparison comp; char *c1str, *c2str; SECStatus eq; - + comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert); - if ( comp == SECEqual ) { /* certs are the same */ - return(PR_TRUE); + if (comp == SECEqual) { /* certs are the same */ + return (PR_TRUE); } - + /* check if they are issued by the same CA */ comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer); - if ( comp != SECEqual ) { /* different issuer */ - return(PR_FALSE); + if (comp != SECEqual) { /* different issuer */ + return (PR_FALSE); } /* check country name */ @@ -1865,8 +1826,8 @@ CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) eq = StringsEqual(c1str, c2str); PORT_Free(c1str); PORT_Free(c2str); - if ( eq != SECSuccess ) { - return(PR_FALSE); + if (eq != SECSuccess) { + return (PR_FALSE); } /* check locality name */ @@ -1875,18 +1836,18 @@ CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) eq = StringsEqual(c1str, c2str); PORT_Free(c1str); PORT_Free(c2str); - if ( eq != SECSuccess ) { - return(PR_FALSE); + if (eq != SECSuccess) { + return (PR_FALSE); } - + /* check state name */ c1str = CERT_GetStateName(&c1->subject); c2str = CERT_GetStateName(&c2->subject); eq = StringsEqual(c1str, c2str); PORT_Free(c1str); PORT_Free(c2str); - if ( eq != SECSuccess ) { - return(PR_FALSE); + if (eq != SECSuccess) { + return (PR_FALSE); } /* check org name */ @@ -1895,11 +1856,11 @@ CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) eq = StringsEqual(c1str, c2str); PORT_Free(c1str); PORT_Free(c2str); - if ( eq != SECSuccess ) { - return(PR_FALSE); + if (eq != SECSuccess) { + return (PR_FALSE); } -#ifdef NOTDEF +#ifdef NOTDEF /* check orgUnit name */ /* * We need to revisit this and decide which fields should be allowed to be @@ -1910,46 +1871,44 @@ CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2) eq = StringsEqual(c1str, c2str); PORT_Free(c1str); PORT_Free(c2str); - if ( eq != SECSuccess ) { - return(PR_FALSE); + if (eq != SECSuccess) { + return (PR_FALSE); } #endif - return(PR_TRUE); /* all fields but common name are the same */ + return (PR_TRUE); /* all fields but common name are the same */ } - /* CERT_CertChainFromCert and CERT_DestroyCertificateList moved to certhigh.c */ - CERTIssuerAndSN * CERT_GetCertIssuerAndSN(PLArenaPool *arena, CERTCertificate *cert) { CERTIssuerAndSN *result; SECStatus rv; - if ( arena == NULL ) { - arena = cert->arena; + if (arena == NULL) { + arena = cert->arena; } - - result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result)); + + result = (CERTIssuerAndSN *)PORT_ArenaZAlloc(arena, sizeof(*result)); if (result == NULL) { - PORT_SetError (SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer); if (rv != SECSuccess) - return NULL; + return NULL; rv = CERT_CopyName(arena, &result->issuer, &cert->issuer); if (rv != SECSuccess) - return NULL; + return NULL; rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber); if (rv != SECSuccess) - return NULL; + return NULL; return result; } @@ -1962,85 +1921,84 @@ CERT_MakeCANickname(CERTCertificate *cert) char *nickname = NULL; int count; CERTCertificate *dummycert; - + firstname = CERT_GetCommonName(&cert->subject); - if ( firstname == NULL ) { - firstname = CERT_GetOrgUnitName(&cert->subject); + if (firstname == NULL) { + firstname = CERT_GetOrgUnitName(&cert->subject); } org = CERT_GetOrgName(&cert->issuer); if (org == NULL) { - org = CERT_GetDomainComponentName(&cert->issuer); - if (org == NULL) { - if (firstname) { - org = firstname; - firstname = NULL; - } else { - org = PORT_Strdup("Unknown CA"); - } - } + org = CERT_GetDomainComponentName(&cert->issuer); + if (org == NULL) { + if (firstname) { + org = firstname; + firstname = NULL; + } else { + org = PORT_Strdup("Unknown CA"); + } + } } /* can only fail if PORT_Strdup fails, in which case * we're having memory problems. */ if (org == NULL) { - goto done; + goto done; } - count = 1; - while ( 1 ) { - - if ( firstname ) { - if ( count == 1 ) { - nickname = PR_smprintf("%s - %s", firstname, org); - } else { - nickname = PR_smprintf("%s - %s #%d", firstname, org, count); - } - } else { - if ( count == 1 ) { - nickname = PR_smprintf("%s", org); - } else { - nickname = PR_smprintf("%s #%d", org, count); - } - } - if ( nickname == NULL ) { - goto done; - } - - /* look up the nickname to make sure it isn't in use already */ - dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname); - - if ( dummycert == NULL ) { - goto done; - } - - /* found a cert, destroy it and loop */ - CERT_DestroyCertificate(dummycert); - - /* free the nickname */ - PORT_Free(nickname); - - count++; + while (1) { + + if (firstname) { + if (count == 1) { + nickname = PR_smprintf("%s - %s", firstname, org); + } else { + nickname = PR_smprintf("%s - %s #%d", firstname, org, count); + } + } else { + if (count == 1) { + nickname = PR_smprintf("%s", org); + } else { + nickname = PR_smprintf("%s #%d", org, count); + } + } + if (nickname == NULL) { + goto done; + } + + /* look up the nickname to make sure it isn't in use already */ + dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname); + + if (dummycert == NULL) { + goto done; + } + + /* found a cert, destroy it and loop */ + CERT_DestroyCertificate(dummycert); + + /* free the nickname */ + PORT_Free(nickname); + + count++; } done: - if ( firstname ) { - PORT_Free(firstname); + if (firstname) { + PORT_Free(firstname); } - if ( org ) { - PORT_Free(org); + if (org) { + PORT_Free(org); } - - return(nickname); + + return (nickname); } /* CERT_Import_CAChain moved to certhigh.c */ void -CERT_DestroyCrl (CERTSignedCrl *crl) +CERT_DestroyCrl(CERTSignedCrl *crl) { - SEC_DestroyCrl (crl); + SEC_DestroyCrl(crl); } static int @@ -2048,9 +2006,9 @@ cert_Version(CERTCertificate *cert) { int version = 0; if (cert && cert->version.data && cert->version.len) { - version = DER_GetInteger(&cert->version); - if (version < 0) - version = 0; + version = DER_GetInteger(&cert->version); + if (version < 0) + version = 0; } return version; } @@ -2063,35 +2021,35 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) rv = CERT_GetCertTrust(cert, &trust); - if (rv == SECSuccess && (trust.sslFlags | - trust.emailFlags | - trust.objectSigningFlags)) { + if (rv == SECSuccess && + (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)) { - if (trust.sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT; - if (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_SSL_CA; + if (trust.sslFlags & (CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED)) + cType |= NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_SSL_CLIENT; + if (trust.sslFlags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) + cType |= NS_CERT_TYPE_SSL_CA; #if defined(CERTDB_NOT_TRUSTED) - if (trust.sslFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT| - NS_CERT_TYPE_SSL_CA); + if (trust.sslFlags & CERTDB_NOT_TRUSTED) + cType &= ~(NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_SSL_CLIENT | + NS_CERT_TYPE_SSL_CA); #endif - if (trust.emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_EMAIL; - if (trust.emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_EMAIL_CA; + if (trust.emailFlags & (CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED)) + cType |= NS_CERT_TYPE_EMAIL; + if (trust.emailFlags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) + cType |= NS_CERT_TYPE_EMAIL_CA; #if defined(CERTDB_NOT_TRUSTED) - if (trust.emailFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA); + if (trust.emailFlags & CERTDB_NOT_TRUSTED) + cType &= ~(NS_CERT_TYPE_EMAIL | NS_CERT_TYPE_EMAIL_CA); #endif - if (trust.objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_OBJECT_SIGNING; - if (trust.objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; + if (trust.objectSigningFlags & + (CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED)) + cType |= NS_CERT_TYPE_OBJECT_SIGNING; + if (trust.objectSigningFlags & (CERTDB_VALID_CA | CERTDB_TRUSTED_CA)) + cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; #if defined(CERTDB_NOT_TRUSTED) - if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING| - NS_CERT_TYPE_OBJECT_SIGNING_CA); + if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED) + cType &= + ~(NS_CERT_TYPE_OBJECT_SIGNING | NS_CERT_TYPE_OBJECT_SIGNING_CA); #endif } return cType; @@ -2107,48 +2065,45 @@ CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype) unsigned int cType = cert->nsCertType; PRBool ret = PR_FALSE; - if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | - NS_CERT_TYPE_OBJECT_SIGNING_CA)) { - ret = PR_TRUE; - } else { - SECStatus rv; - CERTBasicConstraints constraints; - - rv = CERT_FindBasicConstraintExten(cert, &constraints); - if (rv == SECSuccess && constraints.isCA) { - ret = PR_TRUE; - cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); - } - } + /* + * Check if the constraints are available and it's a CA, OR if it's + * a X.509 v1 Root CA. + */ + CERTBasicConstraints constraints; + if ((CERT_FindBasicConstraintExten(cert, &constraints) == SECSuccess && + constraints.isCA) || + (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) + cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); - /* finally check if it's an X.509 v1 root CA */ - if (!ret && - (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) { - ret = PR_TRUE; - cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); - } - /* Now apply trust overrides, if any */ + /* + * Apply trust overrides, if any. + */ cType = cert_ComputeTrustOverrides(cert, cType); ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | - NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE; + NS_CERT_TYPE_OBJECT_SIGNING_CA)) + ? PR_TRUE + : PR_FALSE; - if (rettype != NULL) { - *rettype = cType; + if (rettype) { + *rettype = cType; } + return ret; } PRBool -CERT_IsCADERCert(SECItem *derCert, unsigned int *type) { +CERT_IsCADERCert(SECItem *derCert, unsigned int *type) +{ CERTCertificate *cert; PRBool isCA; /* This is okay -- only looks at extensions */ cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); - if (cert == NULL) return PR_FALSE; + if (cert == NULL) + return PR_FALSE; - isCA = CERT_IsCACert(cert,type); - CERT_DestroyCertificate (cert); + isCA = CERT_IsCACert(cert, type); + CERT_DestroyCertificate(cert); return isCA; } @@ -2160,51 +2115,51 @@ CERT_IsRootDERCert(SECItem *derCert) /* This is okay -- only looks at extensions */ cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); - if (cert == NULL) return PR_FALSE; + if (cert == NULL) + return PR_FALSE; isRoot = cert->isRoot; - CERT_DestroyCertificate (cert); + CERT_DestroyCertificate(cert); return isRoot; } CERTCompareValidityStatus -CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b) +CERT_CompareValidityTimes(CERTValidity *val_a, CERTValidity *val_b) { PRTime notBeforeA, notBeforeB, notAfterA, notAfterB; - if (!val_a || !val_b) - { + if (!val_a || !val_b) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return certValidityUndetermined; } - if ( SECSuccess != DER_DecodeTimeChoice(¬BeforeA, &val_a->notBefore) || - SECSuccess != DER_DecodeTimeChoice(¬BeforeB, &val_b->notBefore) || - SECSuccess != DER_DecodeTimeChoice(¬AfterA, &val_a->notAfter) || - SECSuccess != DER_DecodeTimeChoice(¬AfterB, &val_b->notAfter) ) { + if (SECSuccess != DER_DecodeTimeChoice(¬BeforeA, &val_a->notBefore) || + SECSuccess != DER_DecodeTimeChoice(¬BeforeB, &val_b->notBefore) || + SECSuccess != DER_DecodeTimeChoice(¬AfterA, &val_a->notAfter) || + SECSuccess != DER_DecodeTimeChoice(¬AfterB, &val_b->notAfter)) { return certValidityUndetermined; } /* sanity check */ - if (LL_CMP(notBeforeA,>,notAfterA) || LL_CMP(notBeforeB,>,notAfterB)) { + if (LL_CMP(notBeforeA, >, notAfterA) || LL_CMP(notBeforeB, >, notAfterB)) { PORT_SetError(SEC_ERROR_INVALID_TIME); return certValidityUndetermined; } - if (LL_CMP(notAfterA,!=,notAfterB)) { + if (LL_CMP(notAfterA, !=, notAfterB)) { /* one cert validity goes farther into the future, select it */ - return LL_CMP(notAfterA,<,notAfterB) ? - certValidityChooseB : certValidityChooseA; + return LL_CMP(notAfterA, <, notAfterB) ? certValidityChooseB + : certValidityChooseA; } /* the two certs have the same expiration date */ - PORT_Assert(LL_CMP(notAfterA, == , notAfterB)); + PORT_Assert(LL_CMP(notAfterA, ==, notAfterB)); /* do they also have the same start date ? */ - if (LL_CMP(notBeforeA,==,notBeforeB)) { - return certValidityEqual; + if (LL_CMP(notBeforeA, ==, notBeforeB)) { + return certValidityEqual; } /* choose cert with the later start date */ - return LL_CMP(notBeforeA,<,notBeforeB) ? - certValidityChooseB : certValidityChooseA; + return LL_CMP(notBeforeA, <, notBeforeB) ? certValidityChooseB + : certValidityChooseA; } /* @@ -2216,52 +2171,52 @@ CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb) PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now; SECStatus rv; PRBool newerbefore, newerafter; - + rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA); - if ( rv != SECSuccess ) { - return(PR_FALSE); + if (rv != SECSuccess) { + return (PR_FALSE); } - + rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB); - if ( rv != SECSuccess ) { - return(PR_TRUE); + if (rv != SECSuccess) { + return (PR_TRUE); } newerbefore = PR_FALSE; - if ( LL_CMP(notBeforeA, >, notBeforeB) ) { - newerbefore = PR_TRUE; + if (LL_CMP(notBeforeA, >, notBeforeB)) { + newerbefore = PR_TRUE; } newerafter = PR_FALSE; - if ( LL_CMP(notAfterA, >, notAfterB) ) { - newerafter = PR_TRUE; + if (LL_CMP(notAfterA, >, notAfterB)) { + newerafter = PR_TRUE; } - - if ( newerbefore && newerafter ) { - return(PR_TRUE); + + if (newerbefore && newerafter) { + return (PR_TRUE); } - - if ( ( !newerbefore ) && ( !newerafter ) ) { - return(PR_FALSE); + + if ((!newerbefore) && (!newerafter)) { + return (PR_FALSE); } /* get current time */ now = PR_Now(); - if ( newerbefore ) { - /* cert A was issued after cert B, but expires sooner */ - /* if A is expired, then pick B */ - if ( LL_CMP(notAfterA, <, now ) ) { - return(PR_FALSE); - } - return(PR_TRUE); + if (newerbefore) { + /* cert A was issued after cert B, but expires sooner */ + /* if A is expired, then pick B */ + if (LL_CMP(notAfterA, <, now)) { + return (PR_FALSE); + } + return (PR_TRUE); } else { - /* cert B was issued after cert A, but expires sooner */ - /* if B is expired, then pick A */ - if ( LL_CMP(notAfterB, <, now ) ) { - return(PR_TRUE); - } - return(PR_FALSE); + /* cert B was issued after cert A, but expires sooner */ + /* if B is expired, then pick A */ + if (LL_CMP(notAfterB, <, now)) { + return (PR_TRUE); + } + return (PR_FALSE); } } @@ -2269,17 +2224,17 @@ void CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts) { unsigned int i; - - if ( certs ) { - for ( i = 0; i < ncerts; i++ ) { - if ( certs[i] ) { - CERT_DestroyCertificate(certs[i]); - } - } - PORT_Free(certs); + if (certs) { + for (i = 0; i < ncerts; i++) { + if (certs[i]) { + CERT_DestroyCertificate(certs[i]); + } + } + + PORT_Free(certs); } - + return; } @@ -2289,23 +2244,23 @@ CERT_FixupEmailAddr(const char *emailAddr) char *retaddr; char *str; - if ( emailAddr == NULL ) { - return(NULL); + if (emailAddr == NULL) { + return (NULL); } - + /* copy the string */ str = retaddr = PORT_Strdup(emailAddr); - if ( str == NULL ) { - return(NULL); + if (str == NULL) { + return (NULL); } - + /* make it lower case */ - while ( *str ) { - *str = tolower( *str ); - str++; + while (*str) { + *str = tolower(*str); + str++; } - - return(retaddr); + + return (retaddr); } /* @@ -2318,67 +2273,67 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) unsigned int *pflags; if (!trust) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } trust->sslFlags = 0; trust->emailFlags = 0; trust->objectSigningFlags = 0; if (!trusts) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } pflags = &trust->sslFlags; - for (i=0; i < PORT_Strlen(trusts); i++) { - switch (trusts[i]) { - case 'p': - *pflags = *pflags | CERTDB_TERMINAL_RECORD; - break; - - case 'P': - *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; - break; - - case 'w': - *pflags = *pflags | CERTDB_SEND_WARN; - break; - - case 'c': - *pflags = *pflags | CERTDB_VALID_CA; - break; - - case 'T': - *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA; - break; - - case 'C' : - *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA; - break; - - case 'u': - *pflags = *pflags | CERTDB_USER; - break; - - case 'i': - *pflags = *pflags | CERTDB_INVISIBLE_CA; - break; - case 'g': - *pflags = *pflags | CERTDB_GOVT_APPROVED_CA; - break; - - case ',': - if ( pflags == &trust->sslFlags ) { - pflags = &trust->emailFlags; - } else { - pflags = &trust->objectSigningFlags; - } - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } + for (i = 0; i < PORT_Strlen(trusts); i++) { + switch (trusts[i]) { + case 'p': + *pflags = *pflags | CERTDB_TERMINAL_RECORD; + break; + + case 'P': + *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; + break; + + case 'w': + *pflags = *pflags | CERTDB_SEND_WARN; + break; + + case 'c': + *pflags = *pflags | CERTDB_VALID_CA; + break; + + case 'T': + *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA; + break; + + case 'C': + *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA; + break; + + case 'u': + *pflags = *pflags | CERTDB_USER; + break; + + case 'i': + *pflags = *pflags | CERTDB_INVISIBLE_CA; + break; + case 'g': + *pflags = *pflags | CERTDB_GOVT_APPROVED_CA; + break; + + case ',': + if (pflags == &trust->sslFlags) { + pflags = &trust->emailFlags; + } else { + pflags = &trust->objectSigningFlags; + } + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } } return SECSuccess; @@ -2388,26 +2343,25 @@ static void EncodeFlags(char *trusts, unsigned int flags) { if (flags & CERTDB_VALID_CA) - if (!(flags & CERTDB_TRUSTED_CA) && - !(flags & CERTDB_TRUSTED_CLIENT_CA)) - PORT_Strcat(trusts, "c"); + if (!(flags & CERTDB_TRUSTED_CA) && !(flags & CERTDB_TRUSTED_CLIENT_CA)) + PORT_Strcat(trusts, "c"); if (flags & CERTDB_TERMINAL_RECORD) - if (!(flags & CERTDB_TRUSTED)) - PORT_Strcat(trusts, "p"); + if (!(flags & CERTDB_TRUSTED)) + PORT_Strcat(trusts, "p"); if (flags & CERTDB_TRUSTED_CA) - PORT_Strcat(trusts, "C"); + PORT_Strcat(trusts, "C"); if (flags & CERTDB_TRUSTED_CLIENT_CA) - PORT_Strcat(trusts, "T"); + PORT_Strcat(trusts, "T"); if (flags & CERTDB_TRUSTED) - PORT_Strcat(trusts, "P"); + PORT_Strcat(trusts, "P"); if (flags & CERTDB_USER) - PORT_Strcat(trusts, "u"); + PORT_Strcat(trusts, "u"); if (flags & CERTDB_SEND_WARN) - PORT_Strcat(trusts, "w"); + PORT_Strcat(trusts, "w"); if (flags & CERTDB_INVISIBLE_CA) - PORT_Strcat(trusts, "I"); + PORT_Strcat(trusts, "I"); if (flags & CERTDB_GOVT_APPROVED_CA) - PORT_Strcat(trusts, "G"); + PORT_Strcat(trusts, "G"); return; } @@ -2419,96 +2373,93 @@ CERT_EncodeTrustString(CERTCertTrust *trust) char tmpTrustSigning[32]; char *retstr = NULL; - if ( trust ) { - tmpTrustSSL[0] = '\0'; - tmpTrustEmail[0] = '\0'; - tmpTrustSigning[0] = '\0'; - - EncodeFlags(tmpTrustSSL, trust->sslFlags); - EncodeFlags(tmpTrustEmail, trust->emailFlags); - EncodeFlags(tmpTrustSigning, trust->objectSigningFlags); - - retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail, - tmpTrustSigning); + if (trust) { + tmpTrustSSL[0] = '\0'; + tmpTrustEmail[0] = '\0'; + tmpTrustSigning[0] = '\0'; + + EncodeFlags(tmpTrustSSL, trust->sslFlags); + EncodeFlags(tmpTrustEmail, trust->emailFlags); + EncodeFlags(tmpTrustSigning, trust->objectSigningFlags); + + retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail, + tmpTrustSigning); } - - return(retstr); + + return (retstr); } SECStatus CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, - unsigned int ncerts, SECItem **derCerts, - CERTCertificate ***retCerts, PRBool keepCerts, - PRBool caOnly, char *nickname) + unsigned int ncerts, SECItem **derCerts, + CERTCertificate ***retCerts, PRBool keepCerts, PRBool caOnly, + char *nickname) { unsigned int i; CERTCertificate **certs = NULL; unsigned int fcerts = 0; - if ( ncerts ) { - certs = PORT_ZNewArray(CERTCertificate*, ncerts); - if ( certs == NULL ) { - return(SECFailure); - } - - /* decode all of the certs into the temporary DB */ - for ( i = 0, fcerts= 0; i < ncerts; i++) { - certs[fcerts] = CERT_NewTempCertificate(certdb, - derCerts[i], - NULL, - PR_FALSE, - PR_TRUE); - if (certs[fcerts]) { - SECItem subjKeyID = {siBuffer, NULL, 0}; - if (CERT_FindSubjectKeyIDExtension(certs[fcerts], - &subjKeyID) == SECSuccess) { - if (subjKeyID.data) { - cert_AddSubjectKeyIDMapping(&subjKeyID, certs[fcerts]); - } - SECITEM_FreeItem(&subjKeyID, PR_FALSE); - } - fcerts++; - } - } - - if ( keepCerts ) { - for ( i = 0; i < fcerts; i++ ) { - char* canickname = NULL; + if (ncerts) { + certs = PORT_ZNewArray(CERTCertificate *, ncerts); + if (certs == NULL) { + return (SECFailure); + } + + /* decode all of the certs into the temporary DB */ + for (i = 0, fcerts = 0; i < ncerts; i++) { + certs[fcerts] = CERT_NewTempCertificate(certdb, derCerts[i], NULL, + PR_FALSE, PR_TRUE); + if (certs[fcerts]) { + SECItem subjKeyID = { siBuffer, NULL, 0 }; + if (CERT_FindSubjectKeyIDExtension(certs[fcerts], &subjKeyID) == + SECSuccess) { + if (subjKeyID.data) { + cert_AddSubjectKeyIDMapping(&subjKeyID, certs[fcerts]); + } + SECITEM_FreeItem(&subjKeyID, PR_FALSE); + } + fcerts++; + } + } + + if (keepCerts) { + for (i = 0; i < fcerts; i++) { + char *canickname = NULL; PRBool isCA; - SECKEY_UpdateCertPQG(certs[i]); - + SECKEY_UpdateCertPQG(certs[i]); + isCA = CERT_IsCACert(certs[i], NULL); - if ( isCA ) { + if (isCA) { canickname = CERT_MakeCANickname(certs[i]); } - if(isCA && (fcerts > 1)) { - /* if we are importing only a single cert and specifying - * a nickname, we want to use that nickname if it a CA, - * otherwise if there are more than one cert, we don't - * know which cert it belongs to. But we still may try + if (isCA && (fcerts > 1)) { + /* if we are importing only a single cert and specifying + * a nickname, we want to use that nickname if it a CA, + * otherwise if there are more than one cert, we don't + * know which cert it belongs to. But we still may try * the individual canickname from the cert itself. - */ + */ /* Bug 1192442 - propagate errors from these calls. */ - (void)CERT_AddTempCertToPerm(certs[i], canickname, NULL); - } else { - (void)CERT_AddTempCertToPerm(certs[i], - nickname?nickname:canickname, NULL); - } + (void)CERT_AddTempCertToPerm(certs[i], canickname, NULL); + } else { + (void)CERT_AddTempCertToPerm( + certs[i], nickname ? nickname : canickname, NULL); + } PORT_Free(canickname); - /* don't care if it fails - keep going */ - } - } + /* don't care if it fails - keep going */ + } + } } - if ( retCerts ) { - *retCerts = certs; + if (retCerts) { + *retCerts = certs; } else { - if (certs) { - CERT_DestroyCertArray(certs, fcerts); - } + if (certs) { + CERT_DestroyCertArray(certs, fcerts); + } } return (fcerts || !ncerts) ? SECSuccess : SECFailure; @@ -2523,29 +2474,29 @@ CERT_NewCertList(void) { PLArenaPool *arena = NULL; CERTCertList *ret = NULL; - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - goto loser; + if (arena == NULL) { + goto loser; } - + ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); - if ( ret == NULL ) { - goto loser; + if (ret == NULL) { + goto loser; } - + ret->arena = arena; - + PR_INIT_CLIST(&ret->list); - - return(ret); + + return (ret); loser: - if ( arena != NULL ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); } - - return(NULL); + + return (NULL); } void @@ -2553,14 +2504,14 @@ CERT_DestroyCertList(CERTCertList *certs) { PRCList *node; - while( !PR_CLIST_IS_EMPTY(&certs->list) ) { - node = PR_LIST_HEAD(&certs->list); - CERT_DestroyCertificate(((CERTCertListNode *)node)->cert); - PR_REMOVE_LINK(node); + while (!PR_CLIST_IS_EMPTY(&certs->list)) { + node = PR_LIST_HEAD(&certs->list); + CERT_DestroyCertificate(((CERTCertListNode *)node)->cert); + PR_REMOVE_LINK(node); } - + PORT_FreeArena(certs->arena, PR_FALSE); - + return; } @@ -2572,27 +2523,26 @@ CERT_RemoveCertListNode(CERTCertListNode *node) return; } - SECStatus -CERT_AddCertToListTailWithData(CERTCertList *certs, - CERTCertificate *cert, void *appData) +CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert, + void *appData) { CERTCertListNode *node; - + node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, - sizeof(CERTCertListNode)); - if ( node == NULL ) { - goto loser; + sizeof(CERTCertListNode)); + if (node == NULL) { + goto loser; } - + PR_INSERT_BEFORE(&node->links, &certs->list); /* certs->count++; */ node->cert = cert; node->appData = appData; - return(SECSuccess); - + return (SECSuccess); + loser: - return(SECFailure); + return (SECFailure); } SECStatus @@ -2602,30 +2552,31 @@ CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert) } SECStatus -CERT_AddCertToListHeadWithData(CERTCertList *certs, - CERTCertificate *cert, void *appData) +CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, + void *appData) { CERTCertListNode *node; CERTCertListNode *head; - + head = CERT_LIST_HEAD(certs); - if (head == NULL) return CERT_AddCertToListTail(certs,cert); + if (head == NULL) + return CERT_AddCertToListTail(certs, cert); node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, - sizeof(CERTCertListNode)); - if ( node == NULL ) { - goto loser; + sizeof(CERTCertListNode)); + if (node == NULL) { + goto loser; } - + PR_INSERT_BEFORE(&node->links, &head->links); /* certs->count++; */ node->cert = cert; node->appData = appData; - return(SECSuccess); - + return (SECSuccess); + loser: - return(SECFailure); + return (SECFailure); } SECStatus @@ -2639,9 +2590,7 @@ CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert) * Not valid certs are considered older than valid certs. */ PRBool -CERT_SortCBValidity(CERTCertificate *certa, - CERTCertificate *certb, - void *arg) +CERT_SortCBValidity(CERTCertificate *certa, CERTCertificate *certb, void *arg) { PRTime sorttime; PRTime notBeforeA, notAfterA, notBeforeB, notAfterB; @@ -2650,113 +2599,110 @@ CERT_SortCBValidity(CERTCertificate *certa, PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE; sorttime = *(PRTime *)arg; - + rv = CERT_GetCertTimes(certa, ¬BeforeA, ¬AfterA); - if ( rv != SECSuccess ) { - return(PR_FALSE); + if (rv != SECSuccess) { + return (PR_FALSE); } - + rv = CERT_GetCertTimes(certb, ¬BeforeB, ¬AfterB); - if ( rv != SECSuccess ) { - return(PR_TRUE); + if (rv != SECSuccess) { + return (PR_TRUE); } newerbefore = PR_FALSE; - if ( LL_CMP(notBeforeA, >, notBeforeB) ) { - newerbefore = PR_TRUE; + if (LL_CMP(notBeforeA, >, notBeforeB)) { + newerbefore = PR_TRUE; } newerafter = PR_FALSE; - if ( LL_CMP(notAfterA, >, notAfterB) ) { - newerafter = PR_TRUE; + if (LL_CMP(notAfterA, >, notAfterB)) { + newerafter = PR_TRUE; } /* check if A is valid at sorttime */ - if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE) - != secCertTimeValid ) { - aNotValid = PR_TRUE; + if (CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE) != + secCertTimeValid) { + aNotValid = PR_TRUE; } /* check if B is valid at sorttime */ - if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE) - != secCertTimeValid ) { - bNotValid = PR_TRUE; + if (CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE) != + secCertTimeValid) { + bNotValid = PR_TRUE; } /* a is valid, b is not */ - if ( bNotValid && ( ! aNotValid ) ) { - return(PR_TRUE); + if (bNotValid && (!aNotValid)) { + return (PR_TRUE); } /* b is valid, a is not */ - if ( aNotValid && ( ! bNotValid ) ) { - return(PR_FALSE); + if (aNotValid && (!bNotValid)) { + return (PR_FALSE); } - + /* a and b are either valid or not valid */ - if ( newerbefore && newerafter ) { - return(PR_TRUE); + if (newerbefore && newerafter) { + return (PR_TRUE); } - - if ( ( !newerbefore ) && ( !newerafter ) ) { - return(PR_FALSE); + + if ((!newerbefore) && (!newerafter)) { + return (PR_FALSE); } - if ( newerbefore ) { - /* cert A was issued after cert B, but expires sooner */ - return(PR_TRUE); + if (newerbefore) { + /* cert A was issued after cert B, but expires sooner */ + return (PR_TRUE); } else { - /* cert B was issued after cert A, but expires sooner */ - return(PR_FALSE); + /* cert B was issued after cert A, but expires sooner */ + return (PR_FALSE); } } - SECStatus -CERT_AddCertToListSorted(CERTCertList *certs, - CERTCertificate *cert, - CERTSortCallback f, - void *arg) +CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert, + CERTSortCallback f, void *arg) { CERTCertListNode *node; CERTCertListNode *head; PRBool ret; - + node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, - sizeof(CERTCertListNode)); - if ( node == NULL ) { - goto loser; + sizeof(CERTCertListNode)); + if (node == NULL) { + goto loser; } - + head = CERT_LIST_HEAD(certs); - - while ( !CERT_LIST_END(head, certs) ) { - - /* if cert is already in the list, then don't add it again */ - if ( cert == head->cert ) { - /*XXX*/ - /* don't keep a reference */ - CERT_DestroyCertificate(cert); - goto done; - } - - ret = (* f)(cert, head->cert, arg); - /* if sort function succeeds, then insert before current node */ - if ( ret ) { - PR_INSERT_BEFORE(&node->links, &head->links); - goto done; - } - - head = CERT_LIST_NEXT(head); + + while (!CERT_LIST_END(head, certs)) { + + /* if cert is already in the list, then don't add it again */ + if (cert == head->cert) { + /*XXX*/ + /* don't keep a reference */ + CERT_DestroyCertificate(cert); + goto done; + } + + ret = (*f)(cert, head->cert, arg); + /* if sort function succeeds, then insert before current node */ + if (ret) { + PR_INSERT_BEFORE(&node->links, &head->links); + goto done; + } + + head = CERT_LIST_NEXT(head); } /* if we get to the end, then just insert it at the tail */ PR_INSERT_BEFORE(&node->links, &certs->list); -done: +done: /* certs->count++; */ node->cert = cert; - return(SECSuccess); - + return (SECSuccess); + loser: - return(SECFailure); + return (SECFailure); } /* This routine is here because pcertdb.c still has a call to it. @@ -2769,74 +2715,75 @@ loser: */ SECStatus CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage, - PRBool ca) + PRBool ca) { unsigned int requiredKeyUsage; unsigned int requiredCertType; CERTCertListNode *node, *savenode; SECStatus rv; - - if (certList == NULL) goto loser; + + if (certList == NULL) + goto loser; rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage, - &requiredCertType); - if ( rv != SECSuccess ) { - goto loser; + &requiredCertType); + if (rv != SECSuccess) { + goto loser; } node = CERT_LIST_HEAD(certList); - - while ( !CERT_LIST_END(node, certList) ) { - - PRBool bad = (PRBool)(!node->cert); - - /* bad key usage ? */ - if ( !bad && - CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess ) { - bad = PR_TRUE; - } - /* bad cert type ? */ - if ( !bad ) { - unsigned int certType = 0; - if ( ca ) { - /* This function returns a more comprehensive cert type that - * takes trust flags into consideration. Should probably - * fix the cert decoding code to do this. - */ - (void)CERT_IsCACert(node->cert, &certType); - } else { - certType = node->cert->nsCertType; - } - if ( !( certType & requiredCertType ) ) { - bad = PR_TRUE; - } - } - - if ( bad ) { - /* remove the node if it is bad */ - savenode = CERT_LIST_NEXT(node); - CERT_RemoveCertListNode(node); - node = savenode; - } else { - node = CERT_LIST_NEXT(node); - } - } - return(SECSuccess); - + + while (!CERT_LIST_END(node, certList)) { + + PRBool bad = (PRBool)(!node->cert); + + /* bad key usage ? */ + if (!bad && + CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess) { + bad = PR_TRUE; + } + /* bad cert type ? */ + if (!bad) { + unsigned int certType = 0; + if (ca) { + /* This function returns a more comprehensive cert type that + * takes trust flags into consideration. Should probably + * fix the cert decoding code to do this. + */ + (void)CERT_IsCACert(node->cert, &certType); + } else { + certType = node->cert->nsCertType; + } + if (!(certType & requiredCertType)) { + bad = PR_TRUE; + } + } + + if (bad) { + /* remove the node if it is bad */ + savenode = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(node); + node = savenode; + } else { + node = CERT_LIST_NEXT(node); + } + } + return (SECSuccess); + loser: - return(SECFailure); + return (SECFailure); } -PRBool CERT_IsUserCert(CERTCertificate* cert) +PRBool +CERT_IsUserCert(CERTCertificate *cert) { CERTCertTrust trust; SECStatus rv = SECFailure; rv = CERT_GetCertTrust(cert, &trust); if (rv == SECSuccess && - ((trust.sslFlags & CERTDB_USER ) || - (trust.emailFlags & CERTDB_USER ) || - (trust.objectSigningFlags & CERTDB_USER )) ) { + ((trust.sslFlags & CERTDB_USER) || (trust.emailFlags & CERTDB_USER) || + (trust.objectSigningFlags & CERTDB_USER))) { return PR_TRUE; } else { return PR_FALSE; @@ -2854,21 +2801,21 @@ CERT_FilterCertListForUserCerts(CERTCertList *certList) } node = CERT_LIST_HEAD(certList); - - while ( ! CERT_LIST_END(node, certList) ) { - cert = node->cert; - if ( PR_TRUE != CERT_IsUserCert(cert) ) { - /* Not a User Cert, so remove this cert from the list */ - freenode = node; - node = CERT_LIST_NEXT(node); - CERT_RemoveCertListNode(freenode); - } else { - /* Is a User cert, so leave it in the list */ - node = CERT_LIST_NEXT(node); - } + + while (!CERT_LIST_END(node, certList)) { + cert = node->cert; + if (PR_TRUE != CERT_IsUserCert(cert)) { + /* Not a User Cert, so remove this cert from the list */ + freenode = node; + node = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(freenode); + } else { + /* Is a User cert, so leave it in the list */ + node = CERT_LIST_NEXT(node); + } } - return(SECSuccess); + return (SECSuccess); } static PZLock *certRefCountLock = NULL; @@ -2894,7 +2841,7 @@ void CERT_UnlockCertRefCount(CERTCertificate *cert) { PORT_Assert(certRefCountLock != NULL); - + #ifdef DEBUG { PRStatus prstat = PZ_Unlock(certRefCountLock); @@ -2924,7 +2871,7 @@ CERT_LockCertTrust(const CERTCertificate *cert) SECStatus cert_InitLocks(void) { - if ( certRefCountLock == NULL ) { + if (certRefCountLock == NULL) { certRefCountLock = PZ_NewLock(nssILockRefLock); PORT_Assert(certRefCountLock != NULL); if (!certRefCountLock) { @@ -2932,7 +2879,7 @@ cert_InitLocks(void) } } - if ( certTrustLock == NULL ) { + if (certTrustLock == NULL) { certTrustLock = PZ_NewLock(nssILockCertDB); PORT_Assert(certTrustLock != NULL); if (!certTrustLock) { @@ -2940,7 +2887,7 @@ cert_InitLocks(void) certRefCountLock = NULL; return SECFailure; } - } + } return SECSuccess; } @@ -2975,7 +2922,7 @@ void CERT_UnlockCertTrust(const CERTCertificate *cert) { PORT_Assert(certTrustLock != NULL); - + #ifdef DEBUG { PRStatus prstat = PZ_Unlock(certTrustLock); @@ -2986,14 +2933,13 @@ CERT_UnlockCertTrust(const CERTCertificate *cert) #endif } - /* * Get the StatusConfig data for this handle */ CERTStatusConfig * CERT_GetStatusConfig(CERTCertDBHandle *handle) { - return handle->statusConfig; + return handle->statusConfig; } /* @@ -3003,8 +2949,8 @@ CERT_GetStatusConfig(CERTCertDBHandle *handle) void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig) { - PORT_Assert(handle->statusConfig == NULL); - handle->statusConfig = statusConfig; + PORT_Assert(handle->statusConfig == NULL); + handle->statusConfig = statusConfig; } /* @@ -3012,37 +2958,40 @@ CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig) */ static PLHashTable *gSubjKeyIDHash = NULL; -static PRLock *gSubjKeyIDLock = NULL; +static PRLock *gSubjKeyIDLock = NULL; static PLHashTable *gSubjKeyIDSlotCheckHash = NULL; -static PRLock *gSubjKeyIDSlotCheckLock = NULL; +static PRLock *gSubjKeyIDSlotCheckLock = NULL; -static void *cert_AllocTable(void *pool, PRSize size) +static void * +cert_AllocTable(void *pool, PRSize size) { return PORT_Alloc(size); } -static void cert_FreeTable(void *pool, void *item) +static void +cert_FreeTable(void *pool, void *item) { PORT_Free(item); } -static PLHashEntry* cert_AllocEntry(void *pool, const void *key) +static PLHashEntry * +cert_AllocEntry(void *pool, const void *key) { return PORT_New(PLHashEntry); } -static void cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag) +static void +cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag) { - SECITEM_FreeItem((SECItem*)(he->value), PR_TRUE); + SECITEM_FreeItem((SECItem *)(he->value), PR_TRUE); if (flag == HT_FREE_ENTRY) { - SECITEM_FreeItem((SECItem*)(he->key), PR_TRUE); + SECITEM_FreeItem((SECItem *)(he->key), PR_TRUE); PORT_Free(he); } } -static PLHashAllocOps cert_AllocOps = { - cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry -}; +static PLHashAllocOps cert_AllocOps = { cert_AllocTable, cert_FreeTable, + cert_AllocEntry, cert_FreeEntry }; SECStatus cert_CreateSubjectKeyIDSlotCheckHash(void) @@ -3051,10 +3000,9 @@ cert_CreateSubjectKeyIDSlotCheckHash(void) * This hash is used to remember the series of a slot * when we last checked for user certs */ - gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash, - SECITEM_HashCompare, - SECITEM_HashCompare, - &cert_AllocOps, NULL); + gSubjKeyIDSlotCheckHash = + PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, + SECITEM_HashCompare, &cert_AllocOps, NULL); if (!gSubjKeyIDSlotCheckHash) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; @@ -3073,8 +3021,7 @@ SECStatus cert_CreateSubjectKeyIDHashTable(void) { gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, - SECITEM_HashCompare, - &cert_AllocOps, NULL); + SECITEM_HashCompare, &cert_AllocOps, NULL); if (!gSubjKeyIDHash) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; @@ -3088,8 +3035,8 @@ cert_CreateSubjectKeyIDHashTable(void) } /* initialize the companion hash (for remembering slot series) */ if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) { - cert_DestroySubjectKeyIDHashTable(); - return SECFailure; + cert_DestroySubjectKeyIDHashTable(); + return SECFailure; } return SECSuccess; } @@ -3101,8 +3048,8 @@ cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert) SECStatus rv = SECFailure; if (!gSubjKeyIDLock) { - /* If one is created, then both are there. So only check for one. */ - return SECFailure; + /* If one is created, then both are there. So only check for one. */ + return SECFailure; } newVal = SECITEM_DupItem(&cert->derCert); @@ -3118,18 +3065,18 @@ cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert) } PR_Lock(gSubjKeyIDLock); - /* The hash table implementation does not free up the memory - * associated with the key of an already existing entry if we add a - * duplicate, so we would wind up leaking the previously allocated + /* The hash table implementation does not free up the memory + * associated with the key of an already existing entry if we add a + * duplicate, so we would wind up leaking the previously allocated * key if we don't remove before adding. */ - oldVal = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); + oldVal = (SECItem *)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); if (oldVal) { PL_HashTableRemove(gSubjKeyIDHash, subjKeyID); } - rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess : - SECFailure; + rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess + : SECFailure; PR_Unlock(gSubjKeyIDLock); done: return rv; @@ -3143,8 +3090,8 @@ cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID) return SECFailure; PR_Lock(gSubjKeyIDLock); - rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess : - SECFailure; + rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess + : SECFailure; PR_Unlock(gSubjKeyIDLock); return rv; } @@ -3156,12 +3103,12 @@ cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series) SECStatus rv = SECFailure; if (!gSubjKeyIDSlotCheckLock) { - return rv; + return rv; } newSlotid = SECITEM_DupItem(slotid); newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int)); - if (!newSlotid || !newSeries ) { + if (!newSlotid || !newSeries) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } @@ -3170,17 +3117,18 @@ cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series) PR_Lock(gSubjKeyIDSlotCheckLock); oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); if (oldSeries) { - /* - * make sure we don't leak the key of an existing entry - * (similar to cert_AddSubjectKeyIDMapping, see comment there) - */ + /* + * make sure we don't leak the key of an existing entry + * (similar to cert_AddSubjectKeyIDMapping, see comment there) + */ PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid); } - rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ? - SECSuccess : SECFailure; + rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) + ? SECSuccess + : SECFailure; PR_Unlock(gSubjKeyIDSlotCheckLock); if (rv == SECSuccess) { - return rv; + return rv; } loser: @@ -3200,23 +3148,23 @@ cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid) int series; if (!gSubjKeyIDSlotCheckLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return -1; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return -1; } PR_Lock(gSubjKeyIDSlotCheckLock); seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); PR_Unlock(gSubjKeyIDSlotCheckLock); - /* getting a null series just means we haven't registered one yet, - * just return 0 */ + /* getting a null series just means we haven't registered one yet, + * just return 0 */ if (seriesItem == NULL) { - return 0; + return 0; } /* if we got a series back, assert if it's not the proper length. */ PORT_Assert(seriesItem->len == sizeof(int)); if (seriesItem->len != sizeof(int)) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return -1; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return -1; } PORT_Memcpy(&series, seriesItem->data, sizeof(int)); return series; @@ -3251,16 +3199,16 @@ cert_DestroySubjectKeyIDHashTable(void) return SECSuccess; } -SECItem* +SECItem * cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID) { - SECItem *val; - + SECItem *val; + if (!gSubjKeyIDLock) return NULL; PR_Lock(gSubjKeyIDLock); - val = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); + val = (SECItem *)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID); if (val) { val = SECITEM_DupItem(val); } @@ -3268,7 +3216,7 @@ cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID) return val; } -CERTCertificate* +CERTCertificate * CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, SECItem *subjKeyID) { CERTCertificate *cert = NULL; |