From 0cb06e0fdefdbcc72c19e29d092f79fd449ee8f2 Mon Sep 17 00:00:00 2001 From: "ian.mcgreer%sun.com" Date: Thu, 12 Sep 2002 21:04:47 +0000 Subject: [PATCH] add support for key identifiers git-svn-id: svn://10.0.0.236/branches/STAN_WORK_BRANCH@129419 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/security/nss/cmd/cmdlib/cmderrors.c | 12 +- mozilla/security/nss/cmd/cmdlib/cmdpp.c | 62 ++- mozilla/security/nss/cmd/cmdlib/errorgen.perl | 14 +- mozilla/security/nss/cmd/pkiutil/pkiobject.c | 118 ++++- mozilla/security/nss/cmd/pkiutil/pkiutil.c | 33 +- mozilla/security/nss/cmd/pkiutil/pkiutil.h | 13 +- mozilla/security/nss/lib/pki/certificate.c | 5 +- .../security/nss/lib/pkix/include/nsspkix.h | 14 +- mozilla/security/nss/lib/pkix/include/pkix.h | 10 +- .../security/nss/lib/pkix/include/pkixtm.h | 50 +- .../nss/lib/pkix/src/AuthorityKeyID.c | 487 ++++++++++++++++++ .../nss/lib/pkix/src/BasicConstraints.c | 23 +- .../security/nss/lib/pkix/src/Extensions.c | 108 +++- mozilla/security/nss/lib/pkix/src/manifest.mn | 1 + mozilla/security/nss/lib/pkix/src/nsspkix.def | 6 + mozilla/security/nss/lib/pkix/src/pkiglue.c | 124 ++++- 16 files changed, 994 insertions(+), 86 deletions(-) create mode 100644 mozilla/security/nss/lib/pkix/src/AuthorityKeyID.c diff --git a/mozilla/security/nss/cmd/cmdlib/cmderrors.c b/mozilla/security/nss/cmd/cmdlib/cmderrors.c index 3840551f0b8..c14785796e8 100644 --- a/mozilla/security/nss/cmd/cmdlib/cmderrors.c +++ b/mozilla/security/nss/cmd/cmdlib/cmderrors.c @@ -224,15 +224,19 @@ CMD_PrintError(char *message, ...) va_list args; e = NSS_GetError(); - text = get_error_text(e); va_start(args, message); PR_vfprintf(PR_STDERR, message, args); - if (text) { - PR_fprintf(PR_STDERR, ": %s\n", text); + if (e) { + text = get_error_text(e); + if (text) { + PR_fprintf(PR_STDERR, ": %s\n", text); + } else { + PR_fprintf(PR_STDERR, ": (%d)\n", e); + } } else { - PR_fprintf(PR_STDERR, ": (%d)\n", e); + PR_fprintf(PR_STDERR, "\n"); } va_end(args); 
diff --git a/mozilla/security/nss/cmd/cmdlib/cmdpp.c b/mozilla/security/nss/cmd/cmdlib/cmdpp.c index 18221e20d92..e9d0f8b5a70 100644 --- a/mozilla/security/nss/cmd/cmdlib/cmdpp.c +++ b/mozilla/security/nss/cmd/cmdlib/cmdpp.c @@ -112,7 +112,8 @@ CMD_PrintHex(CMDPrinter *printer, NSSItem *item, char *message) int i; unsigned char *buf = (unsigned char *)item->data; - print_heading(printer, message); + if (message) + print_heading(printer, message); for (i = 0; i < item->size; i++) { if (i < item->size - 1) { PR_fprintf(printer->out, "%02x:", buf[i]); @@ -236,6 +237,44 @@ CMD_PrintPKIXKeyUsage(CMDPrinter *printer, NSSPKIXKeyUsage *keyUsage, unindent(printer); } +void +CMD_PrintPKIXBasicConstraints(CMDPrinter *printer, + NSSPKIXBasicConstraints *bc, + char *message) +{ + print_heading(printer, message); + newline_reset(printer); + indent(printer); + + if (NSSPKIXBasicConstraints_IsCA(bc)) { + PR_fprintf(printer->out, "Certificate is CA"); + newline(printer); + PR_fprintf(printer->out, "With maximum path length %d", + NSSPKIXBasicConstraints_GetPathLengthConstraint(bc)); + } else { + PR_fprintf(printer->out, "Certificate is not CA"); + } + + unindent(printer); +} + +void +CMD_PrintPKIXAuthorityKeyID(CMDPrinter *printer, + NSSPKIXAuthorityKeyIdentifier *akid, + char *message) +{ + NSSPKIXKeyIdentifier *kid; + + print_heading(printer, message); + newline_reset(printer); + indent(printer); + + kid = NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier(akid); + CMD_PrintHex(printer, kid, "Key Identifier"); + + unindent(printer); +} + void CMD_PrintPKIXnsCertType(CMDPrinter *printer, NSSPKIXnetscapeCertType *nsCertType, @@ -293,6 +332,9 @@ CMD_PrintPKIXExtensions(CMDPrinter *printer, NSSPKIXExtensions *extensions, char *message) { NSSPKIXKeyUsage *keyUsage; + NSSPKIXBasicConstraints *bc; + NSSPKIXAuthorityKeyIdentifier *akid; + NSSPKIXSubjectKeyIdentifier *skid; NSSPKIXnetscapeCertType *nsCertType; print_heading(printer, message); 
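Review bot: CMD_PrintPKIXAuthorityKeyID prints the key identifier unconditionally, but keyIdentifier is an OPTIONAL [0] element of AuthorityKeyIdentifier and the accessor this commit adds, NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier, hands back a pointer into the akid's own storage whether or not the field was decoded, so an AKID that carries only authorityCertIssuer/authorityCertSerialNumber prints an empty "Key Identifier" heading. Guard the print with the header's NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier (or `if (kid && !NSSITEM_IS_EMPTY(kid))`) and otherwise say so, e.g. `PR_fprintf(printer->out, "No key identifier present");`. The same caution applies to CMD_PrintPKIXBasicConstraints, which prints "With maximum path length %d" for every CA although pathLenConstraint is optional; what NSSPKIXBasicConstraints_GetPathLengthConstraint returns when the field is absent is not visible here, so either skip the line for that sentinel value or document it next to the call.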
@@ -305,6 +347,24 @@ CMD_PrintPKIXExtensions(CMDPrinter *printer, NSSPKIXExtensions *extensions, newline_reset(printer); } + bc = NSSPKIXExtensions_GetBasicConstraints(extensions); + if (bc) { + CMD_PrintPKIXBasicConstraints(printer, bc, "Basic Constraints"); + newline_reset(printer); + } + + akid = NSSPKIXExtensions_GetAuthorityKeyIdentifier(extensions); + if (akid) { + CMD_PrintPKIXAuthorityKeyID(printer, akid, "Authority Key Identifier"); + newline_reset(printer); + } + + skid = NSSPKIXExtensions_GetSubjectKeyIdentifier(extensions); + if (skid) { + CMD_PrintHex(printer, skid, "Subject Key Identifier"); + newline_reset(printer); + } + nsCertType = NSSPKIXExtensions_GetNetscapeCertType(extensions); if (keyUsage) { CMD_PrintPKIXnsCertType(printer, nsCertType, "netscape Cert Type"); diff --git a/mozilla/security/nss/cmd/cmdlib/errorgen.perl b/mozilla/security/nss/cmd/cmdlib/errorgen.perl index 6278a68e0a7..04547e8f6f4 100644 --- a/mozilla/security/nss/cmd/cmdlib/errorgen.perl +++ b/mozilla/security/nss/cmd/cmdlib/errorgen.perl @@ -31,7 +31,7 @@ # may use your version of this file under either the MPL or the # GPL. # -$cvs_id = '@(#) $RCSfile: errorgen.perl,v $ $Revision: 1.1.2.1 $ $Date: 2002-09-10 23:24:11 $ $Name: not supported by cvs2svn $'; +$cvs_id = '@(#) $RCSfile: errorgen.perl,v $ $Revision: 1.1.2.2 $ $Date: 2002-09-12 21:04:19 $ $Name: not supported by cvs2svn $'; $cfile = shift; open(CFILE, "> $cfile") || die "Can't open $cfile: $!"; @@ -134,15 +134,19 @@ CMD_PrintError(char *message, ...) va_list args; e = NSS_GetError(); - text = get_error_text(e); va_start(args, message); PR_vfprintf(PR_STDERR, message, args); - if (text) { - PR_fprintf(PR_STDERR, ": %s\\n", text); + if (e) { + text = get_error_text(e); + if (text) { + PR_fprintf(PR_STDERR, ": %s\\n", text); + } else { + PR_fprintf(PR_STDERR, ": (%d)\\n", e); + } } else { - PR_fprintf(PR_STDERR, ": (%d)\\n", e); + PR_fprintf(PR_STDERR, "\\n"); } va_end(args); 
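Review bot: In CMD_PrintPKIXExtensions the netscape Cert Type block directly below the new Subject Key Identifier block is still guarded by `if (keyUsage)` rather than `if (nsCertType)`, so a certificate with keyUsage but no nsCertType hands a NULL nsCertType to CMD_PrintPKIXnsCertType (whose body is outside this hunk, so whether it tolerates NULL is not visible). The three blocks added here each test their own pointer; bringing the existing one into line, `if (nsCertType) {`, makes the pattern uniform and removes the dependency on an unrelated extension. The skid branch passes an NSSPKIXSubjectKeyIdentifier to CMD_PrintHex's NSSItem parameter, which is only correct if that type is an NSSItem alias; a one-line comment there would spare the next reader the lookup.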
diff --git a/mozilla/security/nss/cmd/pkiutil/pkiobject.c b/mozilla/security/nss/cmd/pkiutil/pkiobject.c index d0a47e8e020..9ed0fbb1542 100644 --- a/mozilla/security/nss/cmd/pkiutil/pkiobject.c +++ b/mozilla/security/nss/cmd/pkiutil/pkiobject.c 
@@ -32,19 +32,67 @@ get_object_class(char *type) return PKIUnknown; } +/* XXX */ +static NSSItem * +get_cert_serial_number(NSSCertificate *c) +{ + NSSPKIXCertificate *pkixCert; + NSSPKIXTBSCertificate *tbsCert; + pkixCert = (NSSPKIXCertificate *)NSSCertificate_GetDecoding(c); + tbsCert = NSSPKIXCertificate_GetTBSCertificate(pkixCert); + return NSSPKIXTBSCertificate_GetSerialNumber(tbsCert); +} + +/* XXX should have a filter function */ +static NSSCertificate * +find_nick_cert_by_sn(NSSTrustDomain *td, char *nickname, char *serial) +{ + int i = 0; + NSSCertificate **certs; + NSSCertificate *c = NULL; + certs = NSSTrustDomain_FindCertificatesByNickname(td, nickname, + NULL, 0, NULL); + if (certs) { + while (certs[i]) { + NSSItem *sn = get_cert_serial_number(certs[i]); + NSSItem *ser; + CMDFileMode mode = CMDFileMode_Hex; + ser = CMD_GetDataFromBuffer(serial, strlen(serial), &mode); + if (NSSItem_Equal(sn, ser, NULL)) { + int j = i; + c = certs[i]; + /* XXX super-hack while not filter */ + while (certs[i+1]) i++; + certs[j] = certs[i]; + certs[i] = NULL; + break; + } + i++; + } + NSSCertificateArray_Destroy(certs); + } + return c; +} + static PRStatus print_cert_callback(NSSCertificate *c, void *arg) { CMDRunTimeData *rtData = (CMDRunTimeData *)arg; + CMDPrinter printer; NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL); + NSSItem *serialNumber; #if 0 PRBool isUserCert = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL); #else PRBool isUserCert = PR_FALSE; #endif - PR_fprintf(rtData->output.file, "Listing %c %s\n", + serialNumber = get_cert_serial_number(c); + PR_fprintf(rtData->output.file, "%c %-40s", (isUserCert) ? '*' : ' ', nickname); + CMD_InitPrinter(&printer, rtData->output.file, 0, 80); + CMD_PrintHex(&printer, serialNumber, NULL); + PR_fprintf(rtData->output.file, "\n"); return PR_SUCCESS; } 
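Review bot: find_nick_cert_by_sn re-parses the user-supplied `serial` with CMD_GetDataFromBuffer on every loop iteration, never releases the returned item, and calls NSSItem_Equal without checking that either `sn` or `ser` is non-NULL; get_cert_serial_number likewise passes the result of NSSCertificate_GetDecoding to NSSPKIXCertificate_GetTBSCertificate unchecked, so a certificate whose DER fails to decode takes the tool down instead of being skipped (`if (!pkixCert) return NULL;` after the GetDecoding call, and the same for tbsCert). print_cert_callback has the same exposure: CMD_PrintHex reads `item->data` before anything else (cmdpp.c), so a NULL serialNumber must be handled, e.g. `if (serialNumber) CMD_PrintHex(&printer, serialNumber, NULL);`. A version of the lookup that parses once, checks, and releases is below; the destructor paired with CMD_GetDataFromBuffer is not visible in this diff, so that call is left as a placeholder.
```c
static NSSCertificate *
find_nick_cert_by_sn(NSSTrustDomain *td, char *nickname, char *serial)
{
    int i = 0;
    NSSCertificate **certs;
    NSSCertificate *c = NULL;
    NSSItem *ser;
    CMDFileMode mode = CMDFileMode_Hex;

    /* parse the user-supplied serial once, not once per candidate */
    ser = CMD_GetDataFromBuffer(serial, strlen(serial), &mode);
    if (!ser) {
        return NULL;
    }
    certs = NSSTrustDomain_FindCertificatesByNickname(td, nickname,
                                                      NULL, 0, NULL);
    if (certs) {
        while (certs[i]) {
            NSSItem *sn = get_cert_serial_number(certs[i]);
            /* a certificate that does not decode cannot match; skip it */
            if (sn && NSSItem_Equal(sn, ser, NULL)) {
                /* … unchanged: detach certs[i] from the array so Destroy keeps it … */
                break;
            }
            i++;
        }
        NSSCertificateArray_Destroy(certs);
    }
    /* PLACEHOLDER: release ser with the destructor paired with CMD_GetDataFromBuffer */
    return c;
}
```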
@@ -239,17 +287,33 @@ ListObjects return status; } -static PRStatus -dump_cert_chain +PRStatus +ListChain ( NSSTrustDomain *td, - NSSCertificate *c, + char *nickname, + char *serial, + PRUint32 maximumOpt, CMDRunTimeData *rtData ) { + int i; PRStatus status; - PRUint32 i, j; - NSSCertificate **chain, **chainp; + NSSCertificate *c; + NSSCertificate **chain; + + if (serial) { + c = find_nick_cert_by_sn(td, nickname, serial); + } else { + c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, + NSSTime_Now(), + NULL, NULL); + } + + if (!c) { + CMD_PrintError("Failed to find certificate %s", nickname); + return PR_FAILURE; + } chain = NSSCertificate_BuildChain(c, NSSTime_Now(), NULL, /* usage */ @@ -258,13 +322,11 @@ dump_cert_chain 0, /* rvLimit */ NULL, /* arena */ &status); - chainp = chain; i = 0; - while (chainp && *chainp) { - for (j=0; joutput.file, " "); - status = print_cert_callback(*chainp, rtData); - i++; - chainp++; + while (chain[++i]); + while (i > 0) { + --i; + status = print_cert_callback(chain[i], rtData); } NSSCertificateArray_Destroy(chain); return PR_SUCCESS; @@ -302,8 +364,8 @@ DumpObject NSSTrustDomain *td, char *objectType, char *nickname, + char *serialOpt, PRBool info, - PRBool chain, CMDRunTimeData *rtData ) { @@ -313,12 +375,9 @@ DumpObject switch (get_object_class(objectType)) { case PKICertificate: case PKIAny: /* default to certificate */ - if (chain) { - c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, - NSSTime_Now(), - NULL, - NULL); - status = dump_cert_chain(td, c, rtData); + if (serialOpt) { + c = find_nick_cert_by_sn(td, nickname, serialOpt); + status = dump_cert_info(td, c, rtData); NSSCertificate_Destroy(c); } else if (info) { c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, @@ -348,6 +407,7 @@ ValidateCert ( NSSTrustDomain *td, char *nickname, + char *serial, char *usageStr, PRBool info, CMDRunTimeData *rtData 
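Review bot: In ListChain the new walk `i = 0; while (chain[++i]);` dereferences `chain` without the `chainp && *chainp` guard the old loop had, so a failed NSSCertificate_BuildChain (NULL return with `status` set) crashes, and an array whose first slot is NULL is read one past its end before chain[0] is ever tested. The `c` returned by the lookup is also never released in ListChain, although DumpObject still calls NSSCertificate_Destroy(c) after its own dump, and the `status` from print_cert_callback is discarded in favour of an unconditional PR_SUCCESS. A guarded forward scan plus the missing release is below; `maximumOpt` remains unused, which deserves at least a comment on the parameter.
```c
    chain = NSSCertificate_BuildChain(c, NSSTime_Now(),
                                      /* … unchanged: usage, policies, rvLimit, arena … */
                                      &status);
    if (!chain || !chain[0]) {
        CMD_PrintError("Failed to build chain for %s", nickname);
        NSSCertificate_Destroy(c);
        return PR_FAILURE;
    }
    /* advance i to the terminating NULL, then print back to front */
    for (i = 0; chain[i]; i++) {
    }
    while (i > 0) {
        --i;
        status = print_cert_callback(chain[i], rtData);
    }
    NSSCertificateArray_Destroy(chain);
    NSSCertificate_Destroy(c);
    return status;
```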
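Review bot: In DumpObject's new `serialOpt` branch the result of find_nick_cert_by_sn goes straight into dump_cert_info and NSSCertificate_Destroy without a NULL check, so a `--serial` that matches none of the nickname's certificates dereferences NULL instead of reporting the miss. Mirror ListChain's handling: `if (!c) { CMD_PrintError("Failed to find certificate %s", nickname); return PR_FAILURE; }` before the dump. DumpObject's body continues outside the hunk.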
@@ -355,6 +415,7 @@ ValidateCert { PRStatus status; NSSCertificate *c; + NSSCertificate **certs = NULL; char usage; NSSUsages usages = { 0 }; @@ -379,12 +440,19 @@ ValidateCert } } - c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, - NSSTime_Now(), - NULL, - NULL); + if (serial) { + c = find_nick_cert_by_sn(td, nickname, serial); + } else { + c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, + NSSTime_Now(), + NULL, + NULL); + } if (!c) { CMD_PrintError("Failed to locate cert %s", nickname); + if (certs) { + NSSCertificateArray_Destroy(certs); + } return PR_FAILURE; } @@ -395,6 +463,10 @@ ValidateCert CMD_PrintError("Validation failed"); } + if (certs) { + NSSCertificateArray_Destroy(certs); + } + return status; } diff --git a/mozilla/security/nss/cmd/pkiutil/pkiutil.c b/mozilla/security/nss/cmd/pkiutil/pkiutil.c index e7c9668aa65..ccb6a4e58ce 100644 --- a/mozilla/security/nss/cmd/pkiutil/pkiutil.c +++ b/mozilla/security/nss/cmd/pkiutil/pkiutil.c @@ -56,6 +56,7 @@ enum { cmd_Import, cmd_Interactive, cmd_List, + cmd_ListChain, cmd_Print, cmd_Validate, cmd_Version, @@ -66,7 +67,6 @@ enum { enum { opt_Help = 0, opt_Ascii, - opt_Chain, opt_ProfileDir, opt_TokenName, opt_InputFile, @@ -75,6 +75,7 @@ enum { opt_OutputFile, opt_Orphans, opt_Binary, + opt_Serial, opt_Trust, opt_Type, opt_Usages, @@ -157,6 +158,20 @@ static cmdCommandLineArg pkiutil_commands[] = }, "List objects on the token" }, + { /* cmd_ListChain */ + 0 , "list-chain", + CMDNoArg, 0, PR_FALSE, + { + CMDBIT(opt_Nickname), + 0, 0, 0 + }, + { + CMDBIT(opt_ProfileDir) | + CMDBIT(opt_Serial), + 0, 0, 0 + }, + "List a certificate chain" + }, { /* cmd_Print */ 'P', "print", CMDNoArg, 0, PR_FALSE, @@ -166,11 +181,11 @@ static cmdCommandLineArg pkiutil_commands[] = }, { CMDBIT(opt_Ascii) | - CMDBIT(opt_Chain) | CMDBIT(opt_Info) | CMDBIT(opt_ProfileDir) | CMDBIT(opt_OutputFile) | CMDBIT(opt_Binary) | + CMDBIT(opt_Serial) | CMDBIT(opt_Type), 0, 0, 0 }, 
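Review bot: `NSSCertificate **certs = NULL;` added to ValidateCert is never assigned, so the two new `if (certs) { NSSCertificateArray_Destroy(certs); }` blocks (hunks @@ -379 and @@ -395) are dead code that reads as if an array lookup were still pending. Either drop the variable and both cleanup blocks, or, if the intent was to keep the nickname's certificate array alive for the duration of validation, perform that lookup here rather than inside find_nick_cert_by_sn. ValidateCert's body extends beyond these hunks.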
@@ -186,6 +201,7 @@ static cmdCommandLineArg pkiutil_commands[] = { CMDBIT(opt_Info) | CMDBIT(opt_ProfileDir) | + CMDBIT(opt_Serial) | CMDBIT(opt_Usages) | 0, 0, 0 }, @@ -204,7 +220,6 @@ static cmdCommandLineOpt pkiutil_options[] = { { /* opt_Help */ '?', "help", CMDNoArg }, { /* opt_Ascii */ 'a', "ascii", CMDNoArg }, - { /* opt_Chain */ 0 , "chain", CMDNoArg }, { /* opt_ProfileDir */ 'd', "dbdir", CMDArgReq }, { /* opt_TokenName */ 'h', "token", CMDArgReq }, { /* opt_InputFile */ 'i', "infile", CMDArgReq }, @@ -213,6 +228,7 @@ static cmdCommandLineOpt pkiutil_options[] = { /* opt_OutputFile */ 'o', "outfile", CMDArgReq }, { /* opt_Orphans */ 0 , "orphans", CMDNoArg }, { /* opt_Binary */ 'r', "raw", CMDNoArg }, + { /* opt_Serial */ 0 , "serial", CMDArgReq }, { /* opt_Trust */ 't', "trust", CMDArgReq }, { /* opt_Type */ 0 , "type", CMDArgReq }, { /* opt_Usages */ 'u', "usages", CMDArgReq }, @@ -222,7 +238,6 @@ static char * pkiutil_options_help[] = { "get help for command", "use ascii (base-64 encoded) mode for I/O", - "list the certificate path (chain)", "directory containing security databases (default: \"./\")", "name of PKCS#11 token to use (default: internal)", "file for input (default: stdin)", @@ -422,17 +437,25 @@ pkiutil_command_dispatcher(cmdCommand *pkiutil, int cmdToRun) 0, &rtData); break; + case cmd_ListChain: + status = ListChain(td, + pkiutil->opt[opt_Nickname].arg, + pkiutil->opt[opt_Serial].arg, + 0, + &rtData); + break; case cmd_Print: status = DumpObject(td, NULL, pkiutil->opt[opt_Nickname].arg, + pkiutil->opt[opt_Serial].arg, pkiutil->opt[opt_Info].on, - pkiutil->opt[opt_Chain].on, &rtData); break; case cmd_Validate: status = ValidateCert(td, pkiutil->opt[opt_Nickname].arg, + pkiutil->opt[opt_Serial].arg, pkiutil->opt[opt_Usages].arg, pkiutil->opt[opt_Info].on, &rtData); diff --git a/mozilla/security/nss/cmd/pkiutil/pkiutil.h b/mozilla/security/nss/cmd/pkiutil/pkiutil.h index 813d4b5930a..3d7d88df196 100644 
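Review bot: The options table gains `{ /* opt_Serial */ 0 , "serial", CMDArgReq }` between opt_Binary and opt_Trust, but pkiutil_options_help[] only loses the chain string (hunk @@ -222) and gains nothing; if that array is indexed by the opt_ enum, as the parallel ordering and the matching removal suggest, every help string from opt_Serial onwards is now shown against the wrong option and the last option reads past the array. Add a string at the position matching opt_Serial, e.g. `"serial number (hex) of the certificate, to pick one of several with the same nickname",`. The diffstat for pkiutil.c (33 changed lines) is accounted for by the hunks shown, so the missing string does not appear to be in an unshown hunk.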
--- a/mozilla/security/nss/cmd/pkiutil/pkiutil.h +++ b/mozilla/security/nss/cmd/pkiutil/pkiutil.h @@ -45,14 +45,24 @@ ListObjects CMDRunTimeData *rtData ); +PRStatus +ListChain +( + NSSTrustDomain *td, + char *nickname, + char *serial, + PRUint32 maximumOpt, + CMDRunTimeData *rtData +); + PRStatus DumpObject ( NSSTrustDomain *td, char *objectType, char *nickname, + char *serialOpt, PRBool info, - PRBool chain, CMDRunTimeData *rtData ); @@ -61,6 +71,7 @@ ValidateCert ( NSSTrustDomain *td, char *nickname, + char *serial, char *usages, PRBool info, CMDRunTimeData *rtData diff --git a/mozilla/security/nss/lib/pki/certificate.c b/mozilla/security/nss/lib/pki/certificate.c index e5d1baebe77..ec749a03c05 100644 --- a/mozilla/security/nss/lib/pki/certificate.c +++ b/mozilla/security/nss/lib/pki/certificate.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.38.2.7 $ $Date: 2002-09-10 22:29:40 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.38.2.8 $ $Date: 2002-09-12 21:04:25 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef BASE_H @@ -449,7 +449,8 @@ nssCertificate_IsNewer PRStatus *statusOpt ) { - nssCertDecoding *dc1, *dc2; + nssCertDecoding *dc1 = nssCertificate_GetDecoding(c1); + nssCertDecoding *dc2 = nssCertificate_GetDecoding(c2); if (statusOpt) *statusOpt = PR_SUCCESS; /* get the times from the decoding */ if (get_validity_period(dc1) == PR_FAILURE) { diff --git a/mozilla/security/nss/lib/pkix/include/nsspkix.h b/mozilla/security/nss/lib/pkix/include/nsspkix.h index 83cb4c6a62f..1b2faa6ed64 100644 --- a/mozilla/security/nss/lib/pkix/include/nsspkix.h +++ b/mozilla/security/nss/lib/pkix/include/nsspkix.h 
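Review bot: nssCertificate_IsNewer now fetches both decodings in the declarations, but neither `dc1` nor `dc2` is checked before get_validity_period(dc1) on the following line, by which point statusOpt has already been set to PR_SUCCESS; whether get_validity_period tolerates a NULL decoding is outside this hunk. A guard before the comparison, `if (!dc1 || !dc2) { if (statusOpt) *statusOpt = PR_FAILURE; return <this function's failure value>; }`, keeps a certificate that fails to decode from being reported as older or newer than another. The function's body continues outside the hunk.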
@@ -35,7 +35,7 @@ #define NSSPKIX_H #ifdef DEBUG -static const char NSSPKIX_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/nsspkix.h,v $ $Revision: 1.1.192.4 $ $Date: 2002-09-10 21:01:45 $ $Name: not supported by cvs2svn $"; +static const char NSSPKIX_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/nsspkix.h,v $ $Revision: 1.1.192.5 $ $Date: 2002-09-12 21:04:29 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* @@ -14351,6 +14351,8 @@ NSSPKIXTeletexDomainDefinedAttribute_Duplicate NSSArena *arenaOpt ); +#endif /* nodef */ + /* * AuthorityKeyIdentifier * @@ -14467,6 +14469,7 @@ NSSPKIXAuthorityKeyIdentifier_Destroy * NULL upon failure */ +#ifdef nodef NSS_EXTERN NSSBER * NSSPKIXAuthorityKeyIdentifier_Encode ( @@ -14475,6 +14478,7 @@ NSSPKIXAuthorityKeyIdentifier_Encode NSSBER *rvOpt, NSSArena *arenaOpt ); +#endif /* * NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier @@ -14516,9 +14520,7 @@ NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier NSS_EXTERN NSSPKIXKeyIdentifier * NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier ( - NSSPKIXAuthorityKeyIdentifier *aki, - NSSPKIXKeyIdentifier *rvOpt, - NSSArena *arenaOpt + NSSPKIXAuthorityKeyIdentifier *aki ); /* @@ -14853,6 +14855,7 @@ NSSPKIXKeyUsage_Destroy * NULL upon failure */ +#ifdef nodef NSS_EXTERN NSSBER * NSSPKIXKeyUsage_Encode ( @@ -14861,6 +14864,7 @@ NSSPKIXKeyUsage_Encode NSSBER *rvOpt, NSSArena *arenaOpt ); +#endif /* * NSSPKIXKeyUsage_GetUTF8Encoding @@ -14897,12 +14901,12 @@ NSSPKIXKeyUsage_GetUTF8Encoding * NSSKeyUsage_NSSinvalid upon failure */ -#endif /* nodef */ NSS_EXTERN NSSPKIXKeyUsageValue NSSPKIXKeyUsage_GetValue ( NSSPKIXKeyUsage *keyUsage ); + #ifdef nodef /* diff --git a/mozilla/security/nss/lib/pkix/include/pkix.h b/mozilla/security/nss/lib/pkix/include/pkix.h index 6cbd0307c4e..13665a458a3 100644 --- a/mozilla/security/nss/lib/pkix/include/pkix.h 
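Review bot: NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier loses its rvOpt/arenaOpt parameters, which changes the ownership contract: the implementation added in AuthorityKeyID.c returns a pointer into the akid's own storage, valid only until NSSPKIXAuthorityKeyIdentifier_Destroy, and the prose block above the prototype (outside this hunk) presumably still describes a copy placed in rvOpt/arenaOpt. Update that comment to say `/* Returns a pointer owned by aki; do not free. The item is empty when the OPTIONAL keyIdentifier was absent. */`. The matching change in pkix.h (hunk @@ -14476) needs the same note.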
+++ b/mozilla/security/nss/lib/pkix/include/pkix.h @@ -35,7 +35,7 @@ #define PKIX_H #ifdef DEBUG -static const char PKIX_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/pkix.h,v $ $Revision: 1.1.192.5 $ $Date: 2002-09-10 21:01:48 $ $Name: not supported by cvs2svn $"; +static const char PKIX_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/pkix.h,v $ $Revision: 1.1.192.6 $ $Date: 2002-09-12 21:04:35 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* @@ -14312,6 +14312,8 @@ nssPKIXTeletexDomainDefinedAttribute_Duplicate NSSArena *arenaOpt ); +#endif /* nodef */ + /* * AuthorityKeyIdentifier * @@ -14476,9 +14478,7 @@ nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier NSS_EXTERN NSSPKIXKeyIdentifier * nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier ( - NSSPKIXAuthorityKeyIdentifier *aki, - NSSPKIXKeyIdentifier *rvOpt, - NSSArena *arenaOpt + NSSPKIXAuthorityKeyIdentifier *aki ); /* @@ -14679,8 +14679,6 @@ nssPKIXAuthorityKeyIdentifier_Duplicate NSSArena *arenaOpt ); -#endif /* nodef */ - /* * KeyUsage * diff --git a/mozilla/security/nss/lib/pkix/include/pkixtm.h b/mozilla/security/nss/lib/pkix/include/pkixtm.h index 11d765eca88..9378749728b 100644 --- a/mozilla/security/nss/lib/pkix/include/pkixtm.h +++ b/mozilla/security/nss/lib/pkix/include/pkixtm.h @@ -35,7 +35,7 @@ #define PKIXTM_H #ifdef DEBUG -static const char PKIXTM_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/pkixtm.h,v $ $Revision: 1.1.192.2 $ $Date: 2002-09-10 21:01:53 $ $Name: not supported by cvs2svn $"; +static const char PKIXTM_CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/include/Attic/pkixtm.h,v $ $Revision: 1.1.192.3 $ $Date: 2002-09-12 21:04:41 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* 
@@ -1034,6 +1034,26 @@ struct NSSPKIXTeletexDomainDefinedAttributeStr { NSSUTF8 *value; }; +#endif /* nodef */ + +/* + * GeneralNames + * + * This structure contains a sequence of GeneralName objects. + * + * From RFC 2459: + * + * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + * + */ + +struct NSSPKIXGeneralNamesStr { + NSSArena *arena; + PRBool i_allocated_arena; + NSSDER der; + /* ... */ +}; + /* * AuthorityKeyIdentifier * @@ -1053,12 +1073,14 @@ struct NSSPKIXTeletexDomainDefinedAttributeStr { struct NSSPKIXAuthorityKeyIdentifierStr { NSSArena *arena; PRBool i_allocated_arena; - NSSDER *der; - NSSPKIXKeyIdentifier *keyIdentifier; - NSSPKIXGeneralNames *authorityCertIssuer; - NSSPKIXCertificateSerialNumber *authorityCertSerialNumber; + NSSDER der; + NSSPKIXKeyIdentifier keyIdentifier; + NSSPKIXGeneralNames authorityCertIssuer; + NSSPKIXCertificateSerialNumber authorityCertSerialNumber; }; +#ifdef nodef + /* * PrivateKeyUsagePeriod * @@ -1265,24 +1287,6 @@ struct NSSPKIXGeneralNameStr { } u; }; -/* - * GeneralNames - * - * This structure contains a sequence of GeneralName objects. - * - * From RFC 2459: - * - * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - * - */ - -struct NSSPKIXGeneralNamesStr { - NSSArena *arena; - PRBool i_allocated_arena; - NSSDER *der; - ... -}; - /* * AnotherName * diff --git a/mozilla/security/nss/lib/pkix/src/AuthorityKeyID.c b/mozilla/security/nss/lib/pkix/src/AuthorityKeyID.c new file mode 100644 index 00000000000..66dd03296e6 --- /dev/null +++ b/mozilla/security/nss/lib/pkix/src/AuthorityKeyID.c 
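Review bot: NSSPKIXAuthorityKeyIdentifierStr now embeds NSSPKIXGeneralNames by value, but the re-added NSSPKIXGeneralNamesStr carries its own `arena`/`i_allocated_arena`/`der` members plus a `/* ... */` placeholder, and nothing in this commit initialises those members when the struct lives inside an AKID beyond whatever zero-fill the parent's allocation provides (AuthorityKeyID.c uses nss_ZNEW). A comment on the struct, e.g. `/* when embedded (see AuthorityKeyIdentifier) arena is NULL and der is filled by the parent's template */`, would keep a future GeneralNames destructor from releasing an arena it does not own. The `/* ... */` should state what is still to be added rather than stand in for it silently.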
@@ -0,0 +1,487 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. 
+ */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/AuthorityKeyID.c,v $ $Revision: 1.1.2.1 $ $Date: 2002-09-12 21:04:46 $ $Name: not supported by cvs2svn $"; +#endif /* DEBUG */ + +#ifndef PKIXM_H +#include "../include/pkixm.h" +#endif /* PKIXM_H */ + +/* XXX move to common location */ +static const NSSASN1Template NSSASN1Template_OctetString[] = +{ + { NSSASN1_OCTET_STRING | NSSASN1_MAY_STREAM, 0, NULL, sizeof(NSSItem) } +}; +static const NSSASN1Template NSSASN1Template_Integer[] = +{ + { NSSASN1_INTEGER, 0, NULL, sizeof(NSSItem) } +}; +static const NSSASN1Template NSSASN1Template_Any[] = +{ + { NSSASN1_ANY, 0, NULL, sizeof(NSSItem) } +}; + +/* XXX move to GeneralNames.c */ +const NSSASN1Template nssPKIXGeneralNames_template[] = +{ + { NSSASN1_SEQUENCE_OF, 0, NSSASN1Template_Any } +}; + +/* + * nssPKIXAuthorityKeyIdentifier_template + * + */ + +const NSSASN1Template nssPKIXAuthorityKeyIdentifier_template[] = +{ + { NSSASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXAuthorityKeyIdentifier) }, + { NSSASN1_OPTIONAL | + NSSASN1_CONTEXT_SPECIFIC | 0, + offsetof(NSSPKIXAuthorityKeyIdentifier, keyIdentifier), + NSSASN1Template_OctetString }, + { NSSASN1_OPTIONAL | + NSSASN1_CONSTRUCTED | + NSSASN1_CONTEXT_SPECIFIC | 1, + offsetof(NSSPKIXAuthorityKeyIdentifier, authorityCertIssuer.der), + nssPKIXGeneralNames_template }, + { NSSASN1_OPTIONAL | + NSSASN1_CONTEXT_SPECIFIC | 2, + offsetof(NSSPKIXAuthorityKeyIdentifier, authorityCertSerialNumber), + NSSASN1Template_Integer }, + { 0 } +}; + +static PRStatus +encode_me(NSSPKIXAuthorityKeyIdentifier *akid) +{ + NSSASN1EncodingType encoding = NSSASN1DER; + if (NSSITEM_IS_EMPTY(&akid->der)) { + if ((NSSBER *)NULL == NSSASN1_EncodeItem( + akid->arena, + &akid->der, + akid, + nssPKIXAuthorityKeyIdentifier_template, + encoding)) + { + return PR_FAILURE; + } + } + return PR_SUCCESS; +} + +static PRStatus +decode_me(NSSPKIXAuthorityKeyIdentifier *akid) +{ + if 
(!NSSITEM_IS_EMPTY(&akid->der)) { + return NSSASN1_DecodeBER(akid->arena, akid, + nssPKIXAuthorityKeyIdentifier_template, + &akid->der); + } else { + return PR_FAILURE; + } +} + +static NSSPKIXAuthorityKeyIdentifier * +create_me +( + NSSArena *arenaOpt +) +{ + NSSArena *arena; + PRBool arena_allocated = PR_FALSE; + nssArenaMark *mark = (nssArenaMark *)NULL; + NSSPKIXAuthorityKeyIdentifier *rv = (NSSPKIXAuthorityKeyIdentifier *)NULL; + + if ((NSSArena *)NULL == arenaOpt) { + arena = NSSArena_Create(); + if ((NSSArena *)NULL == arena) { + goto loser; + } + arena_allocated = PR_TRUE; + } else { + arena = arenaOpt; + mark = nssArena_Mark(arena); + if ((nssArenaMark *)NULL == mark ) { + goto loser; + } + } + + rv = nss_ZNEW(arena, NSSPKIXAuthorityKeyIdentifier); + if ((NSSPKIXAuthorityKeyIdentifier *)NULL == rv) { + goto loser; + } + + rv->arena = arena; + rv->i_allocated_arena = arena_allocated; + + if ((nssArenaMark *)NULL != mark) { + if (PR_SUCCESS != nssArena_Unmark(arena, mark)) { + goto loser; + } + } + + return rv; + +loser: + if ((nssArenaMark *)NULL != mark) { + (void)nssArena_Release(arena, mark); + } + + if (PR_TRUE == arena_allocated) { + (void)NSSArena_Destroy(arena); + } + + return (NSSPKIXAuthorityKeyIdentifier *)NULL; +} + +#if 0 +NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +nssPKIXAuthorityKeyIdentifier_Create +( + NSSArena *arenaOpt, + NSSOID *extnID, + PRBool critical, + NSSItem *extnValue +) +{ + NSSPKIXAuthorityKeyIdentifier *rv = (NSSPKIXAuthorityKeyIdentifier *)NULL; + + rv = create_me(arenaOpt); + if (!rv) { + return (NSSPKIXAuthorityKeyIdentifier *)NULL; + } + +#if 0 + NSSOID_Encode(extnID, &rv->extnID); +#endif + rv->critical = critical; + rv->extnValue = *extnValue; + + return rv; +} +#endif + +NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +nssPKIXAuthorityKeyIdentifier_Decode +( + NSSArena *arenaOpt, + NSSBER *ber +) +{ + NSSPKIXAuthorityKeyIdentifier *rv = (NSSPKIXAuthorityKeyIdentifier *)NULL; + PRStatus status; + + rv = 
create_me(arenaOpt); + if (!rv) { + return (NSSPKIXAuthorityKeyIdentifier *)NULL; + } + + if ((NSSItem *)NULL == NSSItem_Duplicate(ber, rv->arena, &rv->der)) { + goto loser; + } + + status = decode_me(rv); + if (PR_SUCCESS != status) { + goto loser; + } + + return rv; + +loser: + nssPKIXAuthorityKeyIdentifier_Destroy(rv); + return (NSSPKIXAuthorityKeyIdentifier *)NULL; +} + +NSS_IMPLEMENT PRStatus +nssPKIXAuthorityKeyIdentifier_Destroy +( + NSSPKIXAuthorityKeyIdentifier *akid +) +{ + if (PR_TRUE == akid->i_allocated_arena) { + return NSSArena_Destroy(akid->arena); + } + return PR_SUCCESS; +} + +NSS_IMPLEMENT NSSBER * +nssPKIXAuthorityKeyIdentifier_Encode +( + NSSPKIXAuthorityKeyIdentifier *akid, + NSSASN1EncodingType encoding, + NSSBER *rvOpt, + NSSArena *arenaOpt +) +{ + PRStatus status; + switch (encoding) { + case NSSASN1BER: + case NSSASN1DER: + status = encode_me(akid); + if (status == PR_FAILURE) { + return (NSSBER *)NULL; + } + return &akid->der; + default: +#ifdef nodef + nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING); +#endif + return (NSSBER *)NULL; + } +} + +#if 0 +NSS_IMPLEMENT PRBool +nssPKIXAuthorityKeyIdentifier_Equal +( + NSSPKIXAuthorityKeyIdentifier *one, + NSSPKIXAuthorityKeyIdentifier *two, + PRStatus *statusOpt +) +{ + PRStatus status; + + /* either one or both have been encoded, get encoding and compare */ + if (!(NSSITEM_IS_EMPTY(&one->der) && NSSITEM_IS_EMPTY(&two->der))) { + status = PR_SUCCESS; + if (NSSITEM_IS_EMPTY(&one->der)) { + status = encode_me(one); + } else if (NSSITEM_IS_EMPTY(&two->der)) { + status = encode_me(two); + } + if (status != PR_SUCCESS) { + if (statusOpt) *statusOpt = status; + return PR_FALSE; + } + return NSSItem_Equal(&one->der, &two->der, statusOpt); + } + + /* both only exist as decoded parts, compare parts */ + +} +#endif + +NSS_IMPLEMENT PRStatus +nssPKIXAuthorityKeyIdentifier_duplicate +( + NSSPKIXAuthorityKeyIdentifier *akid, + NSSArena *arena, + NSSPKIXAuthorityKeyIdentifier *copy +) +{ + PRStatus status; + + 
if (!NSSITEM_IS_EMPTY(&akid->der)) { + if (NSSItem_Duplicate(&akid->der, arena, ©->der) + == (NSSItem *)NULL) + { + return PR_FAILURE; + } + } + + if (!NSSITEM_IS_EMPTY(&akid->keyIdentifier)) { + if (NSSItem_Duplicate(&akid->keyIdentifier, arena, + ©->keyIdentifier) + == (NSSItem *)NULL) + { + return PR_FAILURE; + } + } + + /* XXX do the rest */ + + return PR_SUCCESS; +} + +NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +nssPKIXAuthorityKeyIdentifier_Duplicate +( + NSSPKIXAuthorityKeyIdentifier *akid, + NSSArena *arenaOpt +) +{ + NSSPKIXAuthorityKeyIdentifier *rv = (NSSPKIXAuthorityKeyIdentifier *)NULL; + + rv = create_me(arenaOpt); + if (rv) { + if (nssPKIXAuthorityKeyIdentifier_duplicate(akid, rv->arena, rv) + != PR_SUCCESS) + { + nssPKIXAuthorityKeyIdentifier_Destroy(rv); + return (NSSPKIXAuthorityKeyIdentifier *)NULL; + } + } + + return rv; +} + +NSS_IMPLEMENT NSSPKIXKeyIdentifier * +nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier +( + NSSPKIXAuthorityKeyIdentifier *aki +) +{ + return &aki->keyIdentifier; +} + +/* + * NSSPKIXAuthorityKeyIdentifier_Create + * + * -- fgmr comments -- + * + * The error may be one of the following values: + * NSS_ERROR_NO_MEMORY + * NSS_ERROR_INVALID_ARENA + * NSS_ERROR_INVALID_OID + * NSS_ERROR_INVALID_POINTER + * + * Return value: + * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success + * NULL upon failure + */ + +#if 0 +NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +NSSPKIXAuthorityKeyIdentifier_Create +( + NSSArena *arenaOpt, + NSSOID *extnID, + PRBool critical, + NSSItem *extnValue +) +{ + nss_ClearErrorStack(); + + return nssPKIXAuthorityKeyIdentifier_Create(arenaOpt, extnID, critical, extnValue); +} +#endif + +/* + * NSSPKIXAuthorityKeyIdentifier_Decode + * + * + * + * The error may be one of the following values: + * NSS_ERROR_INVALID_BER + * NSS_ERROR_NO_MEMORY + * NSS_ERROR_INVALID_ARENA + * + * Return value: + * A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success + * NULL upon failure + */ + 
+NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +NSSPKIXAuthorityKeyIdentifier_Decode +( + NSSArena *arenaOpt, + NSSBER *ber +) +{ + nss_ClearErrorStack(); + + return nssPKIXAuthorityKeyIdentifier_Decode(arenaOpt, ber); +} + +/* + * NSSPKIXAuthorityKeyIdentifier_Destroy + * + */ + +NSS_IMPLEMENT PRStatus +NSSPKIXAuthorityKeyIdentifier_Destroy +( + NSSPKIXAuthorityKeyIdentifier *akid +) +{ + nss_ClearErrorStack(); + + return nssPKIXAuthorityKeyIdentifier_Destroy(akid); +} + +/* + * NSSPKIXAuthorityKeyIdentifier_Duplicate + * + */ + +#if 0 +NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier * +NSSPKIXAuthorityKeyIdentifier_Duplicate +( + NSSPKIXAuthorityKeyIdentifier *akid, + NSSArena *arenaOpt +) +{ + nss_ClearErrorStack(); + + return nssPKIXAuthorityKeyIdentifier_Duplicate(akid, arenaOpt); +} +#endif + +/* + * NSSPKIXAuthorityKeyIdentifier_Encode + * + */ + +NSS_IMPLEMENT NSSBER * +NSSPKIXAuthorityKeyIdentifier_Encode +( + NSSPKIXAuthorityKeyIdentifier *akid, + NSSASN1EncodingType encoding, + NSSBER *rvOpt, + NSSArena *arenaOpt +) +{ + nss_ClearErrorStack(); + + /* XXX the idea is: assert that either akid has the DER or all of the + * parts, as that could only be an application error + */ +#if 0 + PKIX_Assert(am_i_complete(akid)); +#endif + + return nssPKIXAuthorityKeyIdentifier_Encode(akid, encoding, rvOpt, arenaOpt); +} + +NSS_IMPLEMENT NSSPKIXKeyIdentifier * +NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier +( + NSSPKIXAuthorityKeyIdentifier *akid +) +{ + return nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier(akid); +} + diff --git a/mozilla/security/nss/lib/pkix/src/BasicConstraints.c b/mozilla/security/nss/lib/pkix/src/BasicConstraints.c index acc18ca2f9d..3a81b3c4f07 100644 --- a/mozilla/security/nss/lib/pkix/src/BasicConstraints.c +++ b/mozilla/security/nss/lib/pkix/src/BasicConstraints.c 
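Review bot: nsspkix.h (hunk @@ -14516 of this commit) declares NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier, but AuthorityKeyID.c does not implement it, and nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier returns `&aki->keyIdentifier` even when the OPTIONAL [0] element was absent from the decoded extension, so callers cannot tell "no key identifier" from an empty one without reaching into the struct. Adding the private/public HasKeyIdentifier pair in the shape of the other wrappers, with body `return !NSSITEM_IS_EMPTY(&akid->keyIdentifier);`, closes that gap; the public GetKeyIdentifier wrapper should also call `nss_ClearErrorStack();` first like every other public function in this file. The [1] entry of nssPKIXAuthorityKeyIdentifier_template decodes authorityCertIssuer through a SEQUENCE OF ANY template into `authorityCertIssuer.der`, which is an NSSDER rather than the pointer array a SEQUENCE OF normally produces, so what that member holds after decoding an AKID that carries an issuer is unclear from this file; a comment, or an `NSSASN1Template_Any` entry that simply retains the raw encoding until GeneralNames decoding exists, would pin it down. nssPKIXAuthorityKeyIdentifier_Encode ignores rvOpt and arenaOpt and returns the akid's own `der`, which the header comment for the public wrapper should state so that callers do not free the result.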
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/BasicConstraints.c,v $ $Revision: 1.1.2.3 $ $Date: 2002-09-10 21:01:57 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/BasicConstraints.c,v $ $Revision: 1.1.2.4 $ $Date: 2002-09-12 21:04:46 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef PKIXM_H
@@ -480,6 +480,25 @@ NSSPKIXBasicConstraints_Encode
 PKIX_Assert(am_i_complete(basicConstraints));
 #endif
- return nssPKIXBasicConstraints_Encode(basicConstraints, encoding, rvOpt, arenaOpt);
+ return nssPKIXBasicConstraints_Encode(basicConstraints, encoding,
+ rvOpt, arenaOpt);
+}
+
+NSS_IMPLEMENT PRBool
+NSSPKIXBasicConstraints_IsCA
+(
+ NSSPKIXBasicConstraints *basicConstraints
+)
+{
+ return nssPKIXBasicConstraints_IsCA(basicConstraints);
+}
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXBasicConstraints_GetPathLengthConstraint
+(
+ NSSPKIXBasicConstraints *basicConstraints
+)
+{
+ return nssPKIXBasicConstraints_GetPathLengthConstraint(basicConstraints);
 }
diff --git a/mozilla/security/nss/lib/pkix/src/Extensions.c b/mozilla/security/nss/lib/pkix/src/Extensions.c
index 5a9c0da1339..f93c6773c53 100644
--- a/mozilla/security/nss/lib/pkix/src/Extensions.c
+++ b/mozilla/security/nss/lib/pkix/src/Extensions.c
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/Extensions.c,v $ $Revision: 1.1.2.5 $ $Date: 2002-08-28 16:50:14 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/Extensions.c,v $ $Revision: 1.1.2.6 $ $Date: 2002-09-12 21:04:46 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef PKIXM_H
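Review bot: The two new accessors NSSPKIXBasicConstraints_IsCA and NSSPKIXBasicConstraints_GetPathLengthConstraint carry no header comment, unlike the other public functions in this file, and the return contract of the second is left unstated: pathLenConstraint is OPTIONAL in the BasicConstraints extension, so a caller needs to know what value comes back when the field is absent or the certificate is not a CA before it can print or enforce the value. Suggested header for the second: `/* NSSPKIXBasicConstraints_GetPathLengthConstraint: pathLenConstraint of a CA certificate; returns <SENTINEL — value defined by nssPKIXBasicConstraints_GetPathLengthConstraint> when the field is absent or the certificate is not a CA. */`, with the real sentinel filled in from the private implementation, which is not part of this hunk.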
@@ -43,6 +43,12 @@ static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozil
 #include "nsspki1.h"
 #endif /* NSSPKI1_H */
+/* XXX move to common location */
+static const NSSASN1Template NSSASN1Template_OctetString[] =
+{
+ { NSSASN1_OCTET_STRING | NSSASN1_MAY_STREAM, 0, NULL, sizeof(NSSItem) }
+};
+
 /*
 * nssPKIXExtensions_template
 *
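Review bot: `NSSASN1Template_OctetString` is a file-static table but is named with the library's public `NSSASN1Template_` prefix, so the day a shared template of that name lands in the common location the `XXX` comment anticipates, this file will either shadow it or fail to link, depending on how the shared one is declared. A file-local name such as `static const NSSASN1Template pkix_octet_string_template[] =` keeps the two apart until the move, and the `XXX` comment can then name the intended destination. The `NSSASN1_MAY_STREAM` flag on a template used to decode an already-complete extnValue also looks worth a one-line comment saying why streaming is permitted here.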
@@ -428,6 +434,82 @@ nssPKIXExtensions_GetKeyUsage
 return rv;
 }
+NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier *
+nssPKIXExtensions_GetAuthorityKeyIdentifier
+(
+ NSSPKIXExtensions *extensions
+)
+{
+ NSSOID *extnOID;
+ NSSPKIXAuthorityKeyIdentifier *rv = NULL;
+ NSSPKIXExtension **extns;
+ PRIntn i;
+ if (extensions->count == 0) {
+ count_me(extensions);
+ if (extensions->count < 0) {
+ return (NSSPKIXAuthorityKeyIdentifier *)NULL;
+ }
+ }
+ extns = extensions->extensions;
+ for (i = 0; i < extensions->count; i++) {
+ extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
+ if (NSSOID_IsTag(extnOID, NSS_OID_X509_AUTH_KEY_ID)) {
+ if (extns[i]->extnData) {
+ return (NSSPKIXAuthorityKeyIdentifier *)extns[i]->extnData;
+ }
+ rv = nssPKIXAuthorityKeyIdentifier_Decode(extns[i]->arena,
+ &extns[i]->extnValue);
+ if (rv) {
+ extns[i]->extnData = (void *)rv;
+ }
+ }
+ }
+ return rv;
+}
+
+NSS_IMPLEMENT NSSPKIXKeyIdentifier *
+nssPKIXExtensions_GetSubjectKeyIdentifier
+(
+ NSSPKIXExtensions *extensions
+)
+{
+ PRStatus status;
+ NSSOID *extnOID;
+ NSSPKIXSubjectKeyIdentifier *rv = NULL;
+ NSSPKIXExtension **extns;
+ PRIntn i;
+ if (extensions->count == 0) {
+ count_me(extensions);
+ if (extensions->count < 0) {
+ return (NSSPKIXSubjectKeyIdentifier *)NULL;
+ }
+ }
+ extns = extensions->extensions;
+ for (i = 0; i < extensions->count; i++) {
+ extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
+ if (NSSOID_IsTag(extnOID, NSS_OID_X509_SUBJECT_KEY_ID)) {
+ if (extns[i]->extnData) {
+ return (NSSPKIXKeyIdentifier *)extns[i]->extnData;
+ }
+ /* XXX this doesn't seem right */
+ rv = NSSItem_Create(extns[i]->arena, NULL, 0, NULL);
+ if (!rv) {
+ return (NSSPKIXSubjectKeyIdentifier *)NULL;
+ }
+ status = NSSASN1_DecodeBER(extns[i]->arena, rv,
+ NSSASN1Template_OctetString,
+ &extns[i]->extnValue);
+ if (status == PR_FAILURE) {
+ return (NSSPKIXKeyIdentifier *)NULL;
+ }
+ if (rv) {
+ extns[i]->extnData = (void *)rv;
+ }
+ }
+ }
+ return rv;
+}
+
 NSS_IMPLEMENT NSSPKIXnetscapeCertType
*
 nssPKIXExtensions_GetNetscapeCertType
 (
@@ -585,6 +667,15 @@ NSSPKIXExtensions_GetExtensionCount
 return nssPKIXExtensions_GetExtensionCount(extensions);
 }
+NSS_IMPLEMENT NSSPKIXKeyUsage *
+NSSPKIXExtensions_GetKeyUsage
+(
+ NSSPKIXExtensions *extensions
+)
+{
+ return nssPKIXExtensions_GetKeyUsage(extensions);
+}
+
 NSS_IMPLEMENT NSSPKIXBasicConstraints *
 NSSPKIXExtensions_GetBasicConstraints
 (
@@ -594,13 +685,22 @@ NSSPKIXExtensions_GetBasicConstraints
 return nssPKIXExtensions_GetBasicConstraints(extensions);
 }
-NSS_IMPLEMENT NSSPKIXKeyUsage *
-NSSPKIXExtensions_GetKeyUsage
+NSS_IMPLEMENT NSSPKIXAuthorityKeyIdentifier *
+NSSPKIXExtensions_GetAuthorityKeyIdentifier
 (
 NSSPKIXExtensions *extensions
 )
 {
- return nssPKIXExtensions_GetKeyUsage(extensions);
+ return nssPKIXExtensions_GetAuthorityKeyIdentifier(extensions);
+}
+
+NSS_IMPLEMENT NSSPKIXKeyIdentifier *
+NSSPKIXExtensions_GetSubjectKeyIdentifier
+(
+ NSSPKIXExtensions *extensions
+)
+{
+ return nssPKIXExtensions_GetSubjectKeyIdentifier(extensions);
 }
 NSS_IMPLEMENT NSSPKIXnetscapeCertType *
diff --git a/mozilla/security/nss/lib/pkix/src/manifest.mn b/mozilla/security/nss/lib/pkix/src/manifest.mn
index f3ee1b62a6a..3b48624df6f 100644
--- a/mozilla/security/nss/lib/pkix/src/manifest.mn
+++ b/mozilla/security/nss/lib/pkix/src/manifest.mn
@@ -40,6 +40,7 @@ MODULE = security
 CSRCS= \
 AlgorithmID.c \
+ AuthorityKeyID.c \
 ATAV.c \
 BasicConstraints.c \
 Certificate.c \
diff --git a/mozilla/security/nss/lib/pkix/src/nsspkix.def b/mozilla/security/nss/lib/pkix/src/nsspkix.def
index 1b7c888935f..33dffb8a2d4 100644
--- a/mozilla/security/nss/lib/pkix/src/nsspkix.def
+++ b/mozilla/security/nss/lib/pkix/src/nsspkix.def
@@ -49,6 +49,9 @@ LIBRARY nsspkix4;-
 EXPORTS ;-
 NSS_EnablePKIXCertificates;
+NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier;
+NSSPKIXBasicConstraints_IsCA;
+NSSPKIXBasicConstraints_GetPathLengthConstraint;
 NSSPKIXCertificate_Decode;
 NSSPKIXCertificate_GetSignature;
 NSSPKIXCertificate_GetTBSCertificate;
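Review bot: nssPKIXExtensions_GetAuthorityKeyIdentifier and nssPKIXExtensions_GetSubjectKeyIdentifier both return NULL for three unrelated situations — `count_me` leaving `extensions->count` negative, the extension being absent, and its value failing to decode — and presumably only the decode path sets an error, so a caller can tell absence from failure only by inspecting the error stack, which neither function documents. In GetSubjectKeyIdentifier the `status == PR_FAILURE` branch also leaves the `rv` item allocated in the extension's arena and never records the failure in `extnData`, so each later call re-runs the decode on the same malformed value, and the `if (rv)` after the decode is always true because `rv` was rejected when NULL a few lines earlier. Please add a header comment on each along the lines of `/* Returns NULL when the extension is absent (no error is set) and when its value cannot be decoded (an error such as NSS_ERROR_INVALID_BER is set); callers must consult the error stack to distinguish the two. */`, and drop the dead `if (rv)` guard.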
@@ -63,6 +66,9 @@ NSSPKIXValidity_GetNotBefore;
 NSSPKIXValidity_GetNotAfter;
 NSSPKIXExtensions_GetExtensionCount;
 NSSPKIXExtensions_GetKeyUsage;
+NSSPKIXExtensions_GetBasicConstraints;
+NSSPKIXExtensions_GetAuthorityKeyIdentifier;
+NSSPKIXExtensions_GetSubjectKeyIdentifier;
 NSSPKIXExtensions_GetNetscapeCertType;
 NSSPKIXKeyUsage_GetValue;
 NSSPKIXnetscapeCertType_GetValue;
diff --git a/mozilla/security/nss/lib/pkix/src/pkiglue.c b/mozilla/security/nss/lib/pkix/src/pkiglue.c
index fc5f139e1af..bc632c2c295 100644
--- a/mozilla/security/nss/lib/pkix/src/pkiglue.c
+++ b/mozilla/security/nss/lib/pkix/src/pkiglue.c
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/pkiglue.c,v $ $Revision: 1.1.2.6 $ $Date: 2002-09-10 22:29:43 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $Source: /home/befator/cvs/jail/cvsroot/mozilla/security/nss/lib/pkix/src/Attic/pkiglue.c,v $ $Revision: 1.1.2.7 $ $Date: 2002-09-12 21:04:47 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef NSSDEV_H
@@ -498,10 +498,10 @@ loser:
 return PR_FAILURE;
 }
-#if 0
-struct nss_pkix_issuer_id_str {
+struct pkix_issuer_id_str {
+ NSSArena *arena;
+ NSSPKIXAuthorityKeyIdentifier *authKeyID;
 };
-#endif
 static void *
 pkix_GetIssuerIdentifier
@@ -509,7 +509,72 @@ pkix_GetIssuerIdentifier
 void *cert
 )
 {
- return NULL;
+ NSSArena *arena = NULL;
+ NSSPKIXTBSCertificate *tbsCert;
+ NSSPKIXExtensions *extns;
+ NSSPKIXCertificate *pkixCert = (NSSPKIXCertificate *)cert;
+ NSSPKIXAuthorityKeyIdentifier *authKeyID;
+ struct pkix_issuer_id_str *issuer_id = NULL;
+
+ nss_HoldErrorStack();
+
+ /*
+ * cert->tbsCert
+ */
+ tbsCert = nssPKIXCertificate_GetTBSCertificate(pkixCert);
+ if (!tbsCert) {
+ goto loser;
+ }
+ /*
+ * tbsCert->extensions
+ */
+ extns = nssPKIXTBSCertificate_GetExtensions(tbsCert);
+ if (!extns) {
+ if (NSS_GetError() == NSS_ERROR_INVALID_BER) {
+ goto loser;
+ } else {
+ /* no extensions */
+ nss_ResumeErrorStack();
+ return (void *)NULL;
+ }
+ }
+
+ /*
+ * extensions[authorityKeyIdentifier]
+ */
+ authKeyID = nssPKIXExtensions_GetAuthorityKeyIdentifier(extns);
+ if (!authKeyID) {
+ if (NSS_GetError() == NSS_ERROR_INVALID_BER) {
+ goto loser;
+ } else {
+ /* authKeyID extension not present XXX should check code */
+ nss_ResumeErrorStack();
+ return (void *)NULL;
+ }
+ }
+
+ arena = NSSArena_Create();
+ if (!arena) {
+ goto loser;
+ }
+
+ issuer_id = nss_ZNEW(arena, struct pkix_issuer_id_str);
+ if (!issuer_id) {
+ goto loser;
+ }
+
+ issuer_id->arena = arena;
+ issuer_id->authKeyID = nssPKIXAuthorityKeyIdentifier_Duplicate(authKeyID,
+ arena);
+
+ nss_ResumeErrorStack();
+ return (void *)issuer_id;
+loser:
+ if (arena) {
+ NSSArena_Destroy(arena);
+ }
+ nss_ResumeErrorStack();
+ return (void *)NULL;
 }
 static PRBool
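Review bot: The result of nssPKIXAuthorityKeyIdentifier_Duplicate is stored into `issuer_id->authKeyID` without a check, so an allocation failure hands the caller an identifier whose `authKeyID` is NULL, and pkix_IsMyIdentifier in the next hunk then passes that NULL to nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier, which forms `&aki->keyIdentifier` through it. One line after the assignment closes this, since `loser` already destroys the arena: `if (!issuer_id->authKeyID) { goto loser; }`. Separately, both "not present" branches decide by `NSS_GetError() == NSS_ERROR_INVALID_BER`, but the Extensions.c getters return NULL for an absent extension without setting any error, so unless nss_HoldErrorStack clears the current error, whatever error happened to be set last decides whether a certificate without an AKID is treated as malformed; the `XXX should check code` comment flags exactly this and should be resolved before issuer matching relies on the path. The function's signature begins above this hunk.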
@@ -519,6 +584,50 @@ pkix_IsMyIdentifier
 void *id
 )
 {
+ NSSPKIXTBSCertificate *tbsCert;
+ NSSPKIXExtensions *extns;
+ NSSPKIXCertificate *pkixCert = (NSSPKIXCertificate *)cert;
+ NSSPKIXKeyIdentifier *skID, *akID;
+ struct pkix_issuer_id_str *iid = (struct pkix_issuer_id *)id;
+
+ nss_HoldErrorStack();
+
+ /*
+ * cert->tbsCert
+ */
+ tbsCert = nssPKIXCertificate_GetTBSCertificate(pkixCert);
+ if (!tbsCert) {
+ goto loser;
+ }
+ /*
+ * tbsCert->extensions
+ */
+ extns = nssPKIXTBSCertificate_GetExtensions(tbsCert);
+ if (!extns) {
+ if (NSS_GetError() == NSS_ERROR_INVALID_BER) {
+ goto loser;
+ } else {
+ nss_ResumeErrorStack();
+ return (void *)NULL;
+ }
+ }
+ /*
+ * extensions[subjectKeyIdentifier]
+ */
+ skID = nssPKIXExtensions_GetSubjectKeyIdentifier(extns);
+ if (!skID) {
+ if (NSS_GetError() == NSS_ERROR_INVALID_BER) {
+ goto loser;
+ }
+ }
+
+ akID = nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier(iid->authKeyID);
+ if (akID) {
+ return NSSItem_Equal(skID, akID, NULL);
+ }
+ /* XXX under construction */
+loser:
+ nss_ResumeErrorStack();
 return PR_FALSE;
 }
@@ -528,6 +637,11 @@ pkix_FreeIdentifier
 void *id
 )
 {
+ struct pkix_issuer_id_str *iid = (struct pkix_issuer_id *)id;
+
+ nss_HoldErrorStack();
+ NSSArena_Destroy(iid->arena);
+ nss_ResumeErrorStack();
 }
 struct nss_pkix_validation_data_str
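Review bot: When the candidate issuer has no SubjectKeyIdentifier, `skID` is NULL but control falls through to `NSSItem_Equal(skID, akID, NULL)`, and that `return` also skips `nss_ResumeErrorStack()`, so a chain element missing the extension both dereferences NULL inside the comparison and leaves the error stack held; a certificate lacking an SKID should simply fail to match. The `if (akID)` guard cannot help, because nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier returns `&aki->keyIdentifier` and is therefore never NULL — the OPTIONAL keyIdentifier needs `NSSITEM_IS_EMPTY` instead, and `return (void *)NULL;` in a PRBool function should be `goto loser;`. The cast `(struct pkix_issuer_id *)id` names a tag that is never defined — the struct added in the earlier hunk is `pkix_issuer_id_str` — and the same mismatch is in pkix_FreeIdentifier below; the function's signature begins above this hunk.
```c
{
    PRBool rv = PR_FALSE;
    /* … unchanged: tbsCert, extns, pkixCert, skID, akID declarations … */
    struct pkix_issuer_id_str *iid = (struct pkix_issuer_id_str *)id;

    nss_HoldErrorStack();
    /* … unchanged: tbsCert and extensions lookup, with its
     * `return (void *)NULL;` replaced by `goto loser;` … */
    skID = nssPKIXExtensions_GetSubjectKeyIdentifier(extns);
    if (!skID) {
        /* absent or undecodable SKID: no match; the stack is released at loser */
        goto loser;
    }
    akID = nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier(iid->authKeyID);
    if (!akID || NSSITEM_IS_EMPTY(akID)) {
        /* keyIdentifier is OPTIONAL in AuthorityKeyIdentifier; nothing to compare */
        goto loser;
    }
    rv = NSSItem_Equal(skID, akID, NULL);
loser:
    nss_ResumeErrorStack();
    return rv;
}
```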
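Review bot: pkix_FreeIdentifier dereferences `iid->arena` without checking `id`, yet pkix_GetIssuerIdentifier in the hunk above returns NULL for every certificate that has no extensions or no AuthorityKeyIdentifier, so unless the validation framework is guaranteed never to hand that NULL back for freeing, this will crash on ordinary certificates. Add `if (!iid) { return; }` ahead of the hold, or guarantee the contract at the call site, which is outside this diff. The function's signature begins above this hunk.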