tor-browser

pkix_ekuchecker.c (10309B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_ekuchecker.c
*
* User Defined ExtenedKeyUsage Function Definitions
*
*/

#include "pkix_ekuchecker.h"

SECOidTag ekuOidStrings[] = {
   PKIX_KEY_USAGE_SERVER_AUTH_OID,
   PKIX_KEY_USAGE_CLIENT_AUTH_OID,
   PKIX_KEY_USAGE_CODE_SIGN_OID,
   PKIX_KEY_USAGE_EMAIL_PROTECT_OID,
   PKIX_KEY_USAGE_TIME_STAMP_OID,
   PKIX_KEY_USAGE_OCSP_RESPONDER_OID,
   PKIX_UNKNOWN_OID
};

typedef struct pkix_EkuCheckerStruct {
   PKIX_List *requiredExtKeyUsageOids;
   PKIX_PL_OID *ekuOID;
} pkix_EkuChecker;


/*
* FUNCTION: pkix_EkuChecker_Destroy
* (see comments for PKIX_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_EkuChecker_Destroy(
       PKIX_PL_Object *object,
       void *plContext)
{
       pkix_EkuChecker *ekuCheckerState = NULL;

       PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Destroy");
       PKIX_NULLCHECK_ONE(object);

       PKIX_CHECK(pkix_CheckType(object, PKIX_EKUCHECKER_TYPE, plContext),
                   PKIX_OBJECTNOTANEKUCHECKERSTATE);

       ekuCheckerState = (pkix_EkuChecker *)object;

       PKIX_DECREF(ekuCheckerState->ekuOID);
       PKIX_DECREF(ekuCheckerState->requiredExtKeyUsageOids);

cleanup:

       PKIX_RETURN(EKUCHECKER);
}

/*
* FUNCTION: pkix_EkuChecker_RegisterSelf
*
* DESCRIPTION:
*  Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related
*  functions with systemClasses[]
*
* THREAD SAFETY:
*  Not Thread Safe - for performance and complexity reasons
*
*  Since this function is only called by PKIX_PL_Initialize, which should
*  only be called once, it is acceptable that this function is not
*  thread-safe.
*/
PKIX_Error *
pkix_EkuChecker_RegisterSelf(void *plContext)
{
       extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
       pkix_ClassTable_Entry *entry = &systemClasses[PKIX_EKUCHECKER_TYPE];

       PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_RegisterSelf");

       entry->description = "EkuChecker";
       entry->typeObjectSize = sizeof(pkix_EkuChecker);
       entry->destructor = pkix_EkuChecker_Destroy;

       PKIX_RETURN(EKUCHECKER);
}

/*
* FUNCTION: pkix_EkuChecker_Create
* DESCRIPTION:
*
*  Creates a new Extend Key Usage CheckerState using "params" to retrieve
*  application specified EKU for verification and stores it at "pState".
*
* PARAMETERS:
*  "params"
*      a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of
*      Extended Key Usage OIDs specified by application can be retrieved for
*      verification.
*  "pState"
*      Address where state pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a UserDefinedModules Error if the function fails in a
*      non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_EkuChecker_Create(
       PKIX_ProcessingParams *params,
       pkix_EkuChecker **pState,
       void *plContext)
{
       pkix_EkuChecker *state = NULL;
       PKIX_CertSelector *certSelector = NULL;
       PKIX_ComCertSelParams *comCertSelParams = NULL;
       PKIX_List *requiredOids = NULL;

       PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Create");
       PKIX_NULLCHECK_TWO(params, pState);

       PKIX_CHECK(PKIX_PL_Object_Alloc
                   (PKIX_EKUCHECKER_TYPE,
                   sizeof (pkix_EkuChecker),
                   (PKIX_PL_Object **)&state,
                   plContext),
                   PKIX_COULDNOTCREATEEKUCHECKERSTATEOBJECT);


       PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
                   (params, &certSelector, plContext),
                   PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);

       if (certSelector != NULL) {

           /* Get initial EKU OIDs from ComCertSelParams, if set */
           PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
                      (certSelector, &comCertSelParams, plContext),
                      PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);

           if (comCertSelParams != NULL) {
               PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
                          (comCertSelParams, &requiredOids, plContext),
                          PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);

           }
       }

       PKIX_CHECK(PKIX_PL_OID_Create
                   (PKIX_EXTENDEDKEYUSAGE_OID,
                   &state->ekuOID,
                   plContext),
                   PKIX_OIDCREATEFAILED);

       state->requiredExtKeyUsageOids = requiredOids;
       requiredOids = NULL;
       *pState = state;
       state = NULL;

cleanup:

       PKIX_DECREF(certSelector);
       PKIX_DECREF(comCertSelParams);
       PKIX_DECREF(requiredOids);
       PKIX_DECREF(state);

       PKIX_RETURN(EKUCHECKER);
}

/*
* FUNCTION: pkix_EkuChecker_Check
* DESCRIPTION:
*
*  This function determines the Extended Key Usage OIDs specified by the
*  application is included in the Extended Key Usage OIDs of this "cert".
*
* PARAMETERS:
*  "checker"
*      Address of CertChainChecker which has the state data.
*      Must be non-NULL.
*  "cert"
*      Address of Certificate that is to be validated. Must be non-NULL.
*  "unresolvedCriticalExtensions"
*      A List OIDs. The OID for Extended Key Usage is removed.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a UserDefinedModules Error if the function fails in
*      a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_EkuChecker_Check(
       PKIX_CertChainChecker *checker,
       PKIX_PL_Cert *cert,
       PKIX_List *unresolvedCriticalExtensions,
       void **pNBIOContext,
       void *plContext)
{
       pkix_EkuChecker *state = NULL;
       PKIX_List *requiredExtKeyUsageList = NULL;
       PKIX_List *certExtKeyUsageList = NULL;
       PKIX_PL_OID *ekuOid = NULL;
       PKIX_Boolean isContained = PKIX_FALSE;
       PKIX_UInt32 numItems = 0;
       PKIX_UInt32 i;
       PKIX_Boolean checkResult = PKIX_TRUE;

       PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Check");
       PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);

       *pNBIOContext = NULL; /* no non-blocking IO */

       PKIX_CHECK(
           PKIX_CertChainChecker_GetCertChainCheckerState
           (checker, (PKIX_PL_Object **)&state, plContext),
           PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);

       requiredExtKeyUsageList = state->requiredExtKeyUsageOids;
       if (requiredExtKeyUsageList == NULL) {
           goto cleanup;
       }

       PKIX_CHECK(
           PKIX_List_GetLength(requiredExtKeyUsageList, &numItems,
                               plContext),
           PKIX_LISTGETLENGTHFAILED);
       if (numItems == 0) {
           goto cleanup;
       }

       PKIX_CHECK(
           PKIX_PL_Cert_GetExtendedKeyUsage(cert, &certExtKeyUsageList,
                                            plContext),
           PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);

       if (certExtKeyUsageList == NULL) {
           goto cleanup;
       }
       
       for (i = 0; i < numItems; i++) {
           
           PKIX_CHECK(
               PKIX_List_GetItem(requiredExtKeyUsageList, i,
                                 (PKIX_PL_Object **)&ekuOid, plContext),
               PKIX_LISTGETITEMFAILED);

           PKIX_CHECK(
               pkix_List_Contains(certExtKeyUsageList,
                                  (PKIX_PL_Object *)ekuOid,
                                  &isContained,
                                  plContext),
               PKIX_LISTCONTAINSFAILED);
           
           PKIX_DECREF(ekuOid);
           if (isContained != PKIX_TRUE) {
               checkResult = PKIX_FALSE;
               goto cleanup;
           }
       }

cleanup:
       if (!pkixErrorResult && checkResult == PKIX_FALSE) {
           pkixErrorReceived = PKIX_TRUE;
           pkixErrorCode = PKIX_EXTENDEDKEYUSAGECHECKINGFAILED;
       }
       
       PKIX_DECREF(ekuOid);
       PKIX_DECREF(certExtKeyUsageList);
       PKIX_DECREF(state);

       PKIX_RETURN(EKUCHECKER);
}

/*
* FUNCTION: pkix_EkuChecker_Initialize
* (see comments in pkix_sample_modules.h)
*/
PKIX_Error *
PKIX_EkuChecker_Create(
       PKIX_ProcessingParams *params,
       PKIX_CertChainChecker **pEkuChecker,
       void *plContext)
{
       pkix_EkuChecker *state = NULL;
       PKIX_List *critExtOIDsList = NULL;

       PKIX_ENTER(EKUCHECKER, "PKIX_EkuChecker_Initialize");
       PKIX_NULLCHECK_ONE(params);

       /*
        * This function and functions in this file provide an example of how
        * an application defined checker can be hooked into libpkix.
        */

       PKIX_CHECK(pkix_EkuChecker_Create
                   (params, &state, plContext),
                   PKIX_EKUCHECKERSTATECREATEFAILED);

       PKIX_CHECK(PKIX_List_Create(&critExtOIDsList, plContext),
                   PKIX_LISTCREATEFAILED);

       PKIX_CHECK(PKIX_List_AppendItem
                   (critExtOIDsList,
                   (PKIX_PL_Object *)state->ekuOID,
                   plContext),
                   PKIX_LISTAPPENDITEMFAILED);

       PKIX_CHECK(PKIX_CertChainChecker_Create
               (pkix_EkuChecker_Check,
               PKIX_TRUE,                 /* forwardCheckingSupported */
               PKIX_FALSE,                /* forwardDirectionExpected */
               critExtOIDsList,
               (PKIX_PL_Object *) state,
               pEkuChecker,
               plContext),
               PKIX_CERTCHAINCHECKERCREATEFAILED);
cleanup:

       PKIX_DECREF(critExtOIDsList);
       PKIX_DECREF(state);

       PKIX_RETURN(EKUCHECKER);
}