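/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * pkix_namechainingchecker.c
 *
 * Functions for name chaining validation
 *
 */


#include "pkix_namechainingchecker.h"

/* --Private-Functions-------------------------------------------- */

/*
 * FUNCTION: pkix_NameChainingChecker_Check
 * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
 *
 * DESCRIPTION:
 *
 *  Compares the issuer name of "cert" with the X500Name held in the
 *  checker's state (the subject of the previously accepted certificate, or
 *  the trusted CA name the checker was initialized with). On a match, the
 *  subject name of "cert" is stored as the new checker state, so the next
 *  call compares against it.
 *
 *  The check fails closed: both a name mismatch and a missing (NULL)
 *  checker state raise PKIX_NAMECHAININGCHECKFAILED.
 *
 *  Only names are compared here. Nothing in this function verifies a
 *  signature, validity period or extension, so a successful return shows
 *  that the names chain, not that the certificate was issued by the holder
 *  of the previous key. NOTE(review): those properties are presumably
 *  enforced by other checkers in the chain - confirm at the call site.
 *
 * PARAMETERS:
 *  "checker"
 *      Checker whose state carries the expected issuer name.
 *      Must be non-NULL.
 *  "cert"
 *      Certificate whose issuer is checked and whose subject becomes the
 *      next expected issuer. Must be non-NULL.
 *  "unresolvedCriticalExtensions"
 *      Not used by this checker.
 *  "pNBIOContext"
 *      Always set to NULL; this checker never has pending I/O.
 *      Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer, passed through to every call.
 */
PKIX_Error *
pkix_NameChainingChecker_Check(
        PKIX_CertChainChecker *checker,
        PKIX_PL_Cert *cert,
        PKIX_List *unresolvedCriticalExtensions,
        void **pNBIOContext,
        void *plContext)
{
        PKIX_PL_X500Name *prevSubject = NULL;
        PKIX_PL_X500Name *currIssuer = NULL;
        PKIX_PL_X500Name *currSubject = NULL;
        /*
         * Start from "no match" so the accept/reject decision below never
         * rests on an indeterminate value, even if the matcher were to
         * return success without writing its output.
         */
        PKIX_Boolean result = PKIX_FALSE;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);

        *pNBIOContext = NULL; /* we never block on pending I/O */

        /* The state is the name the current issuer has to match. */
        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                    (checker, (PKIX_PL_Object **)&prevSubject, plContext),
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);

        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
                    PKIX_CERTGETISSUERFAILED);

        if (prevSubject){
                PKIX_CHECK(PKIX_PL_X500Name_Match
                            (prevSubject, currIssuer, &result, plContext),
                            PKIX_X500NAMEMATCHFAILED);
                if (!result){
                        PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
                }
        } else {
                /* No expected name on record: reject, never skip the check. */
                PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
        }

        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
                    PKIX_CERTGETSUBJECTFAILED);

        /*
         * The state advances only on this path, after the match above.
         * NOTE(review): this relies on PKIX_CHECK and PKIX_ERROR leaving
         * through "cleanup" on failure; their definitions are not in this
         * file - confirm.
         */
        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
                    (checker, (PKIX_PL_Object *)currSubject, plContext),
                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);

cleanup:

        /* Drop the references obtained above; unset pointers are NULL. */
        PKIX_DECREF(prevSubject);
        PKIX_DECREF(currIssuer);
        PKIX_DECREF(currSubject);

        PKIX_RETURN(CERTCHAINCHECKER);

}

/*
 * FUNCTION: pkix_NameChainingChecker_Initialize
 * DESCRIPTION:
 *
 *  Creates a new CertChainChecker and stores it at "pChecker", where it will
 *  be used by pkix_NameChainingChecker_Check to check that the issuer name
 *  of the certificate matches the subject name in the checker's state. The
 *  X500Name pointed to by "trustedCAName" is used to initialize the checker's
 *  state.
 *
 * PARAMETERS:
 *  "trustedCAName"
 *      Address of X500Name representing the trusted CA Name used to
 *      initialize the state of this checker. Must be non-NULL.
 *  "pChecker"
 *      Address where object pointer will be stored. Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_NameChainingChecker_Initialize(
        PKIX_PL_X500Name *trustedCAName,
        PKIX_CertChainChecker **pChecker,
        void *plContext)
{
        /* Trace name spelled like the function so trace output maps to it. */
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Initialize");
        PKIX_NULLCHECK_TWO(pChecker, trustedCAName);

        /*
         * "trustedCAName" becomes the initial state, i.e. the name the first
         * checked certificate's issuer has to match.
         * NOTE(review): the two PKIX_FALSE arguments and the NULL are
         * presumably the forward-checking flags and the list of supported
         * extensions - confirm against PKIX_CertChainChecker_Create.
         */
        PKIX_CHECK(PKIX_CertChainChecker_Create
                    (pkix_NameChainingChecker_Check,
                    PKIX_FALSE,
                    PKIX_FALSE,
                    NULL,
                    (PKIX_PL_Object *)trustedCAName,
                    pChecker,
                    plContext),
                    PKIX_CERTCHAINCHECKERCREATEFAILED);

cleanup:

        PKIX_RETURN(CERTCHAINCHECKER);

}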