pkix_crlselector.c (26827B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * pkix_crlselector.c 6 * 7 * CRLSelector Function Definitions 8 * 9 */ 10 11 #include "pkix_crlselector.h" 12 13 /* --CRLSelector Private-Functions-------------------------------------- */ 14 15 /* 16 * FUNCTION: pkix_CRLSelector_Destroy 17 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) 18 */ 19 static PKIX_Error * 20 pkix_CRLSelector_Destroy( 21 PKIX_PL_Object *object, 22 void *plContext) 23 { 24 PKIX_CRLSelector *selector = NULL; 25 26 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy"); 27 PKIX_NULLCHECK_ONE(object); 28 29 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), 30 PKIX_OBJECTNOTCRLSELECTOR); 31 32 selector = (PKIX_CRLSelector *)object; 33 34 selector->matchCallback = NULL; 35 36 PKIX_DECREF(selector->params); 37 PKIX_DECREF(selector->context); 38 39 cleanup: 40 41 PKIX_RETURN(CRLSELECTOR); 42 } 43 44 /* 45 * FUNCTION: pkix_CRLSelector_ToString_Helper 46 * 47 * DESCRIPTION: 48 * Helper function that creates a string representation of CRLSelector 49 * pointed to by "crlParams" and stores its address in the object pointed to 50 * by "pString". 51 * 52 * PARAMETERS 53 * "list" 54 * Address of CRLSelector whose string representation is desired. 55 * Must be non-NULL. 56 * "pString" 57 * Address of object pointer's destination. Must be non-NULL. 58 * "plContext" - Platform-specific context pointer. 59 * 60 * THREAD SAFETY: 61 * Conditionally Thread Safe 62 * (see Thread Safety Definitions in Programmer's Guide) 63 * 64 * RETURNS: 65 * Returns NULL if the function succeeds. 66 * Returns a CRLSelector Error if the function fails in a non-fatal way. 67 * Returns a Fatal Error if the function fails in an unrecoverable way. 68 */ 69 static PKIX_Error * 70 pkix_CRLSelector_ToString_Helper( 71 PKIX_CRLSelector *crlSelector, 72 PKIX_PL_String **pString, 73 void *plContext) 74 { 75 PKIX_PL_String *crlSelectorString = NULL; 76 PKIX_PL_String *formatString = NULL; 77 PKIX_PL_String *crlParamsString = NULL; 78 PKIX_PL_String *crlContextString = NULL; 79 char *asciiFormat = NULL; 80 81 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper"); 82 PKIX_NULLCHECK_TWO(crlSelector, pString); 83 PKIX_NULLCHECK_ONE(crlSelector->params); 84 85 asciiFormat = 86 "\n\t[\n" 87 "\tMatchCallback: 0x%x\n" 88 "\tParams: %s\n" 89 "\tContext: %s\n" 90 "\t]\n"; 91 92 PKIX_CHECK(PKIX_PL_String_Create 93 (PKIX_ESCASCII, 94 asciiFormat, 95 0, 96 &formatString, 97 plContext), 98 PKIX_STRINGCREATEFAILED); 99 100 /* Params */ 101 PKIX_TOSTRING 102 ((PKIX_PL_Object *)crlSelector->params, 103 &crlParamsString, 104 plContext, 105 PKIX_COMCRLSELPARAMSTOSTRINGFAILED); 106 107 /* Context */ 108 PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext, 109 PKIX_LISTTOSTRINGFAILED); 110 111 PKIX_CHECK(PKIX_PL_Sprintf 112 (&crlSelectorString, 113 plContext, 114 formatString, 115 crlSelector->matchCallback, 116 crlParamsString, 117 crlContextString), 118 PKIX_SPRINTFFAILED); 119 120 *pString = crlSelectorString; 121 122 cleanup: 123 124 PKIX_DECREF(crlParamsString); 125 PKIX_DECREF(crlContextString); 126 PKIX_DECREF(formatString); 127 128 PKIX_RETURN(CRLSELECTOR); 129 } 130 131 /* 132 * FUNCTION: pkix_CRLSelector_ToString 133 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) 134 */ 135 static PKIX_Error * 136 pkix_CRLSelector_ToString( 137 PKIX_PL_Object *object, 138 PKIX_PL_String **pString, 139 void *plContext) 140 { 141 PKIX_PL_String *crlSelectorString = NULL; 142 PKIX_CRLSelector *crlSelector = NULL; 143 144 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString"); 145 PKIX_NULLCHECK_TWO(object, pString); 146 147 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), 148 PKIX_OBJECTNOTCRLSELECTOR); 149 150 crlSelector = (PKIX_CRLSelector *) object; 151 152 PKIX_CHECK(pkix_CRLSelector_ToString_Helper 153 (crlSelector, &crlSelectorString, plContext), 154 PKIX_CRLSELECTORTOSTRINGHELPERFAILED); 155 156 *pString = crlSelectorString; 157 158 cleanup: 159 160 PKIX_RETURN(CRLSELECTOR); 161 } 162 163 /* 164 * FUNCTION: pkix_CRLSelector_Hashcode 165 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h) 166 */ 167 static PKIX_Error * 168 pkix_CRLSelector_Hashcode( 169 PKIX_PL_Object *object, 170 PKIX_UInt32 *pHashcode, 171 void *plContext) 172 { 173 PKIX_UInt32 paramsHash = 0; 174 PKIX_UInt32 contextHash = 0; 175 PKIX_UInt32 hash = 0; 176 177 PKIX_CRLSelector *crlSelector = NULL; 178 179 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode"); 180 PKIX_NULLCHECK_TWO(object, pHashcode); 181 182 PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext), 183 PKIX_OBJECTNOTCRLSELECTOR); 184 185 crlSelector = (PKIX_CRLSelector *)object; 186 187 PKIX_HASHCODE(crlSelector->params, ¶msHash, plContext, 188 PKIX_OBJECTHASHCODEFAILED); 189 190 PKIX_HASHCODE(crlSelector->context, &contextHash, plContext, 191 PKIX_OBJECTHASHCODEFAILED); 192 193 hash = 31 * ((PKIX_UInt32)((char *)crlSelector->matchCallback - (char *)NULL) + 194 (contextHash << 3)) + paramsHash; 195 196 *pHashcode = hash; 197 198 cleanup: 199 200 PKIX_RETURN(CRLSELECTOR); 201 } 202 203 /* 204 * FUNCTION: pkix_CRLSelector_Equals 205 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h) 206 */ 207 static PKIX_Error * 208 pkix_CRLSelector_Equals( 209 PKIX_PL_Object *firstObject, 210 PKIX_PL_Object *secondObject, 211 PKIX_Boolean *pResult, 212 void *plContext) 213 { 214 PKIX_CRLSelector *firstCrlSelector = NULL; 215 PKIX_CRLSelector *secondCrlSelector = NULL; 216 PKIX_UInt32 secondType; 217 PKIX_Boolean cmpResult = PKIX_FALSE; 218 219 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals"); 220 PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); 221 222 /* test that firstObject is a CRLSelector */ 223 PKIX_CHECK(pkix_CheckType 224 (firstObject, PKIX_CRLSELECTOR_TYPE, plContext), 225 PKIX_FIRSTOBJECTNOTCRLSELECTOR); 226 227 firstCrlSelector = (PKIX_CRLSelector *)firstObject; 228 secondCrlSelector = (PKIX_CRLSelector *)secondObject; 229 230 /* 231 * Since we know firstObject is a CRLSelector, if both references are 232 * identical, they must be equal 233 */ 234 if (firstCrlSelector == secondCrlSelector){ 235 *pResult = PKIX_TRUE; 236 goto cleanup; 237 } 238 239 /* 240 * If secondCRLSelector isn't a CRLSelector, we don't throw an error. 241 * We simply return a Boolean result of FALSE 242 */ 243 *pResult = PKIX_FALSE; 244 PKIX_CHECK(PKIX_PL_Object_GetType 245 ((PKIX_PL_Object *)secondCrlSelector, 246 &secondType, 247 plContext), 248 PKIX_COULDNOTGETTYPEOFSECONDARGUMENT); 249 250 if (secondType != PKIX_CRLSELECTOR_TYPE) { 251 goto cleanup; 252 } 253 254 /* Compare MatchCallback address */ 255 cmpResult = (firstCrlSelector->matchCallback == 256 secondCrlSelector->matchCallback); 257 258 if (cmpResult == PKIX_FALSE) { 259 goto cleanup; 260 } 261 262 /* Compare Common CRL Selector Params */ 263 PKIX_EQUALS 264 (firstCrlSelector->params, 265 secondCrlSelector->params, 266 &cmpResult, 267 plContext, 268 PKIX_COMCRLSELPARAMSEQUALSFAILED); 269 270 271 if (cmpResult == PKIX_FALSE) { 272 goto cleanup; 273 } 274 275 /* Compare Context */ 276 PKIX_EQUALS 277 (firstCrlSelector->context, 278 secondCrlSelector->context, 279 &cmpResult, 280 plContext, 281 PKIX_COMCRLSELPARAMSEQUALSFAILED); 282 283 *pResult = cmpResult; 284 285 cleanup: 286 287 PKIX_RETURN(CRLSELECTOR); 288 } 289 290 /* 291 * FUNCTION: pkix_CRLSelector_Duplicate 292 * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h) 293 */ 294 static PKIX_Error * 295 pkix_CRLSelector_Duplicate( 296 PKIX_PL_Object *object, 297 PKIX_PL_Object **pNewObject, 298 void *plContext) 299 { 300 PKIX_CRLSelector *old; 301 PKIX_CRLSelector *new = NULL; 302 303 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate"); 304 PKIX_NULLCHECK_TWO(object, pNewObject); 305 306 PKIX_CHECK(pkix_CheckType 307 (object, PKIX_CRLSELECTOR_TYPE, plContext), 308 PKIX_OBJECTNOTCRLSELECTOR); 309 310 old = (PKIX_CRLSelector *)object; 311 312 PKIX_CHECK(PKIX_PL_Object_Alloc 313 (PKIX_CRLSELECTOR_TYPE, 314 (PKIX_UInt32)(sizeof (PKIX_CRLSelector)), 315 (PKIX_PL_Object **)&new, 316 plContext), 317 PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED); 318 319 new->matchCallback = old->matchCallback; 320 321 PKIX_DUPLICATE(old->params, &new->params, plContext, 322 PKIX_OBJECTDUPLICATEPARAMSFAILED); 323 324 PKIX_DUPLICATE(old->context, &new->context, plContext, 325 PKIX_OBJECTDUPLICATECONTEXTFAILED); 326 327 *pNewObject = (PKIX_PL_Object *)new; 328 329 cleanup: 330 331 if (PKIX_ERROR_RECEIVED){ 332 PKIX_DECREF(new); 333 } 334 335 PKIX_RETURN(CRLSELECTOR); 336 } 337 338 /* 339 * FUNCTION: pkix_CRLSelector_DefaultMatch 340 * 341 * DESCRIPTION: 342 * This function compares the parameter values (Issuer, date, and CRL number) 343 * set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with 344 * the corresponding values in the CRL pointed to by "crl". When all the 345 * criteria set in the parameter values match the values in "crl", PKIX_TRUE is 346 * stored at "pMatch". If the CRL does not match the CRLSelector's criteria, 347 * PKIX_FALSE is stored at "pMatch". 348 * 349 * PARAMETERS 350 * "selector" 351 * Address of CRLSelector which is verified for a match 352 * Must be non-NULL. 353 * "crl" 354 * Address of the CRL object to be verified. Must be non-NULL. 355 * "pMatch" 356 * Address at which Boolean result is stored. Must be non-NULL. 357 * "plContext" 358 * Platform-specific context pointer. 359 * 360 * THREAD SAFETY: 361 * Conditionally Thread Safe 362 * (see Thread Safety Definitions in Programmer's Guide) 363 * 364 * RETURNS: 365 * Returns NULL if the function succeeds. 366 * Returns a CRLSelector Error if the function fails in a non-fatal way. 367 * Returns a Fatal Error if the function fails in an unrecoverable way. 368 */ 369 static PKIX_Error * 370 pkix_CRLSelector_DefaultMatch( 371 PKIX_CRLSelector *selector, 372 PKIX_PL_CRL *crl, 373 PKIX_Boolean *pMatch, 374 void *plContext) 375 { 376 PKIX_ComCRLSelParams *params = NULL; 377 PKIX_PL_X500Name *crlIssuerName = NULL; 378 PKIX_PL_X500Name *issuerName = NULL; 379 PKIX_List *selIssuerNames = NULL; 380 PKIX_PL_Date *selDate = NULL; 381 PKIX_Boolean result = PKIX_TRUE; 382 PKIX_UInt32 numIssuers = 0; 383 PKIX_UInt32 i; 384 PKIX_PL_BigInt *minCRLNumber = NULL; 385 PKIX_PL_BigInt *maxCRLNumber = NULL; 386 PKIX_PL_BigInt *crlNumber = NULL; 387 PKIX_Boolean nistPolicyEnabled = PKIX_FALSE; 388 389 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch"); 390 PKIX_NULLCHECK_TWO(selector, crl); 391 392 *pMatch = PKIX_TRUE; 393 params = selector->params; 394 395 /* No matching parameter provided, just a match */ 396 if (params == NULL) { 397 goto cleanup; 398 } 399 400 PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames 401 (params, &selIssuerNames, plContext), 402 PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED); 403 404 /* Check for Issuers */ 405 if (selIssuerNames != NULL){ 406 407 result = PKIX_FALSE; 408 409 PKIX_CHECK(PKIX_PL_CRL_GetIssuer 410 (crl, &crlIssuerName, plContext), 411 PKIX_CRLGETISSUERFAILED); 412 413 PKIX_CHECK(PKIX_List_GetLength 414 (selIssuerNames, &numIssuers, plContext), 415 PKIX_LISTGETLENGTHFAILED); 416 417 for (i = 0; i < numIssuers; i++){ 418 419 PKIX_CHECK(PKIX_List_GetItem 420 (selIssuerNames, 421 i, 422 (PKIX_PL_Object **)&issuerName, 423 plContext), 424 PKIX_LISTGETITEMFAILED); 425 426 PKIX_CHECK(PKIX_PL_X500Name_Match 427 (crlIssuerName, 428 issuerName, 429 &result, 430 plContext), 431 PKIX_X500NAMEMATCHFAILED); 432 433 PKIX_DECREF(issuerName); 434 435 if (result == PKIX_TRUE) { 436 break; 437 } 438 } 439 440 if (result == PKIX_FALSE) { 441 PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N"); 442 *pMatch = PKIX_FALSE; 443 goto cleanup; 444 } 445 446 } 447 448 PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime 449 (params, &selDate, plContext), 450 PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED); 451 452 /* Check for Date */ 453 if (selDate != NULL){ 454 455 PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled 456 (params, &nistPolicyEnabled, plContext), 457 PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED); 458 459 /* check crl dates only for if NIST policies enforced */ 460 if (nistPolicyEnabled) { 461 result = PKIX_FALSE; 462 463 PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime 464 (crl, selDate, &result, plContext), 465 PKIX_CRLVERIFYUPDATETIMEFAILED); 466 467 if (result == PKIX_FALSE) { 468 *pMatch = PKIX_FALSE; 469 goto cleanup; 470 } 471 } 472 473 } 474 475 /* Check for CRL number in range */ 476 PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext), 477 PKIX_CRLGETCRLNUMBERFAILED); 478 479 if (crlNumber != NULL) { 480 result = PKIX_FALSE; 481 482 PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber 483 (params, &minCRLNumber, plContext), 484 PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED); 485 486 if (minCRLNumber != NULL) { 487 488 PKIX_CHECK(PKIX_PL_Object_Compare 489 ((PKIX_PL_Object *)minCRLNumber, 490 (PKIX_PL_Object *)crlNumber, 491 &result, 492 plContext), 493 PKIX_OBJECTCOMPARATORFAILED); 494 495 if (result == 1) { 496 PKIX_CRLSELECTOR_DEBUG 497 ("CRL MinNumber Range Match Failed\n"); 498 *pMatch = PKIX_FALSE; 499 goto cleanup; 500 } 501 } 502 503 PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber 504 (params, &maxCRLNumber, plContext), 505 PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED); 506 507 if (maxCRLNumber != NULL) { 508 509 PKIX_CHECK(PKIX_PL_Object_Compare 510 ((PKIX_PL_Object *)crlNumber, 511 (PKIX_PL_Object *)maxCRLNumber, 512 &result, 513 plContext), 514 PKIX_OBJECTCOMPARATORFAILED); 515 516 if (result == 1) { 517 PKIX_CRLSELECTOR_DEBUG 518 (PKIX_CRLMAXNUMBERRANGEMATCHFAILED); 519 *pMatch = PKIX_FALSE; 520 goto cleanup; 521 } 522 } 523 } 524 525 cleanup: 526 527 PKIX_DECREF(selIssuerNames); 528 PKIX_DECREF(selDate); 529 PKIX_DECREF(crlIssuerName); 530 PKIX_DECREF(issuerName); 531 PKIX_DECREF(crlNumber); 532 PKIX_DECREF(minCRLNumber); 533 PKIX_DECREF(maxCRLNumber); 534 535 PKIX_RETURN(CRLSELECTOR); 536 } 537 538 /* 539 * FUNCTION: pkix_CRLSelector_RegisterSelf 540 * DESCRIPTION: 541 * Registers PKIX_CRLSELECTOR_TYPE and its related functions with 542 * systemClasses[] 543 * THREAD SAFETY: 544 * Not Thread Safe - for performance and complexity reasons 545 * 546 * Since this function is only called by PKIX_PL_Initialize, which should 547 * only be called once, it is acceptable that this function is not 548 * thread-safe. 549 */ 550 PKIX_Error * 551 pkix_CRLSelector_RegisterSelf(void *plContext) 552 { 553 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; 554 pkix_ClassTable_Entry entry; 555 556 PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf"); 557 558 entry.description = "CRLSelector"; 559 entry.objCounter = 0; 560 entry.typeObjectSize = sizeof(PKIX_CRLSelector); 561 entry.destructor = pkix_CRLSelector_Destroy; 562 entry.equalsFunction = pkix_CRLSelector_Equals; 563 entry.hashcodeFunction = pkix_CRLSelector_Hashcode; 564 entry.toStringFunction = pkix_CRLSelector_ToString; 565 entry.comparator = NULL; 566 entry.duplicateFunction = pkix_CRLSelector_Duplicate; 567 568 systemClasses[PKIX_CRLSELECTOR_TYPE] = entry; 569 570 PKIX_RETURN(CRLSELECTOR); 571 } 572 573 /* --CRLSelector-Public-Functions---------------------------------------- */ 574 PKIX_Error * 575 pkix_CRLSelector_Create( 576 PKIX_CRLSelector_MatchCallback callback, 577 PKIX_PL_Object *crlSelectorContext, 578 PKIX_CRLSelector **pSelector, 579 void *plContext) 580 { 581 PKIX_CRLSelector *selector = NULL; 582 583 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create"); 584 PKIX_NULLCHECK_ONE(pSelector); 585 586 PKIX_CHECK(PKIX_PL_Object_Alloc 587 (PKIX_CRLSELECTOR_TYPE, 588 sizeof (PKIX_CRLSelector), 589 (PKIX_PL_Object **)&selector, 590 plContext), 591 PKIX_COULDNOTCREATECRLSELECTOROBJECT); 592 593 /* 594 * if user specified a particular match callback, we use that one. 595 * otherwise, we use the default match provided. 596 */ 597 598 if (callback != NULL){ 599 selector->matchCallback = callback; 600 } else { 601 selector->matchCallback = pkix_CRLSelector_DefaultMatch; 602 } 603 604 /* initialize other fields */ 605 selector->params = NULL; 606 607 PKIX_INCREF(crlSelectorContext); 608 selector->context = crlSelectorContext; 609 610 *pSelector = selector; 611 selector = NULL; 612 613 cleanup: 614 615 PKIX_DECREF(selector); 616 617 PKIX_RETURN(CRLSELECTOR); 618 } 619 620 /* 621 * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h) 622 */ 623 PKIX_Error * 624 PKIX_CRLSelector_Create( 625 PKIX_PL_Cert *issuer, 626 PKIX_List *crldpList, 627 PKIX_PL_Date *date, 628 PKIX_CRLSelector **pCrlSelector, 629 void *plContext) 630 { 631 PKIX_PL_X500Name *issuerName = NULL; 632 PKIX_PL_Date *nowDate = NULL; 633 PKIX_ComCRLSelParams *comCrlSelParams = NULL; 634 PKIX_CRLSelector *crlSelector = NULL; 635 636 PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create"); 637 PKIX_NULLCHECK_ONE(issuer); 638 639 PKIX_CHECK( 640 PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext), 641 PKIX_CERTGETISSUERFAILED); 642 643 if (date != NULL) { 644 PKIX_INCREF(date); 645 nowDate = date; 646 } else { 647 PKIX_CHECK( 648 PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext), 649 PKIX_DATECREATEUTCTIMEFAILED); 650 } 651 652 PKIX_CHECK( 653 PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext), 654 PKIX_COMCRLSELPARAMSCREATEFAILED); 655 656 PKIX_CHECK( 657 PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName, 658 plContext), 659 PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED); 660 661 PKIX_CHECK( 662 PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList, 663 plContext), 664 PKIX_COMCRLSELPARAMSSETCERTFAILED); 665 666 PKIX_CHECK( 667 PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate, 668 plContext), 669 PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED); 670 671 PKIX_CHECK( 672 pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext), 673 PKIX_CRLSELECTORCREATEFAILED); 674 675 PKIX_CHECK( 676 PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector, 677 comCrlSelParams, 678 plContext), 679 PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED); 680 681 *pCrlSelector = crlSelector; 682 crlSelector = NULL; 683 684 cleanup: 685 686 PKIX_DECREF(issuerName); 687 PKIX_DECREF(nowDate); 688 PKIX_DECREF(comCrlSelParams); 689 PKIX_DECREF(crlSelector); 690 691 PKIX_RETURN(CERTCHAINCHECKER); 692 } 693 694 /* 695 * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h) 696 */ 697 PKIX_Error * 698 PKIX_CRLSelector_GetMatchCallback( 699 PKIX_CRLSelector *selector, 700 PKIX_CRLSelector_MatchCallback *pCallback, 701 void *plContext) 702 { 703 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback"); 704 PKIX_NULLCHECK_TWO(selector, pCallback); 705 706 *pCallback = selector->matchCallback; 707 708 PKIX_RETURN(CRLSELECTOR); 709 } 710 711 712 /* 713 * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext 714 * (see comments in pkix_crlsel.h) 715 */ 716 PKIX_Error * 717 PKIX_CRLSelector_GetCRLSelectorContext( 718 PKIX_CRLSelector *selector, 719 void **pCrlSelectorContext, 720 void *plContext) 721 { 722 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext"); 723 PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext); 724 725 PKIX_INCREF(selector->context); 726 727 *pCrlSelectorContext = selector->context; 728 729 cleanup: 730 PKIX_RETURN(CRLSELECTOR); 731 } 732 733 /* 734 * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams 735 * (see comments in pkix_crlsel.h) 736 */ 737 PKIX_Error * 738 PKIX_CRLSelector_GetCommonCRLSelectorParams( 739 PKIX_CRLSelector *selector, 740 PKIX_ComCRLSelParams **pParams, 741 void *plContext) 742 { 743 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams"); 744 PKIX_NULLCHECK_TWO(selector, pParams); 745 746 PKIX_INCREF(selector->params); 747 748 *pParams = selector->params; 749 750 cleanup: 751 PKIX_RETURN(CRLSELECTOR); 752 } 753 754 /* 755 * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams 756 * (see comments in pkix_crlsel.h) 757 */ 758 PKIX_Error * 759 PKIX_CRLSelector_SetCommonCRLSelectorParams( 760 PKIX_CRLSelector *selector, 761 PKIX_ComCRLSelParams *params, 762 void *plContext) 763 { 764 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams"); 765 PKIX_NULLCHECK_TWO(selector, params); 766 767 PKIX_DECREF(selector->params); 768 769 PKIX_INCREF(params); 770 selector->params = params; 771 772 PKIX_CHECK(PKIX_PL_Object_InvalidateCache 773 ((PKIX_PL_Object *)selector, plContext), 774 PKIX_OBJECTINVALIDATECACHEFAILED); 775 776 cleanup: 777 778 PKIX_RETURN(CRLSELECTOR); 779 } 780 781 /* 782 * FUNCTION: pkix_CRLSelector_Select 783 * DESCRIPTION: 784 * 785 * This function applies the selector pointed to by "selector" to each CRL, 786 * in turn, in the List pointed to by "before", and creates a List containing 787 * all the CRLs that matched, or passed the selection process, storing that 788 * List at "pAfter". If no CRLs match, an empty List is stored at "pAfter". 789 * 790 * The List returned in "pAfter" is immutable. 791 * 792 * PARAMETERS: 793 * "selector" 794 * Address of CRLSelelector to be applied to the List. Must be non-NULL. 795 * "before" 796 * Address of List that is to be filtered. Must be non-NULL. 797 * "pAfter" 798 * Address at which resulting List, possibly empty, is stored. Must be 799 * non-NULL. 800 * "plContext" 801 * Platform-specific context pointer. 802 * THREAD SAFETY: 803 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 804 * RETURNS: 805 * Returns NULL if the function succeeds. 806 * Returns a CRLSelector Error if the function fails in a non-fatal way. 807 * Returns a Fatal Error if the function fails in an unrecoverable way. 808 */ 809 PKIX_Error * 810 pkix_CRLSelector_Select( 811 PKIX_CRLSelector *selector, 812 PKIX_List *before, 813 PKIX_List **pAfter, 814 void *plContext) 815 { 816 PKIX_Boolean match = PKIX_FALSE; 817 PKIX_UInt32 numBefore = 0; 818 PKIX_UInt32 i = 0; 819 PKIX_List *filtered = NULL; 820 PKIX_PL_CRL *candidate = NULL; 821 822 PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select"); 823 PKIX_NULLCHECK_THREE(selector, before, pAfter); 824 825 PKIX_CHECK(PKIX_List_Create(&filtered, plContext), 826 PKIX_LISTCREATEFAILED); 827 828 PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext), 829 PKIX_LISTGETLENGTHFAILED); 830 831 for (i = 0; i < numBefore; i++) { 832 833 PKIX_CHECK(PKIX_List_GetItem 834 (before, i, (PKIX_PL_Object **)&candidate, plContext), 835 PKIX_LISTGETITEMFAILED); 836 837 PKIX_CHECK_ONLY_FATAL(selector->matchCallback 838 (selector, candidate, &match, plContext), 839 PKIX_CRLSELECTORMATCHCALLBACKFAILED); 840 841 if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) { 842 843 PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem 844 (filtered, 845 (PKIX_PL_Object *)candidate, 846 plContext), 847 PKIX_LISTAPPENDITEMFAILED); 848 } 849 850 pkixTempErrorReceived = PKIX_FALSE; 851 PKIX_DECREF(candidate); 852 } 853 854 PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext), 855 PKIX_LISTSETIMMUTABLEFAILED); 856 857 /* Don't throw away the list if one CRL was bad! */ 858 pkixTempErrorReceived = PKIX_FALSE; 859 860 *pAfter = filtered; 861 filtered = NULL; 862 863 cleanup: 864 865 PKIX_DECREF(filtered); 866 PKIX_DECREF(candidate); 867 868 PKIX_RETURN(CRLSELECTOR); 869 870 }