tor-browser

pkix_verifynode.c (36688B)

---

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_verifynode.c
*
* Verify Node Object Type Definition
*
*/

#include "pkix_verifynode.h"

/* --Private-VerifyNode-Functions---------------------------------- */

/*
* FUNCTION: pkix_VerifyNode_Create
* DESCRIPTION:
*
*  This function creates a VerifyNode using the Cert pointed to by "cert",
*  the depth given by "depth", and the Error pointed to by "error", storing
*  the result at "pObject".
*
* PARAMETERS
*  "cert"
*      Address of Cert for the node. Must be non-NULL
*  "depth"
*      UInt32 value of the depth for this node.
*  "error"
*      Address of Error for the node.
*  "pObject"
*      Address where the VerifyNode pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_Create(
       PKIX_PL_Cert *cert,
       PKIX_UInt32 depth,
       PKIX_Error *error,
       PKIX_VerifyNode **pObject,
       void *plContext)
{
       PKIX_VerifyNode *node = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Create");
       PKIX_NULLCHECK_TWO(cert, pObject);

       PKIX_CHECK(PKIX_PL_Object_Alloc
               (PKIX_VERIFYNODE_TYPE,
               sizeof (PKIX_VerifyNode),
               (PKIX_PL_Object **)&node,
               plContext),
               PKIX_COULDNOTCREATEVERIFYNODEOBJECT);

       PKIX_INCREF(cert);
       node->verifyCert = cert;

       PKIX_INCREF(error);
       node->error = error;

       node->depth = depth;

       node->children = NULL;

       *pObject = node;
       node = NULL;

cleanup:

       PKIX_DECREF(node);

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_AddToChain
* DESCRIPTION:
*
*  Adds the VerifyNode pointed to by "child", at the appropriate depth, to the
*  List of children of the VerifyNode pointed to by "parentNode". The chain of
*  VerifyNodes is traversed until a VerifyNode is found at a depth one less
*  than that specified in "child". An Error is returned if there is no parent
*  at a suitable depth.
*
*  If "parentNode" has a NULL pointer for the List of children, a new List is
*  created containing "child". Otherwise "child" is appended to the existing
*  List.
*
*  Depth, in this context, means distance from the root node, which
*  is at depth zero.
*
* PARAMETERS:
*  "parentNode"
*      Address of VerifyNode whose List of child VerifyNodes is to be
*      created or appended to. Must be non-NULL.
*  "child"
*      Address of VerifyNode to be added to parentNode's List. Must be
*      non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_AddToChain(
       PKIX_VerifyNode *parentNode,
       PKIX_VerifyNode *child,
       void *plContext)
{
       PKIX_VerifyNode *successor = NULL;
       PKIX_List *listOfChildren = NULL;
       PKIX_UInt32 numChildren = 0;
       PKIX_UInt32 parentDepth = 0;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToChain");
       PKIX_NULLCHECK_TWO(parentNode, child);

       parentDepth = parentNode->depth;
       listOfChildren = parentNode->children;
       if (listOfChildren == NULL) {

               if (parentDepth != (child->depth - 1)) {
                       PKIX_ERROR(PKIX_NODESMISSINGFROMCHAIN);
               }

               PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
                       PKIX_LISTCREATEFAILED);

               PKIX_CHECK(PKIX_List_AppendItem
                       (listOfChildren, (PKIX_PL_Object *)child, plContext),
                       PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);

               parentNode->children = listOfChildren;
       } else {
               /* get number of children */
               PKIX_CHECK(PKIX_List_GetLength
                       (listOfChildren, &numChildren, plContext),
                       PKIX_LISTGETLENGTHFAILED);

               if (numChildren != 1) {
                       PKIX_ERROR(PKIX_AMBIGUOUSPARENTAGEOFVERIFYNODE);
               }

               /* successor = listOfChildren[0] */
               PKIX_CHECK(PKIX_List_GetItem
                       (listOfChildren,
                       0,
                       (PKIX_PL_Object **)&successor,
                       plContext),
                       PKIX_LISTGETITEMFAILED);

               PKIX_CHECK(pkix_VerifyNode_AddToChain
                       (successor, child, plContext),
                       PKIX_VERIFYNODEADDTOCHAINFAILED);
       }

       PKIX_CHECK(PKIX_PL_Object_InvalidateCache
               ((PKIX_PL_Object *)parentNode, plContext),
               PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:
       PKIX_DECREF(successor);

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_SetDepth
* DESCRIPTION:
*
*  The function sets the depth field of each VerifyNode in the List "children"
*  to the value given by "depth", and recursively sets the depth of any
*  successive generations to the successive values.
*
* PARAMETERS:
*  "children"
*      The List of VerifyNodes. Must be non-NULL.
*  "depth"
*      The value of the depth field to be set in members of the List.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_VerifyNode_SetDepth(PKIX_List *children,
       PKIX_UInt32 depth,
       void *plContext)
{
       PKIX_UInt32 numChildren = 0;
       PKIX_UInt32 chIx = 0;
       PKIX_VerifyNode *child = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_SetDepth");
       PKIX_NULLCHECK_ONE(children);

       PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
               PKIX_LISTGETLENGTHFAILED);

       for (chIx = 0; chIx < numChildren; chIx++) {
              PKIX_CHECK(PKIX_List_GetItem
                       (children, chIx, (PKIX_PL_Object **)&child, plContext),
                       PKIX_LISTGETITEMFAILED);

               child->depth = depth;

               if (child->children != NULL) {
                       PKIX_CHECK(pkix_VerifyNode_SetDepth
                               (child->children, depth + 1, plContext),
                               PKIX_VERIFYNODESETDEPTHFAILED);
               }

               PKIX_DECREF(child);
       }

cleanup:

       PKIX_DECREF(child);

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_AddToTree
* DESCRIPTION:
*
*  Adds the VerifyNode pointed to by "child" to the List of children of the
*  VerifyNode pointed to by "parentNode". If "parentNode" has a NULL pointer
*  for the List of children, a new List is created containing "child".
*  Otherwise "child" is appended to the existing List. The depth field of
*  "child" is set to one more than the corresponding value in "parent", and
*  if the "child" itself has child nodes, their depth fields are updated
*  accordingly.
*
*  Depth, in this context, means distance from the root node, which
*  is at depth zero.
*
* PARAMETERS:
*  "parentNode"
*      Address of VerifyNode whose List of child VerifyNodes is to be
*      created or appended to. Must be non-NULL.
*  "child"
*      Address of VerifyNode to be added to parentNode's List. Must be
*      non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_AddToTree(
       PKIX_VerifyNode *parentNode,
       PKIX_VerifyNode *child,
       void *plContext)
{
       PKIX_List *listOfChildren = NULL;
       PKIX_UInt32 parentDepth = 0;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToTree");
       PKIX_NULLCHECK_TWO(parentNode, child);

       parentDepth = parentNode->depth;
       listOfChildren = parentNode->children;
       if (listOfChildren == NULL) {

               PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
                       PKIX_LISTCREATEFAILED);

               parentNode->children = listOfChildren;
       }

       child->depth = parentDepth + 1;

       PKIX_CHECK(PKIX_List_AppendItem
               (parentNode->children, (PKIX_PL_Object *)child, plContext),
               PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);

       if (child->children != NULL) {
               PKIX_CHECK(pkix_VerifyNode_SetDepth
                       (child->children, child->depth + 1, plContext),
                       PKIX_VERIFYNODESETDEPTHFAILED);
       }


cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_SingleVerifyNode_ToString
* DESCRIPTION:
*
*  Creates a String representation of the attributes of the VerifyNode pointed
*  to by "node", other than its children, and stores the result at "pString".
*
* PARAMETERS:
*  "node"
*      Address of VerifyNode to be described by the string. Must be non-NULL.
*  "pString"
*      Address where object pointer will be stored. Must be non-NULL.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if function succeeds
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in a fatal way
*/
PKIX_Error *
pkix_SingleVerifyNode_ToString(
       PKIX_VerifyNode *node,
       PKIX_PL_String **pString,
       void *plContext)
{
       PKIX_PL_String *fmtString = NULL;
       PKIX_PL_String *errorString = NULL;
       PKIX_PL_String *outString = NULL;

       PKIX_PL_X500Name *issuerName = NULL;
       PKIX_PL_X500Name *subjectName = NULL;
       PKIX_PL_String *issuerString = NULL;
       PKIX_PL_String *subjectString = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString");
       PKIX_NULLCHECK_THREE(node, pString, node->verifyCert);

       PKIX_TOSTRING(node->error, &errorString, plContext,
               PKIX_ERRORTOSTRINGFAILED);

       PKIX_CHECK(PKIX_PL_Cert_GetIssuer
               (node->verifyCert, &issuerName, plContext),
               PKIX_CERTGETISSUERFAILED);

       PKIX_TOSTRING(issuerName, &issuerString, plContext,
               PKIX_X500NAMETOSTRINGFAILED);

       PKIX_CHECK(PKIX_PL_Cert_GetSubject
               (node->verifyCert, &subjectName, plContext),
               PKIX_CERTGETSUBJECTFAILED);

       PKIX_TOSTRING(subjectName, &subjectString, plContext,
               PKIX_X500NAMETOSTRINGFAILED);

       PKIX_CHECK(PKIX_PL_String_Create
               (PKIX_ESCASCII,
               "CERT[Issuer:%s, Subject:%s], depth=%d, error=%s",
               0,
               &fmtString,
               plContext),
               PKIX_CANTCREATESTRING);

       PKIX_CHECK(PKIX_PL_Sprintf
               (&outString,
               plContext,
               fmtString,
               issuerString,
               subjectString,
               node->depth,
               errorString),
               PKIX_SPRINTFFAILED);

       *pString = outString;

cleanup:

       PKIX_DECREF(fmtString);
       PKIX_DECREF(errorString);
       PKIX_DECREF(issuerName);
       PKIX_DECREF(subjectName);
       PKIX_DECREF(issuerString);
       PKIX_DECREF(subjectString);
       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_ToString_Helper
* DESCRIPTION:
*
*  Produces a String representation of a VerifyNode tree below the VerifyNode
*  pointed to by "rootNode", with each line of output prefixed by the String
*  pointed to by "indent", and stores the result at "pTreeString". It is
*  called recursively, with ever-increasing indentation, for successively
*  lower nodes on the tree.
*
* PARAMETERS:
*  "rootNode"
*      Address of VerifyNode subtree. Must be non-NULL.
*  "indent"
*      Address of String to be prefixed to each line of output. May be NULL
*      if no indentation is desired
*  "pTreeString"
*      Address where the resulting String will be stored; must be non-NULL
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_VerifyNode_ToString_Helper(
       PKIX_VerifyNode *rootNode,
       PKIX_PL_String *indent,
       PKIX_PL_String **pTreeString,
       void *plContext)
{
       PKIX_PL_String *nextIndentFormat = NULL;
       PKIX_PL_String *thisNodeFormat = NULL;
       PKIX_PL_String *childrenFormat = NULL;
       PKIX_PL_String *nextIndentString = NULL;
       PKIX_PL_String *resultString = NULL;
       PKIX_PL_String *thisItemString = NULL;
       PKIX_PL_String *childString = NULL;
       PKIX_VerifyNode *childNode = NULL;
       PKIX_UInt32 numberOfChildren = 0;
       PKIX_UInt32 childIndex = 0;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_ToString_Helper");

       PKIX_NULLCHECK_TWO(rootNode, pTreeString);

       /* Create a string for this node */
       PKIX_CHECK(pkix_SingleVerifyNode_ToString
               (rootNode, &thisItemString, plContext),
               PKIX_ERRORINSINGLEVERIFYNODETOSTRING);

       if (indent) {
               PKIX_CHECK(PKIX_PL_String_Create
                       (PKIX_ESCASCII,
                       "%s%s",
                       0,
                       &thisNodeFormat,
                       plContext),
                       PKIX_ERRORCREATINGFORMATSTRING);

               PKIX_CHECK(PKIX_PL_Sprintf
                       (&resultString,
                       plContext,
                       thisNodeFormat,
                       indent,
                       thisItemString),
                       PKIX_ERRORINSPRINTF);
       } else {
               PKIX_CHECK(PKIX_PL_String_Create
                       (PKIX_ESCASCII,
                       "%s",
                       0,
                       &thisNodeFormat,
                       plContext),
                       PKIX_ERRORCREATINGFORMATSTRING);

               PKIX_CHECK(PKIX_PL_Sprintf
                       (&resultString,
                       plContext,
                       thisNodeFormat,
                       thisItemString),
                       PKIX_ERRORINSPRINTF);
       }

       PKIX_DECREF(thisItemString);
       thisItemString = resultString;

       /* if no children, we are done */
       if (rootNode->children) {
               PKIX_CHECK(PKIX_List_GetLength
                       (rootNode->children, &numberOfChildren, plContext),
                       PKIX_LISTGETLENGTHFAILED);
       }

       if (numberOfChildren != 0) {
               /*
                * We create a string for each child in turn,
                * concatenating them to thisItemString.
                */

               /* Prepare an indent string for each child */
               if (indent) {
                       PKIX_CHECK(PKIX_PL_String_Create
                               (PKIX_ESCASCII,
                               "%s. ",
                               0,
                               &nextIndentFormat,
                               plContext),
                               PKIX_ERRORCREATINGFORMATSTRING);

                       PKIX_CHECK(PKIX_PL_Sprintf
                               (&nextIndentString,
                               plContext,
                               nextIndentFormat,
                               indent),
                               PKIX_ERRORINSPRINTF);
               } else {
                       PKIX_CHECK(PKIX_PL_String_Create
                               (PKIX_ESCASCII,
                               ". ",
                               0,
                               &nextIndentString,
                               plContext),
                               PKIX_ERRORCREATINGINDENTSTRING);
               }

               /* Prepare the format for concatenation. */
               PKIX_CHECK(PKIX_PL_String_Create
                       (PKIX_ESCASCII,
                       "%s\n%s",
                       0,
                       &childrenFormat,
                       plContext),
                       PKIX_ERRORCREATINGFORMATSTRING);

               for (childIndex = 0;
                       childIndex < numberOfChildren;
                       childIndex++) {
                       PKIX_CHECK(PKIX_List_GetItem
                               (rootNode->children,
                               childIndex,
                               (PKIX_PL_Object **)&childNode,
                               plContext),
                               PKIX_LISTGETITEMFAILED);

                       PKIX_CHECK(pkix_VerifyNode_ToString_Helper
                               (childNode,
                               nextIndentString,
                               &childString,
                               plContext),
                               PKIX_ERRORCREATINGCHILDSTRING);


                       PKIX_CHECK(PKIX_PL_Sprintf
                               (&resultString,
                               plContext,
                               childrenFormat,
                               thisItemString,
                               childString),
                       PKIX_ERRORINSPRINTF);

                       PKIX_DECREF(childNode);
                       PKIX_DECREF(childString);
                       PKIX_DECREF(thisItemString);

                       thisItemString = resultString;
               }
       }

       *pTreeString = thisItemString;

cleanup:
       if (PKIX_ERROR_RECEIVED) {
               PKIX_DECREF(thisItemString);
       }

       PKIX_DECREF(nextIndentFormat);
       PKIX_DECREF(thisNodeFormat);
       PKIX_DECREF(childrenFormat);
       PKIX_DECREF(nextIndentString);
       PKIX_DECREF(childString);
       PKIX_DECREF(childNode);

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_VerifyNode_ToString(
       PKIX_PL_Object *object,
       PKIX_PL_String **pTreeString,
       void *plContext)
{
       PKIX_VerifyNode *rootNode = NULL;
       PKIX_PL_String *resultString = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_ToString");

       PKIX_NULLCHECK_TWO(object, pTreeString);

       PKIX_CHECK(pkix_CheckType(object, PKIX_VERIFYNODE_TYPE, plContext),
               PKIX_OBJECTNOTVERIFYNODE);

       rootNode = (PKIX_VerifyNode *)object;

       PKIX_CHECK(pkix_VerifyNode_ToString_Helper
               (rootNode, NULL, &resultString, plContext),
               PKIX_ERRORCREATINGSUBTREESTRING);

       *pTreeString = resultString;

cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_VerifyNode_Destroy(
       PKIX_PL_Object *object,
       void *plContext)
{
       PKIX_VerifyNode *node = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Destroy");

       PKIX_NULLCHECK_ONE(object);

       PKIX_CHECK(pkix_CheckType(object, PKIX_VERIFYNODE_TYPE, plContext),
               PKIX_OBJECTNOTVERIFYNODE);

       node = (PKIX_VerifyNode*)object;

       PKIX_DECREF(node->verifyCert);
       PKIX_DECREF(node->children);
       PKIX_DECREF(node->error);

       node->depth = 0;

cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_SingleVerifyNode_Hashcode
* DESCRIPTION:
*
*  Computes the hashcode of the attributes of the VerifyNode pointed to by
*  "node", other than its parents and children, and stores the result at
*  "pHashcode".
*
* PARAMETERS:
*  "node"
*      Address of VerifyNode to be hashcoded; must be non-NULL
*  "pHashcode"
*      Address where UInt32 result will be stored; must be non-NULL
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if function succeeds
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in a fatal way
*/
static PKIX_Error *
pkix_SingleVerifyNode_Hashcode(
       PKIX_VerifyNode *node,
       PKIX_UInt32 *pHashcode,
       void *plContext)
{
       PKIX_UInt32 errorHash = 0;
       PKIX_UInt32 nodeHash = 0;

       PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_Hashcode");
       PKIX_NULLCHECK_TWO(node, pHashcode);

       PKIX_HASHCODE
               (node->verifyCert,
               &nodeHash,
               plContext,
               PKIX_FAILUREHASHINGCERT);

       PKIX_CHECK(PKIX_PL_Object_Hashcode
               ((PKIX_PL_Object *)node->error,
               &errorHash,
               plContext),
               PKIX_FAILUREHASHINGERROR);

       nodeHash = 31*nodeHash + errorHash;
       *pHashcode = nodeHash;

cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_Hashcode
* (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_VerifyNode_Hashcode(
       PKIX_PL_Object *object,
       PKIX_UInt32 *pHashcode,
       void *plContext)
{
       PKIX_VerifyNode *node = NULL;
       PKIX_UInt32 childrenHash = 0;
       PKIX_UInt32 nodeHash = 0;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Hashcode");
       PKIX_NULLCHECK_TWO(object, pHashcode);

       PKIX_CHECK(pkix_CheckType
               (object, PKIX_VERIFYNODE_TYPE, plContext),
               PKIX_OBJECTNOTVERIFYNODE);

       node = (PKIX_VerifyNode *)object;

       PKIX_CHECK(pkix_SingleVerifyNode_Hashcode
               (node, &nodeHash, plContext),
               PKIX_SINGLEVERIFYNODEHASHCODEFAILED);

       PKIX_HASHCODE
               (node->children,
               &childrenHash,
               plContext,
               PKIX_OBJECTHASHCODEFAILED);

       nodeHash = 31*nodeHash + childrenHash;

       *pHashcode = nodeHash;

cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_SingleVerifyNode_Equals
* DESCRIPTION:
*
*  Compares for equality the components of the VerifyNode pointed to by
*  "firstPN", other than its parents and children, with those of the
*  VerifyNode pointed to by "secondPN" and stores the result at "pResult"
*  (PKIX_TRUE if equal; PKIX_FALSE if not).
*
* PARAMETERS:
*  "firstPN"
*      Address of first of the VerifyNodes to be compared; must be non-NULL
*  "secondPN"
*      Address of second of the VerifyNodes to be compared; must be non-NULL
*  "pResult"
*      Address where Boolean will be stored; must be non-NULL
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if function succeeds
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in a fatal way
*/
static PKIX_Error *
pkix_SingleVerifyNode_Equals(
       PKIX_VerifyNode *firstVN,
       PKIX_VerifyNode *secondVN,
       PKIX_Boolean *pResult,
       void *plContext)
{
       PKIX_Boolean compResult = PKIX_FALSE;

       PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_Equals");
       PKIX_NULLCHECK_THREE(firstVN, secondVN, pResult);

       /* If both references are identical, they must be equal */
       if (firstVN == secondVN) {
               compResult = PKIX_TRUE;
               goto cleanup;
       }

       /*
        * It seems we have to do the comparisons. Do
        * the easiest ones first.
        */
       if ((firstVN->depth) != (secondVN->depth)) {
               goto cleanup;
       }

       /* These fields must be non-NULL */
       PKIX_NULLCHECK_TWO(firstVN->verifyCert, secondVN->verifyCert);

       PKIX_EQUALS
               (firstVN->verifyCert,
               secondVN->verifyCert,
               &compResult,
               plContext,
               PKIX_OBJECTEQUALSFAILED);

       if (compResult == PKIX_FALSE) {
               goto cleanup;
       }

       PKIX_EQUALS
               (firstVN->error,
               secondVN->error,
               &compResult,
               plContext,
               PKIX_OBJECTEQUALSFAILED);

cleanup:

       *pResult = compResult;

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_Equals
* (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_VerifyNode_Equals(
       PKIX_PL_Object *firstObject,
       PKIX_PL_Object *secondObject,
       PKIX_Boolean *pResult,
       void *plContext)
{
       PKIX_VerifyNode *firstVN = NULL;
       PKIX_VerifyNode *secondVN = NULL;
       PKIX_UInt32 secondType;
       PKIX_Boolean compResult = PKIX_FALSE;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Equals");
       PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);

       /* test that firstObject is a VerifyNode */
       PKIX_CHECK(pkix_CheckType
               (firstObject, PKIX_VERIFYNODE_TYPE, plContext),
               PKIX_FIRSTOBJECTNOTVERIFYNODE);

       /*
        * Since we know firstObject is a VerifyNode,
        * if both references are identical, they must be equal
        */
       if (firstObject == secondObject){
               compResult = PKIX_TRUE;
               goto cleanup;
       }

       /*
        * If secondObject isn't a VerifyNode, we
        * don't throw an error. We simply return FALSE.
        */
       PKIX_CHECK(PKIX_PL_Object_GetType
                   (secondObject, &secondType, plContext),
                   PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);

       if (secondType != PKIX_VERIFYNODE_TYPE) {
               goto cleanup;
       }

       /*
        * Oh, well, we have to do the comparisons. Do
        * the easiest ones first.
        */
       firstVN = (PKIX_VerifyNode *)firstObject;
       secondVN = (PKIX_VerifyNode *)secondObject;

       PKIX_CHECK(pkix_SingleVerifyNode_Equals
               (firstVN, secondVN, &compResult, plContext),
               PKIX_SINGLEVERIFYNODEEQUALSFAILED);

       if (compResult == PKIX_FALSE) {
               goto cleanup;
       }

       PKIX_EQUALS
               (firstVN->children,
               secondVN->children,
               &compResult,
               plContext,
               PKIX_OBJECTEQUALSFAILEDONCHILDREN);

cleanup:

       *pResult = compResult;

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_DuplicateHelper
* DESCRIPTION:
*
*  Duplicates the VerifyNode whose address is pointed to by "original",
*  and stores the result at "pNewNode", if a non-NULL pointer is provided
*  for "pNewNode". In addition, the created VerifyNode is added as a child
*  to "parent", if a non-NULL pointer is provided for "parent". Then this
*  function is called recursively to duplicate each of the children of
*  "original". At the top level this function is called with a null
*  "parent" and a non-NULL "pNewNode". Below the top level "parent" will
*  be non-NULL and "pNewNode" will be NULL.
*
* PARAMETERS:
*  "original"
*      Address of VerifyNode to be copied; must be non-NULL
*  "parent"
*      Address of VerifyNode to which the created node is to be added as a
*      child; NULL for the top-level call and non-NULL below the top level
*  "pNewNode"
*      Address to store the node created; should be NULL if "parent" is
*      non-NULL and vice versa
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Conditionally Thread Safe
*  (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if function succeeds
*  Returns a VerifyNode Error if the function fails in a non-fatal way.
*  Returns a Fatal Error if the function fails in a fatal way
*/
static PKIX_Error *
pkix_VerifyNode_DuplicateHelper(
       PKIX_VerifyNode *original,
       PKIX_VerifyNode *parent,
       PKIX_VerifyNode **pNewNode,
       void *plContext)
{
       PKIX_UInt32 numChildren = 0;
       PKIX_UInt32 childIndex = 0;
       PKIX_List *children = NULL; /* List of PKIX_VerifyNode */
       PKIX_VerifyNode *copy = NULL;
       PKIX_VerifyNode *child = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_DuplicateHelper");

       PKIX_NULLCHECK_TWO
               (original, original->verifyCert);

       /*
        * These components are immutable, so copying the pointers
        * is sufficient. The create function increments the reference
        * counts as it stores the pointers into the new object.
        */
       PKIX_CHECK(pkix_VerifyNode_Create
               (original->verifyCert,
               original->depth,
               original->error,
               &copy,
               plContext),
               PKIX_VERIFYNODECREATEFAILED);

       /* Are there any children to duplicate? */
       children = original->children;

       if (children) {
           PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
               PKIX_LISTGETLENGTHFAILED);
       }

       for (childIndex = 0; childIndex < numChildren; childIndex++) {
               PKIX_CHECK(PKIX_List_GetItem
                       (children,
                       childIndex,
                       (PKIX_PL_Object **)&child,
                       plContext),
                       PKIX_LISTGETITEMFAILED);

               PKIX_CHECK(pkix_VerifyNode_DuplicateHelper
                       (child, copy, NULL, plContext),
                       PKIX_VERIFYNODEDUPLICATEHELPERFAILED);

               PKIX_DECREF(child);
       }

       if (pNewNode) {
               *pNewNode = copy;
               copy = NULL; /* no DecRef if we give our handle away */
       }

cleanup:
       PKIX_DECREF(copy);
       PKIX_DECREF(child);

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_Duplicate
* (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_VerifyNode_Duplicate(
       PKIX_PL_Object *object,
       PKIX_PL_Object **pNewObject,
       void *plContext)
{
       PKIX_VerifyNode *original = NULL;
       PKIX_VerifyNode *copy = NULL;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Duplicate");

       PKIX_NULLCHECK_TWO(object, pNewObject);

       PKIX_CHECK(pkix_CheckType
               (object, PKIX_VERIFYNODE_TYPE, plContext),
               PKIX_OBJECTNOTVERIFYNODE);

       original = (PKIX_VerifyNode *)object;

       PKIX_CHECK(pkix_VerifyNode_DuplicateHelper
               (original, NULL, &copy, plContext),
               PKIX_VERIFYNODEDUPLICATEHELPERFAILED);

       *pNewObject = (PKIX_PL_Object *)copy;

cleanup:

       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: pkix_VerifyNode_RegisterSelf
* DESCRIPTION:
*
*  Registers PKIX_VERIFYNODE_TYPE and its related
*  functions with systemClasses[]
*
* THREAD SAFETY:
*  Not Thread Safe - for performance and complexity reasons
*
*  Since this function is only called by PKIX_PL_Initialize,
*  which should only be called once, it is acceptable that
*  this function is not thread-safe.
*/
PKIX_Error *
pkix_VerifyNode_RegisterSelf(void *plContext)
{

       extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
       pkix_ClassTable_Entry entry;

       PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_RegisterSelf");

       entry.description = "VerifyNode";
       entry.objCounter = 0;
       entry.typeObjectSize = sizeof(PKIX_VerifyNode);
       entry.destructor = pkix_VerifyNode_Destroy;
       entry.equalsFunction = pkix_VerifyNode_Equals;
       entry.hashcodeFunction = pkix_VerifyNode_Hashcode;
       entry.toStringFunction = pkix_VerifyNode_ToString;
       entry.comparator = NULL;
       entry.duplicateFunction = pkix_VerifyNode_Duplicate;

       systemClasses[PKIX_VERIFYNODE_TYPE] = entry;

       PKIX_RETURN(VERIFYNODE);
}

/* --Public-VerifyNode-Functions----------------------------------- */

/*
* FUNCTION: PKIX_VerifyNode_SetError
* DESCRIPTION:
*
*  This function sets the Error field of the VerifyNode pointed to by "node"
*  to contain the Error pointed to by "error".
*
* PARAMETERS:
*  "node"
*      The address of the VerifyNode to be modified. Must be non-NULL.
*  "error"
*      The address of the Error to be stored.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_SetError(
       PKIX_VerifyNode *node,
       PKIX_Error *error,
       void *plContext)
{

       PKIX_ENTER(VERIFYNODE, "PKIX_VerifyNode_SetError");

       PKIX_NULLCHECK_TWO(node, error);

       PKIX_DECREF(node->error); /* should have been NULL */
       PKIX_INCREF(error);
       node->error = error;

cleanup:
       PKIX_RETURN(VERIFYNODE);
}

/*
* FUNCTION: PKIX_VerifyNode_FindError
* DESCRIPTION:
*
* Finds meaningful error in the log. For now, just returns the first
* error it finds in. In the future the function should be changed to
* return a top priority error.
*
* PARAMETERS:
*  "node"
*      The address of the VerifyNode to be modified. Must be non-NULL.
*  "error"
*      The address of a pointer the error will be returned to.
*  "plContext"
*      Platform-specific context pointer.
* THREAD SAFETY:
*  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
*  Returns NULL if the function succeeds.
*  Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_FindError(
       PKIX_VerifyNode *node,
       PKIX_Error **error,
       void *plContext)
{
   PKIX_VerifyNode *childNode = NULL;

   PKIX_ENTER(VERIFYNODE, "PKIX_VerifyNode_FindError");

   /* Make sure the return address is initialized with NULL */
   PKIX_DECREF(*error);

   if (!node)
       goto cleanup;
   
   /* First, try to get error from lowest level. */
   if (node->children) {
       PKIX_UInt32 length = 0;
       PKIX_UInt32 index = 0;

       PKIX_CHECK(
           PKIX_List_GetLength(node->children, &length,
                               plContext),
           PKIX_LISTGETLENGTHFAILED);
       for (index = 0;index < length;index++) {
           PKIX_CHECK(
               PKIX_List_GetItem(node->children, index,
                                 (PKIX_PL_Object**)&childNode, plContext),
               PKIX_LISTGETITEMFAILED);
           if (!childNode)
               continue;
           PKIX_CHECK(
               pkix_VerifyNode_FindError(childNode, error,
                                         plContext),
               PKIX_VERIFYNODEFINDERRORFAILED);
           PKIX_DECREF(childNode);
           if (*error) {
               goto cleanup;
           }
       }
   }
   
   if (node->error && node->error->plErr) {
       PKIX_INCREF(node->error);
       *error = node->error;
   }

cleanup:
   PKIX_DECREF(childNode);
   
   PKIX_RETURN(VERIFYNODE);
}