Fix for bug 175115. Remove incorrect check for CA cert expiration. Also fix CRL signature verification and clean up internal functions. r=mcgreer,relyea,nelsonb,wtc
This commit is contained in:
Родитель
386dfe8085
Коммит
8083074fbc
|
@ -34,7 +34,7 @@
|
||||||
/*
|
/*
|
||||||
* Moved from secpkcs7.c
|
* Moved from secpkcs7.c
|
||||||
*
|
*
|
||||||
* $Id: crl.c,v 1.27 2002/10/10 20:30:06 relyea%netscape.com Exp $
|
* $Id: crl.c,v 1.28 2002/10/30 23:31:38 jpierre%netscape.com Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "cert.h"
|
#include "cert.h"
|
||||||
|
@ -1170,7 +1170,7 @@ PRBool CRLStillExists(CERTSignedCrl* crl)
|
||||||
}
|
}
|
||||||
|
|
||||||
SECStatus DPCache_Refresh(CRLDPCache* cache, CERTSignedCrl* crlobject,
|
SECStatus DPCache_Refresh(CRLDPCache* cache, CERTSignedCrl* crlobject,
|
||||||
int64 t, void* wincx)
|
void* wincx)
|
||||||
{
|
{
|
||||||
SECStatus rv = SECSuccess;
|
SECStatus rv = SECSuccess;
|
||||||
/* Check if it is an invalid CRL
|
/* Check if it is an invalid CRL
|
||||||
|
@ -1192,17 +1192,20 @@ SECStatus DPCache_Refresh(CRLDPCache* cache, CERTSignedCrl* crlobject,
|
||||||
} else {
|
} else {
|
||||||
SECStatus signstatus = SECFailure;
|
SECStatus signstatus = SECFailure;
|
||||||
if (cache->issuer) {
|
if (cache->issuer) {
|
||||||
signstatus = CERT_VerifySignedData(&crlobject->signatureWrap,
|
int64 issuingDate = 0;
|
||||||
cache->issuer, t, wincx);
|
signstatus = DER_UTCTimeToTime(&issuingDate, &crlobject->crl.lastUpdate);
|
||||||
|
if (SECSuccess == signstatus) {
|
||||||
|
signstatus = CERT_VerifySignedData(&crlobject->signatureWrap,
|
||||||
|
cache->issuer, issuingDate, wincx);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (SECSuccess != signstatus) {
|
if (SECSuccess != signstatus) {
|
||||||
if (0 == t) {
|
if (!cache->issuer) {
|
||||||
/* we tried to verify with a time of t=0 . Most likely this is
|
/* we tried to verify without an issuer cert . This is
|
||||||
because this CRL came through a call to SEC_FindCrlByName,
|
because this CRL came through a call to SEC_FindCrlByName.
|
||||||
not because the signature fails to verify.
|
|
||||||
So we don't cache this verification failure. We'll try
|
So we don't cache this verification failure. We'll try
|
||||||
to verify the CRL again when a certificate from that issuer
|
to verify the CRL again when a certificate from that issuer
|
||||||
gets verified */
|
becomes available */
|
||||||
GetOpaqueCRLFields(crlobject)->unverified = PR_TRUE;
|
GetOpaqueCRLFields(crlobject)->unverified = PR_TRUE;
|
||||||
} else {
|
} else {
|
||||||
GetOpaqueCRLFields(crlobject)->unverified = PR_FALSE;
|
GetOpaqueCRLFields(crlobject)->unverified = PR_FALSE;
|
||||||
|
@ -1298,7 +1301,7 @@ void DPCache_Empty(CRLDPCache* cache)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SECStatus DPCache_Fetch(CRLDPCache* cache, int64 t, void* wincx)
|
SECStatus DPCache_Fetch(CRLDPCache* cache, void* wincx)
|
||||||
{
|
{
|
||||||
SECStatus rv = SECSuccess;
|
SECStatus rv = SECSuccess;
|
||||||
CERTSignedCrl* crlobject = NULL;
|
CERTSignedCrl* crlobject = NULL;
|
||||||
|
@ -1358,7 +1361,7 @@ SECStatus DPCache_Fetch(CRLDPCache* cache, int64 t, void* wincx)
|
||||||
|
|
||||||
/* update the cache with this new CRL */
|
/* update the cache with this new CRL */
|
||||||
if (SECSuccess == rv) {
|
if (SECSuccess == rv) {
|
||||||
rv = DPCache_Refresh(cache, crlobject, t, wincx);
|
rv = DPCache_Refresh(cache, crlobject, wincx);
|
||||||
}
|
}
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
@ -1421,7 +1424,7 @@ SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, CERTCrlEntry** returned
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
|
SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer,
|
||||||
void* wincx, PRBool readlocked)
|
void* wincx, PRBool readlocked)
|
||||||
{
|
{
|
||||||
/* Update the CRLDPCache now. We don't cache token CRL lookup misses
|
/* Update the CRLDPCache now. We don't cache token CRL lookup misses
|
||||||
|
@ -1436,10 +1439,10 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* verify CRLs that couldn't be checked when inserted into the cache
|
/* verify CRLs that couldn't be checked when inserted into the cache
|
||||||
because issuer and time was unavailable. These are CRLs that were
|
because the issuer cert was unavailable. These are CRLs that were
|
||||||
inserted through SEC_FindCrlByName, rather than through a certificate
|
inserted into the cache through SEC_FindCrlByName, rather than
|
||||||
verification */
|
through a certificate verification (CERT_CheckCRL) */
|
||||||
if (t && issuer) {
|
if (issuer) {
|
||||||
/* if we didn't have a valid issuer cert yet, but we do now. add it */
|
/* if we didn't have a valid issuer cert yet, but we do now. add it */
|
||||||
if (NULL == cache->issuer) {
|
if (NULL == cache->issuer) {
|
||||||
/* save the issuer cert */
|
/* save the issuer cert */
|
||||||
|
@ -1447,23 +1450,25 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* re-process all unverified CRLs */
|
/* re-process all unverified CRLs */
|
||||||
for (i = 0; i < cache->ncrls ; i++) {
|
if (cache->issuer) {
|
||||||
CERTSignedCrl* acrl = cache->crls[i];
|
for (i = 0; i < cache->ncrls ; i++) {
|
||||||
if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
|
CERTSignedCrl* acrl = cache->crls[i];
|
||||||
DPCache_LockWrite();
|
|
||||||
/* check that we are the first thread to update */
|
|
||||||
if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
|
if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
|
||||||
DPCache_Refresh(cache, acrl, t, wincx);
|
DPCache_LockWrite();
|
||||||
/* also check all the other CRLs */
|
/* check that we are the first thread to update */
|
||||||
for (i = i+1 ; i < cache->ncrls ; i++) {
|
if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
|
||||||
acrl = cache->crls[i];
|
DPCache_Refresh(cache, acrl, wincx);
|
||||||
if (acrl && (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified)) {
|
/* also check all the other CRLs */
|
||||||
DPCache_Refresh(cache, acrl, t, wincx);
|
for (i = i+1 ; i < cache->ncrls ; i++) {
|
||||||
|
acrl = cache->crls[i];
|
||||||
|
if (acrl && (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified)) {
|
||||||
|
DPCache_Refresh(cache, acrl, wincx);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
DPCache_UnlockWrite();
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
DPCache_UnlockWrite();
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1493,7 +1498,7 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/* and try to fetch a new one */
|
/* and try to fetch a new one */
|
||||||
rv = DPCache_Fetch(cache, t, wincx);
|
rv = DPCache_Fetch(cache, wincx);
|
||||||
updated = PR_TRUE;
|
updated = PR_TRUE;
|
||||||
if (SECSuccess == rv) {
|
if (SECSuccess == rv) {
|
||||||
rv = DPCache_Cleanup(cache); /* clean up deleted CRLs
|
rv = DPCache_Cleanup(cache); /* clean up deleted CRLs
|
||||||
|
@ -1510,7 +1515,7 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
|
||||||
if (0 == cache->ncrls)
|
if (0 == cache->ncrls)
|
||||||
{
|
{
|
||||||
/* we are the first */
|
/* we are the first */
|
||||||
rv = DPCache_Fetch(cache, t, wincx);
|
rv = DPCache_Fetch(cache, wincx);
|
||||||
}
|
}
|
||||||
DPCache_UnlockWrite();
|
DPCache_UnlockWrite();
|
||||||
}
|
}
|
||||||
|
@ -1794,7 +1799,7 @@ SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject, SECItem* dp,
|
||||||
if (*dpcache)
|
if (*dpcache)
|
||||||
{
|
{
|
||||||
/* make sure the DP cache is up to date before using it */
|
/* make sure the DP cache is up to date before using it */
|
||||||
rv = DPCache_Update(*dpcache, issuer, t, wincx, PR_FALSE == *writeLocked);
|
rv = DPCache_Update(*dpcache, issuer, wincx, PR_FALSE == *writeLocked);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -1835,18 +1840,6 @@ CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
|
||||||
if (!cert || !issuer) {
|
if (!cert || !issuer) {
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
}
|
}
|
||||||
/* we must check the cert issuer (or more appropriately, the CRL
|
|
||||||
signer)'s validity time first. If it's expired, then don't go to the
|
|
||||||
cache.
|
|
||||||
If we do and the cache is empty, a CRL will be fetched, but it won't
|
|
||||||
verify because of the expired issuer, causing us to put the cache in
|
|
||||||
the invalid state.
|
|
||||||
If we do and the cache is already populated, we will lookup the cert
|
|
||||||
in the CRL for no good reason. */
|
|
||||||
validity = CERT_CheckCertValidTimes(issuer, t, PR_FALSE);
|
|
||||||
if ( validity != secCertTimeValid ) {
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache, &lockedwrite);
|
rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache, &lockedwrite);
|
||||||
|
|
||||||
|
|
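Review bot: In DPCache_Refresh, a DER_UTCTimeToTime failure on crl.lastUpdate leaves signstatus at SECFailure and, because cache->issuer is non-NULL, is recorded through the same `unverified = PR_FALSE` branch as a genuine signature mismatch, so a malformed lastUpdate becomes indistinguishable from a CRL whose signature does not verify, both in the cache state and in the error reported. Consider handling the decode result on its own before attempting verification, e.g. `if (SECSuccess != DER_UTCTimeToTime(&issuingDate, &crlobject->crl.lastUpdate)) { PORT_SetError(SEC_ERROR_CRL_INVALID); ... }`, and if the CRL decoder accepts a GeneralizedTime lastUpdate, use a helper that decodes either time encoding rather than the UTCTime-only call. A comment above the CERT_VerifySignedData call would also help, such as `/* verify at the CRL's own issuing time so CRLs from a since-expired issuer still verify; lastUpdate is signer-asserted, so the issuer validity window is checked at a signer-chosen instant */`. The remainder of DPCache_Refresh, including what the caller does with the cache after the else branch, lies outside the hunk. In the CERT_CheckCRL hunk the removed CERT_CheckCertValidTimes call was the only visible use of `validity`, whose declaration is outside the hunk and may now be an unused local.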