417024 - Convert libpkix error code into nss error code. patch v2. r=nelson

This commit is contained in:
alexei.volkov.bugs%sun.com 2008-02-26 00:22:38 +00:00
Родитель 79b52ceb34
Коммит 12a2af1411
13 изменённых файлов: 1230 добавлений и 1117 удалений

Просмотреть файл

@ -59,6 +59,8 @@
#include "pkix_pl_common.h"
#include "pkix_pl_ekuchecker.h"
extern PRLogModuleInfo *pkixLog;
#ifdef DEBUG_volkov
/* Temporary declarations of functioins. Will be removed with fix for
* 391183 */
@ -269,7 +271,6 @@ cert_NssCertificateUsageToPkixKUAndEKU(
{
PKIX_List *ekuOidsList = NULL;
PKIX_PL_OID *ekuOid = NULL;
PKIX_UInt32 keyUsage = 0;
int i = 0;
int ekuIndex = ekuIndexUnknown;
@ -572,7 +573,7 @@ cert_CreatePkixProcessingParams(
plContext),
PKIX_PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED);
#ifdef DEBUG_volkov
#ifdef DEBUG_volkov1
/* Enables ocsp rev checking of the chain cert through pkix OCSP
* implementation. */
if (checkAllCertsOCSP) {
@ -663,11 +664,11 @@ cert_PkixToNssCertsChain(
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
PKIX_ERROR(PKIX_PORTNEWARENAFAILED);
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
if (validChain == NULL) {
PKIX_ERROR(PKIX_PORTARENAZNEWFAILED);
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
PR_INIT_CLIST(&validChain->list);
validChain->arena = arena;
@ -692,7 +693,7 @@ cert_PkixToNssCertsChain(
(CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
sizeof(CERTCertListNode));
if ( node == NULL ) {
PKIX_ERROR(PKIX_PORTARENAZNEWFAILED);
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
PR_INSERT_BEFORE(&node->links, &validChain->list);
@ -820,15 +821,36 @@ cleanup:
static PKIX_Error *
cert_PkixErrorToNssCode(
PKIX_Error *error,
unsigned long *nssCode,
SECErrorCodes *pNssErr,
void *plContext)
{
PKIX_ERRORCODE errorCode = 0; /* unknown pkix error code */
PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
PKIX_NULLCHECK_ONE(nssCode);
int errLevel = 0;
PKIX_UInt32 nssErr = 0;
PKIX_Error *errPtr = error;
/* PKIX-XXX: Convert pkix code to nss code. See bug 391183 */
*nssCode = SEC_ERROR_CERT_NOT_VALID;
PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
PKIX_NULLCHECK_TWO(error, pNssErr);
/* Loop until we find at least one error with non-null
* plErr code, that is going to be nss error code. */
while (errPtr) {
if (errPtr->plErr && !nssErr) {
nssErr = errPtr->plErr;
if (!pkixLog) break;
}
if (pkixLog) {
PR_LOG(pkixLog, 1, ("Error at level %d: %s\n", errLevel,
PKIX_ErrorText[error->errCode]));
}
errPtr = errPtr->cause;
errLevel += 1;
}
PORT_Assert(nssErr);
if (!nssErr) {
*pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
} else {
*pNssErr = nssErr;
}
PKIX_RETURN(CERTVFYPKIX);
}
@ -884,15 +906,13 @@ cert_GetLogFromVerifyNode(
PKIX_PL_Free(string, NULL);
#endif
if (log != NULL) {
unsigned long nssErrorCode = 0;
SECErrorCodes nssErrorCode = 0;
PKIX_CHECK(
PKIX_PL_Cert_GetCERTCertificate(node->verifyCert, &cert,
plContext),
PKIX_CERTGETCERTCERTIFICATEFAILED);
nssErrorCode = PKIX_CERTIFICATEDOESNTHAVEVALIDCRL;
PKIX_CHECK(
cert_PkixErrorToNssCode(node->error, &nssErrorCode,
plContext),
@ -997,7 +1017,7 @@ cert_GetBuildResults(
}
if (error) {
unsigned long nssErrorCode = 0;
SECErrorCodes nssErrorCode = 0;
#ifdef DEBUG_volkov
char *temp = pkix_Error2ASCII(error, plContext);
fprintf(stderr, "BUILD ERROR:\n%s\n", temp);
@ -1660,7 +1680,6 @@ SECStatus CERT_PKIXVerifyCert(
error = PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
@ -1668,7 +1687,6 @@ SECStatus CERT_PKIXVerifyCert(
error = PKIX_ProcessingParams_SetCertStores
(procParams, certStores, plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
@ -1676,28 +1694,24 @@ SECStatus CERT_PKIXVerifyCert(
&buildState, &buildResult, NULL,
plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
plContext);
if (error != NULL) {
PORT_SetError(SEC_ERROR_IO); /* need pkix->nss error map */
goto cleanup;
}
@ -1734,8 +1748,13 @@ cleanup:
if (certSelector != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
if (error != NULL)
if (error != NULL) {
SECErrorCodes nssErrorCode = 0;
cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
PORT_SetError(nssErrorCode);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
}
PKIX_PL_NssContext_Destroy(plContext);

Разница между файлами не показана из-за своего большого размера Загрузить разницу

Просмотреть файл

@ -1573,4 +1573,18 @@ PKIX_PL_BigInt_Create(
}
#endif
/*
* FUNCTION: PKIX_PL_GetPLErrorCode
* DESCRIPTION:
*
* Returns error code from PL layer.
*
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* PL layer error code.
*/
int
PKIX_PL_GetPLErrorCode();
#endif /* _LIBPKIX_SYSTEM_H */

Просмотреть файл

@ -367,7 +367,7 @@ typedef enum { /* Now invoke all those ERRMACROs to assign the numbers */
/* Now define error strings (for internationalization) */
#define PKIX_ERRORENTRY(name,desc) PKIX_ ## name
#define PKIX_ERRORENTRY(name,desc,plerr) PKIX_ ## name
/* Define all the error numbers */
typedef enum {
@ -376,7 +376,6 @@ typedef enum {
extern const char * const PKIX_ErrorText[];
/* String Formats
*
* These formats specify supported encoding formats for Strings.

Просмотреть файл

@ -213,7 +213,7 @@ pkix_CertSelector_Match_BasicConstraint(
PKIX_CERTSELECTOR_DEBUG
("Basic Constraints path length match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
}
}
@ -223,7 +223,7 @@ pkix_CertSelector_Match_BasicConstraint(
PKIX_CERTSELECTOR_DEBUG
("Basic Constraints end-entity match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
}
}

Просмотреть файл

@ -1199,11 +1199,6 @@ pkix_Build_VerifyCertificate(
}
}
pkixErrorResult = PKIX_PL_Cert_VerifyKeyUsage
(candidateCert, PKIX_KEY_CERT_SIGN, plContext);
ERROR_CHECK(PKIX_CERTVERIFYKEYUSAGEFAILED);
*pNeedsCRLChecking = PKIX_TRUE;
}
}
@ -2348,6 +2343,7 @@ pkix_BuildForwardDepthFirstSearch(
PKIX_PL_Cert *trustedCert = NULL;
PKIX_VerifyNode *verifyNode = NULL;
PKIX_Error *verifyError = NULL;
PKIX_Error *finalError = NULL;
void *nbio = NULL;
PKIX_ENTER(BUILD, "pkix_BuildForwardDepthFirstSearch");
@ -2392,7 +2388,9 @@ pkix_BuildForwardDepthFirstSearch(
verifyError,
plContext),
PKIX_VERIFYNODESETERRORFAILED);
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
}
/* Even if we logged error, we still have to abort */
PKIX_ERROR(PKIX_TIMECONSUMEDEXCEEDSRESOURCELIMITS);
@ -2661,7 +2659,9 @@ pkix_BuildForwardDepthFirstSearch(
PKIX_VERIFYNODEADDTOTREEFAILED);
PKIX_DECREF(verifyNode);
}
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
if (state->certLoopingDetected) {
PKIX_ERROR
(PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
@ -2740,7 +2740,9 @@ pkix_BuildForwardDepthFirstSearch(
PKIX_VERIFYNODEADDTOTREEFAILED);
PKIX_DECREF(verifyNode);
}
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
if (state->certLoopingDetected) {
PKIX_ERROR
(PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
@ -2959,7 +2961,9 @@ pkix_BuildForwardDepthFirstSearch(
plContext),
PKIX_VERIFYNODESETERRORFAILED);
}
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
/* try again with the next trust anchor */
state->status = BUILD_CHECKWITHANCHORS;
} else {
@ -3041,7 +3045,9 @@ pkix_BuildForwardDepthFirstSearch(
(state->verifyNode, verifyNode, plContext),
PKIX_VERIFYNODEADDTOTREEFAILED);
PKIX_DECREF(verifyNode);
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
}
/* Even if error logged, still need to abort */
PKIX_ERROR(PKIX_DEPTHWOULDEXCEEDRESOURCELIMITS);
@ -3160,7 +3166,9 @@ pkix_BuildForwardDepthFirstSearch(
verifyError,
plContext),
PKIX_VERIFYNODESETERRORFAILED);
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
finalError = verifyError;
verifyError = NULL;
}
/* Even if error logged, still need to abort */
PKIX_ERROR
@ -3292,10 +3300,21 @@ cleanup:
state->validityDate = validityDate;
validityDate = NULL;
}
*pState = state;
state = NULL;
if (!*pValResult && !verifyError) {
if (finalError) {
pkixErrorResult = finalError;
pkixErrorCode = finalError->errCode;
finalError = NULL;
goto fatal;
}
pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER;
pkixErrorReceived = PKIX_TRUE;
} else {
pkixErrorResult = verifyError;
verifyError = NULL;
}
*pState = state;
state = NULL;
fatal:
PKIX_DECREF(state);
@ -3303,6 +3322,7 @@ fatal:
PKIX_DECREF(childState);
PKIX_DECREF(valResult);
PKIX_DECREF(verifyError);
PKIX_DECREF(finalError);
PKIX_DECREF(verifyNode);
PKIX_DECREF(candidatePubKey);
PKIX_DECREF(trustedPubKey);

Просмотреть файл

@ -45,13 +45,15 @@
#undef PKIX_ERRORENTRY
#define PKIX_ERRORENTRY(name,desc) #desc
#define PKIX_ERRORENTRY(name,desc,nsserr) #desc
const char * const PKIX_ErrorText[] =
{
#include "pkix_errorstrings.h"
};
extern const int const PKIX_PLErrorIndex[];
/* --Private-Functions-------------------------------------------- */
/*
@ -167,6 +169,10 @@ pkix_Error_Equals(
unequalFlag = PKIX_TRUE;
}
if (firstError->plErr != secondError->plErr) {
unequalFlag = PKIX_TRUE;
}
/* If the unequalFlag was set, return false */
if (unequalFlag) goto cleanup;
@ -459,6 +465,8 @@ PKIX_Error_Create(
error->errCode = errCode;
error->plErr = PKIX_PLErrorIndex[error->errCode];
*pError = error;
error = NULL;

Просмотреть файл

@ -1425,7 +1425,7 @@ PKIX_List_AppendItem(
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_CANNOTCALLAPPENDITEMONIMMUTABLELIST);
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
if (!list->isHeader){
@ -1477,7 +1477,7 @@ PKIX_List_InsertItem(
if (list->immutable){
PKIX_ERROR(PKIX_CANNOTCALLINSERTITEMONIMMUTABLELIST);
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
if (!list->isHeader){
@ -1564,7 +1564,7 @@ PKIX_List_SetItem(
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_CANNOTCALLSETITEMONIMMUTABLELIST);
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
if (!list->isHeader){
@ -1607,7 +1607,7 @@ PKIX_List_DeleteItem(
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_CANNOTCALLDELETEITEMONIMMUTABLELIST);
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
if (!list->isHeader){

Просмотреть файл

@ -168,7 +168,7 @@ pkix_Throw(
PKIX_Error **pError,
void *plContext)
{
PKIX_ERRORCLASS causeClass;
PKIX_Error *error = NULL;
PKIX_ENTER(ERROR, "pkix_Throw");
PKIX_NULLCHECK_TWO(funcName, pError);
@ -188,7 +188,18 @@ pkix_Throw(
}
pkixTempResult = PKIX_Error_Create(errorClass, cause, NULL,
errorCode, pError, plContext);
errorCode, &error, plContext);
if (!pkixTempResult) {
/* Setting plErr error code:
* get it from PORT_GetError if it is a leaf error and
* default error code does not exist(eq 0) */
if (!cause && !error->plErr) {
error->plErr = PKIX_PL_GetPLErrorCode();
}
}
*pError = error;
cleanup:

Просмотреть файл

@ -120,9 +120,9 @@ PKIX_PL_OcspResponse_UseBuildChain(
*pNBIOContext = nbioContext;
/* no buildResult means the build has failed */
} else if (buildError || (pBuildResult == NULL)) {
PKIX_DECREF(buildError);
PKIX_ERROR(PKIX_UNABLETOBUILDCHAIN);
} else if (buildError) {
pkixErrorResult = buildError;
buildError = NULL;
} else {
PKIX_DECREF(*pState);
}
@ -563,7 +563,7 @@ pkix_pl_OcspResponse_Create(
}
if (responseCode != 200) {
PKIX_ERROR(PKIX_BADHTTPRESPONSE);
PKIX_ERROR(PKIX_OCSPBADHTTPRESPONSE);
}

Просмотреть файл

@ -59,19 +59,20 @@ PRIVATE_EXPORTS = \
MODULE = nss
CSRCS = \
pkix_pl_common.c \
pkix_pl_mem.c \
pkix_pl_object.c \
pkix_pl_string.c \
pkix_pl_primhash.c \
pkix_pl_bigint.c \
pkix_pl_mutex.c \
pkix_pl_bytearray.c \
pkix_pl_lifecycle.c \
pkix_pl_oid.c \
pkix_pl_common.c \
pkix_pl_error.c \
pkix_pl_hashtable.c \
pkix_pl_rwlock.c \
pkix_pl_lifecycle.c \
pkix_pl_mem.c \
pkix_pl_monitorlock.c \
pkix_pl_mutex.c \
pkix_pl_object.c \
pkix_pl_oid.c \
pkix_pl_primhash.c \
pkix_pl_rwlock.c \
pkix_pl_string.c \
$(NULL)
REQUIRES = dbm

Просмотреть файл

@ -0,0 +1,59 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the PKIX-C library.
*
* The Initial Developer of the Original Code is
* Sun Microsystems, Inc.
* Portions created by the Initial Developer are
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
*
* Contributor(s):
* Sun Microsystems, Inc.
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* pkix_pl_error.c
*
* PL error functions
*
*/
#include "pkix_pl_common.h"
#undef PKIX_ERRORENTRY
#define PKIX_ERRORENTRY(name,desc,plerr) plerr
const SECErrorCodes const PKIX_PLErrorIndex[] =
{
#include "pkix_errorstrings.h"
};
int
PKIX_PL_GetPLErrorCode()
{
return PORT_GetError();
}

Просмотреть файл

@ -235,7 +235,7 @@ pkix_pl_PrimHashTable_Add(
if ((element->hashCode == hashCode) &&
(compResult == PKIX_TRUE)){
/* Same key already exists in the table */
goto cleanup;
PKIX_ERROR(PKIX_ATTEMPTTOADDDUPLICATEKEY);
}
}