Fix for bug 178894 . Quick decoder updates for lib/certdb and lib/certhigh . r=nelson .

2006-08-07 19:09:41 +00:00 · 2006-08-07 19:09:41 +00:00 · ea2ed3465f
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@ -37,7 +37,7 @@
 /*
 * cert.h - public data structures and prototypes for the certificate library
 *
- * $Id: cert.h,v 1.53 2005-03-09 23:02:47 neil.williams%sun.com Exp $
+ * $Id: cert.h,v 1.54 2006-08-07 19:09:41 julien.pierre.bugs%sun.com Exp $
 */
 #ifndef _CERT_H_
@ -348,7 +348,7 @@ CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
 		       PRArenaPool *arena);
 extern CERTGeneralName *
-CERT_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
+CERT_DecodeGeneralName(PRArenaPool *reqArena, SECItem *encodedName,
 		       CERTGeneralName  *genName);
@ -360,7 +360,8 @@ CERT_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
 **	"derCert" the DER encoded certificate
 **	"key" the returned key
 */
-extern SECStatus CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
+extern SECStatus CERT_KeyFromDERCert(PRArenaPool *reqArena, SECItem *derCert,
                                     SECItem *key);
 extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
 					 SECItem *sn, SECItem *key);
@ -1148,7 +1149,7 @@ CERTUserNotice *
 CERT_DecodeUserNotice(SECItem *noticeItem);
 extern CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName);
+CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName);
 extern CERTNameConstraints *
 CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, 
@ -1156,7 +1157,7 @@ CERT_DecodeNameConstraintsExtension(PRArenaPool *arena,
 /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
 extern CERTAuthInfoAccess **
-CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
 				   SECItem     *encodedExtension);
 extern CERTPrivKeyUsagePeriod *
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@ -38,7 +38,7 @@
 /*
 * Certificate handling code
 *
- * $Id: certdb.c,v 1.77 2006-02-16 00:06:23 julien.pierre.bugs%sun.com Exp $
+ * $Id: certdb.c,v 1.78 2006-08-07 19:09:41 julien.pierre.bugs%sun.com Exp $
 */
 #include "nssilock.h"
@ -390,27 +390,34 @@ loser:
 * DER certificate.
 */
 SECStatus
-CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+CERT_KeyFromDERCert(PRArenaPool *reqArena, SECItem *derCert, SECItem *key)
 {
    int rv;
    CERTSignedData sd;
    CERTCertKey certkey;
    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    rv = SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate,
                                derCert);
    if ( rv ) {
 	goto loser;
    }
    PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
-    rv = SEC_ASN1DecodeItem(arena, &certkey, CERT_CertKeyTemplate, &sd.data);
+    rv = SEC_QuickDERDecodeItem(reqArena, &certkey, CERT_CertKeyTemplate,
                                &sd.data);
    if ( rv ) {
 	goto loser;
    }
-    return(CERT_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+    return(CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer,
 				   &certkey.serialNumber, key));
 loser:
    return(SECFailure);
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@ -37,7 +37,7 @@
 /*
 * Moved from secpkcs7.c
 *
- * $Id: crl.c,v 1.52 2006-05-31 01:57:55 julien.pierre.bugs%sun.com Exp $
+ * $Id: crl.c,v 1.53 2006-08-07 19:09:41 julien.pierre.bugs%sun.com Exp $
 */
 #include "cert.h"
@ -381,23 +381,32 @@ CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
    SECStatus rv;
    CERTSignedData sd;
    CERTCrlKey crlkey;
    PRArenaPool* myArena;
    if (!arena) {
        /* arena needed for QuickDER */
        myArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    } else {
        myArena = arena;
    }
    PORT_Memset (&sd, 0, sizeof (sd));
-    rv = SEC_ASN1DecodeItem (arena, &sd, CERT_SignedDataTemplate, derCrl);
+    rv = SEC_QuickDERDecodeItem (myArena, &sd, CERT_SignedDataTemplate, derCrl);
-    if (rv != SECSuccess) {
+    if (SECSuccess == rv) {
-	return rv;
+        PORT_Memset (&crlkey, 0, sizeof (crlkey));
        rv = SEC_QuickDERDecodeItem(myArena, &crlkey, cert_CrlKeyTemplate, &sd.data);
    }
-    PORT_Memset (&crlkey, 0, sizeof (crlkey));
+    /* make a copy so the data doesn't point to memory inside derCrl, which
-    rv = SEC_ASN1DecodeItem(arena, &crlkey, cert_CrlKeyTemplate, &sd.data);
+       may be temporary */
-    if (rv != SECSuccess) {
+    if (SECSuccess == rv) {
-	return rv;
+        rv = SECITEM_CopyItem(arena, key, &crlkey.derName);
    }
-    key->len =  crlkey.derName.len;
+    if (myArena != arena) {
-    key->data = crlkey.derName.data;
+        PORT_FreeArena(myArena, PR_FALSE);
    }
-    return(SECSuccess);
+    return rv;
 }
 #define GetOpaqueCRLFields(x) ((OpaqueCRLFields*)x->opaque)
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@ -413,25 +413,36 @@ loser:
 }
 CERTGeneralName *
-CERT_DecodeGeneralName(PRArenaPool      *arena,
+CERT_DecodeGeneralName(PRArenaPool      *reqArena,
 		       SECItem          *encodedName,
 		       CERTGeneralName  *genName)
 {
    const SEC_ASN1Template *         template;
    CERTGeneralNameType              genNameType;
    SECStatus                        rv = SECSuccess;
    SECItem* newEncodedName;
-    PORT_Assert(arena);
+    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    /* make a copy for decoding so the data decoded with QuickDER doesn't
       point to temporary memory */
    newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName);
    if (!newEncodedName) {
        return NULL;
    }
    /* TODO: mark arena */
-    genNameType = (CERTGeneralNameType)((*(encodedName->data) & 0x0f) + 1);
+    genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
    if (genName == NULL) {
-	genName = cert_NewGeneralName(arena, genNameType);
+	genName = cert_NewGeneralName(reqArena, genNameType);
 	if (!genName)
 	    goto loser;
    } else {
 	genName->type = genNameType;
 	genName->l.prev = genName->l.next = &genName->l;
    }
    switch (genNameType) {
    case certURI: 		template = CERT_URITemplate;           break;
    case certRFC822Name: 	template = CERT_RFC822NameTemplate;    break;
@ -445,11 +456,11 @@ CERT_DecodeGeneralName(PRArenaPool      *arena,
    default: 
        goto loser;
    }
-    rv = SEC_ASN1DecodeItem(arena, genName, template, encodedName);
+    rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName);
    if (rv != SECSuccess) 
 	goto loser;
    if (genNameType == certDirectoryName) {
-	rv = SEC_ASN1DecodeItem(arena, &(genName->name.directoryName), 
+	rv = SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName), 
 				CERT_NameTemplate, 
 				&(genName->derDirectoryName));
        if (rv != SECSuccess)
@ -624,25 +635,34 @@ loser:
 CERTNameConstraint *
-cert_DecodeNameConstraint(PRArenaPool       *arena,
+cert_DecodeNameConstraint(PRArenaPool       *reqArena,
 			  SECItem           *encodedConstraint)
 {
    CERTNameConstraint     *constraint;
    SECStatus              rv = SECSuccess;
    CERTGeneralName        *temp;
    SECItem*               newEncodedConstraint;
-    PORT_Assert(arena);
+    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint);
    if (!newEncodedConstraint) {
        return NULL;
    }
    /* TODO: mark arena */
-    constraint = PORT_ArenaZNew(arena, CERTNameConstraint);
+    constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint);
    if (!constraint)
    	goto loser;
-    rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, 
+    rv = SEC_QuickDERDecodeItem(reqArena, constraint,
-                            encodedConstraint);
+                                CERTNameConstraintTemplate,
                                newEncodedConstraint);
    if (rv != SECSuccess) {
 	goto loser;
    }
-    temp = CERT_DecodeGeneralName(arena, &(constraint->DERName), 
+    temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName),
-                                         &(constraint->name));
+                                  &(constraint->name));
    if (temp != &(constraint->name)) {
 	goto loser;
    }
@ -693,29 +713,37 @@ loser:
 }
 CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool   *arena,
+cert_DecodeNameConstraints(PRArenaPool   *reqArena,
 			   SECItem       *encodedConstraints)
 {
    CERTNameConstraints   *constraints;
    SECStatus             rv;
    SECItem*              newEncodedConstraints;
-    PORT_Assert(arena);
+    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    PORT_Assert(encodedConstraints);
    newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints);
    /* TODO: mark arena */
-    constraints = PORT_ArenaZNew(arena, CERTNameConstraints);
+    constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints);
    if (constraints == NULL) {
 	goto loser;
    }
-    rv = SEC_ASN1DecodeItem(arena, constraints, CERTNameConstraintsTemplate, 
+    rv = SEC_QuickDERDecodeItem(reqArena, constraints,
-			    encodedConstraints);
+                                CERTNameConstraintsTemplate,
                                newEncodedConstraints);
    if (rv != SECSuccess) {
 	goto loser;
    }
    if (constraints->DERPermited != NULL && 
        constraints->DERPermited[0] != NULL) {
 	constraints->permited = 
-	    cert_DecodeNameConstraintSubTree(arena, constraints->DERPermited,
+	    cert_DecodeNameConstraintSubTree(reqArena,
-					     PR_TRUE);
+                                             constraints->DERPermited,
                                             PR_TRUE);
 	if (constraints->permited == NULL) {
 	    goto loser;
 	}
@ -723,8 +751,9 @@ cert_DecodeNameConstraints(PRArenaPool   *arena,
    if (constraints->DERExcluded != NULL && 
        constraints->DERExcluded[0] != NULL) {
 	constraints->excluded = 
-	    cert_DecodeNameConstraintSubTree(arena, constraints->DERExcluded,
+	    cert_DecodeNameConstraintSubTree(reqArena,
-					     PR_FALSE);
+                                             constraints->DERExcluded,
                                             PR_FALSE);
 	if (constraints->excluded == NULL) {
 	    goto loser;
 	}
@ -1458,7 +1487,7 @@ SECStatus
 CERT_CompareNameSpace(CERTCertificate  *cert,
 		      CERTGeneralName  *namesList,
 		      CERTCertificate **certsList,
- 		      PRArenaPool      *arena,
+ 		      PRArenaPool      *reqArena,
 		      CERTCertificate **pBadCert)
 {
    SECStatus            rv;
@ -1481,7 +1510,7 @@ CERT_CompareNameSpace(CERTCertificate  *cert,
 	goto done;
    }
    /* TODO: mark arena */
-    constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
+    constraints = cert_DecodeNameConstraints(reqArena, &constraintsExtension);
    PORT_Free(constraintsExtension.data);
    currentName = namesList;
    if (constraints == NULL) { /* decode failed */
@ -1493,7 +1522,7 @@ CERT_CompareNameSpace(CERTCertificate  *cert,
 	if (constraints->excluded != NULL) {
 	    rv = CERT_GetNameConstraintByType(constraints->excluded, 
 	                                      currentName->type, 
- 					      &matchingConstraints, arena);
+ 					      &matchingConstraints, reqArena);
 	    if (rv == SECSuccess && matchingConstraints != NULL) {
 		rv = cert_CompareNameWithConstraints(currentName, 
 		                                     matchingConstraints,
@ -1505,7 +1534,7 @@ CERT_CompareNameSpace(CERTCertificate  *cert,
 	if (constraints->permited != NULL) {
 	    rv = CERT_GetNameConstraintByType(constraints->permited, 
 	                                      currentName->type, 
- 					      &matchingConstraints, arena);
+ 					      &matchingConstraints, reqArena);
            if (rv == SECSuccess && matchingConstraints != NULL) {
 		rv = cert_CompareNameWithConstraints(currentName, 
 		                                     matchingConstraints,
@ -1582,7 +1611,7 @@ CERT_GetNickName(CERTCertificate   *cert,
    if (!found)
    	goto loser;
-    rv = SEC_ASN1DecodeItem(arena, &nick, SEC_IA5StringTemplate, 
+    rv = SEC_QuickDERDecodeItem(arena, &nick, SEC_IA5StringTemplate, 
 			    &current->name.OthName.name);
    if (rv != SECSuccess) {
 	goto loser;
--- a/security/nss/lib/certdb/genname.h
+++ b/security/nss/lib/certdb/genname.h
@ -130,7 +130,7 @@ SECStatus
 CERT_CompareNameSpace(CERTCertificate  *cert,
 		      CERTGeneralName  *namesList,
 		      CERTCertificate **certsList,
- 		      PRArenaPool      *arena,
+ 		      PRArenaPool      *reqArena,
 		      CERTCertificate **pBadCert);
 SEC_END_PROTOS
--- a/security/nss/lib/certdb/xconst.c
+++ b/security/nss/lib/certdb/xconst.c
@ -205,20 +205,32 @@ CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECIte
 }
 CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName)
+CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName)
 {
-    SECStatus              rv = SECSuccess;
+    SECStatus                  rv = SECSuccess;
    CERTAltNameEncodedContext  encodedContext;
    SECItem*                   newEncodedAltName;
    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    newEncodedAltName = SECITEM_ArenaDupItem(reqArena, EncodedAltName);
    if (!newEncodedAltName) {
        return NULL;
    }
    encodedContext.encodedGenName = NULL;
    PORT_Memset(&encodedContext, 0, sizeof(CERTAltNameEncodedContext));
-    rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate,
+    rv = SEC_QuickDERDecodeItem (reqArena, &encodedContext,
-			     EncodedAltName);
+                                 CERT_GeneralNamesTemplate, newEncodedAltName);
    if (rv == SECFailure) {
 	goto loser;
    }
    if (encodedContext.encodedGenName && encodedContext.encodedGenName[0])
-	return cert_DecodeGeneralNames(arena, encodedContext.encodedGenName);
+	return cert_DecodeGeneralNames(reqArena,
                                       encodedContext.encodedGenName);
    /* Extension contained an empty GeneralNames sequence */
    /* Treat as extension not found */
    PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
@ -248,21 +260,32 @@ CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
 CERTAuthInfoAccess **
-CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
 				   SECItem     *encodedExtension)
 {
    CERTAuthInfoAccess **info = NULL;
    SECStatus rv;
    int i;
    SECItem* newEncodedExtension;
-    rv = SEC_ASN1DecodeItem(arena, &info, CERTAuthInfoAccessTemplate, 
+    if (!reqArena) {
-			    encodedExtension);
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    newEncodedExtension = SECITEM_ArenaDupItem(reqArena, encodedExtension);
    if (!newEncodedExtension) {
        return NULL;
    }
    rv = SEC_QuickDERDecodeItem(reqArena, &info, CERTAuthInfoAccessTemplate, 
 			    newEncodedExtension);
    if (rv != SECSuccess || info == NULL) {
 	return NULL;
    }
    for (i = 0; info[i] != NULL; i++) {
-	info[i]->location = CERT_DecodeGeneralName(arena,
+	info[i]->location = CERT_DecodeGeneralName(reqArena,
 						   &(info[i]->derLocation),
 						   NULL);
    }
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@ -38,7 +38,7 @@
 * Implementation of OCSP services, for both client and server.
 * (XXX, really, mostly just for client right now, but intended to do both.)
 *
- * $Id: ocsp.c,v 1.26 2006-07-19 00:08:52 nelson%bolyard.com Exp $
+ * $Id: ocsp.c,v 1.27 2006-08-07 19:09:41 julien.pierre.bugs%sun.com Exp $
 */
 #include "prerror.h"
@ -1280,7 +1280,7 @@ ocsp_CertStatusTypeByTag(int derTag)
 * have allocated; it expects its caller to do that.
 */
 static SECStatus
-ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
+ocsp_FinishDecodingSingleResponses(PRArenaPool *reqArena,
 				   CERTOCSPSingleResponse **responses)
 {
    ocspCertStatus *certStatus;
@ -1290,10 +1290,16 @@ ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
    int i;
    SECStatus rv = SECFailure;
    if (!reqArena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    if (responses == NULL)			/* nothing to do */
 	return SECSuccess;
    for (i = 0; responses[i] != NULL; i++) {
        SECItem* newStatus;
 	/*
 	 * The following assert points out internal errors (problems in
 	 * the template definitions or in the ASN.1 decoder itself, etc.).
@ -1304,12 +1310,16 @@ ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
 	certStatusType = ocsp_CertStatusTypeByTag(derTag);
 	certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
-	certStatus = PORT_ArenaZAlloc(arena, sizeof(ocspCertStatus));
+	certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
 	if (certStatus == NULL) {
 	    goto loser;
 	}
-	rv = SEC_ASN1DecodeItem(arena, certStatus, certStatusTemplate,
+        newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus);
-				&responses[i]->derCertStatus);
+        if (!newStatus) {
            goto loser;
        }
 	rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
 				newStatus);
 	if (rv != SECSuccess) {
 	    if (PORT_GetError() == SEC_ERROR_BAD_DER)
 		PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);