зеркало из https://github.com/mozilla/pjs.git
178 строки
5.5 KiB
C
178 строки
5.5 KiB
C
/* ***** BEGIN LICENSE BLOCK *****
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
*
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
* http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
* for the specific language governing rights and limitations under the
|
|
* License.
|
|
*
|
|
* The Original Code is the Netscape security libraries.
|
|
*
|
|
* The Initial Developer of the Original Code is
|
|
* Netscape Communications Corporation.
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
* the Initial Developer. All Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
* the provisions above, a recipient may use your version of this file under
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
*
|
|
* ***** END LICENSE BLOCK ***** */
|
|
|
|
/*
|
|
* X.509 v3 Basic Constraints Extension
|
|
*/
|
|
|
|
#include "prtypes.h"
|
|
#include "mcom_db.h"
|
|
#include "seccomon.h"
|
|
#include "secdert.h"
|
|
#include "secoidt.h"
|
|
#include "secasn1t.h"
|
|
#include "secasn1.h"
|
|
#include "certt.h"
|
|
#include "secder.h"
|
|
#include "prprf.h"
|
|
#include "secerr.h"
|
|
|
|
typedef struct EncodedContext{
|
|
SECItem isCA;
|
|
SECItem pathLenConstraint;
|
|
SECItem encodedValue;
|
|
PRArenaPool *arena;
|
|
}EncodedContext;
|
|
|
|
static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
|
|
{ SEC_ASN1_SEQUENCE,
|
|
0, NULL, sizeof(EncodedContext) },
|
|
{ SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
|
|
offsetof(EncodedContext,isCA)},
|
|
{ SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
|
|
offsetof(EncodedContext,pathLenConstraint) },
|
|
{ 0, }
|
|
};
|
|
|
|
static unsigned char hexTrue = 0xff;
|
|
static unsigned char hexFalse = 0x00;
|
|
|
|
#define GEN_BREAK(status) rv = status; break;
|
|
|
|
SECStatus CERT_EncodeBasicConstraintValue
|
|
(PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
|
|
{
|
|
EncodedContext encodeContext;
|
|
PRArenaPool *our_pool = NULL;
|
|
SECStatus rv = SECSuccess;
|
|
|
|
do {
|
|
PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
|
|
if (!value->isCA && value->pathLenConstraint >= 0) {
|
|
PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
|
|
encodeContext.arena = arena;
|
|
if (value->isCA == PR_TRUE) {
|
|
encodeContext.isCA.data = &hexTrue ;
|
|
encodeContext.isCA.len = 1;
|
|
}
|
|
|
|
/* If the pathLenConstraint is less than 0, then it should be
|
|
* omitted from the encoding.
|
|
*/
|
|
if (value->isCA && value->pathLenConstraint >= 0) {
|
|
our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
|
|
if (our_pool == NULL) {
|
|
PORT_SetError (SEC_ERROR_NO_MEMORY);
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
if (SEC_ASN1EncodeUnsignedInteger
|
|
(our_pool, &encodeContext.pathLenConstraint,
|
|
(unsigned long)value->pathLenConstraint) == NULL) {
|
|
PORT_SetError (SEC_ERROR_NO_MEMORY);
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
}
|
|
if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
|
|
CERTBasicConstraintsTemplate) == NULL) {
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
} while (0);
|
|
if (our_pool)
|
|
PORT_FreeArena (our_pool, PR_FALSE);
|
|
return(rv);
|
|
|
|
}
|
|
|
|
SECStatus CERT_DecodeBasicConstraintValue
|
|
(CERTBasicConstraints *value, SECItem *encodedValue)
|
|
{
|
|
EncodedContext decodeContext;
|
|
PRArenaPool *our_pool;
|
|
SECStatus rv = SECSuccess;
|
|
|
|
do {
|
|
PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
|
|
/* initialize the value just in case we got "0x30 00", or when the
|
|
pathLenConstraint is omitted.
|
|
*/
|
|
decodeContext.isCA.data =&hexFalse;
|
|
decodeContext.isCA.len = 1;
|
|
|
|
our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
|
|
if (our_pool == NULL) {
|
|
PORT_SetError (SEC_ERROR_NO_MEMORY);
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
|
|
rv = SEC_QuickDERDecodeItem
|
|
(our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
|
|
if (rv == SECFailure)
|
|
break;
|
|
|
|
value->isCA = decodeContext.isCA.data
|
|
? (PRBool)(decodeContext.isCA.data[0] != 0)
|
|
: PR_FALSE;
|
|
if (decodeContext.pathLenConstraint.data == NULL) {
|
|
/* if the pathLenConstraint is not encoded, and the current setting
|
|
is CA, then the pathLenConstraint should be set to a negative number
|
|
for unlimited certificate path.
|
|
*/
|
|
if (value->isCA)
|
|
value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
|
|
} else if (value->isCA) {
|
|
long len = DER_GetInteger (&decodeContext.pathLenConstraint);
|
|
if (len < 0 || len == LONG_MAX) {
|
|
PORT_SetError (SEC_ERROR_BAD_DER);
|
|
GEN_BREAK (SECFailure);
|
|
}
|
|
value->pathLenConstraint = len;
|
|
} else {
|
|
/* here we get an error where the subject is not a CA, but
|
|
the pathLenConstraint is set */
|
|
PORT_SetError (SEC_ERROR_BAD_DER);
|
|
GEN_BREAK (SECFailure);
|
|
break;
|
|
}
|
|
|
|
} while (0);
|
|
PORT_FreeArena (our_pool, PR_FALSE);
|
|
return (rv);
|
|
|
|
}
|