Source code

Revision control

Copy as Markdown

Other Tools

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* pkix_policychecker.c
*
* Functions for Policy Checker
*
*/
#include "pkix_policychecker.h"
/* --Forward declarations----------------------------------------------- */
static PKIX_Error *
pkix_PolicyChecker_MakeSingleton(
PKIX_PL_Object *listItem,
PKIX_Boolean immutability,
PKIX_List **pList,
void *plContext);
/* --Private-PolicyCheckerState-Functions---------------------------------- */
/*
* FUNCTION:pkix_PolicyCheckerState_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_PolicyCheckerState_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PolicyCheckerState *checkerState = NULL;
PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType
(object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
PKIX_OBJECTNOTPOLICYCHECKERSTATE);
checkerState = (PKIX_PolicyCheckerState *)object;
PKIX_DECREF(checkerState->certPoliciesExtension);
PKIX_DECREF(checkerState->policyMappingsExtension);
PKIX_DECREF(checkerState->policyConstraintsExtension);
PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
PKIX_DECREF(checkerState->anyPolicyOID);
PKIX_DECREF(checkerState->validPolicyTree);
PKIX_DECREF(checkerState->userInitialPolicySet);
PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
checkerState->policyQualifiersRejected = PKIX_FALSE;
checkerState->explicitPolicy = 0;
checkerState->inhibitAnyPolicy = 0;
checkerState->policyMapping = 0;
checkerState->numCerts = 0;
checkerState->certsProcessed = 0;
checkerState->certPoliciesCritical = PKIX_FALSE;
PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
PKIX_DECREF(checkerState->newAnyPolicyNode);
PKIX_DECREF(checkerState->mappedPolicyOIDs);
cleanup:
PKIX_RETURN(CERTPOLICYCHECKERSTATE);
}
/*
* FUNCTION: pkix_PolicyCheckerState_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_PolicyCheckerState_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pCheckerStateString,
void *plContext)
{
PKIX_PolicyCheckerState *state = NULL;
PKIX_PL_String *resultString = NULL;
PKIX_PL_String *policiesExtOIDString = NULL;
PKIX_PL_String *policyMapOIDString = NULL;
PKIX_PL_String *policyConstrOIDString = NULL;
PKIX_PL_String *inhAnyPolOIDString = NULL;
PKIX_PL_String *anyPolicyOIDString = NULL;
PKIX_PL_String *validPolicyTreeString = NULL;
PKIX_PL_String *userInitialPolicySetString = NULL;
PKIX_PL_String *mappedUserPolicySetString = NULL;
PKIX_PL_String *mappedPolicyOIDsString = NULL;
PKIX_PL_String *anyAtBottomString = NULL;
PKIX_PL_String *newAnyPolicyString = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *trueString = NULL;
PKIX_PL_String *falseString = NULL;
PKIX_PL_String *nullString = NULL;
PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
char *asciiFormat =
"{\n"
"\tcertPoliciesExtension: \t%s\n"
"\tpolicyMappingsExtension: \t%s\n"
"\tpolicyConstraintsExtension:\t%s\n"
"\tinhibitAnyPolicyExtension:\t%s\n"
"\tanyPolicyOID: \t%s\n"
"\tinitialIsAnyPolicy: \t%s\n"
"\tvalidPolicyTree: \t%s\n"
"\tuserInitialPolicySet: \t%s\n"
"\tmappedUserPolicySet: \t%s\n"
"\tpolicyQualifiersRejected: \t%s\n"
"\tinitialPolMappingInhibit: \t%s\n"
"\tinitialExplicitPolicy: \t%s\n"
"\tinitialAnyPolicyInhibit: \t%s\n"
"\texplicitPolicy: \t%d\n"
"\tinhibitAnyPolicy: \t%d\n"
"\tpolicyMapping: \t%d\n"
"\tnumCerts: \t%d\n"
"\tcertsProcessed: \t%d\n"
"\tanyPolicyNodeAtBottom: \t%s\n"
"\tnewAnyPolicyNode: \t%s\n"
"\tcertPoliciesCritical: \t%s\n"
"\tmappedPolicyOIDs: \t%s\n"
"}";
PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
PKIX_NULLCHECK_TWO(object, pCheckerStateString);
PKIX_CHECK(pkix_CheckType
(object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
PKIX_OBJECTNOTPOLICYCHECKERSTATE);
state = (PKIX_PolicyCheckerState *)object;
PKIX_NULLCHECK_THREE
(state->certPoliciesExtension,
state->policyMappingsExtension,
state->policyConstraintsExtension);
PKIX_NULLCHECK_THREE
(state->inhibitAnyPolicyExtension,
state->anyPolicyOID,
state->userInitialPolicySet);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
PKIX_STRINGCREATEFAILED);
/*
* Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
* PKIX_PL_String is complicated enough, it's worth checking, for
* each, to make sure the string is needed.
*/
initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
initialExplicitPolicy = state->initialExplicitPolicy;
initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
initialIsAnyPolicy = state->initialIsAnyPolicy;
policyQualifiersRejected = state->policyQualifiersRejected;
certPoliciesCritical = state->certPoliciesCritical;
if (initialPolicyMappingInhibit || initialExplicitPolicy ||
initialAnyPolicyInhibit || initialIsAnyPolicy ||
policyQualifiersRejected || certPoliciesCritical) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
PKIX_STRINGCREATEFAILED);
}
if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
!initialAnyPolicyInhibit || !initialIsAnyPolicy ||
!policyQualifiersRejected || !certPoliciesCritical) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
PKIX_STRINGCREATEFAILED);
}
if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
PKIX_STRINGCREATEFAILED);
}
PKIX_TOSTRING
(state->certPoliciesExtension, &policiesExtOIDString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->policyMappingsExtension,
&policyMapOIDString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->policyConstraintsExtension,
&policyConstrOIDString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->inhibitAnyPolicyExtension,
&inhAnyPolOIDString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->userInitialPolicySet,
&userInitialPolicySetString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(state->mappedUserInitialPolicySet,
&mappedUserPolicySetString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
if (state->anyPolicyNodeAtBottom) {
PKIX_CHECK(pkix_SinglePolicyNode_ToString
(state->anyPolicyNodeAtBottom,
&anyAtBottomString,
plContext),
PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
} else {
PKIX_INCREF(nullString);
anyAtBottomString = nullString;
}
if (state->newAnyPolicyNode) {
PKIX_CHECK(pkix_SinglePolicyNode_ToString
(state->newAnyPolicyNode,
&newAnyPolicyString,
plContext),
PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
} else {
PKIX_INCREF(nullString);
newAnyPolicyString = nullString;
}
PKIX_TOSTRING
(state->mappedPolicyOIDs,
&mappedPolicyOIDsString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&resultString,
plContext,
formatString,
policiesExtOIDString,
policyMapOIDString,
policyConstrOIDString,
inhAnyPolOIDString,
anyPolicyOIDString,
initialIsAnyPolicy?trueString:falseString,
validPolicyTreeString,
userInitialPolicySetString,
mappedUserPolicySetString,
policyQualifiersRejected?trueString:falseString,
initialPolicyMappingInhibit?trueString:falseString,
initialExplicitPolicy?trueString:falseString,
initialAnyPolicyInhibit?trueString:falseString,
state->explicitPolicy,
state->inhibitAnyPolicy,
state->policyMapping,
state->numCerts,
state->certsProcessed,
anyAtBottomString,
newAnyPolicyString,
certPoliciesCritical?trueString:falseString,
mappedPolicyOIDsString),
PKIX_SPRINTFFAILED);
*pCheckerStateString = resultString;
cleanup:
PKIX_DECREF(policiesExtOIDString);
PKIX_DECREF(policyMapOIDString);
PKIX_DECREF(policyConstrOIDString);
PKIX_DECREF(inhAnyPolOIDString);
PKIX_DECREF(anyPolicyOIDString);
PKIX_DECREF(validPolicyTreeString);
PKIX_DECREF(userInitialPolicySetString);
PKIX_DECREF(mappedUserPolicySetString);
PKIX_DECREF(anyAtBottomString);
PKIX_DECREF(newAnyPolicyString);
PKIX_DECREF(mappedPolicyOIDsString);
PKIX_DECREF(formatString);
PKIX_DECREF(trueString);
PKIX_DECREF(falseString);
PKIX_DECREF(nullString);
PKIX_RETURN(CERTPOLICYCHECKERSTATE);
}
/*
* FUNCTION: pkix_PolicyCheckerState_RegisterSelf
* DESCRIPTION:
*
* Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
* with systemClasses[]
*
* PARAMETERS:
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe - for performance and complexity reasons
*
* Since this function is only called by PKIX_PL_Initialize, which should
* only be called once, it is acceptable that this function is not
* thread-safe.
*/
PKIX_Error *
pkix_PolicyCheckerState_RegisterSelf(void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
PKIX_ENTER
(CERTPOLICYCHECKERSTATE,
"pkix_PolicyCheckerState_RegisterSelf");
entry.description = "PolicyCheckerState";
entry.objCounter = 0;
entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
entry.destructor = pkix_PolicyCheckerState_Destroy;
entry.equalsFunction = NULL;
entry.hashcodeFunction = NULL;
entry.toStringFunction = pkix_PolicyCheckerState_ToString;
entry.comparator = NULL;
entry.duplicateFunction = NULL;
systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
PKIX_RETURN(CERTPOLICYCHECKERSTATE);
}
/*
* FUNCTION:pkix_PolicyCheckerState_Create
* DESCRIPTION:
*
* Creates a PolicyCheckerState Object, using the List pointed to
* by "initialPolicies" for the user-initial-policy-set, the Boolean value
* of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
* the Boolean value of "initialPolicyMappingInhibit" for the
* inhibitPolicyMappings parameter, the Boolean value of
* "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
* Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
* parameter, and the UInt32 value of "numCerts" as the number of
* certificates in the chain; and stores the Object at "pCheckerState".
*
* PARAMETERS:
* "initialPolicies"
* Address of List of OIDs comprising the user-initial-policy-set; the List
* may be empty, but must be non-NULL
* "policyQualifiersRejected"
* Boolean value of the policyQualifiersRejected parameter
* "initialPolicyMappingInhibit"
* Boolean value of the inhibitPolicyMappings parameter
* "initialExplicitPolicy"
* Boolean value of the initialExplicitPolicy parameter
* "initialAnyPolicyInhibit"
* Boolean value of the inhibitAnyPolicy parameter
* "numCerts"
* Number of certificates in the chain to be validated
* "pCheckerState"
* Address where PolicyCheckerState will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertPolicyCheckerState Error if the functions fails in a
* non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyCheckerState_Create(
PKIX_List *initialPolicies,
PKIX_Boolean policyQualifiersRejected,
PKIX_Boolean initialPolicyMappingInhibit,
PKIX_Boolean initialExplicitPolicy,
PKIX_Boolean initialAnyPolicyInhibit,
PKIX_UInt32 numCerts,
PKIX_PolicyCheckerState **pCheckerState,
void *plContext)
{
PKIX_PolicyCheckerState *checkerState = NULL;
PKIX_PolicyNode *policyNode = NULL;
PKIX_List *anyPolicyList = NULL;
PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE;
PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_CERTPOLICYCHECKERSTATE_TYPE,
sizeof (PKIX_PolicyCheckerState),
(PKIX_PL_Object **)&checkerState,
plContext),
PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
/* Create constant PKIX_PL_OIDs: */
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_CERTIFICATEPOLICIES_OID,
&(checkerState->certPoliciesExtension),
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_POLICYMAPPINGS_OID,
&(checkerState->policyMappingsExtension),
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_POLICYCONSTRAINTS_OID,
&(checkerState->policyConstraintsExtension),
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_INHIBITANYPOLICY_OID,
&(checkerState->inhibitAnyPolicyExtension),
plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
&(checkerState->anyPolicyOID),
plContext),
PKIX_OIDCREATEFAILED);
/* Create an initial policy set from argument supplied */
PKIX_INCREF(initialPolicies);
checkerState->userInitialPolicySet = initialPolicies;
PKIX_INCREF(initialPolicies);
checkerState->mappedUserInitialPolicySet = initialPolicies;
PKIX_CHECK(PKIX_List_IsEmpty
(initialPolicies,
&initialPoliciesIsEmpty,
plContext),
PKIX_LISTISEMPTYFAILED);
if (initialPoliciesIsEmpty) {
checkerState->initialIsAnyPolicy = PKIX_TRUE;
} else {
PKIX_CHECK(pkix_List_Contains
(initialPolicies,
(PKIX_PL_Object *)(checkerState->anyPolicyOID),
&(checkerState->initialIsAnyPolicy),
plContext),
PKIX_LISTCONTAINSFAILED);
}
checkerState->policyQualifiersRejected =
policyQualifiersRejected;
checkerState->initialExplicitPolicy = initialExplicitPolicy;
checkerState->explicitPolicy =
(initialExplicitPolicy? 0: numCerts + 1);
checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
checkerState->inhibitAnyPolicy =
(initialAnyPolicyInhibit? 0: numCerts + 1);
checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
checkerState->policyMapping =
(initialPolicyMappingInhibit? 0: numCerts + 1);
;
checkerState->numCerts = numCerts;
checkerState->certsProcessed = 0;
checkerState->certPoliciesCritical = PKIX_FALSE;
/* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
((PKIX_PL_Object *)(checkerState->anyPolicyOID),
PKIX_TRUE,
&anyPolicyList,
plContext),
PKIX_POLICYCHECKERMAKESINGLETONFAILED);
PKIX_CHECK(pkix_PolicyNode_Create
(checkerState->anyPolicyOID, /* validPolicy */
NULL, /* qualifier set */
PKIX_FALSE, /* criticality */
anyPolicyList, /* expectedPolicySet */
&policyNode,
plContext),
PKIX_POLICYNODECREATEFAILED);
checkerState->validPolicyTree = policyNode;
/*
* Since the initial validPolicyTree specifies
* ANY_POLICY, begin with a pointer to the root node.
*/
PKIX_INCREF(policyNode);
checkerState->anyPolicyNodeAtBottom = policyNode;
checkerState->newAnyPolicyNode = NULL;
checkerState->mappedPolicyOIDs = NULL;
*pCheckerState = checkerState;
checkerState = NULL;
cleanup:
PKIX_DECREF(checkerState);
PKIX_DECREF(anyPolicyList);
PKIX_RETURN(CERTPOLICYCHECKERSTATE);
}
/* --Private-PolicyChecker-Functions--------------------------------------- */
/*
* FUNCTION: pkix_PolicyChecker_MapContains
* DESCRIPTION:
*
* Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
* determine whether the OID pointed to by "policy" is among the
* issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
* stores the result in "pFound".
*
* This function is intended to allow an efficient check that the proscription
* against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
* not violated.
*
* PARAMETERS:
* "certPolicyMaps"
* Address of List of CertPolicyMaps to be searched. May be empty, but
* must be non-NULL
* "policy"
* Address of OID to be checked for. Must be non-NULL
* "pFound"
* Address where the result of the search will be stored. Must be non-NULL.
* "plContext"
* platform-specific context pointer
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_PolicyChecker_MapContains(
PKIX_List *certPolicyMaps,
PKIX_PL_OID *policy,
PKIX_Boolean *pFound,
void *plContext)
{
PKIX_PL_CertPolicyMap *map = NULL;
PKIX_UInt32 numEntries = 0;
PKIX_UInt32 index = 0;
PKIX_Boolean match = PKIX_FALSE;
PKIX_PL_OID *issuerDomainPolicy = NULL;
PKIX_PL_OID *subjectDomainPolicy = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
PKIX_LISTGETLENGTHFAILED);
for (index = 0; (!match) && (index < numEntries); index++) {
PKIX_CHECK(PKIX_List_GetItem
(certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(map);
PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
(map, &issuerDomainPolicy, plContext),
PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
PKIX_EQUALS
(policy, issuerDomainPolicy, &match, plContext,
PKIX_OBJECTEQUALSFAILED);
if (!match) {
PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
(map, &subjectDomainPolicy, plContext),
PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
PKIX_EQUALS
(policy, subjectDomainPolicy, &match, plContext,
PKIX_OBJECTEQUALSFAILED);
}
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
PKIX_DECREF(subjectDomainPolicy);
}
*pFound = match;
cleanup:
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
PKIX_DECREF(subjectDomainPolicy);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
* DESCRIPTION:
*
* Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
* a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
* policy pointed to by "policy", and stores the result in
* "pSubjectDomainPolicies".
*
* If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
* resulting List will be NULL. If there are CertPolicyMaps, but none that
* include "policy" as an IssuerDomainPolicy, the returned List pointer will
* be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
* of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
* List is returned it will be immutable.
*
* PARAMETERS:
* "certPolicyMaps"
* Address of List of CertPolicyMaps to be searched. May be empty or NULL.
* "policy"
* Address of OID to be checked for. Must be non-NULL
* "pSubjectDomainPolicies"
* Address where the result of the search will be stored. Must be non-NULL.
* "plContext"
* platform-specific context pointer
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_PolicyChecker_MapGetSubjectDomainPolicies(
PKIX_List *certPolicyMaps,
PKIX_PL_OID *policy,
PKIX_List **pSubjectDomainPolicies,
void *plContext)
{
PKIX_PL_CertPolicyMap *map = NULL;
PKIX_List *subjectList = NULL;
PKIX_UInt32 numEntries = 0;
PKIX_UInt32 index = 0;
PKIX_Boolean match = PKIX_FALSE;
PKIX_PL_OID *issuerDomainPolicy = NULL;
PKIX_PL_OID *subjectDomainPolicy = NULL;
PKIX_ENTER
(CERTCHAINCHECKER,
"pkix_PolicyChecker_MapGetSubjectDomainPolicies");
PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
if (certPolicyMaps) {
PKIX_CHECK(PKIX_List_GetLength
(certPolicyMaps,
&numEntries,
plContext),
PKIX_LISTGETLENGTHFAILED);
}
for (index = 0; index < numEntries; index++) {
PKIX_CHECK(PKIX_List_GetItem
(certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(map);
PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
(map, &issuerDomainPolicy, plContext),
PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
PKIX_EQUALS
(policy, issuerDomainPolicy, &match, plContext,
PKIX_OBJECTEQUALSFAILED);
if (match) {
if (!subjectList) {
PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
PKIX_LISTCREATEFAILED);
}
PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
(map, &subjectDomainPolicy, plContext),
PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(subjectList,
(PKIX_PL_Object *)subjectDomainPolicy,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
PKIX_DECREF(subjectDomainPolicy);
}
if (subjectList) {
PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
}
*pSubjectDomainPolicies = subjectList;
cleanup:
if (PKIX_ERROR_RECEIVED) {
PKIX_DECREF(subjectList);
}
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
PKIX_DECREF(subjectDomainPolicy);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
* DESCRIPTION:
*
* Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
* List of all IssuerDomainPolicies, and stores the result in
* "pMappedPolicies".
*
* The caller may not rely on the IssuerDomainPolicies to be in any particular
* order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
* only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
* result will be an empty List. The created List is mutable.
*
* PARAMETERS:
* "certPolicyMaps"
* Address of List of CertPolicyMaps to be searched. May be empty, but
* must be non-NULL.
* "pMappedPolicies"
* Address where the result will be stored. Must be non-NULL.
* "plContext"
* platform-specific context pointer
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_PolicyChecker_MapGetMappedPolicies(
PKIX_List *certPolicyMaps,
PKIX_List **pMappedPolicies,
void *plContext)
{
PKIX_PL_CertPolicyMap *map = NULL;
PKIX_List *mappedList = NULL;
PKIX_UInt32 numEntries = 0;
PKIX_UInt32 index = 0;
PKIX_Boolean isContained = PKIX_FALSE;
PKIX_PL_OID *issuerDomainPolicy = NULL;
PKIX_ENTER
(CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
PKIX_LISTGETLENGTHFAILED);
for (index = 0; index < numEntries; index++) {
PKIX_CHECK(PKIX_List_GetItem
(certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(map);
PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
(map, &issuerDomainPolicy, plContext),
PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
PKIX_CHECK(pkix_List_Contains
(mappedList,
(PKIX_PL_Object *)issuerDomainPolicy,
&isContained,
plContext),
PKIX_LISTCONTAINSFAILED);
if (isContained == PKIX_FALSE) {
PKIX_CHECK(PKIX_List_AppendItem
(mappedList,
(PKIX_PL_Object *)issuerDomainPolicy,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
}
*pMappedPolicies = mappedList;
cleanup:
if (PKIX_ERROR_RECEIVED) {
PKIX_DECREF(mappedList);
}
PKIX_DECREF(map);
PKIX_DECREF(issuerDomainPolicy);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_MakeMutableCopy
* DESCRIPTION:
*
* Creates a mutable copy of the List pointed to by "list", which may or may
* not be immutable, and stores the address at "pMutableCopy".
*
* PARAMETERS:
* "list"
* Address of List to be copied. Must be non-NULL.
* "pMutableCopy"
* Address where mutable copy will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_MakeMutableCopy(
PKIX_List *list,
PKIX_List **pMutableCopy,
void *plContext)
{
PKIX_List *newList = NULL;
PKIX_UInt32 listLen = 0;
PKIX_UInt32 listIx = 0;
PKIX_PL_Object *object = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
PKIX_NULLCHECK_TWO(list, pMutableCopy);
PKIX_CHECK(PKIX_List_Create(&newList, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
PKIX_LISTGETLENGTHFAILED);
for (listIx = 0; listIx < listLen; listIx++) {
PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(object);
}
*pMutableCopy = newList;
newList = NULL;
cleanup:
PKIX_DECREF(newList);
PKIX_DECREF(object);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_MakeSingleton
* DESCRIPTION:
*
* Creates a new List containing the Object pointed to by "listItem", using
* the Boolean value of "immutability" to determine whether to set the List
* immutable, and stores the address at "pList".
*
* PARAMETERS:
* "listItem"
* Address of Object to be inserted into the new List. Must be non-NULL.
* "immutability"
* Boolean value indicating whether new List is to be immutable
* "pList"
* Address where List will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_MakeSingleton(
PKIX_PL_Object *listItem,
PKIX_Boolean immutability,
PKIX_List **pList,
void *plContext)
{
PKIX_List *newList = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
PKIX_NULLCHECK_TWO(listItem, pList);
PKIX_CHECK(PKIX_List_Create(&newList, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(newList, (PKIX_PL_Object *)listItem, plContext),
PKIX_LISTAPPENDITEMFAILED);
if (immutability) {
PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
}
*pList = newList;
cleanup:
if (PKIX_ERROR_RECEIVED) {
PKIX_DECREF(newList);
}
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_Spawn
* DESCRIPTION:
*
* Creates a new childNode for the parent pointed to by "parent", using
* the OID pointed to by "policyOID", the List of CertPolicyQualifiers
* pointed to by "qualifiers", the List of OIDs pointed to by
* "subjectDomainPolicies", and the PolicyCheckerState pointed to by
* "state". The new node will be added to "parent".
*
* The validPolicy of the new node is set from the OID pointed to by
* "policyOID". The policy qualifiers for the new node is set from the
* List of qualifiers pointed to by "qualifiers", and may be NULL or
* empty if the argument provided was NULL or empty. The criticality is
* set according to the criticality obtained from the PolicyCheckerState.
* If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
* child is set to contain the same policy as the validPolicy. If
* "subjectDomainPolicies" is not NULL, it is used as the value for
* the expectedPolicySet.
*
* The PolicyCheckerState also contains a constant, anyPolicy, which is
* compared to "policyOID". If they match, the address of the childNode
* is saved in the state's newAnyPolicyNode.
*
* PARAMETERS:
* "parent"
* Address of PolicyNode to which the child will be linked. Must be
* non-NULL.
* "policyOID"
* Address of OID of the new child's validPolicy and also, if
* subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
* Must be non-NULL.
* "qualifiers"
* Address of List of CertPolicyQualifiers. May be NULL or empty.
* "subjectDomainPolicies"
* Address of List of OIDs indicating the policies to which "policy" is
* mapped. May be empty or NULL.
* "state"
* Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_Spawn(
PKIX_PolicyNode *parent,
PKIX_PL_OID *policyOID,
PKIX_List *qualifiers, /* CertPolicyQualifiers */
PKIX_List *subjectDomainPolicies,
PKIX_PolicyCheckerState *state,
void *plContext)
{
PKIX_List *expectedSet = NULL; /* OIDs */
PKIX_PolicyNode *childNode = NULL;
PKIX_Boolean match = PKIX_FALSE;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
PKIX_NULLCHECK_THREE(policyOID, parent, state);
if (subjectDomainPolicies) {
PKIX_INCREF(subjectDomainPolicies);
expectedSet = subjectDomainPolicies;
} else {
/* Create the child's ExpectedPolicy Set */
PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
((PKIX_PL_Object *)policyOID,
PKIX_TRUE, /* make expectedPolicySet immutable */
&expectedSet,
plContext),
PKIX_POLICYCHECKERMAKESINGLETONFAILED);
}
PKIX_CHECK(pkix_PolicyNode_Create
(policyOID,
qualifiers,
state->certPoliciesCritical,
expectedSet,
&childNode,
plContext),
PKIX_POLICYNODECREATEFAILED);
/*
* If we had a non-empty mapping, we know the new node could not
* have been created with a validPolicy of anyPolicy. Otherwise,
* check whether we just created a new node with anyPolicy, because
* in that case we want to save the child pointer in newAnyPolicyNode.
*/
if (!subjectDomainPolicies) {
PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
PKIX_OBJECTEQUALSFAILED);
if (match) {
PKIX_DECREF(state->newAnyPolicyNode);
PKIX_INCREF(childNode);
state->newAnyPolicyNode = childNode;
}
}
PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
PKIX_POLICYNODEADDTOPARENTFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_DECREF(childNode);
PKIX_DECREF(expectedSet);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
* DESCRIPTION:
*
* Performs policy processing for the policy whose OID is pointed to by
* "policyOID" and whose List of CertPolicyQualifiers is pointed to by
* "policyQualifiers", using the List of policy OIDs pointed to by
* "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
* in accordance with the current PolicyCheckerState pointed to by "state",
* and setting "pChildNodeCreated" to TRUE if a new childNode is created.
* Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
* The intent of the design is that the caller can set a variable to FALSE
* initially, prior to a recursive set of calls. At the end, the variable
* can be tested to see whether *any* of the calls created a child node.
*
* If the currentNode is not at the bottom of the tree, this function
* calls itself recursively for each child of currentNode. At the bottom of
* the tree, it creates new child nodes as appropriate. This function will
* never be called with policy = anyPolicy.
*
* This function implements the processing described in RFC3280
* Section 6.1.3(d)(1)(i).
*
* PARAMETERS:
* "policyOID"
* Address of OID of the policy to be checked for. Must be non-NULL.
* "policyQualifiers"
* Address of List of CertPolicyQualifiers of the policy to be checked for.
* May be empty or NULL.
* "subjectDomainPolicies"
* Address of List of OIDs indicating the policies to which "policy" is
* mapped. May be empty or NULL.
* "currentNode"
* Address of PolicyNode whose descendants will be checked, if not at the
* bottom of the tree; or whose expectedPolicySet will be compared to
* "policy", if at the bottom. Must be non-NULL.
* "state"
* Address of PolicyCheckerState of the current PolicyChecker. Must be
* non-NULL.
* "pChildNodeCreated"
* Address of the Boolean that will be set TRUE if this function
* creates a child node. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_CheckPolicyRecursive(
PKIX_PL_OID *policyOID,
PKIX_List *policyQualifiers,
PKIX_List *subjectDomainPolicies,
PKIX_PolicyNode *currentNode,
PKIX_PolicyCheckerState *state,
PKIX_Boolean *pChildNodeCreated,
void *plContext)
{
PKIX_UInt32 depth = 0;
PKIX_UInt32 numChildren = 0;
PKIX_UInt32 childIx = 0;
PKIX_Boolean isIncluded = PKIX_FALSE;
PKIX_List *children = NULL; /* PolicyNodes */
PKIX_PolicyNode *childNode = NULL;
PKIX_List *expectedPolicies = NULL; /* OIDs */
PKIX_ENTER
(CERTCHAINCHECKER,
"pkix_PolicyChecker_CheckPolicyRecursive");
PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
/* if not at the bottom of the tree */
PKIX_CHECK(PKIX_PolicyNode_GetDepth
(currentNode, &depth, plContext),
PKIX_POLICYNODEGETDEPTHFAILED);
if (depth < (state->certsProcessed)) {
PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
(currentNode, &children, plContext),
PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
if (children) {
PKIX_CHECK(PKIX_List_GetLength
(children, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
}
for (childIx = 0; childIx < numChildren; childIx++) {
PKIX_CHECK(PKIX_List_GetItem
(children,
childIx,
(PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
(policyOID,
policyQualifiers,
subjectDomainPolicies,
childNode,
state,
pChildNodeCreated,
plContext),
PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
PKIX_DECREF(childNode);
}
} else { /* if at the bottom of the tree */
/* Check whether policy is in this node's expectedPolicySet */
PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
(currentNode, &expectedPolicies, plContext),
PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
PKIX_NULLCHECK_ONE(expectedPolicies);
PKIX_CHECK(pkix_List_Contains
(expectedPolicies,
(PKIX_PL_Object *)policyOID,
&isIncluded,
plContext),
PKIX_LISTCONTAINSFAILED);
if (isIncluded) {
PKIX_CHECK(pkix_PolicyChecker_Spawn
(currentNode,
policyOID,
policyQualifiers,
subjectDomainPolicies,
state,
plContext),
PKIX_POLICYCHECKERSPAWNFAILED);
*pChildNodeCreated = PKIX_TRUE;
}
}
cleanup:
PKIX_DECREF(children);
PKIX_DECREF(childNode);
PKIX_DECREF(expectedPolicies);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_CheckPolicy
* DESCRIPTION:
*
* Performs the non-recursive portion of the policy processing for the policy
* whose OID is pointed to by "policyOID" and whose List of
* CertPolicyQualifiers is pointed to by "policyQualifiers", for the
* Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
* to by "maps", in accordance with the current PolicyCheckerState pointed
* to by "state".
*
* This function implements the processing described in RFC3280
* Section 6.1.3(d)(1)(i).
*
* PARAMETERS:
* "policyOID"
* Address of OID of the policy to be checked for. Must be non-NULL.
* "policyQualifiers"
* Address of List of CertPolicyQualifiers of the policy to be checked for.
* May be empty or NULL.
* "cert"
* Address of the current certificate. Must be non-NULL.
* "maps"
* Address of List of CertPolicyMaps for the current certificate
* "state"
* Address of PolicyCheckerState of the current PolicyChecker. Must be
* non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_CheckPolicy(
PKIX_PL_OID *policyOID,
PKIX_List *policyQualifiers,
PKIX_PL_Cert *cert,
PKIX_List *maps,
PKIX_PolicyCheckerState *state,
void *plContext)
{
PKIX_Boolean childNodeCreated = PKIX_FALSE;
PKIX_Boolean okToSpawn = PKIX_FALSE;
PKIX_Boolean found = PKIX_FALSE;
PKIX_List *subjectDomainPolicies = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
PKIX_NULLCHECK_THREE(policyOID, cert, state);
/*
* If this is not the last certificate, get the set of
* subjectDomainPolicies that "policy" maps to, according to the
* current cert's policy mapping extension. That set will be NULL
* if the current cert does not have a policy mapping extension,
* or if the current policy is not mapped.
*/
if (state->certsProcessed != (state->numCerts - 1)) {
PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
(maps, policyOID, &subjectDomainPolicies, plContext),
PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
}
/*
* Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
* will have to delete any nodes created with validPolicies equal to
* policies that appear as issuerDomainPolicies in a policy mapping
* extension. Let's avoid creating any such nodes.
*/
if ((state->policyMapping) == 0) {
if (subjectDomainPolicies) {
goto cleanup;
}
}
PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
(policyOID,
policyQualifiers,
subjectDomainPolicies,
state->validPolicyTree,
state,
&childNodeCreated,
plContext),
PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
if (!childNodeCreated) {
/*
* Section 6.1.3(d)(1)(ii)
* There was no match. If there was a node at
* depth i-1 with valid policy anyPolicy,
* generate a node subordinate to that.
*
* But that means this created node would be in
* the valid-policy-node-set, and will be
* pruned in 6.1.5(g)(iii)(2) unless it is in
* the user-initial-policy-set or the user-
* initial-policy-set is {anyPolicy}. So check,
* and don't create it if it will be pruned.
*/
if (state->anyPolicyNodeAtBottom) {
if (state->initialIsAnyPolicy) {
okToSpawn = PKIX_TRUE;
} else {
PKIX_CHECK(pkix_List_Contains
(state->mappedUserInitialPolicySet,
(PKIX_PL_Object *)policyOID,
&okToSpawn,
plContext),
PKIX_LISTCONTAINSFAILED);
}
if (okToSpawn) {
PKIX_CHECK(pkix_PolicyChecker_Spawn
(state->anyPolicyNodeAtBottom,
policyOID,
policyQualifiers,
subjectDomainPolicies,
state,
plContext),
PKIX_POLICYCHECKERSPAWNFAILED);
childNodeCreated = PKIX_TRUE;
}
}
}
if (childNodeCreated) {
/*
* If this policy had qualifiers, and the certificate policies
* extension was marked critical, and the user cannot deal with
* policy qualifiers, throw an error.
*/
if (policyQualifiers &&
state->certPoliciesCritical &&
state->policyQualifiersRejected) {
PKIX_ERROR
(PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
}
/*
* If the policy we just propagated was in the list of mapped
* policies, remove it from the list. That list is used, at the
* end, to determine policies that have not been propagated.
*/
if (state->mappedPolicyOIDs) {
PKIX_CHECK(pkix_List_Contains
(state->mappedPolicyOIDs,
(PKIX_PL_Object *)policyOID,
&found,
plContext),
PKIX_LISTCONTAINSFAILED);
if (found) {
PKIX_CHECK(pkix_List_Remove
(state->mappedPolicyOIDs,
(PKIX_PL_Object *)policyOID,
plContext),
PKIX_LISTREMOVEFAILED);
}
}
}
cleanup:
PKIX_DECREF(subjectDomainPolicies);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_CheckAny
* DESCRIPTION:
* Performs the creation of PolicyNodes, for the PolicyNode pointed to by
* "currentNode" and PolicyNodes subordinate to it, using the List of
* qualifiers pointed to by "qualsOfAny", in accordance with the current
* certificate's PolicyMaps pointed to by "policyMaps" and the current
* PolicyCheckerState pointed to by "state".
*
* If the currentNode is not just above the bottom of the validPolicyTree, this
* function calls itself recursively for each child of currentNode. At the
* level just above the bottom, for each policy in the currentNode's
* expectedPolicySet not already present in a child node, it creates a new
* child node. The validPolicy of the child created, and its expectedPolicySet,
* will be the policy from the currentNode's expectedPolicySet. The policy
* qualifiers will be the qualifiers from the current certificate's anyPolicy,
* the "qualsOfAny" parameter. If the currentNode's expectedSet includes
* anyPolicy, a childNode will be created with a policy of anyPolicy. This is
* the only way such a node can be created.
*
* This function is called only when anyPolicy is one of the current
* certificate's policies. This function implements the processing described
* in RFC3280 Section 6.1.3(d)(2).
*
* PARAMETERS:
* "currentNode"
* Address of PolicyNode whose descendants will be checked, if not at the
* bottom of the tree; or whose expectedPolicySet will be compared to those
* in "alreadyPresent", if at the bottom. Must be non-NULL.
* "qualsOfAny"
* Address of List of qualifiers of the anyPolicy in the current
* certificate. May be empty or NULL.
* "policyMaps"
* Address of the List of PolicyMaps of the current certificate. May be
* empty or NULL.
* "state"
* Address of the current state of the PKIX_PolicyChecker.
* Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_CheckAny(
PKIX_PolicyNode *currentNode,
PKIX_List *qualsOfAny, /* CertPolicyQualifiers */
PKIX_List *policyMaps, /* CertPolicyMaps */
PKIX_PolicyCheckerState *state,
void *plContext)
{
PKIX_UInt32 depth = 0;
PKIX_UInt32 numChildren = 0;
PKIX_UInt32 childIx = 0;
PKIX_UInt32 numPolicies = 0;
PKIX_UInt32 polx = 0;
PKIX_Boolean isIncluded = PKIX_FALSE;
PKIX_List *children = NULL; /* PolicyNodes */
PKIX_PolicyNode *childNode = NULL;
PKIX_List *expectedPolicies = NULL; /* OIDs */
PKIX_PL_OID *policyOID = NULL;
PKIX_PL_OID *childPolicy = NULL;
PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
PKIX_NULLCHECK_TWO(currentNode, state);
PKIX_CHECK(PKIX_PolicyNode_GetDepth
(currentNode, &depth, plContext),
PKIX_POLICYNODEGETDEPTHFAILED);
PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
(currentNode, &children, plContext),
PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
if (children) {
PKIX_CHECK(PKIX_List_GetLength
(children, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
}
if (depth < (state->certsProcessed)) {
for (childIx = 0; childIx < numChildren; childIx++) {
PKIX_CHECK(PKIX_List_GetItem
(children,
childIx,
(PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(childNode);
PKIX_CHECK(pkix_PolicyChecker_CheckAny
(childNode,
qualsOfAny,
policyMaps,
state,
plContext),
PKIX_POLICYCHECKERCHECKANYFAILED);
PKIX_DECREF(childNode);
}
} else { /* if at the bottom of the tree */
PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
(currentNode, &expectedPolicies, plContext),
PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
/* Expected Policy Set is not allowed to be NULL */
PKIX_NULLCHECK_ONE(expectedPolicies);
PKIX_CHECK(PKIX_List_GetLength
(expectedPolicies, &numPolicies, plContext),
PKIX_LISTGETLENGTHFAILED);
for (polx = 0; polx < numPolicies; polx++) {
PKIX_CHECK(PKIX_List_GetItem
(expectedPolicies,
polx,
(PKIX_PL_Object **)&policyOID,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(policyOID);
isIncluded = PKIX_FALSE;
for (childIx = 0;
(!isIncluded && (childIx < numChildren));
childIx++) {
PKIX_CHECK(PKIX_List_GetItem
(children,
childIx,
(PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_NULLCHECK_ONE(childNode);
PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
(childNode, &childPolicy, plContext),
PKIX_POLICYNODEGETVALIDPOLICYFAILED);
PKIX_NULLCHECK_ONE(childPolicy);
PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
PKIX_OBJECTEQUALSFAILED);
PKIX_DECREF(childNode);
PKIX_DECREF(childPolicy);
}
if (!isIncluded) {
if (policyMaps) {
PKIX_CHECK
(pkix_PolicyChecker_MapGetSubjectDomainPolicies
(policyMaps,
policyOID,
&subjectDomainPolicies,
plContext),
PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
}
PKIX_CHECK(pkix_PolicyChecker_Spawn
(currentNode,
policyOID,
qualsOfAny,
subjectDomainPolicies,
state,
plContext),
PKIX_POLICYCHECKERSPAWNFAILED);
PKIX_DECREF(subjectDomainPolicies);
}
PKIX_DECREF(policyOID);
}
}
cleanup:
PKIX_DECREF(children);
PKIX_DECREF(childNode);
PKIX_DECREF(expectedPolicies);
PKIX_DECREF(policyOID);
PKIX_DECREF(childPolicy);
PKIX_DECREF(subjectDomainPolicies);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_CalculateIntersection
* DESCRIPTION:
*
* Processes the PolicyNode pointed to by "currentNode", and its descendants,
* using the PolicyCheckerState pointed to by "state", using the List at
* the address pointed to by "nominees" the OIDs of policies that are in the
* user-initial-policy-set but are not represented among the nodes at the
* bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
* currentNode is childless at the end of this processing, FALSE if it has
* children or is at the bottom of the tree.
*
* When this function is called at the top level, "nominees" should be the List
* of all policies in the user-initial-policy-set. Policies that are
* represented in the valid-policy-node-set are removed from this List. As a
* result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
* be created for each policy remaining in this List.
*
* This function implements the calculation of the intersection of the
* validPolicyTree with the user-initial-policy-set, as described in
* RFC 3280 6.1.5(g)(iii).
*
* PARAMETERS:
* "currentNode"
* Address of PolicyNode whose descendants will be processed as described.
* Must be non-NULL.
* "state"
* Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
* "nominees"
* Address of List of the OIDs for which nodes should be created to replace
* anyPolicy nodes. Must be non-NULL but may be empty.
* "pShouldBePruned"
* Address where Boolean return value, set to TRUE if this PolicyNode
* should be deleted, is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_CalculateIntersection(
PKIX_PolicyNode *currentNode,
PKIX_PolicyCheckerState *state,
PKIX_List *nominees, /* OIDs */
PKIX_Boolean *pShouldBePruned,
void *plContext)
{
PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
PKIX_Boolean shouldBePruned = PKIX_FALSE;
PKIX_Boolean priorCriticality = PKIX_FALSE;
PKIX_UInt32 depth = 0;
PKIX_UInt32 numChildren = 0;
PKIX_UInt32 childIndex = 0;
PKIX_UInt32 numNominees = 0;
PKIX_UInt32 polIx = 0;
PKIX_PL_OID *currentPolicy = NULL;
PKIX_PL_OID *parentPolicy = NULL;
PKIX_PL_OID *substPolicy = NULL;
PKIX_PolicyNode *parent = NULL;
PKIX_PolicyNode *child = NULL;
PKIX_List *children = NULL; /* PolicyNodes */
PKIX_List *policyQualifiers = NULL;
PKIX_ENTER
(CERTCHAINCHECKER,
"pkix_PolicyChecker_CalculateIntersection");
/*
* We call this function if the valid_policy_tree is not NULL and
* the user-initial-policy-set is not any-policy.
*/
if (!state->validPolicyTree || state->initialIsAnyPolicy) {
PKIX_ERROR(PKIX_PRECONDITIONFAILED);
}
PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
(currentNode, &currentPolicy, plContext),
PKIX_POLICYNODEGETVALIDPOLICYFAILED);
PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
PKIX_EQUALS
(state->anyPolicyOID,
currentPolicy,
&currentPolicyIsAny,
plContext,
PKIX_OBJECTEQUALSFAILED);
PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
PKIX_POLICYNODEGETPARENTFAILED);
if (currentPolicyIsAny == PKIX_FALSE) {
/*
* If we are at the top of the tree, or if our
* parent's validPolicy is anyPolicy, we are in
* the valid policy node set.
*/
if (parent) {
PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
(parent, &parentPolicy, plContext),
PKIX_POLICYNODEGETVALIDPOLICYFAILED);
PKIX_NULLCHECK_ONE(parentPolicy);
PKIX_EQUALS
(state->anyPolicyOID,
parentPolicy,
&parentPolicyIsAny,
plContext,
PKIX_OBJECTEQUALSFAILED);
}
/*
* Section 6.1.5(g)(iii)(2)
* If this node's policy is not in the user-initial-policy-set,
* it is not in the intersection. Prune it.
*/
if (!parent || parentPolicyIsAny) {
PKIX_CHECK(pkix_List_Contains
(state->userInitialPolicySet,
(PKIX_PL_Object *)currentPolicy,
&currentPolicyIsValid,
plContext),
PKIX_LISTCONTAINSFAILED);
if (!currentPolicyIsValid) {
*pShouldBePruned = PKIX_TRUE;
goto cleanup;
}
/*
* If this node's policy is in the user-initial-policy-
* set, it will propagate that policy into the next
* level of the tree. Remove the policy from the list
* of policies that an anyPolicy will spawn.
*/
PKIX_CHECK(pkix_List_Remove
(nominees,
(PKIX_PL_Object *)currentPolicy,
plContext),
PKIX_LISTREMOVEFAILED);
}
}
/* Are we at the bottom of the tree? */
PKIX_CHECK(PKIX_PolicyNode_GetDepth
(currentNode, &depth, plContext),
PKIX_POLICYNODEGETDEPTHFAILED);
if (depth == (state->numCerts)) {
/*
* Section 6.1.5(g)(iii)(3)
* Replace anyPolicy nodes...
*/
if (currentPolicyIsAny == PKIX_TRUE) {
/* replace this node */
PKIX_CHECK(PKIX_List_GetLength
(nominees, &numNominees, plContext),
PKIX_LISTGETLENGTHFAILED);
if (numNominees) {
PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
(currentNode,
&policyQualifiers,
plContext),
PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
PKIX_CHECK(PKIX_PolicyNode_IsCritical
(currentNode, &priorCriticality, plContext),
PKIX_POLICYNODEISCRITICALFAILED);
}
PKIX_NULLCHECK_ONE(parent);
for (polIx = 0; polIx < numNominees; polIx++) {
PKIX_CHECK(PKIX_List_GetItem
(nominees,
polIx,
(PKIX_PL_Object **)&substPolicy,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_PolicyChecker_Spawn
(parent,
substPolicy,
policyQualifiers,
NULL,
state,
plContext),
PKIX_POLICYCHECKERSPAWNFAILED);
PKIX_DECREF(substPolicy);
}
/* remove currentNode from parent */
*pShouldBePruned = PKIX_TRUE;
/*
* We can get away with augmenting the parent's List
* of children because we started at the end and went
* toward the beginning. New nodes are added at the end.
*/
}
} else {
/*
* Section 6.1.5(g)(iii)(4)
* Prune any childless nodes above the bottom level
*/
PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
(currentNode, &children, plContext),
PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
/* CurrentNode should have been pruned if childless. */
PKIX_NULLCHECK_ONE(children);
PKIX_CHECK(PKIX_List_GetLength
(children, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
for (childIndex = numChildren; childIndex > 0; childIndex--) {
PKIX_CHECK(PKIX_List_GetItem
(children,
childIndex - 1,
(PKIX_PL_Object **)&child,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
(child, state, nominees, &shouldBePruned, plContext),
PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
if (PKIX_TRUE == shouldBePruned) {
PKIX_CHECK(PKIX_List_DeleteItem
(children, childIndex - 1, plContext),
PKIX_LISTDELETEITEMFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
}
PKIX_DECREF(child);
}
PKIX_CHECK(PKIX_List_GetLength
(children, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
if (numChildren == 0) {
*pShouldBePruned = PKIX_TRUE;
}
}
cleanup:
PKIX_DECREF(currentPolicy);
PKIX_DECREF(parentPolicy);
PKIX_DECREF(substPolicy);
PKIX_DECREF(parent);
PKIX_DECREF(child);
PKIX_DECREF(children);
PKIX_DECREF(policyQualifiers);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
* DESCRIPTION:
*
* Performs the processing of Policies in the List of CertPolicyMaps pointed
* to by "policyMaps", using and updating the PolicyCheckerState pointed to by
* "state".
*
* This function implements the policyMap processing described in RFC3280
* Section 6.1.4(b)(1), after certificate i has been processed, in preparation
* for certificate i+1. Section references are to that document.
*
* PARAMETERS:
* "policyMaps"
* Address of the List of CertPolicyMaps presented by certificate i.
* Must be non-NULL.
* "certPoliciesIncludeAny"
* Boolean value which is PKIX_TRUE if the current certificate asserts
* anyPolicy, PKIX_FALSE otherwise.
* "qualsOfAny"
* Address of List of qualifiers of the anyPolicy in the current
* certificate. May be empty or NULL.
* "state"
* Address of the current state of the PKIX_PolicyChecker.
* Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_PolicyMapProcessing(
PKIX_List *policyMaps, /* CertPolicyMaps */
PKIX_Boolean certPoliciesIncludeAny,
PKIX_List *qualsOfAny,
PKIX_PolicyCheckerState *state,
void *plContext)
{
PKIX_UInt32 numPolicies = 0;
PKIX_UInt32 polX = 0;
PKIX_PL_OID *policyOID = NULL;
PKIX_List *newMappedPolicies = NULL; /* OIDs */
PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
PKIX_ENTER
(CERTCHAINCHECKER,
"pkix_PolicyChecker_PolicyMapProcessing");
PKIX_NULLCHECK_THREE
(policyMaps,
state,
state->mappedUserInitialPolicySet);
/*
* For each policy in mappedUserInitialPolicySet, if it is not mapped,
* append it to new policySet; if it is mapped, append its
* subjectDomainPolicies to new policySet. When done, this new
* policySet will replace mappedUserInitialPolicySet.
*/
PKIX_CHECK(PKIX_List_Create
(&newMappedPolicies, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_GetLength
(state->mappedUserInitialPolicySet,
&numPolicies,
plContext),
PKIX_LISTGETLENGTHFAILED);
for (polX = 0; polX < numPolicies; polX++) {
PKIX_CHECK(PKIX_List_GetItem
(state->mappedUserInitialPolicySet,
polX,
(PKIX_PL_Object **)&policyOID,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
(policyMaps,
policyOID,
&subjectDomainPolicies,
plContext),
PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
if (subjectDomainPolicies) {
PKIX_CHECK(pkix_List_AppendUnique
(newMappedPolicies,
subjectDomainPolicies,
plContext),
PKIX_LISTAPPENDUNIQUEFAILED);
PKIX_DECREF(subjectDomainPolicies);
} else {
PKIX_CHECK(PKIX_List_AppendItem
(newMappedPolicies,
(PKIX_PL_Object *)policyOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(policyOID);
}
/*
* For each policy ID-P remaining in mappedPolicyOIDs, it has not been
* propagated to the bottom of the tree (depth i). If policyMapping
* is greater than zero and this cert contains anyPolicy and the tree
* contains an anyPolicy node at depth i-1, then we must create a node
* with validPolicy ID-P, the policy qualifiers of anyPolicy in
* this certificate, and expectedPolicySet the subjectDomainPolicies
* that ID-P maps to. We also then add those subjectDomainPolicies to
* the list of policies that will be accepted in the next certificate,
* the mappedUserInitialPolicySet.
*/
if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
(state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
PKIX_CHECK(PKIX_List_GetLength
(state->mappedPolicyOIDs,
&numPolicies,
plContext),
PKIX_LISTGETLENGTHFAILED);
for (polX = 0; polX < numPolicies; polX++) {
PKIX_CHECK(PKIX_List_GetItem
(state->mappedPolicyOIDs,
polX,
(PKIX_PL_Object **)&policyOID,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
(policyMaps,
policyOID,
&subjectDomainPolicies,
plContext),
PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
PKIX_CHECK(pkix_PolicyChecker_Spawn
(state->anyPolicyNodeAtBottom,
policyOID,
qualsOfAny,
subjectDomainPolicies,
state,
plContext),
PKIX_POLICYCHECKERSPAWNFAILED);
PKIX_CHECK(pkix_List_AppendUnique
(newMappedPolicies,
subjectDomainPolicies,
plContext),
PKIX_LISTAPPENDUNIQUEFAILED);
PKIX_DECREF(subjectDomainPolicies);
PKIX_DECREF(policyOID);
}
}
PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
PKIX_DECREF(state->mappedUserInitialPolicySet);
PKIX_INCREF(newMappedPolicies);
state->mappedUserInitialPolicySet = newMappedPolicies;
cleanup:
PKIX_DECREF(policyOID);
PKIX_DECREF(newMappedPolicies);
PKIX_DECREF(subjectDomainPolicies);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_WrapUpProcessing
* DESCRIPTION:
*
* Performs the wrap-up processing for the Cert pointed to by "cert",
* using and updating the PolicyCheckerState pointed to by "state".
*
* This function implements the wrap-up processing described in RFC3280
* Section 6.1.5, after the final certificate has been processed. Section
* references in the comments are to that document.
*
* PARAMETERS:
* "cert"
* Address of the current (presumably the end entity) certificate.
* Must be non-NULL.
* "state"
* Address of the current state of the PKIX_PolicyChecker.
* Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
static PKIX_Error *
pkix_PolicyChecker_WrapUpProcessing(
PKIX_PL_Cert *cert,
PKIX_PolicyCheckerState *state,
void *plContext)
{
PKIX_Int32 explicitPolicySkipCerts = 0;
PKIX_Boolean isSelfIssued = PKIX_FALSE;
PKIX_Boolean shouldBePruned = PKIX_FALSE;
PKIX_List *nominees = NULL; /* OIDs */
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
PKIX_PL_String *stateString = NULL;
char *stateAscii = NULL;
PKIX_UInt32 length;
#endif
PKIX_ENTER
(CERTCHAINCHECKER,
"pkix_PolicyChecker_WrapUpProcessing");
PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG("%s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
#endif
/* Section 6.1.5(a) ... */
PKIX_CHECK(pkix_IsCertSelfIssued
(cert, &isSelfIssued, plContext),
PKIX_ISCERTSELFISSUEDFAILED);
if (!isSelfIssued) {
if (state->explicitPolicy > 0) {
state->explicitPolicy--;
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
}
}
/* Section 6.1.5(b) ... */
PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
(cert, &explicitPolicySkipCerts, plContext),
PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
if (explicitPolicySkipCerts == 0) {
state->explicitPolicy = 0;
}
/* Section 6.1.5(g)(i) ... */
if (!(state->validPolicyTree)) {
goto cleanup;
}
/* Section 6.1.5(g)(ii) ... */
if (state->initialIsAnyPolicy) {
goto cleanup;
}
/*
* Section 6.1.5(g)(iii) ...
* Create a list of policies which could be substituted for anyPolicy.
* Start with a (mutable) copy of user-initial-policy-set.
*/
PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
(state->userInitialPolicySet, &nominees, plContext),
PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
(state->validPolicyTree, /* node at top of tree */
state,
nominees,
&shouldBePruned,
plContext),
PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
if (PKIX_TRUE == shouldBePruned) {
PKIX_DECREF(state->validPolicyTree);
}
if (state->validPolicyTree) {
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state->validPolicyTree, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
}
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
if (state->validPolicyTree) {
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG
("After CalculateIntersection:\n%s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
} else {
PKIX_DEBUG("validPolicyTree is NULL\n");
}
#endif
/* Section 6.1.5(g)(iii)(4) ... */
if (state->validPolicyTree) {
PKIX_CHECK(pkix_PolicyNode_Prune
(state->validPolicyTree,
state->numCerts,
&shouldBePruned,
plContext),
PKIX_POLICYNODEPRUNEFAILED);
if (shouldBePruned) {
PKIX_DECREF(state->validPolicyTree);
}
}
if (state->validPolicyTree) {
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state->validPolicyTree, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
}
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG("%s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
#endif
cleanup:
PKIX_DECREF(nominees);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_Check
* (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
*
* Labels referring to sections, such as "Section 6.1.3(d)", refer to
* sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
*
* If a non-fatal error occurs, it is unlikely that policy processing can
* continue. But it is still possible that chain validation could succeed if
* policy processing is non-critical. So if this function receives a non-fatal
* error from a lower level routine, it aborts policy processing by setting
* the validPolicyTree to NULL and tries to continue.
*
*/
static PKIX_Error *
pkix_PolicyChecker_Check(
PKIX_CertChainChecker *checker,
PKIX_PL_Cert *cert,
PKIX_List *unresolvedCriticals, /* OIDs */
void **pNBIOContext,
void *plContext)
{
PKIX_UInt32 numPolicies = 0;
PKIX_UInt32 polX = 0;
PKIX_Boolean result = PKIX_FALSE;
PKIX_Int32 inhibitMappingSkipCerts = 0;
PKIX_Int32 explicitPolicySkipCerts = 0;
PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
PKIX_Boolean shouldBePruned = PKIX_FALSE;
PKIX_Boolean isSelfIssued = PKIX_FALSE;
PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
PKIX_PolicyCheckerState *state = NULL;
PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
PKIX_PL_CertPolicyInfo *policy = NULL;
PKIX_PL_OID *policyOID = NULL;
PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
PKIX_List *mappedPolicies = NULL; /* OIDs */
PKIX_Error *subroutineErr = NULL;
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
PKIX_PL_String *stateString = NULL;
char *stateAscii = NULL;
PKIX_PL_String *certString = NULL;
char *certAscii = NULL;
PKIX_UInt32 length;
#endif
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
*pNBIOContext = NULL; /* we never block on pending I/O */
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
(checker, (PKIX_PL_Object **)&state, plContext),
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
#endif
/*
* Section 6.1.4(a)
* If this is not the last certificate, and if
* policyMapping extension is present, check that no
* issuerDomainPolicy or subjectDomainPolicy is equal to the
* special policy anyPolicy.
*/
if (state->certsProcessed != (state->numCerts - 1)) {
PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
(cert, &policyMaps, plContext),
PKIX_CERTGETPOLICYMAPPINGSFAILED);
}
if (policyMaps) {
PKIX_CHECK(pkix_PolicyChecker_MapContains
(policyMaps, state->anyPolicyOID, &result, plContext),
PKIX_POLICYCHECKERMAPCONTAINSFAILED);
if (result) {
PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
}
PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
(policyMaps, &mappedPolicies, plContext),
PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
PKIX_DECREF(state->mappedPolicyOIDs);
PKIX_INCREF(mappedPolicies);
state->mappedPolicyOIDs = mappedPolicies;
}
/* Section 6.1.3(d) */
if (state->validPolicyTree) {
PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
(cert, &certPolicyInfos, plContext),
PKIX_CERTGETPOLICYINFORMATIONFAILED);
if (certPolicyInfos) {
PKIX_CHECK(PKIX_List_GetLength
(certPolicyInfos, &numPolicies, plContext),
PKIX_LISTGETLENGTHFAILED);
}
if (numPolicies > 0) {
PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
(cert, &(state->certPoliciesCritical), plContext),
PKIX_CERTARECERTPOLICIESCRITICALFAILED);
/* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
for (polX = 0; polX < numPolicies; polX++) {
PKIX_CHECK(PKIX_List_GetItem
(certPolicyInfos,
polX,
(PKIX_PL_Object **)&policy,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
(policy, &policyOID, plContext),
PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
(policy, &policyQualifiers, plContext),
PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
PKIX_EQUALS
(state->anyPolicyOID,
policyOID,
&result,
plContext,
PKIX_OIDEQUALFAILED);
if (result == PKIX_FALSE) {
/* Section 6.1.3(d)(1)(i) */
subroutineErr = pkix_PolicyChecker_CheckPolicy
(policyOID,
policyQualifiers,
cert,
policyMaps,
state,
plContext);
if (subroutineErr) {
goto subrErrorCleanup;
}
} else {
/*
* No descent (yet) for anyPolicy, but we will need
* the policyQualifiers for anyPolicy in 6.1.3(d)(2)
*/
PKIX_DECREF(qualsOfAny);
PKIX_INCREF(policyQualifiers);
qualsOfAny = policyQualifiers;
certPoliciesIncludeAny = PKIX_TRUE;
}
PKIX_DECREF(policy);
PKIX_DECREF(policyOID);
PKIX_DECREF(policyQualifiers);
}
/* Section 6.1.3(d)(2) */
if (certPoliciesIncludeAny == PKIX_TRUE) {
if (state->inhibitAnyPolicy > 0) {
doAnyPolicyProcessing = PKIX_TRUE;
} else {
/* We haven't yet counted the current cert */
if (((state->certsProcessed) + 1) <
(state->numCerts)) {
PKIX_CHECK(pkix_IsCertSelfIssued
(cert,
&doAnyPolicyProcessing,
plContext),
PKIX_ISCERTSELFISSUEDFAILED);
}
}
if (doAnyPolicyProcessing) {
subroutineErr = pkix_PolicyChecker_CheckAny
(state->validPolicyTree,
qualsOfAny,
policyMaps,
state,
plContext);
if (subroutineErr) {
goto subrErrorCleanup;
}
}
}
/* Section 6.1.3(d)(3) */
if (state->validPolicyTree) {
subroutineErr = pkix_PolicyNode_Prune
(state->validPolicyTree,
state->certsProcessed + 1,
&shouldBePruned,
plContext);
if (subroutineErr) {
goto subrErrorCleanup;
}
if (shouldBePruned) {
PKIX_DECREF(state->validPolicyTree);
PKIX_DECREF(state->anyPolicyNodeAtBottom);
}
}
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
} else {
/* Section 6.1.3(e) */
PKIX_DECREF(state->validPolicyTree);
PKIX_DECREF(state->anyPolicyNodeAtBottom);
PKIX_DECREF(state->newAnyPolicyNode);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
}
}
/* Section 6.1.3(f) */
if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
}
/*
* Remove Policy OIDs from list of unresolved critical
* extensions, if present.
*/
PKIX_CHECK(pkix_List_Remove
(unresolvedCriticals,
(PKIX_PL_Object *)state->certPoliciesExtension,
plContext),
PKIX_LISTREMOVEFAILED);
PKIX_CHECK(pkix_List_Remove
(unresolvedCriticals,
(PKIX_PL_Object *)state->policyMappingsExtension,
plContext),
PKIX_LISTREMOVEFAILED);
PKIX_CHECK(pkix_List_Remove
(unresolvedCriticals,
(PKIX_PL_Object *)state->policyConstraintsExtension,
plContext),
PKIX_LISTREMOVEFAILED);
PKIX_CHECK(pkix_List_Remove
(unresolvedCriticals,
(PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
plContext),
PKIX_LISTREMOVEFAILED);
state->certsProcessed++;
/* If this was not the last certificate, do next-cert preparation */
if (state->certsProcessed != state->numCerts) {
if (policyMaps) {
subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
(policyMaps,
certPoliciesIncludeAny,
qualsOfAny,
state,
plContext);
if (subroutineErr) {
goto subrErrorCleanup;
}
}
/* update anyPolicyNodeAtBottom pointer */
PKIX_DECREF(state->anyPolicyNodeAtBottom);
state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
state->newAnyPolicyNode = NULL;
/* Section 6.1.4(h) */
PKIX_CHECK(pkix_IsCertSelfIssued
(cert, &isSelfIssued, plContext),
PKIX_ISCERTSELFISSUEDFAILED);
if (!isSelfIssued) {
if (state->explicitPolicy > 0) {
state->explicitPolicy--;
}
if (state->policyMapping > 0) {
state->policyMapping--;
}
if (state->inhibitAnyPolicy > 0) {
state->inhibitAnyPolicy--;
}
}
/* Section 6.1.4(i) */
PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
(cert, &explicitPolicySkipCerts, plContext),
PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
if (explicitPolicySkipCerts != -1) {
if (((PKIX_UInt32)explicitPolicySkipCerts) <
(state->explicitPolicy)) {
state->explicitPolicy =
((PKIX_UInt32) explicitPolicySkipCerts);
}
}
PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
(cert, &inhibitMappingSkipCerts, plContext),
PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
if (inhibitMappingSkipCerts != -1) {
if (((PKIX_UInt32)inhibitMappingSkipCerts) <
(state->policyMapping)) {
state->policyMapping =
((PKIX_UInt32)inhibitMappingSkipCerts);
}
}
PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
(cert, &inhibitAnyPolicySkipCerts, plContext),
PKIX_CERTGETINHIBITANYPOLICYFAILED);
if (inhibitAnyPolicySkipCerts != -1) {
if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
(state->inhibitAnyPolicy)) {
state->inhibitAnyPolicy =
((PKIX_UInt32)inhibitAnyPolicySkipCerts);
}
}
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)state, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
} else { /* If this was the last certificate, do wrap-up processing */
/* Section 6.1.5 */
subroutineErr = pkix_PolicyChecker_WrapUpProcessing
(cert, state, plContext);
if (subroutineErr) {
goto subrErrorCleanup;
}
if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
}
PKIX_DECREF(state->anyPolicyNodeAtBottom);
PKIX_DECREF(state->newAnyPolicyNode);
}
if (subroutineErr) {
subrErrorCleanup:
/* We had an error. Was it a fatal error? */
pkixErrorClass = subroutineErr->errClass;
if (pkixErrorClass == PKIX_FATAL_ERROR) {
pkixErrorResult = subroutineErr;
subroutineErr = NULL;
goto cleanup;
}
/*
* Abort policy processing, and then determine whether
* we can continue without policy processing.
*/
PKIX_DECREF(state->validPolicyTree);
PKIX_DECREF(state->anyPolicyNodeAtBottom);
PKIX_DECREF(state->newAnyPolicyNode);
if (state->explicitPolicy == 0) {
PKIX_ERROR
(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
}
}
/* Checking is complete. Save state for the next certificate. */
PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
(checker, (PKIX_PL_Object *)state, plContext),
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
cleanup:
#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
if (cert) {
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)cert, &certString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(certString,
PKIX_ESCASCII,
(void **)&certAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
PKIX_FREE(certAscii);
PKIX_DECREF(certString);
}
if (state) {
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)state, &stateString, plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
(stateString,
PKIX_ESCASCII,
(void **)&stateAscii,
&length,
plContext),
PKIX_STRINGGETENCODEDFAILED);
PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
PKIX_FREE(stateAscii);
PKIX_DECREF(stateString);
}
#endif
PKIX_DECREF(state);
PKIX_DECREF(certPolicyInfos);
PKIX_DECREF(policy);
PKIX_DECREF(qualsOfAny);
PKIX_DECREF(policyQualifiers);
PKIX_DECREF(policyOID);
PKIX_DECREF(subroutineErr);
PKIX_DECREF(policyMaps);
PKIX_DECREF(mappedPolicies);
PKIX_RETURN(CERTCHAINCHECKER);
}
/*
* FUNCTION: pkix_PolicyChecker_Initialize
* DESCRIPTION:
*
* Creates and initializes a PolicyChecker, using the List pointed to
* by "initialPolicies" for the user-initial-policy-set, the Boolean value
* of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
* the Boolean value of "initialPolicyMappingInhibit" for the
* inhibitPolicyMappings parameter, the Boolean value of
* "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
* Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
* parameter, and the UInt32 value of "numCerts" as the number of
* certificates in the chain; and stores the Checker at "pChecker".
*
* PARAMETERS:
* "initialPolicies"
* Address of List of OIDs comprising the user-initial-policy-set; the List
* may be empty or NULL
* "policyQualifiersRejected"
* Boolean value of the policyQualifiersRejected parameter
* "initialPolicyMappingInhibit"
* Boolean value of the inhibitPolicyMappings parameter
* "initialExplicitPolicy"
* Boolean value of the initialExplicitPolicy parameter
* "initialAnyPolicyInhibit"
* Boolean value of the inhibitAnyPolicy parameter
* "numCerts"
* Number of certificates in the chain to be validated
* "pChecker"
* Address to store the created PolicyChecker. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a CertChainChecker Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_PolicyChecker_Initialize(
PKIX_List *initialPolicies,
PKIX_Boolean policyQualifiersRejected,
PKIX_Boolean initialPolicyMappingInhibit,
PKIX_Boolean initialExplicitPolicy,
PKIX_Boolean initialAnyPolicyInhibit,
PKIX_UInt32 numCerts,
PKIX_CertChainChecker **pChecker,
void *plContext)
{
PKIX_PolicyCheckerState *polCheckerState = NULL;
PKIX_List *policyExtensions = NULL; /* OIDs */
PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
PKIX_NULLCHECK_ONE(pChecker);
PKIX_CHECK(pkix_PolicyCheckerState_Create
(initialPolicies,
policyQualifiersRejected,
initialPolicyMappingInhibit,
initialExplicitPolicy,
initialAnyPolicyInhibit,
numCerts,
&polCheckerState,
plContext),
PKIX_POLICYCHECKERSTATECREATEFAILED);
/* Create the list of extensions that we handle */
PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
PKIX_TRUE,
&policyExtensions,
plContext),
PKIX_POLICYCHECKERMAKESINGLETONFAILED);
PKIX_CHECK(PKIX_CertChainChecker_Create
(pkix_PolicyChecker_Check,
PKIX_FALSE, /* forwardCheckingSupported */
PKIX_FALSE,
policyExtensions,
(PKIX_PL_Object *)polCheckerState,
pChecker,
plContext),
PKIX_CERTCHAINCHECKERCREATEFAILED);
cleanup:
PKIX_DECREF(polCheckerState);
PKIX_DECREF(policyExtensions);
PKIX_RETURN(CERTCHAINCHECKER);
}