genname.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 1,611 行 · 第 1/3 页

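    PORT_Assert(arena);
    if (constraints->permited != NULL) {
        rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
                                              &constraints->DERPermited, PR_TRUE);
        if (rv == SECFailure) {
            goto loser;
        }
    }
    if (constraints->excluded != NULL) {
        rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
                                              &constraints->DERExcluded, PR_FALSE);
        if (rv == SECFailure) {
            goto loser;
        }
    }
    dest = SEC_ASN1EncodeItem(arena, dest, constraints,
                              CERTNameConstraintsTemplate);
    if (dest == NULL) {
        goto loser;
    }
    return SECSuccess;
loser:
    return SECFailure;
}

/*
 * Decode one DER-encoded name constraint into a CERTNameConstraint that is
 * allocated from `arena`.
 *
 * arena             - pool that owns the returned structure (asserted non-NULL)
 * encodedConstraint - the DER item to decode
 *
 * Returns the decoded constraint, or NULL when allocation or decoding fails.
 * Nothing is released on failure; the storage stays with the arena.
 */
CERTNameConstraint *
cert_DecodeNameConstraint(PRArenaPool       *arena,
                          SECItem           *encodedConstraint)
{
    CERTNameConstraint     *constraint;
    SECStatus              rv = SECSuccess;
    CERTGeneralName        *temp;

    PORT_Assert(arena);
    constraint = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
    /* The decoder writes through this pointer, so an allocation failure has
     * to be caught before the pointer is used. */
    if (constraint == NULL) {
        goto loser;
    }
    rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, encodedConstraint);
    if (rv != SECSuccess) {
        goto loser;
    }
    /* Success is signalled by getting back the destination that was passed in. */
    temp = cert_DecodeGeneralName(arena, &(constraint->DERName), &(constraint->name));
    if (temp != &(constraint->name)) {
        goto loser;
    }
    /* A name constraint holds exactly one CERTGeneralName, so its embedded
     * list is made a one-element ring; it must not point at any other node.
     */
    constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
    return constraint;
loser:
    return NULL;
}

/*
 * Decode a NULL-terminated array of DER-encoded subtrees into a circular,
 * doubly linked list of CERTNameConstraint nodes, in array order.
 *
 * arena    - pool that owns every decoded node
 * subTree  - NULL-terminated array of encoded constraints
 * permited - not read by this function
 *
 * Returns the first node of the list, or NULL when a subtree fails to decode
 * or the array is empty.
 */
CERTNameConstraint *
cert_DecodeNameConstraintSubTree(PRArenaPool   *arena,
                                 SECItem       **subTree,
                                 PRBool        permited)
{
    CERTNameConstraint   *current = NULL;
    CERTNameConstraint   *first = NULL;
    CERTNameConstraint   *last = NULL;
    int                  i = 0;

    while (subTree[i] != NULL) {
        current = cert_DecodeNameConstraint(arena, subTree[i]);
        if (current == NULL) {
            goto loser;
        }
        if (last == NULL) {
            first = last = current;
        }
        current->l.prev = &(last->l);
        current->l.next = last->l.next;
        last->l.next = &(current->l);
        /* Advance the tail; otherwise every node after the second is spliced
         * in right behind the head and the prev links stop matching the next
         * links. */
        last = current;
        i++;
    }
    /* An empty array leaves no head node to close the ring on. */
    if (first == NULL) {
        goto loser;
    }
    first->l.prev = &(last->l);
    return first;
loser:
    /* The nodes were allocated from the arena by cert_DecodeNameConstraint,
     * so they are not handed to PORT_Free here; the arena's owner reclaims
     * them. */
    return NULL;
}

/*
 * Decode a DER-encoded NameConstraints value.
 *
 * The outer structure is decoded with CERTNameConstraintsTemplate; the
 * permitted and excluded subtree arrays are then decoded into linked lists
 * when they are present and non-empty.
 *
 * arena              - pool that owns everything returned (asserted non-NULL)
 * encodedConstraints - the DER item to decode (asserted non-NULL)
 *
 * Returns the decoded structure, or NULL on any failure.
 */
CERTNameConstraints *
cert_DecodeNameConstraints(PRArenaPool   *arena,
                           SECItem       *encodedConstraints)
{
    CERTNameConstraints   *constraints;
    SECStatus             rv;

    PORT_Assert(arena);
    PORT_Assert(encodedConstraints);
    constraints = (CERTNameConstraints *) PORT_ArenaZAlloc(arena,
                                                           sizeof(CERTNameConstraints));
    if (constraints == NULL) {
        goto loser;
    }
    rv = SEC_ASN1DecodeItem(arena, constraints, CERTNameConstraintsTemplate,
                            encodedConstraints);
    if (rv != SECSuccess) {
        goto loser;
    }
    /* The subtree decoder is only called with at least one entry. */
    if (constraints->DERPermited != NULL && constraints->DERPermited[0] != NULL) {
        constraints->permited = cert_DecodeNameConstraintSubTree(arena,
                                                                 constraints->DERPermited,
                                                                 PR_TRUE);
        if (constraints->permited == NULL) {
            goto loser;
        }
    }
    if (constraints->DERExcluded != NULL && constraints->DERExcluded[0] != NULL) {
        constraints->excluded = cert_DecodeNameConstraintSubTree(arena,
                                                                 constraints->DERExcluded,
                                                                 PR_FALSE);
        if (constraints->excluded == NULL) {
            goto loser;
        }
    }
    return constraints;
loser:
    return NULL;
}

/*
 * Copy the circular list of general names starting at `src` into the list
 * starting at `dest`.
 *
 * Existing nodes of the destination list are reused; when the destination
 * list is shorter than the source, new nodes are appended.  New nodes come
 * from `arena` when it is non-NULL and from the heap otherwise.
 *
 * arena - pool for copied items and new nodes, or NULL
 * dest  - head of the destination list; its `l` links must already form a
 *         valid ring, because the ring is walked to find the end
 * src   - head of the source list
 *
 * Returns SECSuccess, the failing status of the first item copy that fails,
 * or SECFailure when a new node cannot be allocated.
 */
SECStatus
CERT_CopyGeneralName(PRArenaPool      *arena,
                     CERTGeneralName  *dest,
                     CERTGeneralName  *src)
{
    SECStatus rv;
    CERTGeneralName *destHead = dest;
    CERTGeneralName *srcHead = src;
    CERTGeneralName *temp;

    PORT_Assert(dest != NULL);
    do {
        /* Set the type on every destination node, not only the head, so that
         * appended nodes do not keep the zero left by the zeroing allocator. */
        dest->type = src->type;
        switch (src->type) {
          case certDirectoryName: {
              rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, &src->derDirectoryName);
              if (rv != SECSuccess) {
                  return rv;
              }
              rv = CERT_CopyName(arena, &dest->name.directoryName, &src->name.directoryName);
              break;
          }
          case certOtherName: {
              rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, &src->name.OthName.name);
              if (rv != SECSuccess) {
                  return rv;
              }
              rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, &src->name.OthName.oid);
              break;
          }
          default: {
              rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other);
          }
        }
        src = cert_get_next_general_name(src);
        /* if there is only one general name, we shouldn't do this */
        if (src != srcHead) {
            if (dest->l.next == &destHead->l) {
                /* The destination ring is exhausted: append a fresh node. */
                if (arena) {
                    temp = (CERTGeneralName *)
                      PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
                } else {
                    temp = (CERTGeneralName *)
                      PORT_ZAlloc(sizeof(CERTGeneralName));
                }
                /* The node is linked in immediately, so a failed allocation
                 * must stop the copy here. */
                if (temp == NULL) {
                    return SECFailure;
                }
                temp->l.next = &destHead->l;
                temp->l.prev = &dest->l;
                destHead->l.prev = &temp->l;
                dest->l.next = &temp->l;
                dest = temp;
            } else {
                dest = cert_get_next_general_name(dest);
            }
        }
    } while (src != srcHead && rv == SECSuccess);
    return rv;
}

/*
 * Take another reference on a general-name list.
 *
 * The reference count is incremented while holding list->lock.  The same
 * pointer is returned; a NULL list is passed through untouched.
 */
CERTGeneralNameList *
CERT_DupGeneralNameList(CERTGeneralNameList *list)
{
    if (list != NULL) {
        PR_Lock(list->lock);
        list->refCount++;
        PR_Unlock(list->lock);
    }
    return list;
}

/*
 * Copy a single name constraint.
 *
 * arena - pool for the copy
 * dest  - destination, or NULL to have one allocated from `arena`
 * src   - constraint to copy
 *
 * Copies the general name, the DER name and the min/max items, then makes
 * the destination a one-element list.  Returns the destination, or NULL when
 * allocation or any copy fails.
 */
CERTNameConstraint *
CERT_CopyNameConstraint(PRArenaPool         *arena,
                        CERTNameConstraint  *dest,
                        CERTNameConstraint  *src)
{
    SECStatus  rv;

    if (dest == NULL) {
        dest = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
        /* The new node is written to on the next line, so check it first. */
        if (dest == NULL) {
            goto loser;
        }
        /* mark that it is not linked */
        dest->name.l.prev = dest->name.l.next = &(dest->name.l);
    }
    rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
    if (rv != SECSuccess) {
        goto loser;
    }
    rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
    if (rv != SECSuccess) {
        goto loser;
    }
    rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
    if (rv != SECSuccess) {
        goto loser;
    }
    rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
    if (rv != SECSuccess) {
        goto loser;
    }
    dest->l.prev = dest->l.next = &dest->l;
    return dest;
loser:
    return NULL;
}

/*
 * Join two circular lists of general names into one ring, with the nodes of
 * list2 following the nodes of list1.
 *
 * Returns list1 as the head of the joined list, or whichever argument is
 * non-NULL when the other is NULL.
 */
CERTGeneralName *
cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
{
    PRCList *begin1;
    PRCList *begin2;
    PRCList *end1;
    PRCList *end2;

    if (list1 == NULL){
        return list2;
    } else if (list2 == NULL) {
        return list1;
    } else {
        begin1 = &list1->l;
        begin2 = &list2->l;
        end1 = list1->l.prev;
        end2 = list2->l.prev;
        /* tail of list1 -> head of list2, tail of list2 -> head of list1 */
        end1->next = begin2;
        end2->next = begin1;
        begin1->prev = end2;
        begin2->prev = end1;
        return list1;
    }
}

/*
 * Join two circular lists of name constraints into one ring, with the nodes
 * of list2 following the nodes of list1.
 *
 * Returns list1 as the head of the joined list, or whichever argument is
 * non-NULL when the other is NULL.
 */
CERTNameConstraint *
cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
{
    PRCList *begin1;
    PRCList *begin2;
    PRCList *end1;
    PRCList *end2;

    if (list1 == NULL){
        return list2;
    } else if (list2 == NULL) {
        return list1;
    } else {
        begin1 = &list1->l;
        begin2 = &list2->l;
        end1 = list1->l.prev;
        end2 = list2->l.prev;
        /* tail of list1 -> head of list2, tail of list2 -> head of list1 */
        end1->next = begin2;
        end2->next = begin1;
        begin1->prev = end2;
        begin2->prev = end1;
        return list1;
    }
}

/*
 * Append one constraint to a constraint list.
 *
 * The constraint's own links are reset to a one-element ring first, so any
 * list it was part of before is not carried along.  Returns the head of the
 * resulting list, which is `constraint` itself when `list` is NULL.
 */
CERTNameConstraint *
CERT_AddNameConstraint(CERTNameConstraint *list,
                       CERTNameConstraint *constraint)
{
    PORT_Assert(constraint != NULL);
    constraint->l.next = constraint->l.prev = &constraint->l;
    list = cert_CombineConstraintsLists(list, constraint);
    return list;
}

/*
 * Collect copies of the constraints that apply to one general-name type.
 *
 * constraints - head of the circular constraint list to search, or NULL
 * type        - the general-name type wanted
 * returnList  - receives the head of the list of copies, or NULL when
 *               nothing matches
 * arena       - pool the copies are allocated from
 *
 * A request for certDirectoryName also selects certRFC822Name constraints.
 *
 * Returns SECSuccess, or SECFailure when a copy fails.  On failure
 * *returnList keeps whatever had been collected up to that point.
 */
SECStatus
CERT_GetNameConstriantByType (CERTNameConstraint *constraints,
                              CERTGeneralNameType type,
                              CERTNameConstraint **returnList,
                              PRArenaPool *arena)
{
    CERTNameConstraint *current;
    CERTNameConstraint *temp;

    *returnList = NULL;
    if (!constraints)
        return SECSuccess;
    current = constraints;
    do {
        if (current->name.type == type ||
            (type == certDirectoryName && current->name.type == certRFC822Name)) {
            /* A NULL destination makes the copy allocate its own node. */
            temp = CERT_CopyNameConstraint(arena, NULL, current);
            if (temp == NULL) {
                goto loser;
            }
            *returnList = CERT_AddNameConstraint(*returnList, temp);
        }
        current = cert_get_next_name_constraint(current);
    } while (current != constraints);
    return SECSuccess;
loser:
    return SECFailure;
}

/*
 * Find the first general name of a given type in a circular list.
 *
 * genNames  - head of the list, or NULL
 * type      - the type to look for
 * derFormat - for certDirectoryName only: non-zero selects the DER form
 *             (derDirectoryName), zero the decoded form (name.directoryName)
 *
 * Returns the address of the matching member inside the list node (the
 * pointed-to type therefore depends on `type` and `derFormat`), or NULL when
 * no node of that type exists.  The result points into the list; nothing is
 * copied.
 */
void *
CERT_GetGeneralNameByType (CERTGeneralName *genNames,
                           CERTGeneralNameType type, PRBool derFormat)
{
    CERTGeneralName *current;

    if (!genNames)
        return (NULL);
    current = genNames;
    do {
        if (current->type == type) {
            switch (type) {
              case certDNSName:
              case certEDIPartyName:
              case certIPAddress:
              case certRegisterID:
              case certRFC822Name:
              case certX400Address:
              case certURI: {
                    return &(current->name.other);
              }
              case certOtherName: {
                  return &(current->name.OthName);
              }
              case certDirectoryName: {
                  if (derFormat) {
                      return &(current->derDirectoryName);
                  } else{
                      return &(current->name.directoryName);
                  }
              }
              default: {
                  /* A type not listed above has no member to return; keep
                   * walking the list. */
                  break;
              }
            }
        }
        current = cert_get_next_general_name(current);
    } while (current != genNames);
    return (NULL);
}

/*
 * Count the nodes in a circular list of general names.
 * Returns 0 for a NULL list.
 */
int
CERT_GetNamesLength(CERTGeneralName *names)
{
    int              length = 0;
    CERTGeneralName  *first;

    first = names;
    if (names != NULL) {
        do {
            length++;
            names = cert_get_next_general_name(names);
        } while (names != first);
    }
    return length;
}

/*
 * Build the list of names a certificate asserts: its subject as a
 * directoryName, followed by the entries of its subjectAltName extension
 * when that extension is found.
 *
 * cert  - certificate to read
 * arena - pool the list is allocated from
 *
 * Returns the head of the list (the subject name), or NULL when allocation,
 * a copy, or decoding of the extension fails.  When the extension lookup
 * does not succeed, the subject name alone is returned.
 */
CERTGeneralName *
CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
{
    CERTGeneralName  *DN;
    CERTGeneralName  *altName;
    SECItem          altNameExtension;
    SECStatus        rv;

    DN = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
    if (DN == NULL) {
        goto loser;
    }
    rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
    DN->type = certDirectoryName;
    DN->l.next = DN->l.prev = &DN->l;
    if (rv != SECSuccess) {
        goto loser;
    }
    rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
    if (rv != SECSuccess) {
        goto loser;
    }
    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
                                &altNameExtension);
    if (rv != SECSuccess) {
        return DN;
    }
    /* NOTE(review): altNameExtension is never released here; confirm whether
     * CERT_FindCertExtension hands back storage the caller has to free. */
    altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
    if (altName == NULL) {
        goto loser;
    }
    DN = cert_CombineNamesLists(DN, altName);
    return DN;
loser:
    return NULL;
}

/*
 * Match a NUL-terminated name against a NUL-terminated constraint pattern.
 *
 * name       - string to test
 * constraint - pattern; a '*' switches matching of what follows it to
 *              substring mode
 * substring  - PR_FALSE: the two strings must agree character by character
 *              up to the end of both; PR_TRUE: the constraint may start
 *              anywhere in the name, and an exhausted constraint matches
 *
 * Characters are compared with ==, so the match is byte-exact and
 * case-sensitive.
 *
 * Returns SECSuccess on a match and SECFailure otherwise.
 *
 * The function recurses once per character consumed, so the recursion depth
 * grows with the length of the inputs.  The caller visible in this file
 * passes strings copied out of certificate name and constraint data.
 */
static SECStatus
compareNameToConstraint(char *name, char *constraint, PRBool substring)
{
    SECStatus  rv;

    if (*constraint == '\0' && *name == '\0') {
        return SECSuccess;
    }
    if (*constraint == '*') {
        return compareNameToConstraint(name, constraint + 1, PR_TRUE);
    }
    if (substring) {
        if (*constraint == '\0') {
            return SECSuccess;
        }
        /* Skip ahead to the next place the constraint could start. */
        while (*name != *constraint) {
            if (*name == '\0') {
                return SECFailure;
            }
            name++;
        }
        /* Try an exact match of the remainder from this position. */
        rv = compareNameToConstraint(name + 1, constraint + 1, PR_FALSE);
        if (rv == SECSuccess) {
            return rv;
        }
        /* No match here: retry the substring search one character on. */
        name++;
    } else {
        if (*name == *constraint) {
            name++;
            constraint++;
        } else {
            return SECFailure;
        }
    }
    return compareNameToConstraint(name, constraint, substring);
}

SECStatus
cert_CompareNameWithConstraints(CERTGeneralName     *name,
                                CERTNameConstraint  *constraints,
                                PRBool              excluded)
{
    SECStatus           rv = SECSuccess;
    char                *nameString = NULL;
    char                *constraintString = NULL;
    int                 start;
    int                 end;
    int                 tag;
    CERTRDN             **nameRDNS, *nameRDN;
    CERTRDN             **constraintRDNS, *constraintRDN;
    CERTAVA             **nameAVAS, *nameAVA;
    CERTAVA             **constraintAVAS, *constraintAVA;
    CERTNameConstraint  *current;
    SECItem             *avaValue;
    CERTName            constraintName;
    CERTName            certName;
    SECComparison       status = SECEqual;
    PRArenaPool         *certNameArena;
    PRArenaPool         *constraintNameArena;

    certName.arena = NULL;
    certName.rdns = NULL;
    constraintName.arena = NULL;
    constraintName.rdns = NULL;
    if (constraints != NULL) {
        current = constraints;
        if (name->type == certDirectoryName) {
            certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
            CERT_CopyName(certNameArena, &certName, &name->name.directoryName);
            nameRDNS = certName.rdns;
            for (;;) {
                nameRDN = *nameRDNS++;
                nameAVAS = nameRDN->avas;
                for(;;) {
                    nameAVA = *nameAVAS++;
                    tag = CERT_GetAVATag(nameAVA);
                    if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
                         tag == SEC_OID_RFC1274_MAIL) {
                        /* NOTE(review): avaValue and the PORT_ZAlloc result
                         * are used below without a NULL check; confirm that
                         * neither call can fail on certificate input. */
                        avaValue = CERT_DecodeAVAValue(&nameAVA->value);
                        nameString = (char*)PORT_ZAlloc(avaValue->len + 1);
                        nameString = PORT_Strncpy(nameString, (char *) avaValue->data, avaValue->len);
                        start = 0;
                        while(nameString[start] != '@' && nameString[start + 1] != '\0') {
                            start++;
                        }
                        start++;
                        do{
                            if (current->name.type == certRFC822Name) {
                                constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
                                constraintString = PORT_Strncpy(constraintString,
                                                                (char *) current->name.name.other.data,
                                                                current->name.name.other.len);
                                rv = compareNameToConstraint(nameString + start, constraintString,
                                                             PR_FALSE);
                                if (constraintString != NULL) {
                                    PORT_Free(constraintString);
                                    constraintString = NULL;
                                }
                                /* NOTE(review): nameString is released inside
                                 * this do-loop while the loop still reads
                                 * nameString + start; whether a later pass
                                 * can reach that read depends on code past
                                 * the end of this excerpt. */
                                if (nameString != NULL) {
                                    PORT_Free(nameString);
                                    nameString = NULL;
                                }
                                if (rv == SECSuccess && excluded == PR_TRUE) {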
