/****************************************************************************
*
* Copyright (C) 2002 PGP Corporation
*
****************************************************************************/
#include <sys/types.h>
#include <string.h>
#include <time.h>
#include "cms.h"
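/* Public-key algorithm family reported by GetAlgorithm().
   An enum rather than #defines: debugger-visible and scoped, same values. */
enum {
    ALG_UNKNOWN = 0,
    ALG_RSA = 1,
    ALG_DSA = 2
};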
/* Maps a signature/key algorithm OID to its algorithm family.
   Returns ALG_RSA or ALG_DSA for the OIDs listed below, ALG_UNKNOWN
   otherwise. The table is scanned in order; the first match wins. */
static int GetAlgorithm(PKIOBJECT_ID alg)
{
    /* Known OIDs, in the same order as the original comparison chain. */
    const struct { const void *oid; size_t len; int family; } known[] = {
        { TC_ALG_RSA_MD2,  TC_ALG_RSA_MD2_LEN,  ALG_RSA },
        { TC_ALG_RSA_MD5,  TC_ALG_RSA_MD5_LEN,  ALG_RSA },
        { TC_ALG_RSA_SHA1, TC_ALG_RSA_SHA1_LEN, ALG_RSA },
        { TC_ALG_RSA,      TC_ALG_RSA_LEN,      ALG_RSA },
        { TC_ALG_DSA_SHA1, TC_ALG_DSA_SHA1_LEN, ALG_DSA },
        { TC_ALG_DSA,      TC_ALG_DSA_LEN,      ALG_DSA },
    };
    size_t k;

    for (k = 0; k < sizeof known / sizeof known[0]; k++) {
        /* Length is compared first so memcmp never reads past a shorter OID. */
        if (alg.len == known[k].len &&
            memcmp(alg.val, known[k].oid, known[k].len) == 0) {
            return known[k].family;
        }
    }
    return ALG_UNKNOWN;
}
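/* Certificate extension kinds recognised by ExtType(), one per id-ce OID
   this checker knows about. An enum rather than #defines: debugger-visible
   and scoped, same values. */
enum {
    EXT_UNKNOWN = 0,
    EXT_AUTHKEYID = 1,
    EXT_SUBJKEYID = 2,
    EXT_KEYUSAGE = 3,
    EXT_PRIVKEYUSAGE = 4,
    EXT_POLICYMAP = 5,
    EXT_SUBALTNAME = 6,
    EXT_ISSUERALTNAME = 7,
    EXT_SUBJDIRATTR = 8,
    EXT_BASICCON = 9,
    EXT_NAMECON = 10,
    EXT_POLICYCON = 11
};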
/* Classifies an extension OID as one of the EXT_* kinds.
   Returns EXT_UNKNOWN for any OID not in the table below. The table is
   scanned in order; the first match wins. */
static int ExtType(PKIOBJECT_ID oid)
{
    /* id-ce OIDs, in the same order as the original comparison chain. */
    const struct { const void *val; size_t len; int kind; } table[] = {
        { PKIid_ce_authorityKeyIdentifier_OID,
          PKIid_ce_authorityKeyIdentifier_OID_LEN,     EXT_AUTHKEYID },
        { PKIid_ce_subjectKeyIdentifier_OID,
          PKIid_ce_subjectKeyIdentifier_OID_LEN,       EXT_SUBJKEYID },
        { PKIid_ce_keyUsage_OID,
          PKIid_ce_keyUsage_OID_LEN,                   EXT_KEYUSAGE },
        { PKIid_ce_issuerAltName_OID,
          PKIid_ce_issuerAltName_OID_LEN,              EXT_ISSUERALTNAME },
        { PKIid_ce_subjectAltName_OID,
          PKIid_ce_subjectAltName_OID_LEN,             EXT_SUBALTNAME },
        { PKIid_ce_privateKeyUsagePeriod_OID,
          PKIid_ce_privateKeyUsagePeriod_OID_LEN,      EXT_PRIVKEYUSAGE },
        { PKIid_ce_policyMappings_OID,
          PKIid_ce_policyMappings_OID_LEN,             EXT_POLICYMAP },
        { PKIid_ce_subjectDirectoryAttributes_OID,
          PKIid_ce_subjectDirectoryAttributes_OID_LEN, EXT_SUBJDIRATTR },
        { PKIid_ce_basicConstraints_OID,
          PKIid_ce_basicConstraints_OID_LEN,           EXT_BASICCON },
        { PKIid_ce_nameConstraints_OID,
          PKIid_ce_nameConstraints_OID_LEN,            EXT_NAMECON },
        { PKIid_ce_policyConstraints_OID,
          PKIid_ce_policyConstraints_OID_LEN,          EXT_POLICYCON },
    };
    size_t k;

    for (k = 0; k < sizeof table / sizeof table[0]; k++) {
        /* Length is compared first so memcmp never reads past a shorter OID. */
        if (oid.len == table[k].len &&
            memcmp(oid.val, table[k].val, table[k].len) == 0) {
            return table[k].kind;
        }
    }
    return EXT_UNKNOWN;
}
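/* Placeholder for the distinguished-name string check: DirectoryString
   components must be PrintableString, BMPString, or UTF8String
   (sections 4.2.1.4 and 4.1.2.6 per the original note).
   Not implemented; always returns 0 (success).
   NOTE(review): because this accepts unconditionally, a name using a
   disallowed string type currently passes this check.
   Declared with (void): an empty parameter list is an unprototyped
   declaration in C and disables argument checking at call sites. */
static int CheckDname(void)
{
    return 0;
}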
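/* Appends one error code to errorList and advances *count.
   NOTE(review): errorList carries no capacity parameter, so nothing here
   can bound the write; the caller must size the array for the worst case
   (one TC_E_DuplicateExtensionEntry per duplicate pair plus up to two
   errors per extension). Adding a bound would change the public signature
   of CheckExtensions, so it is only documented here. */
static void AddError(int errorList[], int *count, int code)
{
    errorList[*count] = code;
    (*count)++;
}

/* Returns non-zero when extension i carries an explicit critical flag
   whose decoded value is not PKIFALSE. An absent flag (NULL) is treated
   as non-critical, matching the DEFAULT FALSE noted at the callers. */
static int ExtMarkedCritical(TC_CONTEXT *ctx, TC_ExtensionList *exts, int i)
{
    return exts->elt[i]->critical != NULL &&
           PKIGetBoolVal(ctx->certasnctx, exts->elt[i]->critical) != PKIFALSE;
}

/* Profile checks on the extensions of a to-be-signed certificate.
   Every violation found is appended to errorList starting at *numErrors,
   and *numErrors is updated to the new count. Section numbers in the
   comments refer to the PKIX certificate profile the original author
   cited.
   tbsCert   - parsed TBSCertificate whose extensions are examined
   certType  - TC_EndEntity / TC_CertificateAuthority / TC_RootCertAuthority
   errorList - output array of TC_E_* codes (see AddError about sizing)
   numErrors - in: current count in errorList; out: updated count
   ctx       - decoding context used to read BOOLEAN values */
static void CheckExtensions(
    const TC_TBSCertificate *tbsCert,
    TC_CertType certType,
    int errorList[],
    int *numErrors,
    TC_CONTEXT *ctx)
{
    int localNumErrors = *numErrors;
    TC_ExtensionList *exts = tbsCert->extensions;
    int i, j;

    /* No extension list, nothing to check. The original dereferenced exts
       unconditionally; whether the parser yields NULL or an empty list for
       a certificate without extensions is not visible here, so both are
       handled (an empty list makes neither loop below run). */
    if (exts == NULL) {
        return;
    }

    /* only one instance of an extension type in a cert; 4.2 */
    /* `i + 1 < n` instead of `i < n - 1`: if n is an unsigned type,
       n - 1 wraps for an empty list and the loop would read past elt[]. */
    for (i = 0; i + 1 < exts->n; i++) {
        for (j = i + 1; j < exts->n; j++) {
            if (exts->elt[i]->extnID.len == exts->elt[j]->extnID.len &&
                memcmp(exts->elt[i]->extnID.val,
                       exts->elt[j]->extnID.val,
                       exts->elt[j]->extnID.len) == 0) {
                AddError(errorList, &localNumErrors,
                         TC_E_DuplicateExtensionEntry);
            }
        }
    }

    for (i = 0; i < exts->n; i++) {
        switch (ExtType(exts->elt[i]->extnID)) {
        case EXT_AUTHKEYID:
            /* authority key identifier uses the keyIdentifier field; 4.2.1.1 */
            /* ext. not supported yet */
            /* authority key identifier not critical; 4.2.1.1 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_AuthKeyIDMarkedCritical);
            }
            break;

        case EXT_SUBJKEYID:
            /* subject key identifier must be present in CA certs; 4.2.1.2 */
            /* subject key identifier should be present in EE certs; 4.2.1.2 */
            /* ext. not supported yet */
            /* subject key identifier not critical; 4.2.1.2 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_SubjectKeyIDMarkedCritical);
            }
            break;

        case EXT_KEYUSAGE:
            /* key usage is critical; 4.2.1.3 (absent flag == not critical) */
            if (!ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_KeyUsageNotMarkedCritical);
            }
            break;

        case EXT_PRIVKEYUSAGE:
            /* do not use private key usage extension; 4.2.1.4 */
            AddError(errorList, &localNumErrors, TC_E_DontUsePrivateKeyUsage);
            break;

        case EXT_POLICYMAP:
            /* policy mappings not critical; 4.2.1.6 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_PolicyMappingMarkedCritical);
            }
            break;

        case EXT_SUBALTNAME:
            /* if subject field is empty then subjectAltName is critical
               (if present); 4.2.1.7 */
            /* ip address in sub/issuer altName is either 4 or
               16 bytes; 4.2.1.7 */
            /* as least one entry in sub/issuer altName; 4.2.1.7, 4.2.1.8 */
            /* names sub/issuer altName are not blank or just
               whitespace; 4.2.1.7, 4.2.1.8 */
            /* None of the above is checked yet: this case reports nothing. */
            break;

        case EXT_ISSUERALTNAME:
            /* issuerAltName is not critical; 4.2.1.8 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_IssuerAltNameMarkedCritical);
            }
            /* ip address in sub/issuer altName is either 4 or
               16 bytes; 4.2.1.7 */
            /* as least one entry in sub/issuer altName; 4.2.1.7, 4.2.1.8 */
            /* names sub/issuer altName are not blank or just
               whitespace; 4.2.1.7, 4.2.1.8 */
            break;

        case EXT_SUBJDIRATTR:
            /* subject directory attributes is not critical; 4.2.1.9 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_SubjectDirAttrMarkedCritical);
            }
            break;

        case EXT_BASICCON:
            /* CA certs must have basic constraints; 4.2.1.10 */
            /* EE certs do not have basic constraints; 4.2.1.10 */
            if (certType == TC_EndEntity) {
                AddError(errorList, &localNumErrors,
                         TC_E_EECertWithBasicConstraints);
            }
            /* by default extensions should be false; 4.2 */
            /* NOTE(review): the PKIX profile (RFC 3280 4.2.1.10) requires
               basicConstraints to be marked critical in CA certificates;
               reporting a critical flag as an error here looks inverted for
               CA certs. Behaviour kept as-is; confirm intent before changing. */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_BasicConstraintsMarkedCritical);
            }
            break;

        case EXT_NAMECON: /* ext. not supported yet */
            /* name constraints only in CA certs; 4.2.1.11 */
            /* Fixed: the original used `||` here, which is true for every
               certType (a value cannot equal two distinct constants), so
               every certificate carrying name constraints was flagged.
               The CA check is that the type is neither CA kind. */
            if (certType != TC_RootCertAuthority &&
                certType != TC_CertificateAuthority) {
                AddError(errorList, &localNumErrors,
                         TC_E_NonCACertWithNameConstraints);
            }
            /* name constraints is critical; 4.2.1.11 (absent flag == not critical) */
            if (!ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_NameConstraintsNotMarkedCritical);
            }
            break;

        case EXT_POLICYCON:
            /* one field present in policy constraints; 4.2.1.12 */
            /* ext. not supported yet */
            /* by default extensions should be false; 4.2 */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_PolicyConstraintsMarkedCritical);
            }
            break;

        default:
            /* by default extensions should be false; 4.2 */
            /* An unrecognised extension marked critical cannot be honoured,
               so it is reported rather than silently accepted. */
            if (ExtMarkedCritical(ctx, exts, i)) {
                AddError(errorList, &localNumErrors,
                         TC_E_UnknownExtensionMarkedCritical);
            }
            break;
        } /* switch */
    } /* for each extension */

    *numErrors = localNumErrors;
}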