Back to index

lightning-sunbird  0.9+nobinonly
xbsconst.c
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 
00037 /*
00038  * X.509 v3 Basic Constraints Extension 
00039  */
00040 
00041 #include "prtypes.h"
00042 #include "mcom_db.h"
00043 #include "seccomon.h"
00044 #include "secdert.h"
00045 #include "secoidt.h"
00046 #include "secasn1t.h"
00047 #include "secasn1.h"
00048 #include "certt.h"
00049 #include "secder.h"
00050 #include "prprf.h"
00051 #include "secerr.h"
00052 
00053 typedef struct EncodedContext{
00054     SECItem isCA;
00055     SECItem pathLenConstraint;
00056     SECItem encodedValue;
00057     PRArenaPool *arena;
00058 }EncodedContext;
00059 
00060 static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
00061     { SEC_ASN1_SEQUENCE,
00062          0, NULL, sizeof(EncodedContext) },
00063     { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,             /* XXX DER_DEFAULT */
00064          offsetof(EncodedContext,isCA)},
00065     { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
00066          offsetof(EncodedContext,pathLenConstraint) },
00067     { 0, }
00068 };
00069 
00070 static unsigned char hexTrue = 0xff;
00071 static unsigned char hexFalse = 0x00;
00072 
00073 #define GEN_BREAK(status) rv = status; break;
00074 
00075 SECStatus CERT_EncodeBasicConstraintValue
00076    (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
00077 {
00078     EncodedContext encodeContext;
00079     PRArenaPool *our_pool = NULL;   
00080     SECStatus rv = SECSuccess;
00081 
00082     do {
00083        PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
00084        if (!value->isCA && value->pathLenConstraint >= 0) {
00085            PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
00086            GEN_BREAK (SECFailure);
00087        }
00088 
00089         encodeContext.arena = arena;
00090        if (value->isCA == PR_TRUE) {
00091            encodeContext.isCA.data =  &hexTrue ;
00092            encodeContext.isCA.len = 1;
00093        }
00094 
00095        /* If the pathLenConstraint is less than 0, then it should be
00096         * omitted from the encoding.
00097         */
00098        if (value->isCA && value->pathLenConstraint >= 0) {
00099            our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
00100            if (our_pool == NULL) {
00101               PORT_SetError (SEC_ERROR_NO_MEMORY);
00102               GEN_BREAK (SECFailure);
00103            }
00104            if (SEC_ASN1EncodeUnsignedInteger
00105               (our_pool, &encodeContext.pathLenConstraint,
00106                (unsigned long)value->pathLenConstraint) == NULL) {
00107               PORT_SetError (SEC_ERROR_NO_MEMORY);
00108               GEN_BREAK (SECFailure);
00109            }
00110        }
00111        if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
00112                             CERTBasicConstraintsTemplate) == NULL) {
00113            GEN_BREAK (SECFailure);
00114        }
00115     } while (0);
00116     if (our_pool)
00117        PORT_FreeArena (our_pool, PR_FALSE);
00118     return(rv);
00119 
00120 }
00121 
00122 SECStatus CERT_DecodeBasicConstraintValue
00123    (CERTBasicConstraints *value, SECItem *encodedValue)
00124 {
00125     EncodedContext decodeContext;
00126     PRArenaPool *our_pool;
00127     SECStatus rv = SECSuccess;
00128 
00129     do {
00130        PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
00131        /* initialize the value just in case we got "0x30 00", or when the
00132           pathLenConstraint is omitted.
00133          */
00134        decodeContext.isCA.data =&hexFalse;
00135        decodeContext.isCA.len = 1;
00136        
00137        our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
00138        if (our_pool == NULL) {
00139            PORT_SetError (SEC_ERROR_NO_MEMORY);
00140            GEN_BREAK (SECFailure);
00141        }
00142 
00143         rv = SEC_QuickDERDecodeItem
00144             (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
00145        if (rv == SECFailure)
00146            break;
00147        
00148        value->isCA = decodeContext.isCA.data 
00149                      ? (PRBool)(decodeContext.isCA.data[0] != 0)
00150                     : PR_FALSE;
00151        if (decodeContext.pathLenConstraint.data == NULL) {
00152            /* if the pathLenConstraint is not encoded, and the current setting
00153              is CA, then the pathLenConstraint should be set to a negative number
00154              for unlimited certificate path.
00155             */
00156            if (value->isCA)
00157               value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
00158        } else if (value->isCA) {
00159            long len = DER_GetInteger (&decodeContext.pathLenConstraint);
00160            if (len < 0 || len == LONG_MAX) {
00161               PORT_SetError (SEC_ERROR_BAD_DER);
00162               GEN_BREAK (SECFailure);
00163            }
00164            value->pathLenConstraint = len;
00165        } else {
00166            /* here we get an error where the subject is not a CA, but
00167               the pathLenConstraint is set */
00168            PORT_SetError (SEC_ERROR_BAD_DER);
00169            GEN_BREAK (SECFailure);
00170            break;
00171        }
00172         
00173     } while (0);
00174     PORT_FreeArena (our_pool, PR_FALSE);
00175     return (rv);
00176 
00177 }