| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 /* | 5 /* |
| 6 * Moved from secpkcs7.c | 6 * Moved from secpkcs7.c |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 #include "cert.h" | 9 #include "cert.h" |
| 10 #include "certi.h" | 10 #include "certi.h" |
| (...skipping 1105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1116 { | 1116 { |
| 1117 return SECFailure; | 1117 return SECFailure; |
| 1118 } | 1118 } |
| 1119 } | 1119 } |
| 1120 /* free the array of CRLs */ | 1120 /* free the array of CRLs */ |
| 1121 if (cache->crls) | 1121 if (cache->crls) |
| 1122 { | 1122 { |
| 1123 PORT_Free(cache->crls); | 1123 PORT_Free(cache->crls); |
| 1124 } | 1124 } |
| 1125 /* destroy the cert */ | 1125 /* destroy the cert */ |
| 1126 if (cache->issuer) | 1126 if (cache->issuerDERCert) |
| 1127 { | 1127 { |
| 1128 CERT_DestroyCertificate(cache->issuer); | 1128 SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE); |
| 1129 } | 1129 } |
| 1130 /* free the subject */ | 1130 /* free the subject */ |
| 1131 if (cache->subject) | 1131 if (cache->subject) |
| 1132 { | 1132 { |
| 1133 SECITEM_FreeItem(cache->subject, PR_TRUE); | 1133 SECITEM_FreeItem(cache->subject, PR_TRUE); |
| 1134 } | 1134 } |
| 1135 /* free the distribution points */ | 1135 /* free the distribution points */ |
| 1136 if (cache->distributionPoint) | 1136 if (cache->distributionPoint) |
| 1137 { | 1137 { |
| 1138 SECITEM_FreeItem(cache->distributionPoint, PR_TRUE); | 1138 SECITEM_FreeItem(cache->distributionPoint, PR_TRUE); |
| (...skipping 425 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1564 if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError) | 1564 if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError) |
| 1565 { | 1565 { |
| 1566 crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL | 1566 crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL |
| 1567 with bogus DER. Mark it checked so we won't try again */ | 1567 with bogus DER. Mark it checked so we won't try again */ |
| 1568 PORT_SetError(SEC_ERROR_BAD_DER); | 1568 PORT_SetError(SEC_ERROR_BAD_DER); |
| 1569 return SECSuccess; | 1569 return SECSuccess; |
| 1570 } | 1570 } |
| 1571 else | 1571 else |
| 1572 { | 1572 { |
| 1573 SECStatus signstatus = SECFailure; | 1573 SECStatus signstatus = SECFailure; |
| 1574 if (cache->issuer) | 1574 if (cache->issuerDERCert) |
| 1575 { | 1575 { |
| 1576 signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate, | 1576 » CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle, |
| 1577 » » cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE); |
| 1578 |
| 1579 » if (issuer) { |
| 1580 signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate, |
| 1577 wincx); | 1581 wincx); |
| 1582 CERT_DestroyCertificate(issuer); |
| 1583 } |
| 1578 } | 1584 } |
| 1579 if (SECSuccess != signstatus) | 1585 if (SECSuccess != signstatus) |
| 1580 { | 1586 { |
| 1581 if (!cache->issuer) | 1587 if (!cache->issuerDERCert) |
| 1582 { | 1588 { |
| 1583 /* we tried to verify without an issuer cert . This is | 1589 /* we tried to verify without an issuer cert . This is |
| 1584 because this CRL came through a call to SEC_FindCrlByName. | 1590 because this CRL came through a call to SEC_FindCrlByName. |
| 1585 So, we don't cache this verification failure. We'll try | 1591 So, we don't cache this verification failure. We'll try |
| 1586 to verify the CRL again when a certificate from that issuer | 1592 to verify the CRL again when a certificate from that issuer |
| 1587 becomes available */ | 1593 becomes available */ |
| 1588 } else | 1594 } else |
| 1589 { | 1595 { |
| 1590 crlobject->sigChecked = PR_TRUE; | 1596 crlobject->sigChecked = PR_TRUE; |
| 1591 } | 1597 } |
| (...skipping 326 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1918 } | 1924 } |
| 1919 if (PR_TRUE == mustunlock) | 1925 if (PR_TRUE == mustunlock) |
| 1920 { | 1926 { |
| 1921 cache->lastcheck = PR_Now(); | 1927 cache->lastcheck = PR_Now(); |
| 1922 DPCache_UnlockWrite(); | 1928 DPCache_UnlockWrite(); |
| 1923 mustunlock = PR_FALSE; | 1929 mustunlock = PR_FALSE; |
| 1924 } | 1930 } |
| 1925 } | 1931 } |
| 1926 | 1932 |
| 1927 /* add issuer certificate if it was previously unavailable */ | 1933 /* add issuer certificate if it was previously unavailable */ |
| 1928 if (issuer && (NULL == cache->issuer) && | 1934 if (issuer && (NULL == cache->issuerDERCert) && |
| 1929 (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN))) | 1935 (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN))) |
| 1930 { | 1936 { |
| 1931 /* if we didn't have a valid issuer cert yet, but we do now. add it */ | 1937 /* if we didn't have a valid issuer cert yet, but we do now. add it */ |
| 1932 DPCache_LockWrite(); | 1938 DPCache_LockWrite(); |
| 1933 if (!cache->issuer) | 1939 if (!cache->issuerDERCert) |
| 1934 { | 1940 { |
| 1935 dirty = PR_TRUE; | 1941 dirty = PR_TRUE; |
| 1936 cache->issuer = CERT_DupCertificate(issuer); | 1942 » cache->dbHandle = issuer->dbhandle; |
| 1943 » cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); |
| 1937 } | 1944 } |
| 1938 DPCache_UnlockWrite(); | 1945 DPCache_UnlockWrite(); |
| 1939 } | 1946 } |
| 1940 | 1947 |
| 1941 /* verify CRLs that couldn't be checked when inserted into the cache | 1948 /* verify CRLs that couldn't be checked when inserted into the cache |
| 1942 because the issuer cert or a verification date was unavailable. | 1949 because the issuer cert or a verification date was unavailable. |
| 1943 These are CRLs that were inserted into the cache through | 1950 These are CRLs that were inserted into the cache through |
| 1944 SEC_FindCrlByName, or through manual insertion, rather than through a | 1951 SEC_FindCrlByName, or through manual insertion, rather than through a |
| 1945 certificate verification (CERT_CheckCRL) */ | 1952 certificate verification (CERT_CheckCRL) */ |
| 1946 | 1953 |
| 1947 if (cache->issuer && vfdate ) | 1954 if (cache->issuerDERCert && vfdate ) |
| 1948 { | 1955 { |
| 1949 mustunlock = PR_FALSE; | 1956 mustunlock = PR_FALSE; |
| 1950 /* re-process all unverified CRLs */ | 1957 /* re-process all unverified CRLs */ |
| 1951 for (i = 0; i < cache->ncrls ; i++) | 1958 for (i = 0; i < cache->ncrls ; i++) |
| 1952 { | 1959 { |
| 1953 CachedCrl* savcrl = cache->crls[i]; | 1960 CachedCrl* savcrl = cache->crls[i]; |
| 1954 if (!savcrl) | 1961 if (!savcrl) |
| 1955 { | 1962 { |
| 1956 continue; | 1963 continue; |
| 1957 } | 1964 } |
| (...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2194 #else | 2201 #else |
| 2195 cache->lock = PR_NewLock(); | 2202 cache->lock = PR_NewLock(); |
| 2196 #endif | 2203 #endif |
| 2197 if (!cache->lock) | 2204 if (!cache->lock) |
| 2198 { | 2205 { |
| 2199 PORT_Free(cache); | 2206 PORT_Free(cache); |
| 2200 return SECFailure; | 2207 return SECFailure; |
| 2201 } | 2208 } |
| 2202 if (issuer) | 2209 if (issuer) |
| 2203 { | 2210 { |
| 2204 cache->issuer = CERT_DupCertificate(issuer); | 2211 » cache->dbHandle = issuer->dbhandle; |
| 2212 » cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); |
| 2205 } | 2213 } |
| 2206 cache->distributionPoint = SECITEM_DupItem(dp); | 2214 cache->distributionPoint = SECITEM_DupItem(dp); |
| 2207 cache->subject = SECITEM_DupItem(subject); | 2215 cache->subject = SECITEM_DupItem(subject); |
| 2208 cache->lastfetch = 0; | 2216 cache->lastfetch = 0; |
| 2209 cache->lastcheck = 0; | 2217 cache->lastcheck = 0; |
| 2210 *returned = cache; | 2218 *returned = cache; |
| 2211 return SECSuccess; | 2219 return SECSuccess; |
| 2212 } | 2220 } |
| 2213 | 2221 |
| 2214 /* create an issuer cache object (per CA subject ) */ | 2222 /* create an issuer cache object (per CA subject ) */ |
| (...skipping 1147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3362 to CERT_CacheCRL previously. That API takes a SECItem*, thus, we | 3370 to CERT_CacheCRL previously. That API takes a SECItem*, thus, we |
| 3363 just do a pointer comparison here. | 3371 just do a pointer comparison here. |
| 3364 */ | 3372 */ |
| 3365 if (b->crl->derCrl == a->crl->derCrl) | 3373 if (b->crl->derCrl == a->crl->derCrl) |
| 3366 { | 3374 { |
| 3367 *isDupe = PR_TRUE; | 3375 *isDupe = PR_TRUE; |
| 3368 } | 3376 } |
| 3369 } | 3377 } |
| 3370 return SECSuccess; | 3378 return SECSuccess; |
| 3371 } | 3379 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1017413002:
Uprev NSS to 3.18 RTM (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@nspr_uprev