19 #ifdef USE_CERTIFICATES
27 #ifdef USE_CERTLEVEL_PKIX_PARTIAL
47 #ifdef USE_CERTLEVEL_PKIX_FULL
80 #ifdef USE_CERTLEVEL_PKIX_FULL
103 status = getAttributeFieldValue( certInfoPtr->
attributes,
116 #ifdef USE_CERTLEVEL_PKIX_FULL
/* NOTE(review): non-contiguous excerpt (listing lines 138-257) of a string
   constraint matcher.  The signature and the statements between the
   numbered lines are not shown, so these notes describe only what is
   visible */
138 const BYTE *constrainingString, *constrainedString;
139 int constrainingStringLength, constrainedStringLength;
146 REQUIRES_B( matchType >= MATCH_NONE && matchType < MATCH_LAST );
/* Fetch the data pointer and (signed int) length of each string */
148 status = getAttributeDataPtr( constrainingAttribute,
149 (
void ** ) &constrainingString,
150 &constrainingStringLength );
153 status = getAttributeDataPtr( constrainedAttribute,
154 (
void ** ) &constrainedString,
155 &constrainedStringLength );
/* A constraint whose first byte is '.' sets the wildcard flag.  This reads
   the first byte of constrainingString, so it relies on a non-empty
   constraint; NOTE(review): that length check is not visible here, confirm
   it exists */
158 isWildcardMatch = ( *constrainingString ==
'.' ) ?
TRUE :
FALSE;
/* Offset in the constrained string at which the constraint would have to
   begin for a suffix match; negative if the constrained string is the
   shorter of the two */
171 startPos = constrainedStringLength - constrainingStringLength;
/* Only the upper bound is asserted on this line.  NOTE(review): a
   startPos < 0 rejection is not visible before the index use below,
   presumably it is in the elided lines 172-184; confirm */
185 ENSURES_B( startPos <= constrainedStringLength );
/* True for a non-wildcard constraint when there is no preceding byte or the
   preceding byte is not '@'.  startPos < 1 is tested first, so
   [ startPos - 1 ] is not evaluated with a negative index.  The guarded
   statement is not shown (presumably a no-match return) */
186 if( !isWildcardMatch && \
187 ( startPos < 1 || constrainedString[ startPos - 1 ] !=
'@' ) )
/* The constrained value is parsed with sNetParseURL(); from line 231 on the
   comparison uses only the parsed host and its length */
199 status = sNetParseURL( &urlInfo, constrainedString,
231 constrainedString = urlInfo.host;
232 startPos = urlInfo.
hostLen - constrainingStringLength;
/* Both a negative offset and one above MAX_INTLENGTH_SHORT satisfy this
   condition; the guarded statement is not shown */
233 if( startPos < 0 || startPos > MAX_INTLENGTH_SHORT )
/* For a non-wildcard constraint any non-zero offset satisfies this
   condition, i.e. the host and the constraint differ in length */
244 if( !isWildcardMatch && startPos != 0 )
249 constrainedStringLength ) );
/* TRUE only when strCompare() returns 0 over constrainingStringLength bytes
   starting at startPos.  NOTE(review): strCompare's case handling is
   defined elsewhere; confirm it matches the intended name-comparison
   rules */
256 return( !
strCompare( constrainedString + startPos, constrainingString,
257 constrainingStringLength ) ?
TRUE :
FALSE );
277 void **constrainedDnPtr, **constrainingDnPtr;
280 status = getAttributeDataDN( constrainedAttribute,
284 status = getAttributeDataDN( constrainingAttribute, &constrainingDnPtr );
287 return(
compareDN( *constrainingDnPtr, *constrainedDnPtr,
TRUE,
293 return( wildcardMatch( constrainedAttribute, constrainingAttribute,
/* NOTE(review): non-contiguous excerpt (listing lines 327-364) of a nested
   loop that tests each constrained field instance against a list of
   constraint instances; loop initialisers, some conditions and all guarded
   statements are not shown */
327 if( attributePtr == NULL )
/* Outer loop: one pass per constrained field instance */
330 for( constrainedAttributePtr = \
334 constrainedAttributePtr != NULL && \
336 constrainedAttributePtr = \
337 findNextFieldInstance( constrainedAttributePtr ), \
341 int innerIterationCount;
/* Inner loop: walk the constraint instances starting at attributePtr and
   stop at the first one that matches */
348 for( attributeCursor = attributePtr, \
349 innerIterationCount = 0;
350 attributeCursor != NULL && !isMatch && \
353 findNextFieldInstance( attributeCursor ), \
354 innerIterationCount++ )
356 isMatch = matchAltnameComponent( constrainedAttributePtr,
/* Failsafe bound on the inner walk */
360 ENSURES_B( innerIterationCount < FAILSAFE_ITERATIONS_LARGE );
/* True when isExcluded is set and a constraint matched, or when it is clear
   and none matched (reading a clear isExcluded as the permitted case --
   confirm).  The guarded statement is not shown, presumably it reports a
   constraint violation */
361 if( isExcluded == isMatch )
/* Failsafe bound on the outer walk */
364 ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_LARGE );
409 if( isPathKludge( subjectCertInfoPtr ) )
419 if( attributePtr != NULL && subjectCertInfoPtr->
subjectName != NULL )
423 for( iterationCount = 0;
424 attributePtr != NULL && !isMatch && \
431 status = getAttributeDataDN( attributePtr, &dnPtrPtr );
443 attributePtr = findNextFieldInstance( attributePtr );
445 ENSURES( iterationCount < FAILSAFE_ITERATIONS_LARGE );
446 if( isExcluded == isMatch )
457 if( !checkAltnameConstraints( subjectAttributes, issuerAttributes,
469 if( !checkAltnameConstraints( subjectAttributes, issuerAttributes,
471 !checkAltnameConstraints( subjectAttributes, issuerAttributes,
473 !checkAltnameConstraints( subjectAttributes, issuerAttributes,
492 #ifdef USE_CERTLEVEL_PKIX_FULL
500 int policyOidLength,
status;
504 status = getAttributeDataPtr( attributePtr, &policyOidPtr,
525 REQUIRES_B( attributeType >= CRYPT_CERTINFO_FIRST_EXTENSION && \
531 attributePtr != NULL && \
533 attributePtr = findNextFieldInstance( attributePtr ), \
536 if( isAnyPolicy( attributePtr ) )
539 ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_LARGE );
551 const BOOLEAN inhibitAnyPolicy )
555 assert( attributePtr == NULL || \
561 *hasPolicy = *hasAnyPolicy =
FALSE;
567 if( attributePtr == NULL )
569 for( iterationCount = 0;
571 attributePtr = findNextFieldInstance( attributePtr ), iterationCount++ )
573 if( isAnyPolicy( attributePtr ) )
574 *hasAnyPolicy =
TRUE;
578 ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_LARGE );
579 if( inhibitAnyPolicy )
586 *hasAnyPolicy =
FALSE;
/* NOTE(review): non-contiguous excerpt (listing lines 597-626) of a routine
   that looks for an issuer policy value among the subject's policy field
   instances; the rest of the signature and the guarded statements are not
   shown */
597 const void *issuerPolicyValue,
601 int iterationCount,
status;
604 assert(
isReadPtr( issuerPolicyValue, issuerPolicyValueLength ) );
607 issuerPolicyValueLength < MAX_POLICY_SIZE );
/* Walk the subject's field instances starting at subjectAttributes */
609 for( attributeCursor = subjectAttributes, iterationCount = 0;
611 attributeCursor = findNextFieldInstance( attributeCursor ), \
614 void *subjectPolicyValuePtr;
615 int subjectPolicyValueLength;
617 status = getAttributeDataPtr( attributeCursor, &subjectPolicyValuePtr,
618 &subjectPolicyValueLength );
/* The lengths are compared before memcmp() is called, so the byte compare
   only runs over a length that both values share.  NOTE(review): the check
   of status from getAttributeDataPtr() is not visible here, confirm the
   pointer is not used after a failed fetch */
621 if( issuerPolicyValueLength == subjectPolicyValueLength && \
622 !memcmp( issuerPolicyValue, subjectPolicyValuePtr,
623 issuerPolicyValueLength ) )
/* Failsafe bound on the walk */
626 ENSURES_B( iterationCount < FAILSAFE_ITERATIONS_LARGE );
635 int checkPolicyConstraints(
const CERT_INFO *subjectCertInfoPtr,
638 IN_OPT const POLICY_INFO *policyInfo,
640 const BOOLEAN allowMappedPolicies,
647 findAttributeField( issuerAttributes,
651 findAttributeField( subjectCertInfoPtr->
attributes,
654 BOOLEAN subjectHasPolicy, issuerHasPolicy;
655 BOOLEAN subjectHasAnyPolicy, issuerHasAnyPolicy;
660 assert( ( policyInfo == NULL && policyLevel == 0 ) || \
661 (
isReadPtr( policyInfo,
sizeof( POLICY_INFO ) ) && \
672 if( containsAnyPolicy( issuerAttributes,
674 containsAnyPolicy( issuerAttributes,
684 if( policyType ==
POLICY_NONE && constrainedAttributePtr == NULL )
688 if( !checkPolicyType( constrainedAttributePtr, &subjectHasPolicy,
689 &subjectHasAnyPolicy,
704 constrainingAttributePtr == NULL )
708 if( !checkPolicyType( constrainingAttributePtr , &issuerHasPolicy,
721 if( subjectHasAnyPolicy || issuerHasAnyPolicy )
732 if( policyInfo != NULL )
734 const POLICY_DATA *policyData = policyInfo->policies;
737 for( i = 0; i < policyInfo->noPolicies && \
740 if( policyData[ i ].isMapped && !allowMappedPolicies )
742 if( isPolicyPresent( constrainedAttributePtr,
743 policyData[ i ].
data,
744 policyData[ i ].
length ) )
747 ENSURES( i < FAILSAFE_ITERATIONS_MED );
753 for( constrainingAttributeCursor = \
756 constrainingAttributeCursor != NULL && \
758 constrainingAttributeCursor = \
759 findNextFieldInstance( constrainingAttributeCursor ), \
762 void *constrainingPolicyValuePtr;
763 int constrainingPolicyValueLength,
status;
765 status = getAttributeDataPtr( constrainingAttributeCursor,
766 &constrainingPolicyValuePtr,
767 &constrainingPolicyValueLength );
770 if( isPolicyPresent( constrainedAttributePtr,
771 constrainingPolicyValuePtr,
772 constrainingPolicyValueLength ) )
775 ENSURES( iterationCount < FAILSAFE_ITERATIONS_LARGE );
790 #ifdef USE_CERTLEVEL_PKIX_PARTIAL
796 int checkPathConstraints(
const CERT_INFO *subjectCertInfoPtr,
809 REQUIRES( pathLength >= 0 && pathLength < MAX_INTLENGTH_SHORT );
811 #ifdef USE_CERTLEVEL_PKIX_FULL
816 if( isPathKludge( subjectCertInfoPtr ) )
835 status = getAttributeFieldValue( subjectCertInfoPtr->
attributes,
864 static
int checkRPKIAttributes(
const ATTRIBUTE_PTR *subjectAttributes,
883 status = getAttributeFieldValue( subjectAttributes,
945 if( attributePtr == NULL )
951 status = getAttributeDataPtr( attributePtr, &policyOidPtr,
/* NOTE(review): non-contiguous excerpt of checkCrlConsistency() (listing
   lines 979-1031); most parameters, the requested field identifiers and
   the guarded statements are not shown */
979 static
int checkCrlConsistency(
const CERT_INFO *crlInfoPtr,
983 const int complianceLevel,
989 int deltaCRLindicator,
status;
/* issuerCertInfoPtr may be NULL: the assert allows it and line 1023 tests
   for it.  The first field lookup on the CRL's attributes stores its value
   in deltaCRLindicator */
992 assert( issuerCertInfoPtr == NULL || \
1002 status = getAttributeFieldValue( crlInfoPtr->
attributes,
1005 &deltaCRLindicator );
/* Second lookup on the same attribute list; the comparison at line 1013 is
   only made if this lookup succeeded */
1010 status = getAttributeFieldValue( crlInfoPtr->
attributes,
/* Holds when crlNumber is not lower than deltaCRLindicator.
   NOTE(review): the action taken is not shown, presumably the two numbers
   are reported as inconsistent -- confirm */
1013 if(
cryptStatusOK( status ) && crlNumber >= deltaCRLindicator )
/* The NULL test comes before the issuer is handed to checkKeyUsage() */
1023 if( issuerCertInfoPtr == NULL )
1028 return( checkKeyUsage( issuerCertInfoPtr,
1031 errorLocus, errorType ) );
/* NOTE(review): non-contiguous excerpt (listing lines 1048-1096) of the
   validity-period checks; the guarded statements are not shown.  Every
   time comparison below uses the single clock value read here */
1048 const time_t currentTime =
getTime();
1049 int complianceLevel,
status;
1068 if( certInfoPtr->cCertCert->trustedUsage == 0 )
/* True when the validity period is empty or inverted (startTime >= endTime),
   or when certInfoPtr->certificate is non-NULL and the current time is
   before startTime.  NOTE(review): how a failed or unset clock value from
   getTime() is handled is not visible here; confirm that it cannot make an
   expired object pass */
1089 if( certInfoPtr->startTime >= certInfoPtr->endTime || \
1090 ( certInfoPtr->certificate != NULL && \
1091 currentTime < certInfoPtr->startTime ) )
/* True once the current time is past endTime */
1096 if( currentTime > certInfoPtr->endTime )
1121 const ATTRIBUTE_PTR *subjectAttributes = subjectCertInfoPtr->attributes;
1123 ( issuerCertInfoPtr != NULL ) ? \
1124 issuerCertInfoPtr->attributes : NULL;
1126 const BOOLEAN subjectSelfSigned = \
1133 assert( issuerCertInfoPtr == NULL || \
1142 if( subjectCertInfoPtr->certificate == NULL )
1156 switch( subjectCertInfoPtr->type )
1163 REQUIRES( issuerCertInfoPtr != NULL );
1190 assert( issuerCertInfoPtr == NULL || \
1194 return( checkCrlConsistency( subjectCertInfoPtr,
1195 issuerCertInfoPtr, complianceLevel,
1196 errorLocus, errorType ) );
1215 ENSURES( issuerCertInfoPtr != NULL );
1221 status = checkCertBasic( subjectCertInfoPtr );
1229 if( issuerCertInfoPtr->cCertCert->trustedUsage !=
CRYPT_ERROR )
1234 errorLocus, errorType );
/* NOTE(review): non-contiguous excerpt (listing lines 1247-1298) of the
   subject/issuer checks; the guarded statements are not shown.

   The first condition holds when the subject is self-signed or
   shortCircuitCheck is set, and maxCheckLevel already records a check at
   this compliance level or higher.  The guarded statement is presumably an
   early return that reuses the earlier result -- confirm, since it decides
   whether the checks below are skipped */
1247 if( ( subjectSelfSigned || shortCircuitCheck ) && \
1248 ( subjectCertInfoPtr->cCertCert->maxCheckLevel >= complianceLevel ) )
1252 if( !subjectSelfSigned )
1257 if( subjectCertInfoPtr->certificate != NULL )
/* Chaining check on the stored DN bytes: the subject's issuer DN against
   the issuer's subject DN.  The sizes are compared first, so memcmp() only
   runs over a length that both buffers share */
1259 if( subjectCertInfoPtr->issuerDNsize != \
1260 issuerCertInfoPtr->subjectDNsize || \
1261 memcmp( subjectCertInfoPtr->issuerDNptr,
1262 issuerCertInfoPtr->subjectDNptr,
1263 subjectCertInfoPtr->issuerDNsize ) )
/* The same pair of names compared through compareDN() on issuerName and
   subjectName.  How this relates to the test at line 1257 (presumably its
   else path) is not visible */
1272 if( !
compareDN( subjectCertInfoPtr->issuerName,
1273 issuerCertInfoPtr->subjectName, FALSE, NULL ) )
/* The CA flags are derived from a field value greater than zero.
   NOTE(review): the field being read and the handling of a failed lookup
   (status) are not shown; confirm that value cannot carry a stale positive
   number into these assignments */
1283 status = getAttributeFieldValue( subjectAttributes,
1287 subjectIsCA = ( value > 0 ) ?
TRUE : FALSE;
1288 status = getAttributeFieldValue( issuerAttributes,
1292 issuerIsCA = ( value > 0 ) ?
TRUE : FALSE;
/* Raise maxCheckLevel to the current compliance level if it was lower; it
   is never lowered here.  This is the value that line 1248 compares
   against */
1297 if( subjectCertInfoPtr->cCertCert->maxCheckLevel < complianceLevel )
1298 subjectCertInfoPtr->cCertCert->maxCheckLevel = complianceLevel;
1311 errorLocus, errorType );
1317 if( !subjectSelfSigned )
1321 errorLocus, errorType );
1336 if( subjectCertInfoPtr->certificate != NULL )
1341 for( attributePtr = getFirstAttribute( &attrEnumInfo, subjectAttributes,
1344 attributePtr != NULL && \
1346 attributePtr = getNextAttribute( &attrEnumInfo ), \
1354 if( checkAttributeProperty( attributePtr, \
1356 !checkAttributeProperty( attributePtr, \
1364 ENSURES( iterationCount < FAILSAFE_ITERATIONS_LARGE );
1367 #ifdef USE_CERTLEVEL_PKIX_PARTIAL
1371 if( subjectCertInfoPtr->cCertCert->maxCheckLevel < complianceLevel )
1372 subjectCertInfoPtr->cCertCert->maxCheckLevel = complianceLevel;
1380 if( subjectAttributes != NULL )
1382 if( !subjectIsCA && invalidAttributesPresent( subjectAttributes, FALSE,
1383 errorLocus, errorType ) )
1385 if( !issuerIsCA && invalidAttributesPresent( subjectAttributes,
TRUE,
1386 errorLocus, errorType ) )
1398 status = getAttributeFieldValue( issuerAttributes,
1403 status = checkPathConstraints( subjectCertInfoPtr, value,
1404 errorLocus, errorType );
1423 if( attributePtr != NULL && \
1442 status = checkRPKIAttributes( subjectAttributes, subjectIsCA,
1443 subjectSelfSigned, errorLocus,
1449 #ifdef USE_CERTLEVEL_PKIX_FULL
1456 if( subjectCertInfoPtr->cCertCert->maxCheckLevel < complianceLevel )
1457 subjectCertInfoPtr->cCertCert->maxCheckLevel = complianceLevel;
1465 if( !subjectSelfSigned )
1470 if( attributePtr != NULL && \
1472 checkNameConstraints( subjectCertInfoPtr, attributePtr,
1473 TRUE, errorLocus, errorType ) ) )
1478 if( attributePtr != NULL && \
1480 checkNameConstraints( subjectCertInfoPtr, attributePtr,
1481 FALSE, errorLocus, errorType ) ) )
1488 status = getAttributeFieldValue( issuerAttributes,
1497 attributePtr =
findAttribute( issuerCertInfoPtr->attributes,
1500 if( attributePtr != NULL && \
1507 status = checkPolicyConstraints( subjectCertInfoPtr,
1508 issuerAttributes, policyType,
1509 NULL, 0, FALSE, errorLocus,
1517 if( subjectCertInfoPtr->cCertCert->maxCheckLevel < complianceLevel )
1518 subjectCertInfoPtr->cCertCert->maxCheckLevel = complianceLevel;