97 #ifdef USE_CERTIFICATES
120 certChainIndex < certChainInfo->chainEnd && \
124 *certChainPtr = NULL;
128 if( certChainIndex >= 0 && certChainIndex < certChainInfo->chainEnd )
130 return( krnlAcquireObject( certChainInfo->chain[ certChainIndex ],
132 (
void ** ) certChainPtr,
137 if( certChainIndex == -1 )
139 *certChainPtr = (
CERT_INFO * ) certInfoPtr;
144 *certChainPtr = NULL;
/* Trust-related operation on one certificate selected by certChainIndex.
   Only some lines of the function appear in this excerpt (the leading
   numbers are the original listing's line numbers), so the notes below
   cover just the visible index handling */
156 static
int performAbsTrustOperation(
INOUT CERT_INFO *certInfoPtr,
160 const int certChainIndex,
169 assert( iIssuerCert == NULL || \
173 certChainIndex < certChainInfo->chainEnd && \
177 if( iIssuerCert != NULL )
182 certChainInfo->
chainPos = certChainIndex;
/* Index -1 does not refer to a chain[] entry: for it the handle of the
   certificate object itself (certInfoPtr) is used */
183 if( certChainIndex == -1 )
186 iLocalCert = certInfoPtr->objectHandle;
/* Any other index is used directly as a chain[] subscript, so it has to be
   within 0 ... chainEnd - 1 by this point.  The upper-bound test is only
   partly visible here (listing line 173) - NOTE(review): confirm that it is
   enforced in release builds and not only inside an assert() */
192 iLocalCert = certChainInfo->chain[ certChainIndex ];
/* The output pointer is optional; a handle is passed back only when the
   caller supplied one */
200 if( iIssuerCert != NULL )
201 *iIssuerCert = iLocalCert;
237 int *trustAnchorIndexPtr,
/* Body excerpt of a trust-anchor search; going by the call on listing line
   1111 this is presumably findTrustAnchor() - confirm against the full
   source, the function header is not part of this excerpt */
242 int trustAnchorIndex,
status;
245 assert(
isWritePtr( trustAnchorIndexPtr,
sizeof(
int ) ) );
/* The loop counter runs one ahead of the position that is probed: the
   call below passes trustAnchorIndex - 1, so the first iteration probes
   index -1 (the certificate object itself, see performAbsTrustOperation())
   and the loop condition admits counter values up to chainEnd */
281 for( trustAnchorIndex = 0;
282 trustAnchorIndex <= certChainInfo->
chainEnd && \
286 status = performAbsTrustOperation( certInfoPtr,
288 trustAnchorIndex - 1,
/* Failsafe upper bound on the counter, independent of chainEnd */
293 ENSURES( trustAnchorIndex < MAX_CHAINLENGTH );
295 trustAnchorIndex > certChainInfo->
chainEnd )
/* Report the position reached and the handle obtained from the trust
   lookup to the caller */
297 *trustAnchorIndexPtr = trustAnchorIndex;
298 *trustAnchorCert = iIssuerCert;
/* chain[ trustAnchorIndex ] is the entry after the one that was probed.
   The test on listing line 304 keeps the subscript below chainEnd,
   assuming the assignment on line 310 is guarded by it - the lines in
   between are not shown, TODO confirm */
304 if( trustAnchorIndex < certChainInfo->chainEnd - 1 )
310 *trustAnchorCert = certChainInfo->chain[ trustAnchorIndex ];
/* Error-reporting helper for the trust-anchor search.  The visible lines
   select the last certificate in the chain (chainEnd - 1) as the current
   position; the error details that are set lie outside this excerpt */
319 static
int setTrustAnchorErrorInfo(
INOUT CERT_INFO *certInfoPtr )
324 const int lastCertIndex = certChainInfo->
chainEnd - 1;
/* An empty chain (chainEnd == 0) would give index -1; the check rejects
   that before the index is stored or used */
329 ENSURES( lastCertIndex >= 0 && lastCertIndex < certChainInfo->chainEnd );
333 certChainInfo->
chainPos = lastCertIndex;
358 status = getCertInfo( certInfoPtr, &subjectCertInfoPtr,
/* getCertInfo() can hand back certInfoPtr itself, so only a distinct
   object is treated specially here - presumably it is released, the
   release call is not in this excerpt */
367 if( certInfoPtr != subjectCertInfoPtr )
380 #ifdef USE_CERTLEVEL_PKIX_FULL
/* Check whether a policy value is already recorded in policyData[].  Only
   part of the function is shown; the visible lines compare the candidate
   value against one table entry by length and then by content.
   NOTE(review): the IN_RANGE annotation on policyCount allows MAX_POLICIES
   while the REQUIRES_B() check below rejects it - the runtime check is the
   stricter of the two */
385 static
BOOLEAN isPolicyPresent(
const POLICY_DATA *policyData,
386 IN_RANGE( 0, MAX_POLICIES )
const int policyCount,
387 IN_BUFFER( policyValueLength )
const void *policyValue,
392 assert(
isReadPtr( policyData,
sizeof( POLICY_DATA ) ) );
393 assert(
isReadPtr( policyValue, policyValueLength ) );
/* Bound the entry count and the value length before the table is indexed
   or memcmp() is called with that length */
395 REQUIRES_B( policyCount >= 0 && policyCount < MAX_POLICIES );
396 REQUIRES_B( policyValueLength > 0 && policyValueLength < MAX_POLICY_SIZE );
402 const POLICY_DATA *policyDataPtr = &policyData[ i ];
/* The lengths are compared first, so memcmp() only runs over values of
   identical size */
404 if( policyDataPtr->length == policyValueLength && \
405 !memcmp( policyDataPtr->data, policyValue, policyValueLength ) )
/* Failsafe bound on the search loop */
408 ENSURES_B( i < FAILSAFE_ITERATIONS_MED );
/* Record one policy value in slot policyCount of policyData[].  Only part
   of the function is shown in this excerpt.  policyCount is passed by value
   and is const, so advancing the count is left to the caller.
   NOTE(review): the IN_RANGE annotation on policyCount allows MAX_POLICIES
   while the REQUIRES() check below rejects it */
416 static
int addPolicy(
INOUT POLICY_DATA *policyData,
417 IN_RANGE( 0, MAX_POLICIES )
const int policyCount,
419 IN_RANGE( -1, MAX_CHAINLENGTH - 1 ) \
420 const int certChainIndex,
423 POLICY_DATA *policyDataPtr;
424 void *policyValuePtr;
425 int policyValueLength,
status;
427 assert(
isWritePtr( policyData,
sizeof( POLICY_DATA ) ) );
/* policyCount is used below as the write subscript, so it is held strictly
   below MAX_POLICIES (assumes the table has MAX_POLICIES entries - its
   declaration is not visible here) */
431 REQUIRES( policyCount >= 0 && policyCount < MAX_POLICIES );
432 REQUIRES( certChainIndex >= -1 && certChainIndex < MAX_CHAINLENGTH );
435 status = getAttributeDataPtr( policyAttributePtr, &policyValuePtr,
436 &policyValueLength );
/* A value that is already in the table is detected here; what is returned
   for a duplicate is not shown in this excerpt */
444 if( isPolicyPresent( policyData, policyCount, policyValuePtr,
445 policyValueLength ) )
/* Take the slot at index policyCount and clear it before filling it in */
453 policyDataPtr = &policyData[ policyCount ];
454 memset( policyDataPtr, 0,
sizeof( POLICY_DATA ) );
/* The level is the chain index shifted by one, so index -1 maps to level 0 */
455 policyDataPtr->level = certChainIndex + 1;
456 policyDataPtr->isMapped = isMapped;
/* The copy is bounded by MAX_POLICY_SIZE, the stated capacity of the data
   field; the stored length is presumably written through the pointer passed
   as the third argument */
457 return( attributeCopyParams( policyDataPtr->data, MAX_POLICY_SIZE,
458 &policyDataPtr->length, policyValuePtr,
459 policyValueLength ) );
/* Add the policies found by walking an attribute cursor to the policy set
   in policyInfo.  Only part of the function is shown in this excerpt.
   NOTE(review): policyInfo->noPolicies is read in the initialiser on
   listing line 471, before the isWritePtr() assertion on line 473 */
465 static
int addExplicitPolicies(
INOUT POLICY_INFO *policyInfo,
467 IN_RANGE( -1, MAX_CHAINLENGTH - 1 ) \
468 const int certChainIndex )
471 int policyCount = policyInfo->noPolicies, iterationCount,
status;
473 assert(
isWritePtr( policyInfo,
sizeof( POLICY_INFO ) ) );
476 REQUIRES( certChainIndex >= -1 && certChainIndex < MAX_CHAINLENGTH );
482 attributeCursor != NULL && \
484 attributeCursor = findNextFieldInstance( attributeCursor ),
/* The table-full test comes before the addPolicy() call, which writes to
   policies[ policyCount ]; what happens when the table is full is not
   shown in this excerpt */
487 if( policyCount >= MAX_POLICIES )
/* FALSE is the last argument; presumably it becomes POLICY_DATA.isMapped,
   marking the entry as not mapped */
489 status = addPolicy( policyInfo->policies, policyCount,
490 attributeCursor, certChainIndex,
FALSE );
/* Failsafe bound on the attribute walk */
501 ENSURES( iterationCount < FAILSAFE_ITERATIONS_LARGE );
/* Write the local count back to the policy set */
502 policyInfo->noPolicies = policyCount;
/* Add mapped policies to the policy set in policyInfo by walking a source
   and a destination attribute cursor in step.  Only part of the function is
   shown in this excerpt */
510 static
int addMappedPolicies(
INOUT POLICY_INFO *policyInfo,
512 IN_RANGE( -1, MAX_CHAINLENGTH - 1 ) \
513 const int certChainIndex )
516 findAttributeField( attributes,
520 findAttributeField( attributes,
523 int policyCount = policyInfo->noPolicies, iterationCount;
526 assert(
isWritePtr( policyInfo,
sizeof( POLICY_INFO ) ) );
529 REQUIRES( certChainIndex >= -1 && certChainIndex < MAX_CHAINLENGTH );
/* No source cursor means there is no mapping data to process; the
   statement guarded by this test is not shown */
532 if( sourcePolicyAttributeCursor == NULL )
536 for( iterationCount = 0;
537 sourcePolicyAttributeCursor != NULL && \
539 sourcePolicyAttributeCursor = \
540 findNextFieldInstance( sourcePolicyAttributeCursor ), \
541 destPolicyAttributeCursor = \
542 findNextFieldInstance( destPolicyAttributeCursor ), \
545 void *policyValuePtr;
546 int policyValueLength;
/* Both cursors advance together, so a source entry without a matching
   destination entry is rejected here rather than dereferenced */
548 REQUIRES( sourcePolicyAttributeCursor != NULL && \
549 destPolicyAttributeCursor != NULL );
/* A mapping that has anyPolicy on either side is singled out here;
   presumably it is skipped (RFC 5280 does not allow mapping to or from
   anyPolicy) - the guarded statement is not shown */
553 if( isAnyPolicy( sourcePolicyAttributeCursor ) || \
554 isAnyPolicy( destPolicyAttributeCursor ) )
559 status = getAttributeDataPtr( sourcePolicyAttributeCursor, &policyValuePtr,
560 &policyValueLength );
/* The source policy of a mapping is looked up in the current set; the
   statement guarded by the "not present" case is not shown, presumably the
   mapping is then ignored */
563 if( !isPolicyPresent( policyInfo->policies, policyCount,
564 policyValuePtr, policyValueLength ) )
/* The table-full test comes before the addPolicy() call, which writes to
   policies[ policyCount ] */
569 if( policyCount >= MAX_POLICIES )
/* The destination policy is what gets stored, with TRUE as the last
   argument (presumably POLICY_DATA.isMapped) */
571 status = addPolicy( policyInfo->policies, policyCount,
572 destPolicyAttributeCursor, certChainIndex,
TRUE );
/* Failsafe bound on the attribute walk */
584 ENSURES( iterationCount < FAILSAFE_ITERATIONS_LARGE );
/* Write the local count back to the policy set */
585 policyInfo->noPolicies = policyCount;
/* Build the policy set for a chain: first from the trust anchor's
   attributes when they are available, then from the chain certificates
   starting at startCertIndex and moving down (certIndex--).  Only part of
   the function is shown in this excerpt */
593 static
int createPolicySet(
OUT POLICY_INFO *policyInfo,
596 IN_RANGE( -1, MAX_CHAINLENGTH - 1 ) \
597 const int startCertIndex )
600 int certIndex = startCertIndex, iterationCount,
status;
602 assert(
isWritePtr( policyInfo,
sizeof( POLICY_INFO ) ) );
603 assert( ( trustAnchorAttributes == NULL ) || \
608 REQUIRES( startCertIndex >= -1 && startCertIndex < MAX_CHAINLENGTH );
/* policyInfo is an OUT parameter: start from an all-zero (empty) set */
611 memset( policyInfo, 0,
sizeof( POLICY_INFO ) );
614 if( trustAnchorAttributes != NULL && \
618 status = addExplicitPolicies( policyInfo, trustAnchorAttributes,
622 status = addMappedPolicies( policyInfo, trustAnchorAttributes,
/* If the trust anchor contributed no policies, explicit policies are taken
   from the chain instead: addImplicitPolicy stays set until a certificate
   has added at least one entry (listing lines 654-664) */
636 if( policyInfo->noPolicies <= 0 )
637 addImplicitPolicy =
TRUE;
643 for( iterationCount = 0;
645 certIndex--, iterationCount++ )
650 status = getCertInfo( certInfoPtr, &subjectCertInfoPtr, certIndex );
654 if( addImplicitPolicy && \
658 status = addExplicitPolicies( policyInfo,
663 if( policyInfo->noPolicies > 0 )
664 addImplicitPolicy =
FALSE;
668 status = addMappedPolicies( policyInfo,
/* Failsafe bound on the chain walk */
682 ENSURES( iterationCount < MAX_CHAINLENGTH );
694 #ifdef USE_CERTLEVEL_PKIX_FULL
784 IN_RANGE( -1, MAX_CHAINLENGTH - 1 ) \
785 const int startCertIndex,
789 const POLICY_INFO *policyInfo,
/* Body excerpt of the constraint-checking routine; going by the call on
   listing line 1214 this is presumably checkConstraints() - the function
   header and many body lines are not part of this excerpt, so the notes
   below cover only what is visible.  By their names the three *Level
   variables are the requireExplicitPolicy, inhibitPolicyMapping and
   inhibitAnyPolicy counters; each is paired with a has* flag that is set
   alongside the assignment of a value */
792 const ATTRIBUTE_PTR *nameConstraintPtr = NULL, *policyConstraintPtr = NULL;
798 int requireExplicitPolicyLevel, inhibitPolicyMapLevel;
799 int inhibitAnyPolicyLevel;
800 int pathLength =
DUMMY_INIT, certIndex = startCertIndex;
805 assert(
isWritePtr( errorCertIndex,
sizeof(
int ) ) );
806 assert(
isReadPtr( policyInfo,
sizeof( POLICY_INFO ) ) );
/* Range-check the starting index before it drives the chain walk */
808 REQUIRES( startCertIndex >= -1 && startCertIndex < MAX_CHAINLENGTH );
814 status = getAttributeFieldValue( issuerAttributes,
820 hasPathLength =
TRUE;
824 if( explicitPolicy && \
834 if( attributePtr != NULL )
838 if( attributePtr != NULL )
844 if( attributePtr != NULL )
847 hasExcludedSubtrees = \
848 checkAttributeFieldPresent( nameConstraintPtr,
850 hasPermittedSubtrees = \
851 checkAttributeFieldPresent( nameConstraintPtr,
/* With no policy, path-length, policy-constraint, inhibit-policy or
   name-constraint data there is nothing for the walk below to enforce; the
   statement guarded by this test is not shown, presumably an early exit */
857 if( !hasPolicy && !hasPathLength && \
858 policyConstraintPtr == NULL && inhibitPolicyPtr == NULL && \
859 nameConstraintPtr == NULL )
/* The counters start at zero and are overwritten only when a value is
   read.  A zero counter alone does not activate a constraint: the tests on
   listing lines 942-943 also require the matching has* flag */
865 requireExplicitPolicyLevel = inhibitPolicyMapLevel = inhibitAnyPolicyLevel = 0;
866 status = getAttributeFieldValue( policyConstraintPtr,
871 requireExplicitPolicyLevel =
value;
872 hasExplicitPolicy =
TRUE;
874 status = getAttributeFieldValue( policyConstraintPtr,
879 inhibitPolicyMapLevel =
value;
880 hasInhibitPolicyMap =
TRUE;
882 if( inhibitPolicyPtr != NULL )
884 status = getAttributeDataValue( inhibitPolicyPtr,
885 &inhibitAnyPolicyLevel );
888 hasInhibitAnyPolicy =
TRUE;
/* Walk down the chain from startCertIndex (certIndex--), with
   iterationCount as a separate failsafe counter */
893 for( certIndex = startCertIndex, iterationCount = 0;
896 certIndex--, iterationCount++ )
903 status = getCertInfo( certInfoPtr, &subjectCertInfoPtr, certIndex );
/* A value read from the subject certificate can only tighten a counter:
   policyLevel replaces the current value when none was held yet or when it
   is smaller */
911 status = getAttributeFieldValue( subjectCertInfoPtr->
attributes,
916 if( !hasExplicitPolicy || policyLevel < requireExplicitPolicyLevel )
917 requireExplicitPolicyLevel = policyLevel;
918 hasExplicitPolicy =
TRUE;
920 status = getAttributeFieldValue( subjectCertInfoPtr->
attributes,
925 if( !hasInhibitPolicyMap || policyLevel < inhibitPolicyMapLevel )
926 inhibitPolicyMapLevel = policyLevel;
927 hasInhibitPolicyMap =
TRUE;
929 status = getAttributeFieldValue( subjectCertInfoPtr->
attributes,
934 if( !hasInhibitAnyPolicy || policyLevel < inhibitAnyPolicyLevel )
935 inhibitAnyPolicyLevel = policyLevel;
936 hasInhibitAnyPolicy =
TRUE;
/* A constraint is in force once its counter has run down to zero or below
   and its has* flag is set */
942 if( ( hasExplicitPolicy && requireExplicitPolicyLevel <= 0 ) || \
943 ( hasInhibitAnyPolicy && inhibitAnyPolicyLevel <= 0 ) )
951 const BOOLEAN inhibitAnyPolicy = \
952 ( hasInhibitAnyPolicy && inhibitAnyPolicyLevel <= 0 ) ? \
955 if( hasExplicitPolicy )
957 if( requireExplicitPolicyLevel > 0 )
958 policyType = inhibitAnyPolicy ? \
961 if( requireExplicitPolicyLevel == 0 )
962 policyType = inhibitAnyPolicy ? \
965 if( requireExplicitPolicyLevel < 0 )
966 policyType = inhibitAnyPolicy ? \
970 policyType = inhibitAnyPolicy ? \
977 if( hasExcludedSubtrees )
979 status = checkNameConstraints( subjectCertInfoPtr,
980 nameConstraintPtr,
TRUE,
/* Name constraints are checked in two calls that differ in the boolean
   argument: TRUE in the call guarded by hasExcludedSubtrees above, FALSE
   here - presumably the permitted-subtrees pass, its guard is not shown */
986 status = checkNameConstraints( subjectCertInfoPtr,
987 nameConstraintPtr,
FALSE,
/* Policies are checked at level certIndex + 1, the same offset addPolicy()
   uses when it records a level; the last visible argument depends on
   whether policy mapping is inhibited (flag set and counter <= 0) */
998 status = checkPolicyConstraints( subjectCertInfoPtr,
999 issuerAttributes, policyType,
1000 policyInfo, certIndex + 1,
1001 ( hasInhibitPolicyMap && \
1002 inhibitPolicyMapLevel <= 0 ) ? \
1009 status = checkPathConstraints( subjectCertInfoPtr, pathLength,
/* The index of the certificate being checked is passed back through
   errorCertIndex - presumably on a failed check, the condition is not
   shown in this excerpt */
1016 *errorCertIndex = certIndex;
/* Moving one certificate down the chain: each counter that holds a value
   is decremented */
1047 if( hasPathLength && \
1050 if( hasExplicitPolicy )
1051 requireExplicitPolicyLevel--;
1052 if( hasInhibitPolicyMap )
1053 inhibitPolicyMapLevel--;
1054 if( hasInhibitAnyPolicy )
1055 inhibitAnyPolicyLevel--;
/* getCertInfo() can hand back certInfoPtr itself, so only a distinct
   object is treated specially here - presumably it is released, the
   release call is not in this excerpt */
1060 if( certInfoPtr != subjectCertInfoPtr )
/* Failsafe bound on the chain walk */
1063 ENSURES( iterationCount < MAX_CHAINLENGTH );
1083 #ifdef USE_CERTLEVEL_PKIX_FULL
1084 POLICY_INFO policyInfo;
1087 int certIndex, complianceLevel, iterationCount,
status;
1097 #ifdef USE_CERTLEVEL_PKIX_FULL
1106 explicitPolicy =
FALSE;
1111 status = findTrustAnchor( certInfoPtr, &certIndex, &iIssuerCert );
1118 return( setTrustAnchorErrorInfo( certInfoPtr ) );
1121 (
void ** ) &issuerCertInfoPtr,
1128 #ifdef USE_CERTLEVEL_PKIX_FULL
1129 status = createPolicySet( &policyInfo, issuerCertInfoPtr->
attributes,
1130 certInfoPtr, certIndex );
1142 if( certIndex >= certChainInfo->
chainEnd )
1149 status = checkCertDetails( issuerCertInfoPtr, issuerCertInfoPtr,
1152 NULL,
TRUE,
TRUE, &dummyLocus, &dummyType );
1159 status = checkCertDetails( issuerCertInfoPtr, issuerCertInfoPtr,
1168 if( certIndex < certChainInfo->chainEnd )
1171 certChainInfo->
chainPos = certIndex;
1181 for( iterationCount = 0;
1183 ( status = getCertInfo( certInfoPtr, &subjectCertInfoPtr,
1185 iterationCount < MAX_CHAINLENGTH;
1186 certIndex--, iterationCount++ )
1189 status = checkCertDetails( subjectCertInfoPtr, issuerCertInfoPtr,
1207 #ifdef USE_CERTLEVEL_PKIX_FULL
1214 status = checkConstraints( certInfoPtr, certIndex,
1216 &errorCertIndex, &policyInfo,
1220 certIndex = errorCertIndex;
1230 ENSURES( iterationCount < MAX_CHAINLENGTH );
1238 certChainInfo->
chainPos = certIndex ;
1239 if( issuerCertInfoPtr != certInfoPtr )