Bug 358785: Merge NSS_LIBPKIX_BRANCH back to trunk. r=julien, r=alexei

sailfishos-mirror · May 25, 2007 · 5359a8b · 5359a8b
1 parent 5470890
commit 5359a8b
Show file tree

Hide file tree

Showing 36 changed files with 1,130 additions and 141 deletions.
diff --git a/security/nss/cmd/Makefile b/security/nss/cmd/Makefile
@@ -42,6 +42,10 @@ DEPTH = ../..
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 
+ifdef BUILD_LIBPKIX_TESTS
+DIRS += libpkix
+endif
+
 ifndef USE_SYSTEM_ZLIB
 ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
 endif

diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
@@ -89,6 +89,19 @@ ifdef MOZILLA_BSAFE_BUILD
 	CRYPTOLIB+=$(DIST)/lib/freebl.lib
 endif
 
+PKIXLIB = \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX)
+
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
@@ -107,6 +120,7 @@ EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(PKIXLIB) \
 	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
@@ -129,6 +143,21 @@ ifdef MOZILLA_BSAFE_BUILD
 	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
 	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 endif
+
+PKIXLIB = \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
+
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
@@ -151,6 +180,8 @@ EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 

diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
@@ -257,7 +257,7 @@ void *
 CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
 
 /*
-** Reformat the certifcate extension list into a CertificateRequest
+** Reformat the certificate extension list into a CertificateRequest
 ** attribute list.
 */
 SECStatus
@@ -1016,7 +1016,11 @@ extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
 /*
 ** Finds the crlNumber extension and decodes its value into 'value'
 */
-extern SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value);
+extern SECStatus CERT_FindCRLNumberExten (PRArenaPool *arena, CERTCrl *crl,
+                                          SECItem *value);
+
+extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
+					       CERTCRLEntryReasonCode *value);
 
 extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
 
@@ -1135,6 +1139,19 @@ CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
 void
 CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
 
+CERTCertificatePolicyMappings *
+CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
+
+SECStatus
+CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
+
+SECStatus
+CERT_DecodePolicyConstraintsExtension(
+    CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue);
+
+SECStatus CERT_DecodeInhibitAnyExtension
+    (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
+
 CERTUserNotice *
 CERT_DecodeUserNotice(SECItem *noticeItem);
 
@@ -1514,6 +1531,46 @@ SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
                         SECItem* dp, int64 t, void* wincx);
 
 
+/*
+ * Add a CERTNameConstraint to the CERTNameConstraint list
+ */
+extern CERTNameConstraint *
+CERT_AddNameConstraint(CERTNameConstraint *list, 
+		       CERTNameConstraint *constraint);
+
+/*
+ * Allocate space and copy CERTNameConstraint from src to dest.
+ * Arena is used to allocate result(if dest eq NULL) and its members
+ * SECItem data.
+ */
+extern CERTNameConstraint *
+CERT_CopyNameConstraint(PRArenaPool         *arena, 
+			CERTNameConstraint  *dest, 
+			CERTNameConstraint  *src);
+
+/*
+ * Verify name against all the constraints relevant to that type of
+ * the name.
+ */
+extern SECStatus
+CERT_CheckNameSpace(PRArenaPool          *arena,
+		    CERTNameConstraints  *constraints,
+		    CERTGeneralName      *currentName);
+
+/*
+ * Extract and allocate the name constraints extension from the CA cert.
+ */
+extern SECStatus
+CERT_FindNameConstraintsExten(PRArenaPool      *arena,
+			      CERTCertificate  *cert,
+			      CERTNameConstraints **constraints);
+
+/*
+ * Initialize a new GERTGeneralName fields (link)
+ */
+extern CERTGeneralName *
+CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type);
+
 SEC_END_PROTOS
 
 #endif /* _CERT_H_ */
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
@@ -121,7 +121,9 @@ struct CachedCrlStr {
     PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
     PRBool sigChecked; /* this CRL signature has already been checked */
     PRBool sigValid; /* signature verification status .
-                     Only meaningful if checked is PR_TRUE . */
+                        Only meaningful if checked is PR_TRUE . */
+    PRBool unbuildable; /* Avoid using assosiated CRL is it fails
+                         * a decoding step */
 };
 
 /*  CRL distribution point cache object
@@ -243,5 +245,25 @@ cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);
 /* return maximum length of AVA value based on its type OID tag. */
 extern int cert_AVAOidTagToMaxLen(SECOidTag tag);
 
+/*
+ * get a DPCache object for the given issuer subject and dp
+ * Automatically creates the cache object if it doesn't exist yet.
+ */
+SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
+                         SECItem* dp, int64 t, void* wincx,
+                         CRLDPCache** dpcache, PRBool* writeLocked);
+
+/* release a DPCache object that was previously acquired */
+void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked);
+
+/* this function assumes the caller holds a lock on the DPCache */
+SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena,
+                             CERTSignedCrl*** crls, PRUint16* status);
+
+/* this function assumes the caller holds a lock on the DPCache */
+SECStatus DPCache_GetCRLEntry(CRLDPCache* cache, PRBool readlocked,
+                              CERTSignedCrl* crl, SECItem* sn,
+                              CERTCrlEntry** returned);
+
 #endif /* _CERTI_H_ */
 
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
@@ -627,6 +627,20 @@ struct CERTBasicConstraintsStr {
 #define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
 #define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
 
+/* enum for CRL Entry Reason Code */
+typedef enum CERTCRLEntryReasonCodeEnum {
+    crlEntryReasonUnspecified = 0,
+    crlEntryReasonKeyCompromise = 1,
+    crlEntryReasonCaCompromise = 2,
+    crlEntryReasonAffiliationChanged = 3,
+    crlEntryReasonSuperseded = 4,
+    crlEntryReasonCessationOfOperation = 5,
+    crlEntryReasoncertificatedHold = 6,
+    crlEntryReasonRemoveFromCRL = 8,
+    crlEntryReasonPrivilegeWithdrawn = 9,
+    crlEntryReasonAaCompromise = 10
+} CERTCRLEntryReasonCode;
+
 /* If we needed to extract the general name field, use this */
 /* General Name types */
 typedef enum CERTGeneralNameTypeEnum {
@@ -839,6 +853,33 @@ typedef struct {
     SECItem **oids;
 } CERTOidSequence;
 
+/*
+ * these types are for the PKIX Policy Mappings extension
+ */
+typedef struct {
+    SECItem issuerDomainPolicy;
+    SECItem subjectDomainPolicy;
+} CERTPolicyMap;
+
+typedef struct {
+    PRArenaPool *arena;
+    CERTPolicyMap **policyMaps;
+} CERTCertificatePolicyMappings;
+
+/*
+ * these types are for the PKIX inhibitAnyPolicy extension
+ */
+typedef struct {
+    SECItem inhibitAnySkipCerts;
+} CERTCertificateInhibitAny;
+
+/*
+ * these types are for the PKIX Policy Constraints extension
+ */
+typedef struct {
+    SECItem explicitPolicySkipCerts;
+    SECItem inhibitMappingSkipCerts;
+} CERTCertificatePolicyConstraints;
 
 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */