-/*
- * Copyright (c) 2000-2010 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- * CLCertExtensions.cpp - extensions support. A major component of DecodedCert.
- *
- */
-
-#include "DecodedCert.h"
-#include "cldebugging.h"
-#include "CLCertExtensions.h"
-#include "CLFieldsCommon.h"
-#include "clNssUtils.h"
-#include "clNameUtils.h"
-#include <security_utilities/utilities.h>
-#include <Security/oidscert.h>
-#include <Security/oidsattr.h>
-#include <Security/cssmerr.h>
-#include <Security/x509defs.h>
-#include <Security/certextensions.h>
-#include <security_utilities/globalizer.h>
-#include <Security/certExtensionTemplates.h>
-#include <Security/SecAsn1Templates.h>
-
-/***
- *** get/set/free functions called out from CertFields.cpp
- ***/
-
-/***
- *** KeyUsage
- *** CDSA format CE_KeyUsage
- *** NSS format CSSM_DATA, length 2
- *** OID CSSMOID_KeyUsage
- ***/
-
-void setFieldKeyUsage(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_KeyUsage *cdsaObj = (CE_KeyUsage *)cssmExt->value.parsedValue;
-
- /* Alloc an NSS-style key usage in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- CSSM_DATA *nssObj = (CSSM_DATA *)coder.malloc(sizeof(CSSM_DATA));
- coder.allocItem(*nssObj, 2);
-
- /* cdsaObj --> nssObj */
- nssObj->Data[0] = (*cdsaObj) >> 8;
- nssObj->Data[1] = *cdsaObj;
-
- /* Adjust length for BIT STRING encoding */
- clCssmBitStringToNss(*nssObj);
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1KeyUsageTemplate);
-}
-
-
-bool getFieldKeyUsage(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- CSSM_DATA *nssObj;
- CE_KeyUsage *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<CSSM_DATA, CE_KeyUsage>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_KeyUsage,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- /* make a copy - can't modify length in place */
- CSSM_DATA bitString = *nssObj;
- clNssBitStringToCssm(bitString);
- size_t toCopy = bitString.Length;
- if(toCopy > 2) {
- /* I hope I never see this... */
- clErrorLog("getFieldKeyUsage: KeyUsage larger than 2 bytes!");
- toCopy = 2;
- }
- unsigned char bits[2] = {0, 0};
- memmove(bits, bitString.Data, toCopy);
- *cdsaObj = (((unsigned)bits[0]) << 8) | bits[1];
-
- /* pass back to caller */
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-/***
- *** Basic Constraints
- *** CDSA format: CE_BasicConstraints
- *** NSS format CE_BasicConstraints
- *** OID CSSMOID_BasicConstraints
- ***/
-
-void setFieldBasicConstraints(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_BasicConstraints *cdsaObj =
- (CE_BasicConstraints *)cssmExt->value.parsedValue;
-
- /* Alloc an NSS-style BasicConstraints in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- NSS_BasicConstraints *nssObj =
- (NSS_BasicConstraints *)coder.malloc(sizeof(NSS_BasicConstraints));
- memset(nssObj, 0, sizeof(*nssObj));
-
- /* cdsaObj --> nssObj */
- ArenaAllocator arenaAlloc(coder);
- clCssmBoolToNss(cdsaObj->cA, nssObj->cA, arenaAlloc);
- if(cdsaObj->pathLenConstraintPresent) {
- clIntToData(cdsaObj->pathLenConstraint,
- nssObj->pathLenConstraint, arenaAlloc);
- }
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1BasicConstraintsTemplate);
-}
-
-
-bool getFieldBasicConstraints(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_BasicConstraints *nssObj;
- CE_BasicConstraints *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<NSS_BasicConstraints, CE_BasicConstraints>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_BasicConstraints,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- if(nssObj->cA.Data == NULL) {
- /* default */
- cdsaObj->cA = CSSM_FALSE;
- }
- else {
- cdsaObj->cA = clNssBoolToCssm(nssObj->cA);
- }
- if(nssObj->pathLenConstraint.Data == NULL) {
- /* optional */
- cdsaObj->pathLenConstraintPresent = CSSM_FALSE;
- cdsaObj->pathLenConstraint = 0;
- }
- else {
- cdsaObj->pathLenConstraintPresent = CSSM_TRUE;
- cdsaObj->pathLenConstraint = clDataToInt(nssObj->pathLenConstraint);
- }
-
- /* pass back to caller */
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-/***
- *** Extended Key Usage
- *** CDSA format: CE_ExtendedKeyUsage
- *** NSS format: NSS_ExtKeyUsage
- *** OID CSSMOID_ExtendedKeyUsage
- ***/
-void setFieldExtKeyUsage(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_ExtendedKeyUsage *cdsaObj =
- (CE_ExtendedKeyUsage *)cssmExt->value.parsedValue;
-
- SecNssCoder &coder = cert.coder();
- NSS_ExtKeyUsage *nssObj =
- (NSS_ExtKeyUsage *)coder.malloc(sizeof(NSS_ExtKeyUsage));
- memset(nssObj, 0, sizeof(*nssObj));
- if(cdsaObj->numPurposes != 0) {
- nssObj->purposes =
- (CSSM_OID **)clNssNullArray(cdsaObj->numPurposes, coder);
- }
-
- /* cdsaObj --> nssObj, one 'purpose' (OID) at a time */
- for(unsigned dex=0; dex<cdsaObj->numPurposes; dex++) {
- nssObj->purposes[dex] = (CSSM_OID *)coder.malloc(sizeof(CSSM_OID));
- coder.allocCopyItem(cdsaObj->purposes[dex],
- *nssObj->purposes[dex]);
- }
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1ExtKeyUsageTemplate);
-}
-
-bool getFieldExtKeyUsage(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_ExtKeyUsage *nssObj;
- CE_ExtendedKeyUsage *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_ExtKeyUsage, CE_ExtendedKeyUsage>(
- index,
- numFields,
- alloc,
- CSSMOID_ExtendedKeyUsage,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- /* nssObj --> cdsaObj, one purpose at a time */
- unsigned numPurposes = clNssArraySize((const void **)nssObj->purposes);
- cdsaObj->numPurposes = numPurposes;
- if(numPurposes) {
- unsigned len = numPurposes * sizeof(CSSM_OID);
- cdsaObj->purposes = (CSSM_OID_PTR)alloc.malloc(len);
- memset(cdsaObj->purposes, 0, len);
- }
- for(unsigned dex=0; dex<numPurposes; dex++) {
- clAllocCopyData(alloc, *nssObj->purposes[dex], cdsaObj->purposes[dex]);
- }
-
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldExtKeyUsage(
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_ExtendedKeyUsage *cdsaObj =
- (CE_ExtendedKeyUsage *)cssmExt->value.parsedValue;
- unsigned oidDex;
- for(oidDex=0; oidDex<cdsaObj->numPurposes; oidDex++) {
- alloc.free(cdsaObj->purposes[oidDex].Data);
- }
- alloc.free(cdsaObj->purposes);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Subject Key Identifier
- *** CDSA format: CE_SubjectKeyID, which is just a CSSM_DATA
- *** OID CSSMOID_SubjectKeyIdentifier
- ***/
-
-void setFieldSubjectKeyId(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_SubjectKeyID *cdsaObj = (CE_SubjectKeyID *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- CSSM_DATA *nssObj = (CSSM_DATA *)coder.malloc(sizeof(CSSM_DATA));
- coder.allocCopyItem(*cdsaObj, *nssObj);
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1SubjectKeyIdTemplate);
-}
-
-bool getFieldSubjectKeyId(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- CSSM_DATA *nssObj;
- CE_SubjectKeyID *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<CSSM_DATA, CE_SubjectKeyID>(
- index,
- numFields,
- alloc,
- CSSMOID_SubjectKeyIdentifier,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- /* if this fails, we're out of sync with nssExtenInfo[] in
- * CLFieldsCommon.cpp */
- assert(nssObj != NULL);
- clAllocCopyData(alloc, *nssObj, *cdsaObj);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldSubjectKeyId (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_SubjectKeyID *cdsaObj = (CE_SubjectKeyID *)cssmExt->value.parsedValue;
- alloc.free(cdsaObj->Data);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Authority Key Identifier
- *** CDSA format: CE_AuthorityKeyID
- *** NSS format: NSS_AuthorityKeyId
- *** OID CSSMOID_AuthorityKeyIdentifier
- ***/
-
-void setFieldAuthorityKeyId(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_AuthorityKeyID *cdsaObj =
- (CE_AuthorityKeyID *)cssmExt->value.parsedValue;
-
- /* Alloc an NSS-style AuthorityKeyId in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- NSS_AuthorityKeyId *nssObj =
- (NSS_AuthorityKeyId *)coder.malloc(sizeof(NSS_AuthorityKeyId));
- memset(nssObj, 0, sizeof(*nssObj));
-
- /* convert caller's CDSA-style CE_AuthorityKeyID to NSS */
- CL_cssmAuthorityKeyIdToNss(*cdsaObj, *nssObj, coder);
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1AuthorityKeyIdTemplate);
-}
-
-bool getFieldAuthorityKeyId(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_AuthorityKeyId *nssObj;
- CE_AuthorityKeyID *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_AuthorityKeyId, CE_AuthorityKeyID>(
- index,
- numFields,
- alloc,
- CSSMOID_AuthorityKeyIdentifier,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
-
- /* nssObj --> cdsaObj */
- CL_nssAuthorityKeyIdToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
-
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldAuthorityKeyId (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_AuthorityKeyID *cdsaObj = (CE_AuthorityKeyID *)cssmExt->value.parsedValue;
- CL_freeAuthorityKeyId(*cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Subject/Issuer alternate name
- *** CDSA Format: CE_GeneralNames
- *** NSS format: NSS_GeneralNames
- *** OID: CSSMOID_SubjectAltName, CSSMOID_IssuerAltName
- ***/
-void setFieldSubjIssuerAltName(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_GeneralNames *cdsaObj = (CE_GeneralNames *)cssmExt->value.parsedValue;
-
- /* Alloc an NSS-style GeneralNames in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- NSS_GeneralNames *nssObj =
- (NSS_GeneralNames *)coder.malloc(sizeof(NSS_GeneralNames));
- memset(nssObj, 0, sizeof(*nssObj));
-
- /* cdsaObj --> nssObj */
- CL_cssmGeneralNamesToNss(*cdsaObj, *nssObj, coder);
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1GeneralNamesTemplate);
-}
-
-bool getFieldSubjAltName(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_GeneralNames *nssObj;
- CE_GeneralNames *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<NSS_GeneralNames, CE_GeneralNames>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_SubjectAltName,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- CL_nssGeneralNamesToCssm(*nssObj, *cdsaObj,
- cert.coder(), fieldValue.allocator);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-bool getFieldIssuerAltName(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_GeneralNames *nssObj;
- CE_GeneralNames *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<NSS_GeneralNames, CE_GeneralNames>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_IssuerAltName,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- CL_nssGeneralNamesToCssm(*nssObj, *cdsaObj,
- cert.coder(), fieldValue.allocator);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldSubjIssuerAltName (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_GeneralNames *cdsaObj = (CE_GeneralNames *)cssmExt->value.parsedValue;
- CL_freeCssmGeneralNames(cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Certificate Policies
- *** CDSA Format: CE_CertPolicies
- *** NSS format : NSS_CertPolicies
- *** OID: CSSMOID_CertificatePolicies
- ***/
-
-#define MAX_IA5_NAME_SIZE 1024
-
-void setFieldCertPolicies(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- SecNssCoder &coder = cert.coder();
- NSS_CertPolicies *nssObj =
- (NSS_CertPolicies *)coder.malloc(sizeof(NSS_CertPolicies));
- memset(nssObj, 0, sizeof(NSS_CertPolicies));
- CE_CertPolicies *cdsaObj =
- (CE_CertPolicies *)cssmExt->value.parsedValue;
-
- if(cdsaObj->numPolicies) {
- nssObj->policies =
- (NSS_PolicyInformation **)clNssNullArray(
- cdsaObj->numPolicies, coder);
- }
- for(unsigned polDex=0; polDex<cdsaObj->numPolicies; polDex++) {
- CE_PolicyInformation *cPolInfo = &cdsaObj->policies[polDex];
- NSS_PolicyInformation *nPolInfo = (NSS_PolicyInformation *)
- coder.malloc(sizeof(NSS_PolicyInformation));
- memset(nPolInfo, 0, sizeof(*nPolInfo));
- nssObj->policies[polDex] = nPolInfo;
-
- coder.allocCopyItem(cPolInfo->certPolicyId, nPolInfo->certPolicyId);
-
- unsigned numQual = cPolInfo->numPolicyQualifiers;
- if(numQual != 0) {
- nPolInfo->policyQualifiers =
- (NSS_PolicyQualifierInfo **)clNssNullArray(numQual,
- coder);
- }
- for(unsigned qualDex=0; qualDex<numQual; qualDex++) {
- CE_PolicyQualifierInfo *cQualInfo =
- &cPolInfo->policyQualifiers[qualDex];
- NSS_PolicyQualifierInfo *nQualInfo =
- (NSS_PolicyQualifierInfo *)coder.malloc(
- sizeof(NSS_PolicyQualifierInfo));
- memset(nQualInfo, 0, sizeof(NSS_PolicyQualifierInfo));
- nPolInfo->policyQualifiers[qualDex] = nQualInfo;
-
- /*
- * OK we're at the lowest level.
- * policyQualifierId == id_qt_cps: qualifier is
- * an IA5 string, incoming data is its contents.
- * Else incoming data is an encoded blob we pass on directly.
- */
- coder.allocCopyItem(cQualInfo->policyQualifierId,
- nQualInfo->policyQualifierId);
-
- if(clCompareCssmData(&cQualInfo->policyQualifierId,
- &CSSMOID_QT_CPS)) {
- if(coder.encodeItem(&cQualInfo->qualifier,
- kSecAsn1IA5StringTemplate,
- nQualInfo->qualifier)) {
- clErrorLog("setFieldCertPOlicies: IA5 encode error\n");
- CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
- }
- }
- else {
- /* uninterpreted, copy over directly */
- coder.allocCopyItem(cQualInfo->qualifier,
- nQualInfo->qualifier);
- }
- } /* for each qualifier */
- } /* for each policy */
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1CertPoliciesTemplate);
-}
-
-bool getFieldCertPolicies(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_CertPolicies *nssObj;
- CE_CertPolicies *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
- brtn = cert.GetExtenTop<NSS_CertPolicies, CE_CertPolicies>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_CertificatePolicies,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
-
- memset(cdsaObj, 0, sizeof(*cdsaObj));
- cdsaObj->numPolicies =
- clNssArraySize((const void **)nssObj->policies);
- unsigned sz = cdsaObj->numPolicies * sizeof(CE_PolicyInformation);
- if(sz) {
- cdsaObj->policies = (CE_PolicyInformation *)alloc.malloc(sz);
- memset(cdsaObj->policies, 0, sz);
- }
-
- for(unsigned polDex=0; polDex<cdsaObj->numPolicies; polDex++) {
- CE_PolicyInformation *cPolInfo = &cdsaObj->policies[polDex];
- NSS_PolicyInformation *nPolInfo = nssObj->policies[polDex];
- clAllocCopyData(alloc, nPolInfo->certPolicyId,
- cPolInfo->certPolicyId);
- if(nPolInfo->policyQualifiers == NULL) {
- continue;
- }
-
- cPolInfo->numPolicyQualifiers =
- clNssArraySize((const void **)nPolInfo->policyQualifiers);
- sz = cPolInfo->numPolicyQualifiers *
- sizeof(CE_PolicyQualifierInfo);
- cPolInfo->policyQualifiers = (CE_PolicyQualifierInfo *)
- alloc.malloc(sz);
- memset(cPolInfo->policyQualifiers, 0, sz);
-
- for(unsigned qualDex=0; qualDex<cPolInfo->numPolicyQualifiers;
- qualDex++) {
- NSS_PolicyQualifierInfo *nQualInfo =
- nPolInfo->policyQualifiers[qualDex];
- CE_PolicyQualifierInfo *cQualInfo =
- &cPolInfo->policyQualifiers[qualDex];
-
- /*
- * leaf.
- * policyQualifierId == CSSMOID_QT_CPS :
- * IA5String - decode and return contents.
- * Else return whole thing.
- */
- clAllocCopyData(alloc, nQualInfo->policyQualifierId,
- cQualInfo->policyQualifierId);
- CSSM_DATA toCopy = nQualInfo->qualifier;
- if(clCompareCssmData(&nQualInfo->policyQualifierId,
- &CSSMOID_QT_CPS)) {
- /* decode as IA5String to temp memory */
- toCopy.Data = NULL;
- toCopy.Length = 0;
- if(cert.coder().decodeItem(nQualInfo->qualifier,
- kSecAsn1IA5StringTemplate,
- &toCopy)) {
- clErrorLog("***getCertPolicies: bad IA5String!\n");
- CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
- }
- }
- /* else copy out nQualInfo->qualifier */
- clAllocCopyData(alloc, toCopy, cQualInfo->qualifier);
- } /* for each qualifier */
- } /* for each policy info */
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldCertPolicies (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_CertPolicies *cdsaObj = (CE_CertPolicies *)cssmExt->value.parsedValue;
- for(unsigned polDex=0; polDex<cdsaObj->numPolicies; polDex++) {
- CE_PolicyInformation *cPolInfo = &cdsaObj->policies[polDex];
- alloc.free(cPolInfo->certPolicyId.Data);
- for(unsigned qualDex=0;
- qualDex<cPolInfo->numPolicyQualifiers;
- qualDex++) {
- CE_PolicyQualifierInfo *cQualInfo =
- &cPolInfo->policyQualifiers[qualDex];
- alloc.free(cQualInfo->policyQualifierId.Data);
- alloc.free(cQualInfo->qualifier.Data);
- }
- alloc.free(cPolInfo->policyQualifiers);
- }
- alloc.free(cdsaObj->policies);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue,
- // BERvalue
-}
-
-/***
- *** Netscape cert type
- *** CDSA Format: CE_NetscapeCertType (a uint16)
- *** NSS format CSSM_DATA, length 2
- *** OID: CSSMOID_NetscapeCertType
- ***/
-void setFieldNetscapeCertType(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_NetscapeCertType *cdsaObj =
- (CE_NetscapeCertType *)cssmExt->value.parsedValue;
-
- /* Alloc an NSS-style key usage in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- CSSM_DATA *nssObj = (CSSM_DATA *)coder.malloc(sizeof(CSSM_DATA));
- coder.allocItem(*nssObj, 2);
-
- /* cdsaObj --> nssObj */
- nssObj->Data[0] = (*cdsaObj) >> 8;
- nssObj->Data[1] = *cdsaObj;
-
- /* Adjust length for BIT STRING encoding */
- clCssmBitStringToNss(*nssObj);
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1NetscapeCertTypeTemplate);
-}
-
-bool getFieldNetscapeCertType(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- CSSM_DATA *nssObj;
- CE_NetscapeCertType *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<CSSM_DATA, CE_NetscapeCertType>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_NetscapeCertType,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- /* make a copy - can't modify length in place */
- CSSM_DATA bitString = *nssObj;
- clNssBitStringToCssm(bitString);
- size_t toCopy = bitString.Length;
- if(toCopy > 2) {
- /* I hope I never see this... */
- clErrorLog("getFieldKeyUsage: CertType larger than 2 bytes!");
- toCopy = 2;
- }
- unsigned char bits[2] = {0, 0};
- memmove(bits, bitString.Data, toCopy);
- *cdsaObj = (((unsigned)bits[0]) << 8) | bits[1];
-
- /* pass back to caller */
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-/***
- *** CRL Distribution points
- *** CDSA Format: CE_CRLDistPointsSyntax
- *** NSS format: NSS_CRLDistributionPoints
- *** OID: CSSMOID_CrlDistributionPoints
- ***/
-void setFieldCrlDistPoints(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_CRLDistPointsSyntax *cdsaObj =
- (CE_CRLDistPointsSyntax *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_CRLDistributionPoints *nssObj =
- (NSS_CRLDistributionPoints *)coder.malloc(
- sizeof(NSS_CRLDistributionPoints));
-
- CL_cssmDistPointsToNss(*cdsaObj, *nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1CRLDistributionPointsTemplate);
-}
-
-bool getFieldCrlDistPoints(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_CRLDistributionPoints *nssObj;
- CE_CRLDistPointsSyntax *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_CRLDistributionPoints,
- CE_CRLDistPointsSyntax>(
- index,
- numFields,
- alloc,
- CSSMOID_CrlDistributionPoints,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_nssDistPointsToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldCrlDistPoints (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_CRLDistPointsSyntax *cdsaObj =
- (CE_CRLDistPointsSyntax *)cssmExt->value.parsedValue;
- CL_freeCssmDistPoints(cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** {Subject,Authority}InfoAccess
- ***
- *** CDSA Format: CE_AuthorityInfoAccess
- *** NSS format: NSS_AuthorityInfoAccess
- *** OID: CSSMOID_AuthorityInfoAccess, CSSMOID_SubjectInfoAccess
- ***/
-void setFieldAuthInfoAccess(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_AuthorityInfoAccess *cdsaObj =
- (CE_AuthorityInfoAccess *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_AuthorityInfoAccess *nssObj =
- (NSS_AuthorityInfoAccess *)coder.malloc(
- sizeof(NSS_AuthorityInfoAccess));
-
- CL_cssmInfoAccessToNss(*cdsaObj, *nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1AuthorityInfoAccessTemplate);
-}
-
-bool getFieldAuthInfoAccess(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_AuthorityInfoAccess *nssObj;
- CE_AuthorityInfoAccess *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_AuthorityInfoAccess,
- CE_AuthorityInfoAccess>(
- index,
- numFields,
- alloc,
- CSSMOID_AuthorityInfoAccess,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_infoAccessToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-bool getFieldSubjInfoAccess(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_AuthorityInfoAccess *nssObj;
- CE_AuthorityInfoAccess *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_AuthorityInfoAccess,
- CE_AuthorityInfoAccess>(
- index,
- numFields,
- alloc,
- CSSMOID_SubjectInfoAccess,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_infoAccessToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldInfoAccess (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_AuthorityInfoAccess *cdsaObj =
- (CE_AuthorityInfoAccess *)cssmExt->value.parsedValue;
- CL_freeInfoAccess(*cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-
-}
-
-/***
- *** Qualfied Cert Statements
- ***
- *** CDSA Format: CE_QC_Statements
- *** NSS format: NSS_QC_Statements
- *** OID: CSSMOID_QC_Statements
- ***/
-void setFieldQualCertStatements(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_QC_Statements *cdsaObj =
- (CE_QC_Statements *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_QC_Statements *nssObj =
- (NSS_QC_Statements *)coder.malloc(
- sizeof(NSS_QC_Statements));
-
- CL_cssmQualCertStatementsToNss(*cdsaObj, *nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1QC_StatementsTemplate);
-}
-
-bool getFieldQualCertStatements(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_QC_Statements *nssObj;
- CE_QC_Statements *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_QC_Statements,
- CE_QC_Statements>(
- index,
- numFields,
- alloc,
- CSSMOID_QC_Statements,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_qualCertStatementsToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldQualCertStatements(
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_QC_Statements *cdsaObj =
- (CE_QC_Statements *)cssmExt->value.parsedValue;
- CL_freeQualCertStatements(*cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Name Constraints
- *** CDSA Format: CE_NameConstraints
- *** NSS format: NSS_NameConstraints
- *** OID: CSSMOID_NameConstraints
- ***/
-void setFieldNameConstraints(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_NameConstraints *cdsaObj =
- (CE_NameConstraints *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_NameConstraints *nssObj =
- (NSS_NameConstraints *)coder.malloc(
- sizeof(NSS_NameConstraints));
- CL_cssmNameConstraintsToNss(*cdsaObj, *nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1NameConstraintsTemplate);
-}
-
-bool getFieldNameConstraints(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_NameConstraints *nssObj;
- CE_NameConstraints *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_NameConstraints,
- CE_NameConstraints>(
- index,
- numFields,
- alloc,
- CSSMOID_NameConstraints,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_nssNameConstraintsToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldNameConstraints (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_NameConstraints *cdsaObj =
- (CE_NameConstraints *)cssmExt->value.parsedValue;
- CL_freeCssmNameConstraints(cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Policy Mappings
- *** CDSA Format: CE_PolicyMappings
- *** NSS format: NSS_PolicyMappings
- *** OID: CSSMOID_PolicyMappings
- ***/
-void setFieldPolicyMappings(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_PolicyMappings *cdsaObj =
- (CE_PolicyMappings *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_PolicyMappings *nssObj =
- (NSS_PolicyMappings *)coder.malloc(
- sizeof(NSS_PolicyMappings));
- CL_cssmPolicyMappingsToNss(*cdsaObj, *nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1PolicyMappingsTemplate);
-}
-
-bool getFieldPolicyMappings(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_PolicyMappings *nssObj;
- CE_PolicyMappings *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_PolicyMappings,
- CE_PolicyMappings>(
- index,
- numFields,
- alloc,
- CSSMOID_PolicyMappings,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_nssPolicyMappingsToCssm(*nssObj, *cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldPolicyMappings (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_PolicyMappings *cdsaObj =
- (CE_PolicyMappings *)cssmExt->value.parsedValue;
- CL_freeCssmPolicyMappings(cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Policy Constraints
- *** CDSA Format: CE_PolicyConstraints
- *** NSS format: NSS_PolicyConstraints
- *** OID: CSSMOID_PolicyConstraints
- ***/
-void setFieldPolicyConstraints(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt =
- verifySetFreeExtension(fieldValue, false);
- CE_PolicyConstraints *cdsaObj =
- (CE_PolicyConstraints *)cssmExt->value.parsedValue;
- SecNssCoder &coder = cert.coder();
- NSS_PolicyConstraints *nssObj =
- (NSS_PolicyConstraints *)coder.malloc(
- sizeof(NSS_PolicyConstraints));
- CL_cssmPolicyConstraintsToNss(cdsaObj, nssObj, coder);
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1PolicyConstraintsTemplate);
-}
-
-bool getFieldPolicyConstraints(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- NSS_PolicyConstraints *nssObj;
- CE_PolicyConstraints *cdsaObj;
- bool brtn;
- Allocator &alloc = fieldValue.allocator;
-
- brtn = cert.GetExtenTop<NSS_PolicyConstraints,
- CE_PolicyConstraints>(
- index,
- numFields,
- alloc,
- CSSMOID_PolicyConstraints,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
- assert(nssObj != NULL);
- CL_nssPolicyConstraintsToCssm(nssObj, cdsaObj, cert.coder(), alloc);
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
-void freeFieldPolicyConstraints (
- CssmOwnedData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue, false);
- Allocator &alloc = fieldValue.allocator;
- CE_PolicyConstraints *cdsaObj =
- (CE_PolicyConstraints *)cssmExt->value.parsedValue;
- CL_freeCssmPolicyConstraints(cdsaObj, alloc);
- freeFieldExtenCommon(cssmExt, alloc); // frees extnId, parsedValue, BERvalue
-}
-
-/***
- *** Inhibit Any Policy
- *** CDSA Format: CE_InhibitAnyPolicy (an integer)
- *** NSS format: CSSM_DATA, sizeof(uint32)
- *** OID: CSSMOID_InhibitAnyPolicy
- ***/
-void setFieldInhibitAnyPolicy(
- DecodedItem &cert,
- const CssmData &fieldValue)
-{
- CSSM_X509_EXTENSION_PTR cssmExt = verifySetFreeExtension(fieldValue,
- false);
- CE_InhibitAnyPolicy *cdsaObj =
- (CE_InhibitAnyPolicy *)cssmExt->value.parsedValue;
-
- /* Alloc in cert.coder's memory */
- SecNssCoder &coder = cert.coder();
- CSSM_DATA *nssObj = (CSSM_DATA *)coder.malloc(sizeof(CSSM_DATA));
- coder.allocItem(*nssObj, sizeof(uint32));
-
- /* cdsaObj --> nssObj */
- nssObj->Data[0] = (*cdsaObj) >> 24;
- nssObj->Data[1] = (*cdsaObj) >> 16;
- nssObj->Data[2] = (*cdsaObj) >> 8;
- nssObj->Data[3] = *cdsaObj;
-
- /* add to mExtensions */
- cert.addExtension(nssObj, cssmExt->extnId, cssmExt->critical, false,
- kSecAsn1IntegerTemplate);
-}
-
-bool getFieldInhibitAnyPolicy(
- DecodedItem &cert,
- unsigned index, // which occurrence (0 = first)
- uint32 &numFields, // RETURNED
- CssmOwnedData &fieldValue)
-{
- const DecodedExten *decodedExt;
- CSSM_DATA *nssObj;
- CE_InhibitAnyPolicy *cdsaObj;
- bool brtn;
-
- brtn = cert.GetExtenTop<CSSM_DATA, CE_InhibitAnyPolicy>(
- index,
- numFields,
- fieldValue.allocator,
- CSSMOID_InhibitAnyPolicy,
- nssObj,
- cdsaObj,
- decodedExt);
- if(!brtn) {
- return false;
- }
-
- *cdsaObj = *(nssObj->Data); //%%%FIXME check this
-
- /* pass back to caller */
- getFieldExtenCommon(cdsaObj, *decodedExt, fieldValue);
- return true;
-}
-
projects / apple / security.git / blobdiff