path: root/security/nss/lib/certdb/certdb.c
Diffstat (limited to 'security/nss/lib/certdb/certdb.c')
-rw-r--r--security/nss/lib/certdb/certdb.c176
1 files changed, 63 insertions, 113 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 85b5f2917..0796fe5d7 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -447,71 +447,39 @@ cert_GetCertType(CERTCertificate *cert)
}
PRBool
-cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+cert_IsIPsecOID(CERTOidSequence *extKeyUsage)
{
- SECStatus rv;
- SECItem encodedExtKeyUsage;
- CERTOidSequence *extKeyUsage = NULL;
- PRBool result = PR_FALSE;
-
- rv = CERT_GetExtenCriticality(cert->extensions,
- SEC_OID_X509_EXT_KEY_USAGE,
- isCritical);
- if (rv != SECSuccess) {
- *isCritical = PR_FALSE;
- }
-
- encodedExtKeyUsage.data = NULL;
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
- &encodedExtKeyUsage);
- if (rv != SECSuccess) {
- /* EKU not present, allowed. */
- result = PR_TRUE;
- goto done;
- }
-
- extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
- if (!extKeyUsage) {
- /* failure */
- goto done;
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) == SECSuccess) {
+ return PR_TRUE;
}
-
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
- SECSuccess) {
- result = PR_TRUE;
- goto done;
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_IPSEC_IKE_END) == SECSuccess) {
+ return PR_TRUE;
}
-
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
- SECSuccess) {
- result = PR_TRUE;
- goto done;
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_IPSEC_IKE_INTERMEDIATE) == SECSuccess) {
+ return PR_TRUE;
}
-
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_IPSEC_IKE_END) ==
- SECSuccess) {
- result = PR_TRUE;
- goto done;
+ /* these are now deprecated, but may show up. Treat them the same as IKE */
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_END) == SECSuccess) {
+ return PR_TRUE;
}
-
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
- SECSuccess) {
- result = PR_TRUE;
- goto done;
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL) == SECSuccess) {
+ return PR_TRUE;
}
-
-done:
- if (encodedExtKeyUsage.data != NULL) {
- PORT_Free(encodedExtKeyUsage.data);
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_USER) == SECSuccess) {
+ return PR_TRUE;
}
- if (extKeyUsage != NULL) {
- CERT_DestroyOidSequence(extKeyUsage);
+ /* this one should probably be in cert_ComputeCertType and set all usages? */
+ if (findOIDinOIDSeqByTagNum(
+ extKeyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE) == SECSuccess) {
+ return PR_TRUE;
}
- return result;
+ return PR_FALSE;
}
PRUint32
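Review bot: cert_IsIPsecOID (L18–L107, wholly inside this hunk) has no header comment and repeats the same three-line findOIDinOIDSeqByTagNum lookup seven times; a static table of tags walked in one loop reads more clearly and makes adding or retiring an OID a one-line change. The remark above the last check (`/* this one should probably be in cert_ComputeCertType and set all usages? */`) is a design question left in shipping code; make it an explicit TODO that states what was decided, since as written anyExtendedKeyUsage grants only the IPsec type here. The table below lists exactly the tags the hunk already checks, in the same order, so behaviour is unchanged; PR_ARRAY_SIZE is the NSPR helper and is assumed to be reachable through the file's existing includes.
```c
/*
 * Return PR_TRUE if the decoded extKeyUsage sequence carries any OID that
 * permits IPsec/IKE use: id-kp-ipsecIKE, the IKE end/intermediate OIDs,
 * the older ipsecEndSystem/Tunnel/User OIDs (deprecated but still issued),
 * or anyExtendedKeyUsage.  Caller passes a non-NULL, decoded sequence.
 */
PRBool
cert_IsIPsecOID(CERTOidSequence *extKeyUsage)
{
    static const SECOidTag ipsecTags[] = {
        SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
        SEC_OID_IPSEC_IKE_END,
        SEC_OID_IPSEC_IKE_INTERMEDIATE,
        /* deprecated, but may show up; treat them the same as IKE */
        SEC_OID_EXT_KEY_USAGE_IPSEC_END,
        SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL,
        SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
        /* TODO: anyExtendedKeyUsage should set every usage in
         * cert_ComputeCertType rather than only the IPsec one here. */
        SEC_OID_X509_ANY_EXT_KEY_USAGE,
    };
    size_t i;

    for (i = 0; i < PR_ARRAY_SIZE(ipsecTags); i++) {
        if (findOIDinOIDSeqByTagNum(extKeyUsage, ipsecTags[i]) == SECSuccess) {
            return PR_TRUE;
        }
    }
    return PR_FALSE;
}
```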
@@ -521,9 +489,9 @@ cert_ComputeCertType(CERTCertificate *cert)
SECItem tmpitem;
SECItem encodedExtKeyUsage;
CERTOidSequence *extKeyUsage = NULL;
- PRBool basicConstraintPresent = PR_FALSE;
CERTBasicConstraints basicConstraint;
PRUint32 nsCertType = 0;
+ PRBool isCA = PR_FALSE;
tmpitem.data = NULL;
CERT_FindNSCertTypeExtension(cert, &tmpitem);
@@ -535,7 +503,7 @@ cert_ComputeCertType(CERTCertificate *cert)
}
rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
if (rv == SECSuccess) {
- basicConstraintPresent = PR_TRUE;
+ isCA = basicConstraint.isCA;
}
if (tmpitem.data != NULL || extKeyUsage != NULL) {
if (tmpitem.data == NULL) {
@@ -571,19 +539,11 @@ cert_ComputeCertType(CERTCertificate *cert)
if (findOIDinOIDSeqByTagNum(extKeyUsage,
SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
SECSuccess) {
- if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_EMAIL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_EMAIL;
- }
+ nsCertType |= isCA ? NS_CERT_TYPE_EMAIL_CA : NS_CERT_TYPE_EMAIL;
}
if (findOIDinOIDSeqByTagNum(
extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) {
- if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_SSL_SERVER;
- }
+ nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
}
/*
* Treat certs with step-up OID as also having SSL server type.
@@ -592,27 +552,18 @@ cert_ComputeCertType(CERTCertificate *cert)
if (findOIDinOIDSeqByTagNum(extKeyUsage,
SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
SECSuccess) {
- if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_SSL_SERVER;
- }
+ nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
}
if (findOIDinOIDSeqByTagNum(
extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) {
- if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
- }
+ nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_CLIENT;
+ }
+ if (cert_IsIPsecOID(extKeyUsage)) {
+ nsCertType |= isCA ? NS_CERT_TYPE_IPSEC_CA : NS_CERT_TYPE_IPSEC;
}
if (findOIDinOIDSeqByTagNum(
extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) {
- if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
- }
+ nsCertType |= isCA ? NS_CERT_TYPE_OBJECT_SIGNING_CA : NS_CERT_TYPE_OBJECT_SIGNING;
}
if (findOIDinOIDSeqByTagNum(
extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) {
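Review bot: The new `cert_IsIPsecOID(extKeyUsage)` check at L170 sets NS_CERT_TYPE_IPSEC or NS_CERT_TYPE_IPSEC_CA when the EKU carries anyExtendedKeyUsage, but none of the sibling checks in this function grant the SSL, email or object-signing types for that OID, so a certificate whose EKU holds only anyExtendedKeyUsage comes out IPsec-capable and nothing else. If that asymmetry is intended, a comment at the call site should say so; otherwise handle the OID once, ahead of the per-OID checks, e.g. `if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE) == SECSuccess) { /* RFC 5280 4.2.1.12: no EKU restriction */ }` and set every usage there, so the IPsec path no longer has to special-case it. cert_ComputeCertType begins and ends outside this hunk.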
@@ -629,7 +580,7 @@ cert_ComputeCertType(CERTCertificate *cert)
nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
/* if the basic constraint extension says the cert is a CA, then
allow SSL CA and EMAIL CA and Status Responder */
- if (basicConstraintPresent && basicConstraint.isCA) {
+ if (isCA) {
nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
EXT_KEY_USAGE_STATUS_RESPONDER);
}
@@ -638,6 +589,14 @@ cert_ComputeCertType(CERTCertificate *cert)
NS_CERT_TYPE_EMAIL;
}
+ /* IPSEC is allowed to use SSL client and server certs as well as email certs */
+ if (nsCertType & (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL)) {
+ nsCertType |= NS_CERT_TYPE_IPSEC;
+ }
+ if (nsCertType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA)) {
+ nsCertType |= NS_CERT_TYPE_IPSEC_CA;
+ }
+
if (encodedExtKeyUsage.data != NULL) {
PORT_Free(encodedExtKeyUsage.data);
}
@@ -1153,7 +1112,7 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
break;
case certUsageIPsec:
requiredKeyUsage = KU_KEY_CERT_SIGN;
- requiredCertType = NS_CERT_TYPE_SSL_CA;
+ requiredCertType = NS_CERT_TYPE_IPSEC_CA;
break;
case certUsageSSLCA:
requiredKeyUsage = KU_KEY_CERT_SIGN;
@@ -1200,7 +1159,7 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
case certUsageIPsec:
/* RFC 4945 Section 5.1.3.2 */
requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
- requiredCertType = 0;
+ requiredCertType = NS_CERT_TYPE_IPSEC;
break;
case certUsageSSLServerWithStepUp:
requiredKeyUsage =
@@ -1314,6 +1273,17 @@ CERT_DupCertificate(CERTCertificate *c)
return c;
}
+SECStatus
+CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
+{
+ if (!c || !der) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ *der = c->derCert;
+ return SECSuccess;
+}
+
/*
* Allow use of default cert database, so that apps(such as mozilla) don't
* have to pass the handle all over the place.
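Review bot: CERT_GetCertificateDer (L229–L237) assigns the SECItem by value, so `der->data` aliases the certificate's own `derCert` buffer rather than a fresh allocation; nothing in the hunk documents that, and a caller who frees `der->data` or keeps it past the certificate's last CERT_DestroyCertificate will double-free or read freed memory. Add a header comment that states the ownership: `/* Return the certificate's DER encoding by reference: *der aliases c->derCert, is valid only while c is alive and must not be freed by the caller; use SECITEM_CopyItem for an owned copy. Fails with SEC_ERROR_INVALID_ARGS on a NULL argument. */`. The same wording belongs on the prototype in the public header, which is outside this diff.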
@@ -2919,15 +2889,8 @@ void
CERT_UnlockCertRefCount(CERTCertificate *cert)
{
PORT_Assert(certRefCountLock != NULL);
-
-#ifdef DEBUG
- {
- PRStatus prstat = PZ_Unlock(certRefCountLock);
- PORT_Assert(prstat == PR_SUCCESS);
- }
-#else
- PZ_Unlock(certRefCountLock);
-#endif
+ PRStatus prstat = PZ_Unlock(certRefCountLock);
+ PORT_AssertArg(prstat == PR_SUCCESS);
}
static PZLock *certTrustLock = NULL;
@@ -3031,15 +2994,8 @@ void
CERT_UnlockCertTrust(const CERTCertificate *cert)
{
PORT_Assert(certTrustLock != NULL);
-
-#ifdef DEBUG
- {
- PRStatus prstat = PZ_Unlock(certTrustLock);
- PORT_Assert(prstat == PR_SUCCESS);
- }
-#else
- PZ_Unlock(certTrustLock);
-#endif
+ PRStatus prstat = PZ_Unlock(certTrustLock);
+ PORT_AssertArg(prstat == PR_SUCCESS);
}
/*
@@ -3049,14 +3005,8 @@ void
CERT_UnlockCertTempPerm(const CERTCertificate *cert)
{
PORT_Assert(certTempPermLock != NULL);
-#ifdef DEBUG
- {
- PRStatus prstat = PZ_Unlock(certTempPermLock);
- PORT_Assert(prstat == PR_SUCCESS);
- }
-#else
- (void)PZ_Unlock(certTempPermLock);
-#endif
+ PRStatus prstat = PZ_Unlock(certTempPermLock);
+ PORT_AssertArg(prstat == PR_SUCCESS);
}
/*