/src/nss-nspr/nss/lib/certdb/polcyxtn.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Support for various policy related extensions
 */

#include "seccomon.h"
#include "secport.h"
#include "secder.h"
#include "cert.h"
#include "secoid.h"
#include "secasn1.h"
#include "secerr.h"
#include "nspr.h"

SEC_ASN1_MKSUB(SEC_IntegerTemplate)
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)

const SEC_ASN1Template CERT_DisplayTextTypeTemplate[] = {
    { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
    { SEC_ASN1_IA5_STRING, 0, 0, siAsciiString },
    { SEC_ASN1_VISIBLE_STRING, 0, 0, siVisibleString },
    { SEC_ASN1_BMP_STRING, 0, 0, siBMPString },
    { SEC_ASN1_UTF8_STRING, 0, 0, siUTF8String },
    { 0 }
};

const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNoticeReference) },
    { SEC_ASN1_INLINE, offsetof(CERTNoticeReference, organization),
      CERT_DisplayTextTypeTemplate, 0 },
    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
      offsetof(CERTNoticeReference, noticeNumbers),
      SEC_ASN1_SUB(SEC_IntegerTemplate) },
    { 0 }
};

const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTUserNotice) },
    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
      offsetof(CERTUserNotice, noticeReference), CERT_NoticeReferenceTemplate,
      0 },
    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
      offsetof(CERTUserNotice, displayText), CERT_DisplayTextTypeTemplate, 0 },
    { 0 }
};

const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyQualifier) },
    { SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyQualifier, qualifierID) },
    { SEC_ASN1_ANY, offsetof(CERTPolicyQualifier, qualifierValue) },
    { 0 }
};

const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyInfo) },
    { SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyInfo, policyID) },
    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
      offsetof(CERTPolicyInfo, policyQualifiers),
      CERT_PolicyQualifierTemplate },
    { 0 }
};

const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, offsetof(CERTCertificatePolicies, policyInfos),
      CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) }
};

const SEC_ASN1Template CERT_PolicyMapTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyMap) },
    { SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyMap, issuerDomainPolicy) },
    { SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyMap, subjectDomainPolicy) },
    { 0 }
};

const SEC_ASN1Template CERT_PolicyMappingsTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, offsetof(CERTCertificatePolicyMappings, policyMaps),
      CERT_PolicyMapTemplate, sizeof(CERTPolicyMap) }
};

const SEC_ASN1Template CERT_PolicyConstraintsTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertificatePolicyConstraints) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
      offsetof(CERTCertificatePolicyConstraints, explicitPolicySkipCerts),
      SEC_ASN1_SUB(SEC_IntegerTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
      offsetof(CERTCertificatePolicyConstraints, inhibitMappingSkipCerts),
      SEC_ASN1_SUB(SEC_IntegerTemplate) },
    { 0 }
};

const SEC_ASN1Template CERT_InhibitAnyTemplate[] = {
    { SEC_ASN1_INTEGER,
      offsetof(CERTCertificateInhibitAny, inhibitAnySkipCerts), NULL,
      sizeof(CERTCertificateInhibitAny) }
};

static void
breakLines(char *string)
{
    char *tmpstr;
    char *lastspace = NULL;
    int curlen = 0;
    int c;

    tmpstr = string;

    while ((c = *tmpstr) != '\0') {
        switch (c) {
            case ' ':
                lastspace = tmpstr;
                break;
            case '\n':
                lastspace = NULL;
                curlen = 0;
                break;
        }

        if ((curlen >= 55) && (lastspace != NULL)) {
            *lastspace = '\n';
            curlen = (tmpstr - lastspace);
            lastspace = NULL;
        }

        curlen++;
        tmpstr++;
    }

    return;
}

CERTCertificatePolicies *
CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue)
{
    PLArenaPool *arena = NULL;
    SECStatus rv;
    CERTCertificatePolicies *policies;
    CERTPolicyInfo **policyInfos, *policyInfo;
    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
    SECItem newExtnValue;

    /* make a new arena */
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {
        goto loser;
    }

    /* allocate the certificate policies structure */
    policies = (CERTCertificatePolicies *)PORT_ArenaZAlloc(
        arena, sizeof(CERTCertificatePolicies));

    if (policies == NULL) {
        goto loser;
    }

    policies->arena = arena;

    /* copy the DER into the arena, since Quick DER returns data that points
       into the DER input, which may get freed by the caller */
    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
    if (rv != SECSuccess) {
        goto loser;
    }

    /* decode the policy info */
    rv = SEC_QuickDERDecodeItem(
        arena, policies, CERT_CertificatePoliciesTemplate, &newExtnValue);

    if (rv != SECSuccess) {
        goto loser;
    }

    /* initialize the oid tags */
    policyInfos = policies->policyInfos;
    while (*policyInfos != NULL) {
        policyInfo = *policyInfos;
        policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
        policyQualifiers = policyInfo->policyQualifiers;
        while (policyQualifiers != NULL && *policyQualifiers != NULL) {
            policyQualifier = *policyQualifiers;
            policyQualifier->oid =
                SECOID_FindOIDTag(&policyQualifier->qualifierID);
            policyQualifiers++;
        }
        policyInfos++;
    }

    return (policies);

loser:
    if (arena != NULL) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return (NULL);
}

void
CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
{
    if (policies != NULL) {
        PORT_FreeArena(policies->arena, PR_FALSE);
    }
    return;
}

CERTCertificatePolicyMappings *
CERT_DecodePolicyMappingsExtension(SECItem *extnValue)
{
    PLArenaPool *arena = NULL;
    SECStatus rv;
    CERTCertificatePolicyMappings *mappings;
    SECItem newExtnValue;

    /* make a new arena */
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (!arena) {
        goto loser;
    }

    /* allocate the policy mappings structure */
    mappings = (CERTCertificatePolicyMappings *)PORT_ArenaZAlloc(
        arena, sizeof(CERTCertificatePolicyMappings));
    if (mappings == NULL) {
        goto loser;
    }
    mappings->arena = arena;

    /* copy the DER into the arena, since Quick DER returns data that points
       into the DER input, which may get freed by the caller */
    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
    if (rv != SECSuccess) {
        goto loser;
    }

    /* decode the policy mappings */
    rv = SEC_QuickDERDecodeItem(arena, mappings, CERT_PolicyMappingsTemplate,
                                &newExtnValue);
    if (rv != SECSuccess) {
        goto loser;
    }

    return (mappings);

loser:
    if (arena != NULL) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return (NULL);
}

SECStatus
CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings)
{
    if (mappings != NULL) {
        PORT_FreeArena(mappings->arena, PR_FALSE);
    }
    return SECSuccess;
}

SECStatus
CERT_DecodePolicyConstraintsExtension(
    CERTCertificatePolicyConstraints *decodedValue, const SECItem *encodedValue)
{
    CERTCertificatePolicyConstraints decodeContext;
    PLArenaPool *arena = NULL;
    SECStatus rv = SECSuccess;

    /* initialize so we can tell when an optional component is omitted */
    PORT_Memset(&decodeContext, 0, sizeof(decodeContext));

    /* make a new arena */
    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (!arena) {
        return SECFailure;
    }

    do {
        /* decode the policy constraints */
        rv = SEC_QuickDERDecodeItem(arena, &decodeContext,
                                    CERT_PolicyConstraintsTemplate,
                                    encodedValue);

        if (rv != SECSuccess) {
            break;
        }

        if (decodeContext.explicitPolicySkipCerts.len == 0) {
            *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1;
        } else {
            *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data =
                DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
        }

        if (decodeContext.inhibitMappingSkipCerts.len == 0) {
            *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1;
        } else {
            *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data =
                DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
        }

        if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
             PR_INT32_MIN) ||
            (*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
             PR_INT32_MAX) ||
            (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
             PR_INT32_MIN) ||
            (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
             PR_INT32_MAX)) {
            rv = SECFailure;
        }

    } while (0);

    PORT_FreeArena(arena, PR_FALSE);
    return (rv);
}

SECStatus
CERT_DecodeInhibitAnyExtension(CERTCertificateInhibitAny *decodedValue,
                               SECItem *encodedValue)
{
    CERTCertificateInhibitAny decodeContext;
    PLArenaPool *arena = NULL;
    SECStatus rv = SECSuccess;

    /* make a new arena */
    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (!arena) {
        return SECFailure;
    }

    do {

        /* decode the policy mappings */
        decodeContext.inhibitAnySkipCerts.type = siUnsignedInteger;
        rv = SEC_QuickDERDecodeItem(arena, &decodeContext,
                                    CERT_InhibitAnyTemplate, encodedValue);

        if (rv != SECSuccess) {
            break;
        }

        *(PRInt32 *)decodedValue->inhibitAnySkipCerts.data =
            DER_GetInteger(&decodeContext.inhibitAnySkipCerts);

    } while (0);

    PORT_FreeArena(arena, PR_FALSE);
    return (rv);
}

CERTUserNotice *
CERT_DecodeUserNotice(SECItem *noticeItem)
{
    PLArenaPool *arena = NULL;
    SECStatus rv;
    CERTUserNotice *userNotice;
    SECItem newNoticeItem;

    /* make a new arena */
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {
        goto loser;
    }

    /* allocate the userNotice structure */
    userNotice =
        (CERTUserNotice *)PORT_ArenaZAlloc(arena, sizeof(CERTUserNotice));

    if (userNotice == NULL) {
        goto loser;
    }

    userNotice->arena = arena;

    /* copy the DER into the arena, since Quick DER returns data that points
       into the DER input, which may get freed by the caller */
    rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem);
    if (rv != SECSuccess) {
        goto loser;
    }

    /* decode the user notice */
    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
                                &newNoticeItem);

    if (rv != SECSuccess) {
        goto loser;
    }

    if (userNotice->derNoticeReference.data != NULL) {

        rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference,
                                    CERT_NoticeReferenceTemplate,
                                    &userNotice->derNoticeReference);
        if (rv == SECFailure) {
            goto loser;
        }
    }

    return (userNotice);

loser:
    if (arena != NULL) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return (NULL);
}

void
CERT_DestroyUserNotice(CERTUserNotice *userNotice)
{
    if (userNotice != NULL) {
        PORT_FreeArena(userNotice->arena, PR_FALSE);
    }
    return;
}

static CERTPolicyStringCallback policyStringCB = NULL;
static void *policyStringCBArg = NULL;

void
CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
{
    policyStringCB = cb;
    policyStringCBArg = cbarg;
    return;
}

char *
stringFromUserNotice(SECItem *noticeItem)
{
    SECItem *org;
    unsigned int len, headerlen;
    char *stringbuf;
    CERTUserNotice *userNotice;
    char *policystr;
    char *retstr = NULL;
    SECItem *displayText;
    SECItem **noticeNumbers;
    unsigned int strnum;

    /* decode the user notice */
    userNotice = CERT_DecodeUserNotice(noticeItem);
    if (userNotice == NULL) {
        return (NULL);
    }

    org = &userNotice->noticeReference.organization;
    if ((org->len != 0) && (policyStringCB != NULL)) {
        /* has a noticeReference */

        /* extract the org string */
        len = org->len;
        stringbuf = (char *)PORT_Alloc(len + 1);
        if (stringbuf != NULL) {
            PORT_Memcpy(stringbuf, org->data, len);
            stringbuf[len] = '\0';

            noticeNumbers = userNotice->noticeReference.noticeNumbers;
            while (*noticeNumbers != NULL) {
                /* XXX - only one byte integers right now*/
                strnum = (*noticeNumbers)->data[0];
                policystr =
                    (*policyStringCB)(stringbuf, strnum, policyStringCBArg);
                if (policystr != NULL) {
                    if (retstr != NULL) {
                        retstr = PR_sprintf_append(retstr, "\n%s", policystr);
                    } else {
                        retstr = PR_sprintf_append(retstr, "%s", policystr);
                    }

                    PORT_Free(policystr);
                }

                noticeNumbers++;
            }

            PORT_Free(stringbuf);
        }
    }

    if (retstr == NULL) {
        if (userNotice->displayText.len != 0) {
            displayText = &userNotice->displayText;

            if (displayText->len > 2) {
                if (displayText->data[0] == SEC_ASN1_VISIBLE_STRING) {
                    headerlen = 2;
                    if (displayText->data[1] & 0x80) {
                        /* multibyte length */
                        headerlen += (displayText->data[1] & 0x7f);
                    }

                    len = displayText->len - headerlen;
                    retstr = (char *)PORT_Alloc(len + 1);
                    if (retstr != NULL) {
                        PORT_Memcpy(retstr, &displayText->data[headerlen], len);
                        retstr[len] = '\0';
                    }
                }
            }
        }
    }

    CERT_DestroyUserNotice(userNotice);

    return (retstr);
}

char *
CERT_GetCertCommentString(CERTCertificate *cert)
{
    char *retstring = NULL;
    SECStatus rv;
    SECItem policyItem;
    CERTCertificatePolicies *policies = NULL;
    CERTPolicyInfo **policyInfos;
    CERTPolicyQualifier **policyQualifiers, *qualifier;

    policyItem.data = NULL;

    rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
                                &policyItem);
    if (rv != SECSuccess) {
        goto nopolicy;
    }

    policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
    if (policies == NULL) {
        goto nopolicy;
    }

    policyInfos = policies->policyInfos;
    /* search through policyInfos looking for the verisign policy */
    while (*policyInfos != NULL) {
        if ((*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES) {
            policyQualifiers = (*policyInfos)->policyQualifiers;
            /* search through the policy qualifiers looking for user notice */
            while (policyQualifiers != NULL && *policyQualifiers != NULL) {
                qualifier = *policyQualifiers;
                if (qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER) {
                    retstring =
                        stringFromUserNotice(&qualifier->qualifierValue);
                    break;
                }

                policyQualifiers++;
            }
            break;
        }
        policyInfos++;
    }

nopolicy:
    if (policyItem.data != NULL) {
        PORT_Free(policyItem.data);
    }

    if (policies != NULL) {
        CERT_DestroyCertificatePoliciesExtension(policies);
    }

    if (retstring == NULL) {
        retstring =
            CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_COMMENT);
    }

    if (retstring != NULL) {
        breakLines(retstring);
    }

    return (retstring);
}

const SEC_ASN1Template CERT_OidSeqTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
};

CERTOidSequence *
CERT_DecodeOidSequence(const SECItem *seqItem)
{
    PLArenaPool *arena = NULL;
    SECStatus rv;
    CERTOidSequence *oidSeq;
    SECItem newSeqItem;

    /* make a new arena */
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {
        goto loser;
    }

    /* allocate the userNotice structure */
    oidSeq =
        (CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));

    if (oidSeq == NULL) {
        goto loser;
    }

    oidSeq->arena = arena;

    /* copy the DER into the arena, since Quick DER returns data that points
       into the DER input, which may get freed by the caller */
    rv = SECITEM_CopyItem(arena, &newSeqItem, seqItem);
    if (rv != SECSuccess) {
        goto loser;
    }

    /* decode the user notice */
    rv =
        SEC_QuickDERDecodeItem(arena, oidSeq, CERT_OidSeqTemplate, &newSeqItem);

    if (rv != SECSuccess) {
        goto loser;
    }

    return (oidSeq);

loser:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }
    return (NULL);
}

void
CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
{
    if (oidSeq != NULL) {
        PORT_FreeArena(oidSeq->arena, PR_FALSE);
    }
    return;
}

PRBool
CERT_GovtApprovedBitSet(CERTCertificate *cert)
{
    SECStatus rv;
    SECItem extItem;
    CERTOidSequence *oidSeq = NULL;
    PRBool ret;
    SECItem **oids;
    SECItem *oid;
    SECOidTag oidTag;

    extItem.data = NULL;
    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
    if (rv != SECSuccess) {
        goto loser;
    }

    oidSeq = CERT_DecodeOidSequence(&extItem);
    if (oidSeq == NULL) {
        goto loser;
    }

    oids = oidSeq->oids;
    while (oids != NULL && *oids != NULL) {
        oid = *oids;

        oidTag = SECOID_FindOIDTag(oid);

        if (oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) {
            goto success;
        }

        oids++;
    }

loser:
    ret = PR_FALSE;
    goto done;
success:
    ret = PR_TRUE;
done:
    if (oidSeq != NULL) {
        CERT_DestroyOidSequence(oidSeq);
    }
    if (extItem.data != NULL) {
        PORT_Free(extItem.data);
    }
    return (ret);
}

SECStatus
CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
                                      CERTCertificatePolicyConstraints *constr,
                                      SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(constr != NULL && dest != NULL);
    if (constr == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, constr,
                           CERT_PolicyConstraintsTemplate) == NULL) {
        rv = SECFailure;
    }
    return (rv);
}

SECStatus
CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
                                  CERTCertificatePolicyMappings *mapping,
                                  SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(mapping != NULL && dest != NULL);
    if (mapping == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, mapping, CERT_PolicyMappingsTemplate) ==
        NULL) {
        rv = SECFailure;
    }
    return (rv);
}

SECStatus
CERT_EncodeCertPoliciesExtension(PLArenaPool *arena, CERTPolicyInfo **info,
                                 SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(info != NULL && dest != NULL);
    if (info == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, info,
                           CERT_CertificatePoliciesTemplate) == NULL) {
        rv = SECFailure;
    }
    return (rv);
}

SECStatus
CERT_EncodeUserNotice(PLArenaPool *arena, CERTUserNotice *notice, SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(notice != NULL && dest != NULL);
    if (notice == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, notice, CERT_UserNoticeTemplate) ==
        NULL) {
        rv = SECFailure;
    }

    return (rv);
}

SECStatus
CERT_EncodeNoticeReference(PLArenaPool *arena, CERTNoticeReference *reference,
                           SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(reference != NULL && dest != NULL);
    if (reference == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, reference,
                           CERT_NoticeReferenceTemplate) == NULL) {
        rv = SECFailure;
    }

    return (rv);
}

SECStatus
CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
                               CERTCertificateInhibitAny *certInhibitAny,
                               SECItem *dest)
{
    SECStatus rv = SECSuccess;

    PORT_Assert(certInhibitAny != NULL && dest != NULL);
    if (certInhibitAny == NULL || dest == NULL) {
        return SECFailure;
    }

    if (SEC_ASN1EncodeItem(arena, dest, certInhibitAny,
                           CERT_InhibitAnyTemplate) == NULL) {
        rv = SECFailure;
    }
    return (rv);
}

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		/*
6		* Support for various policy related extensions
7		*/
8
9		#include "seccomon.h"
10		#include "secport.h"
11		#include "secder.h"
12		#include "cert.h"
13		#include "secoid.h"
14		#include "secasn1.h"
15		#include "secerr.h"
16		#include "nspr.h"
17
18		SEC_ASN1_MKSUB(SEC_IntegerTemplate)
19		SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
20
21		const SEC_ASN1Template CERT_DisplayTextTypeTemplate[] = {
22		{ SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
23		{ SEC_ASN1_IA5_STRING, 0, 0, siAsciiString },
24		{ SEC_ASN1_VISIBLE_STRING, 0, 0, siVisibleString },
25		{ SEC_ASN1_BMP_STRING, 0, 0, siBMPString },
26		{ SEC_ASN1_UTF8_STRING, 0, 0, siUTF8String },
27		{ 0 }
28		};
29
30		const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
31		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNoticeReference) },
32		{ SEC_ASN1_INLINE, offsetof(CERTNoticeReference, organization),
33		CERT_DisplayTextTypeTemplate, 0 },
34		{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_XTRN,
35		offsetof(CERTNoticeReference, noticeNumbers),
36		SEC_ASN1_SUB(SEC_IntegerTemplate) },
37		{ 0 }
38		};
39
40		const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
41		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTUserNotice) },
42		{ SEC_ASN1_INLINE \| SEC_ASN1_OPTIONAL,
43		offsetof(CERTUserNotice, noticeReference), CERT_NoticeReferenceTemplate,
44		0 },
45		{ SEC_ASN1_INLINE \| SEC_ASN1_OPTIONAL,
46		offsetof(CERTUserNotice, displayText), CERT_DisplayTextTypeTemplate, 0 },
47		{ 0 }
48		};
49
50		const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
51		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyQualifier) },
52		{ SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyQualifier, qualifierID) },
53		{ SEC_ASN1_ANY, offsetof(CERTPolicyQualifier, qualifierValue) },
54		{ 0 }
55		};
56
57		const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
58		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyInfo) },
59		{ SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyInfo, policyID) },
60		{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_OPTIONAL,
61		offsetof(CERTPolicyInfo, policyQualifiers),
62		CERT_PolicyQualifierTemplate },
63		{ 0 }
64		};
65
66		const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
67		{ SEC_ASN1_SEQUENCE_OF, offsetof(CERTCertificatePolicies, policyInfos),
68		CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) }
69		};
70
71		const SEC_ASN1Template CERT_PolicyMapTemplate[] = {
72		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPolicyMap) },
73		{ SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyMap, issuerDomainPolicy) },
74		{ SEC_ASN1_OBJECT_ID, offsetof(CERTPolicyMap, subjectDomainPolicy) },
75		{ 0 }
76		};
77
78		const SEC_ASN1Template CERT_PolicyMappingsTemplate[] = {
79		{ SEC_ASN1_SEQUENCE_OF, offsetof(CERTCertificatePolicyMappings, policyMaps),
80		CERT_PolicyMapTemplate, sizeof(CERTPolicyMap) }
81		};
82
83		const SEC_ASN1Template CERT_PolicyConstraintsTemplate[] = {
84		{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertificatePolicyConstraints) },
85		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_XTRN \| 0,
86		offsetof(CERTCertificatePolicyConstraints, explicitPolicySkipCerts),
87		SEC_ASN1_SUB(SEC_IntegerTemplate) },
88		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONTEXT_SPECIFIC \| SEC_ASN1_XTRN \| 1,
89		offsetof(CERTCertificatePolicyConstraints, inhibitMappingSkipCerts),
90		SEC_ASN1_SUB(SEC_IntegerTemplate) },
91		{ 0 }
92		};
93
94		const SEC_ASN1Template CERT_InhibitAnyTemplate[] = {
95		{ SEC_ASN1_INTEGER,
96		offsetof(CERTCertificateInhibitAny, inhibitAnySkipCerts), NULL,
97		sizeof(CERTCertificateInhibitAny) }
98		};
99
100		static void
101		breakLines(char *string)
102	0	{
103	0	char *tmpstr;
104	0	char *lastspace = NULL;
105	0	int curlen = 0;
106	0	int c;
107
108	0	tmpstr = string;
109
110	0	while ((c = *tmpstr) != '\0') {
111	0	switch (c) {
112	0	case ' ':
113	0	lastspace = tmpstr;
114	0	break;
115	0	case '\n':
116	0	lastspace = NULL;
117	0	curlen = 0;
118	0	break;
119	0	}
120
121	0	if ((curlen >= 55) && (lastspace != NULL)) {
122	0	*lastspace = '\n';
123	0	curlen = (tmpstr - lastspace);
124	0	lastspace = NULL;
125	0	}
126
127	0	curlen++;
128	0	tmpstr++;
129	0	}
130
131	0	return;
132	0	}
133
134		CERTCertificatePolicies *
135		CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue)
136	0	{
137	0	PLArenaPool *arena = NULL;
138	0	SECStatus rv;
139	0	CERTCertificatePolicies *policies;
140	0	CERTPolicyInfo *policyInfos, policyInfo;
141	0	CERTPolicyQualifier *policyQualifiers, policyQualifier;
142	0	SECItem newExtnValue;
143
144		/* make a new arena */
145	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
146
147	0	if (!arena) {
148	0	goto loser;
149	0	}
150
151		/* allocate the certificate policies structure */
152	0	policies = (CERTCertificatePolicies *)PORT_ArenaZAlloc(
153	0	arena, sizeof(CERTCertificatePolicies));
154
155	0	if (policies == NULL) {
156	0	goto loser;
157	0	}
158
159	0	policies->arena = arena;
160
161		/* copy the DER into the arena, since Quick DER returns data that points
162		into the DER input, which may get freed by the caller */
163	0	rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
164	0	if (rv != SECSuccess) {
165	0	goto loser;
166	0	}
167
168		/* decode the policy info */
169	0	rv = SEC_QuickDERDecodeItem(
170	0	arena, policies, CERT_CertificatePoliciesTemplate, &newExtnValue);
171
172	0	if (rv != SECSuccess) {
173	0	goto loser;
174	0	}
175
176		/* initialize the oid tags */
177	0	policyInfos = policies->policyInfos;
178	0	while (*policyInfos != NULL) {
179	0	policyInfo = *policyInfos;
180	0	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
181	0	policyQualifiers = policyInfo->policyQualifiers;
182	0	while (policyQualifiers != NULL && *policyQualifiers != NULL) {
183	0	policyQualifier = *policyQualifiers;
184	0	policyQualifier->oid =
185	0	SECOID_FindOIDTag(&policyQualifier->qualifierID);
186	0	policyQualifiers++;
187	0	}
188	0	policyInfos++;
189	0	}
190
191	0	return (policies);
192
193	0	loser:
194	0	if (arena != NULL) {
195	0	PORT_FreeArena(arena, PR_FALSE);
196	0	}
197
198	0	return (NULL);
199	0	}
200
201		void
202		CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
203	0	{
204	0	if (policies != NULL) {
205	0	PORT_FreeArena(policies->arena, PR_FALSE);
206	0	}
207	0	return;
208	0	}
209
210		CERTCertificatePolicyMappings *
211		CERT_DecodePolicyMappingsExtension(SECItem *extnValue)
212	0	{
213	0	PLArenaPool *arena = NULL;
214	0	SECStatus rv;
215	0	CERTCertificatePolicyMappings *mappings;
216	0	SECItem newExtnValue;
217
218		/* make a new arena */
219	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
220	0	if (!arena) {
221	0	goto loser;
222	0	}
223
224		/* allocate the policy mappings structure */
225	0	mappings = (CERTCertificatePolicyMappings *)PORT_ArenaZAlloc(
226	0	arena, sizeof(CERTCertificatePolicyMappings));
227	0	if (mappings == NULL) {
228	0	goto loser;
229	0	}
230	0	mappings->arena = arena;
231
232		/* copy the DER into the arena, since Quick DER returns data that points
233		into the DER input, which may get freed by the caller */
234	0	rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
235	0	if (rv != SECSuccess) {
236	0	goto loser;
237	0	}
238
239		/* decode the policy mappings */
240	0	rv = SEC_QuickDERDecodeItem(arena, mappings, CERT_PolicyMappingsTemplate,
241	0	&newExtnValue);
242	0	if (rv != SECSuccess) {
243	0	goto loser;
244	0	}
245
246	0	return (mappings);
247
248	0	loser:
249	0	if (arena != NULL) {
250	0	PORT_FreeArena(arena, PR_FALSE);
251	0	}
252
253	0	return (NULL);
254	0	}
255
256		SECStatus
257		CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings)
258	0	{
259	0	if (mappings != NULL) {
260	0	PORT_FreeArena(mappings->arena, PR_FALSE);
261	0	}
262	0	return SECSuccess;
263	0	}
264
265		SECStatus
266		CERT_DecodePolicyConstraintsExtension(
267		CERTCertificatePolicyConstraints decodedValue, const SECItem encodedValue)
268	0	{
269	0	CERTCertificatePolicyConstraints decodeContext;
270	0	PLArenaPool *arena = NULL;
271	0	SECStatus rv = SECSuccess;
272
273		/* initialize so we can tell when an optional component is omitted */
274	0	PORT_Memset(&decodeContext, 0, sizeof(decodeContext));
275
276		/* make a new arena */
277	0	arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
278	0	if (!arena) {
279	0	return SECFailure;
280	0	}
281
282	0	do {
283		/* decode the policy constraints */
284	0	rv = SEC_QuickDERDecodeItem(arena, &decodeContext,
285	0	CERT_PolicyConstraintsTemplate,
286	0	encodedValue);
287
288	0	if (rv != SECSuccess) {
289	0	break;
290	0	}
291
292	0	if (decodeContext.explicitPolicySkipCerts.len == 0) {
293	0	(PRInt32 )decodedValue->explicitPolicySkipCerts.data = -1;
294	0	} else {
295	0	(PRInt32 )decodedValue->explicitPolicySkipCerts.data =
296	0	DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
297	0	}
298
299	0	if (decodeContext.inhibitMappingSkipCerts.len == 0) {
300	0	(PRInt32 )decodedValue->inhibitMappingSkipCerts.data = -1;
301	0	} else {
302	0	(PRInt32 )decodedValue->inhibitMappingSkipCerts.data =
303	0	DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
304	0	}
305
306	0	if (((PRInt32 )decodedValue->explicitPolicySkipCerts.data ==
307	0	PR_INT32_MIN) \|\|
308	0	((PRInt32 )decodedValue->explicitPolicySkipCerts.data ==
309	0	PR_INT32_MAX) \|\|
310	0	((PRInt32 )decodedValue->inhibitMappingSkipCerts.data ==
311	0	PR_INT32_MIN) \|\|
312	0	((PRInt32 )decodedValue->inhibitMappingSkipCerts.data ==
313	0	PR_INT32_MAX)) {
314	0	rv = SECFailure;
315	0	}
316
317	0	} while (0);
318
319	0	PORT_FreeArena(arena, PR_FALSE);
320	0	return (rv);
321	0	}
322
323		SECStatus
324		CERT_DecodeInhibitAnyExtension(CERTCertificateInhibitAny *decodedValue,
325		SECItem *encodedValue)
326	0	{
327	0	CERTCertificateInhibitAny decodeContext;
328	0	PLArenaPool *arena = NULL;
329	0	SECStatus rv = SECSuccess;
330
331		/* make a new arena */
332	0	arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
333	0	if (!arena) {
334	0	return SECFailure;
335	0	}
336
337	0	do {
338
339		/* decode the policy mappings */
340	0	decodeContext.inhibitAnySkipCerts.type = siUnsignedInteger;
341	0	rv = SEC_QuickDERDecodeItem(arena, &decodeContext,
342	0	CERT_InhibitAnyTemplate, encodedValue);
343
344	0	if (rv != SECSuccess) {
345	0	break;
346	0	}
347
348	0	(PRInt32 )decodedValue->inhibitAnySkipCerts.data =
349	0	DER_GetInteger(&decodeContext.inhibitAnySkipCerts);
350
351	0	} while (0);
352
353	0	PORT_FreeArena(arena, PR_FALSE);
354	0	return (rv);
355	0	}
356
357		CERTUserNotice *
358		CERT_DecodeUserNotice(SECItem *noticeItem)
359	0	{
360	0	PLArenaPool *arena = NULL;
361	0	SECStatus rv;
362	0	CERTUserNotice *userNotice;
363	0	SECItem newNoticeItem;
364
365		/* make a new arena */
366	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
367
368	0	if (!arena) {
369	0	goto loser;
370	0	}
371
372		/* allocate the userNotice structure */
373	0	userNotice =
374	0	(CERTUserNotice *)PORT_ArenaZAlloc(arena, sizeof(CERTUserNotice));
375
376	0	if (userNotice == NULL) {
377	0	goto loser;
378	0	}
379
380	0	userNotice->arena = arena;
381
382		/* copy the DER into the arena, since Quick DER returns data that points
383		into the DER input, which may get freed by the caller */
384	0	rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem);
385	0	if (rv != SECSuccess) {
386	0	goto loser;
387	0	}
388
389		/* decode the user notice */
390	0	rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
391	0	&newNoticeItem);
392
393	0	if (rv != SECSuccess) {
394	0	goto loser;
395	0	}
396
397	0	if (userNotice->derNoticeReference.data != NULL) {
398
399	0	rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference,
400	0	CERT_NoticeReferenceTemplate,
401	0	&userNotice->derNoticeReference);
402	0	if (rv == SECFailure) {
403	0	goto loser;
404	0	}
405	0	}
406
407	0	return (userNotice);
408
409	0	loser:
410	0	if (arena != NULL) {
411	0	PORT_FreeArena(arena, PR_FALSE);
412	0	}
413
414	0	return (NULL);
415	0	}
416
417		void
418		CERT_DestroyUserNotice(CERTUserNotice *userNotice)
419	0	{
420	0	if (userNotice != NULL) {
421	0	PORT_FreeArena(userNotice->arena, PR_FALSE);
422	0	}
423	0	return;
424	0	}
425
426		static CERTPolicyStringCallback policyStringCB = NULL;
427		static void *policyStringCBArg = NULL;
428
429		void
430		CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
431	0	{
432	0	policyStringCB = cb;
433	0	policyStringCBArg = cbarg;
434	0	return;
435	0	}
436
437		char *
438		stringFromUserNotice(SECItem *noticeItem)
439	0	{
440	0	SECItem *org;
441	0	unsigned int len, headerlen;
442	0	char *stringbuf;
443	0	CERTUserNotice *userNotice;
444	0	char *policystr;
445	0	char *retstr = NULL;
446	0	SECItem *displayText;
447	0	SECItem **noticeNumbers;
448	0	unsigned int strnum;
449
450		/* decode the user notice */
451	0	userNotice = CERT_DecodeUserNotice(noticeItem);
452	0	if (userNotice == NULL) {
453	0	return (NULL);
454	0	}
455
456	0	org = &userNotice->noticeReference.organization;
457	0	if ((org->len != 0) && (policyStringCB != NULL)) {
458		/* has a noticeReference */
459
460		/* extract the org string */
461	0	len = org->len;
462	0	stringbuf = (char *)PORT_Alloc(len + 1);
463	0	if (stringbuf != NULL) {
464	0	PORT_Memcpy(stringbuf, org->data, len);
465	0	stringbuf[len] = '\0';
466
467	0	noticeNumbers = userNotice->noticeReference.noticeNumbers;
468	0	while (*noticeNumbers != NULL) {
469		/* XXX - only one byte integers right now*/
470	0	strnum = (*noticeNumbers)->data[0];
471	0	policystr =
472	0	(*policyStringCB)(stringbuf, strnum, policyStringCBArg);
473	0	if (policystr != NULL) {
474	0	if (retstr != NULL) {
475	0	retstr = PR_sprintf_append(retstr, "\n%s", policystr);
476	0	} else {
477	0	retstr = PR_sprintf_append(retstr, "%s", policystr);
478	0	}
479
480	0	PORT_Free(policystr);
481	0	}
482
483	0	noticeNumbers++;
484	0	}
485
486	0	PORT_Free(stringbuf);
487	0	}
488	0	}
489
490	0	if (retstr == NULL) {
491	0	if (userNotice->displayText.len != 0) {
492	0	displayText = &userNotice->displayText;
493
494	0	if (displayText->len > 2) {
495	0	if (displayText->data[0] == SEC_ASN1_VISIBLE_STRING) {
496	0	headerlen = 2;
497	0	if (displayText->data[1] & 0x80) {
498		/* multibyte length */
499	0	headerlen += (displayText->data[1] & 0x7f);
500	0	}
501
502	0	len = displayText->len - headerlen;
503	0	retstr = (char *)PORT_Alloc(len + 1);
504	0	if (retstr != NULL) {
505	0	PORT_Memcpy(retstr, &displayText->data[headerlen], len);
506	0	retstr[len] = '\0';
507	0	}
508	0	}
509	0	}
510	0	}
511	0	}
512
513	0	CERT_DestroyUserNotice(userNotice);
514
515	0	return (retstr);
516	0	}
517
518		char *
519		CERT_GetCertCommentString(CERTCertificate *cert)
520	0	{
521	0	char *retstring = NULL;
522	0	SECStatus rv;
523	0	SECItem policyItem;
524	0	CERTCertificatePolicies *policies = NULL;
525	0	CERTPolicyInfo **policyInfos;
526	0	CERTPolicyQualifier *policyQualifiers, qualifier;
527
528	0	policyItem.data = NULL;
529
530	0	rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
531	0	&policyItem);
532	0	if (rv != SECSuccess) {
533	0	goto nopolicy;
534	0	}
535
536	0	policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
537	0	if (policies == NULL) {
538	0	goto nopolicy;
539	0	}
540
541	0	policyInfos = policies->policyInfos;
542		/* search through policyInfos looking for the verisign policy */
543	0	while (*policyInfos != NULL) {
544	0	if ((*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES) {
545	0	policyQualifiers = (*policyInfos)->policyQualifiers;
546		/* search through the policy qualifiers looking for user notice */
547	0	while (policyQualifiers != NULL && *policyQualifiers != NULL) {
548	0	qualifier = *policyQualifiers;
549	0	if (qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER) {
550	0	retstring =
551	0	stringFromUserNotice(&qualifier->qualifierValue);
552	0	break;
553	0	}
554
555	0	policyQualifiers++;
556	0	}
557	0	break;
558	0	}
559	0	policyInfos++;
560	0	}
561
562	0	nopolicy:
563	0	if (policyItem.data != NULL) {
564	0	PORT_Free(policyItem.data);
565	0	}
566
567	0	if (policies != NULL) {
568	0	CERT_DestroyCertificatePoliciesExtension(policies);
569	0	}
570
571	0	if (retstring == NULL) {
572	0	retstring =
573	0	CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_COMMENT);
574	0	}
575
576	0	if (retstring != NULL) {
577	0	breakLines(retstring);
578	0	}
579
580	0	return (retstring);
581	0	}
582
583		const SEC_ASN1Template CERT_OidSeqTemplate[] = {
584		{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
585		SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
586		};
587
588		CERTOidSequence *
589		CERT_DecodeOidSequence(const SECItem *seqItem)
590	0	{
591	0	PLArenaPool *arena = NULL;
592	0	SECStatus rv;
593	0	CERTOidSequence *oidSeq;
594	0	SECItem newSeqItem;
595
596		/* make a new arena */
597	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
598
599	0	if (!arena) {
600	0	goto loser;
601	0	}
602
603		/* allocate the userNotice structure */
604	0	oidSeq =
605	0	(CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));
606
607	0	if (oidSeq == NULL) {
608	0	goto loser;
609	0	}
610
611	0	oidSeq->arena = arena;
612
613		/* copy the DER into the arena, since Quick DER returns data that points
614		into the DER input, which may get freed by the caller */
615	0	rv = SECITEM_CopyItem(arena, &newSeqItem, seqItem);
616	0	if (rv != SECSuccess) {
617	0	goto loser;
618	0	}
619
620		/* decode the user notice */
621	0	rv =
622	0	SEC_QuickDERDecodeItem(arena, oidSeq, CERT_OidSeqTemplate, &newSeqItem);
623
624	0	if (rv != SECSuccess) {
625	0	goto loser;
626	0	}
627
628	0	return (oidSeq);
629
630	0	loser:
631	0	if (arena) {
632	0	PORT_FreeArena(arena, PR_FALSE);
633	0	}
634	0	return (NULL);
635	0	}
636
637		void
638		CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
639	0	{
640	0	if (oidSeq != NULL) {
641	0	PORT_FreeArena(oidSeq->arena, PR_FALSE);
642	0	}
643	0	return;
644	0	}
645
646		PRBool
647		CERT_GovtApprovedBitSet(CERTCertificate *cert)
648	0	{
649	0	SECStatus rv;
650	0	SECItem extItem;
651	0	CERTOidSequence *oidSeq = NULL;
652	0	PRBool ret;
653	0	SECItem **oids;
654	0	SECItem *oid;
655	0	SECOidTag oidTag;
656
657	0	extItem.data = NULL;
658	0	rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
659	0	if (rv != SECSuccess) {
660	0	goto loser;
661	0	}
662
663	0	oidSeq = CERT_DecodeOidSequence(&extItem);
664	0	if (oidSeq == NULL) {
665	0	goto loser;
666	0	}
667
668	0	oids = oidSeq->oids;
669	0	while (oids != NULL && *oids != NULL) {
670	0	oid = *oids;
671
672	0	oidTag = SECOID_FindOIDTag(oid);
673
674	0	if (oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) {
675	0	goto success;
676	0	}
677
678	0	oids++;
679	0	}
680
681	0	loser:
682	0	ret = PR_FALSE;
683	0	goto done;
684	0	success:
685	0	ret = PR_TRUE;
686	0	done:
687	0	if (oidSeq != NULL) {
688	0	CERT_DestroyOidSequence(oidSeq);
689	0	}
690	0	if (extItem.data != NULL) {
691	0	PORT_Free(extItem.data);
692	0	}
693	0	return (ret);
694	0	}
695
696		SECStatus
697		CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
698		CERTCertificatePolicyConstraints *constr,
699		SECItem *dest)
700	0	{
701	0	SECStatus rv = SECSuccess;
702
703	0	PORT_Assert(constr != NULL && dest != NULL);
704	0	if (constr == NULL \|\| dest == NULL) {
705	0	return SECFailure;
706	0	}
707
708	0	if (SEC_ASN1EncodeItem(arena, dest, constr,
709	0	CERT_PolicyConstraintsTemplate) == NULL) {
710	0	rv = SECFailure;
711	0	}
712	0	return (rv);
713	0	}
714
715		SECStatus
716		CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
717		CERTCertificatePolicyMappings *mapping,
718		SECItem *dest)
719	0	{
720	0	SECStatus rv = SECSuccess;
721
722	0	PORT_Assert(mapping != NULL && dest != NULL);
723	0	if (mapping == NULL \|\| dest == NULL) {
724	0	return SECFailure;
725	0	}
726
727	0	if (SEC_ASN1EncodeItem(arena, dest, mapping, CERT_PolicyMappingsTemplate) ==
728	0	NULL) {
729	0	rv = SECFailure;
730	0	}
731	0	return (rv);
732	0	}
733
734		SECStatus
735		CERT_EncodeCertPoliciesExtension(PLArenaPool arena, CERTPolicyInfo *info,
736		SECItem *dest)
737	0	{
738	0	SECStatus rv = SECSuccess;
739
740	0	PORT_Assert(info != NULL && dest != NULL);
741	0	if (info == NULL \|\| dest == NULL) {
742	0	return SECFailure;
743	0	}
744
745	0	if (SEC_ASN1EncodeItem(arena, dest, info,
746	0	CERT_CertificatePoliciesTemplate) == NULL) {
747	0	rv = SECFailure;
748	0	}
749	0	return (rv);
750	0	}
751
752		SECStatus
753		CERT_EncodeUserNotice(PLArenaPool arena, CERTUserNotice notice, SECItem *dest)
754	0	{
755	0	SECStatus rv = SECSuccess;
756
757	0	PORT_Assert(notice != NULL && dest != NULL);
758	0	if (notice == NULL \|\| dest == NULL) {
759	0	return SECFailure;
760	0	}
761
762	0	if (SEC_ASN1EncodeItem(arena, dest, notice, CERT_UserNoticeTemplate) ==
763	0	NULL) {
764	0	rv = SECFailure;
765	0	}
766
767	0	return (rv);
768	0	}
769
770		SECStatus
771		CERT_EncodeNoticeReference(PLArenaPool arena, CERTNoticeReference reference,
772		SECItem *dest)
773	0	{
774	0	SECStatus rv = SECSuccess;
775
776	0	PORT_Assert(reference != NULL && dest != NULL);
777	0	if (reference == NULL \|\| dest == NULL) {
778	0	return SECFailure;
779	0	}
780
781	0	if (SEC_ASN1EncodeItem(arena, dest, reference,
782	0	CERT_NoticeReferenceTemplate) == NULL) {
783	0	rv = SECFailure;
784	0	}
785
786	0	return (rv);
787	0	}
788
789		SECStatus
790		CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
791		CERTCertificateInhibitAny *certInhibitAny,
792		SECItem *dest)
793	0	{
794	0	SECStatus rv = SECSuccess;
795
796	0	PORT_Assert(certInhibitAny != NULL && dest != NULL);
797	0	if (certInhibitAny == NULL \|\| dest == NULL) {
798	0	return SECFailure;
799	0	}
800
801	0	if (SEC_ASN1EncodeItem(arena, dest, certInhibitAny,
802	0	CERT_InhibitAnyTemplate) == NULL) {
803	0	rv = SECFailure;
804	0	}
805	0	return (rv);
806	0	}