diff options
Diffstat (limited to 'chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c')
-rwxr-xr-x | chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c | 124 |
1 files changed, 6 insertions, 118 deletions
diff --git a/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c b/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c index c35163a480b..0fd4fadca2e 100755 --- a/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c @@ -65,7 +65,6 @@ pkix_ForwardBuilderState_Destroy( state->numFanout = 0; state->numDepth = 0; state->reasonCode = 0; - state->revCheckDelayed = PKIX_FALSE; state->canBeCached = PKIX_FALSE; state->useOnlyLocal = PKIX_FALSE; state->revChecking = PKIX_FALSE; @@ -126,9 +125,6 @@ cleanup: * Number of Certs that can be considered at this level (0 = no limit) * "numDepth" * Number of additional levels that can be searched (0 = no limit) - * "revCheckDelayed" - * Boolean value indicating whether rev check is delayed until after - * entire chain is built. * "canBeCached" * Boolean value indicating whether all certs on the chain can be cached. * "validityDate" @@ -159,7 +155,6 @@ pkix_ForwardBuilderState_Create( PKIX_Int32 traversedCACerts, PKIX_UInt32 numFanout, PKIX_UInt32 numDepth, - PKIX_Boolean revCheckDelayed, PKIX_Boolean canBeCached, PKIX_PL_Date *validityDate, PKIX_PL_Cert *prevCert, @@ -195,7 +190,6 @@ pkix_ForwardBuilderState_Create( state->numDepth = numDepth; state->reasonCode = 0; state->revChecking = numDepth; - state->revCheckDelayed = revCheckDelayed; state->canBeCached = canBeCached; state->useOnlyLocal = PKIX_TRUE; state->revChecking = PKIX_FALSE; @@ -371,7 +365,6 @@ pkix_ForwardBuilderState_ToString "\tnumFanout: \t%d\n" "\tnumDepth: \t%d\n" "\treasonCode: \t%d\n" - "\trevCheckDelayed: \t%d\n" "\tcanBeCached: \t%d\n" "\tuseOnlyLocal: \t%d\n" "\trevChecking: \t%d\n" @@ -416,10 +409,6 @@ pkix_ForwardBuilderState_ToString break; case BUILD_ABANDONNODE: asciiStatus = "BUILD_ABANDONNODE"; break; - case BUILD_CRLPREP: asciiStatus = "BUILD_CRLPREP"; - break; - case BUILD_CRL1: asciiStatus = "BUILD_CRL1"; - break; case BUILD_DATEPREP: asciiStatus = "BUILD_DATEPREP"; break; case BUILD_CHECKTRUSTED: asciiStatus = "BUILD_CHECKTRUSTED"; @@ -428,8 +417,6 @@ pkix_ForwardBuilderState_ToString break; case BUILD_ADDTOCHAIN: asciiStatus = "BUILD_ADDTOCHAIN"; break; - case BUILD_CRL2: asciiStatus = "BUILD_CRL2"; - break; case BUILD_VALCHAIN: asciiStatus = "BUILD_VALCHAIN"; break; case BUILD_VALCHAIN2: asciiStatus = "BUILD_VALCHAIN2"; @@ -498,7 +485,6 @@ pkix_ForwardBuilderState_ToString (PKIX_UInt32)state->numFanout, (PKIX_UInt32)state->numDepth, (PKIX_UInt32)state->reasonCode, - state->revCheckDelayed, state->canBeCached, state->useOnlyLocal, state->revChecking, @@ -656,8 +642,6 @@ pkix_ForwardBuilderState_IsIOPending( PKIX_NULLCHECK_TWO(state, pPending); if ((state->status == BUILD_GATHERPENDING) || - (state->status == BUILD_CRL1) || - (state->status == BUILD_CRL2) || (state->status == BUILD_CHECKTRUSTED2) || (state->status == BUILD_VALCHAIN2) || (state->status == BUILD_AIAPENDING)) { @@ -780,16 +764,12 @@ cleanup: * Checks whether the previous Cert stored in the ForwardBuilderState pointed * to by "state" successfully chains, including signature verification, to the * candidate Cert also stored in "state", using the Boolean value in "trusted" - * to determine whether "candidateCert" is trusted. Using the Boolean value in - * "revocationChecking" for the existence of revocation checking, it sets - * "pNeedsCRLChecking" to PKIX_TRUE if the candidate Cert needs to be checked - * against Certificate Revocation Lists. + * to determine whether "candidateCert" is trusted. * * First it checks whether "candidateCert" has already been traversed by - * determining whether it is contained in the List of traversed Certs. It + * determining whether it is contained in the List of traversed Certs. It then * checks the candidate Cert with user checkers, if any, in the List pointed to - * by "userCheckers". It then runs the signature validation. Finally, it - * determines the appropriate value for "pNeedsCRLChecking". + * by "userCheckers". Finally, it runs the signature validation. * * If this Certificate fails verification, and state->verifyNode is non-NULL, * this function sets the Error code into the verifyNode. @@ -800,14 +780,8 @@ cleanup: * "userCheckers" * Address of a List of CertChainCheckers to be used, if present, to * validate the candidateCert. - * "revocationChecking" - * Boolean indication of whether revocation checking is available, either - * as a CertChainChecker or a List of RevocationCheckers. * "trusted" * Boolean value of trust for the candidate Cert - * "pNeedsCRLChecking" - * Address where Boolean CRL-checking-needed value is stored. - * Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: @@ -821,9 +795,7 @@ static PKIX_Error * pkix_Build_VerifyCertificate( PKIX_ForwardBuilderState *state, PKIX_List *userCheckers, - PKIX_Boolean revocationChecking, PKIX_Boolean *pTrusted, - PKIX_Boolean *pNeedsCRLChecking, PKIX_VerifyNode *verifyNode, void *plContext) { @@ -841,12 +813,10 @@ pkix_Build_VerifyCertificate( void *nbioContext = NULL; PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate"); - PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking); + PKIX_NULLCHECK_TWO(state, pTrusted); PKIX_NULLCHECK_THREE (state->candidateCerts, state->prevCert, state->trustChain); - *pNeedsCRLChecking = PKIX_FALSE; - PKIX_INCREF(state->candidateCert); candidateCert = state->candidateCert; @@ -944,26 +914,6 @@ pkix_Build_VerifyCertificate( PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS); } } - - - if (revocationChecking) { - if (!trusted) { - if (state->revCheckDelayed) { - goto cleanup; - } else { - PKIX_Boolean isSelfIssued = PKIX_FALSE; - PKIX_CHECK( - pkix_IsCertSelfIssued(candidateCert, &isSelfIssued, - plContext), - PKIX_ISCERTSELFISSUEDFAILED); - if (isSelfIssued) { - state->revCheckDelayed = PKIX_TRUE; - goto cleanup; - } - } - } - *pNeedsCRLChecking = PKIX_TRUE; - } cleanup: PKIX_DECREF(candidateCert); @@ -1348,9 +1298,8 @@ pkix_Build_ValidateEntireChain( ERROR_CHECK(PKIX_CHECKCHAINFAILED); - if (state->reasonCode != 0) { - PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER); - } + /* XXX Remove this assertion after 2014-12-31. See bug 946984. */ + PORT_Assert(state->reasonCode == 0); PKIX_CHECK(pkix_ValidateResult_Create (subjPubKey, anchor, policyTree, &valResult, plContext), @@ -2080,8 +2029,6 @@ pkix_BuildForwardDepthFirstSearch( PKIX_Boolean trusted = PKIX_FALSE; PKIX_Boolean isSelfIssued = PKIX_FALSE; PKIX_Boolean canBeCached = PKIX_FALSE; - PKIX_Boolean revocationCheckingExists = PKIX_FALSE; - PKIX_Boolean needsCRLChecking = PKIX_FALSE; PKIX_Boolean ioPending = PKIX_FALSE; PKIX_PL_Date *validityDate = NULL; PKIX_PL_Date *currTime = NULL; @@ -2392,9 +2339,6 @@ pkix_BuildForwardDepthFirstSearch( #endif if (state->status == BUILD_CERTVALIDATING) { - revocationCheckingExists = - (state->buildConstants.revChecker != NULL); - PKIX_DECREF(state->candidateCert); PKIX_CHECK(PKIX_List_GetItem (state->candidateCerts, @@ -2417,9 +2361,7 @@ pkix_BuildForwardDepthFirstSearch( verifyError = pkix_Build_VerifyCertificate (state, state->buildConstants.userCheckers, - revocationCheckingExists, &trusted, - &needsCRLChecking, verifyNode, plContext); @@ -2454,63 +2396,11 @@ pkix_BuildForwardDepthFirstSearch( (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED); } state->status = BUILD_GETNEXTCERT; - } else if (needsCRLChecking) { - state->status = BUILD_CRLPREP; } else { state->status = BUILD_DATEPREP; } } - if (state->status == BUILD_CRLPREP) { - PKIX_RevocationStatus revStatus; - PKIX_UInt32 reasonCode; - - verifyError = - PKIX_RevocationChecker_Check( - state->prevCert, state->candidateCert, - state->buildConstants.revChecker, - state->buildConstants.procParams, - PKIX_FALSE, - (state->parentState == NULL) ? - PKIX_TRUE : PKIX_FALSE, - &revStatus, &reasonCode, - &nbio, plContext); - if (nbio != NULL) { - *pNBIOContext = nbio; - goto cleanup; - } - if (revStatus == PKIX_RevStatus_Revoked || verifyError) { - if (!verifyError) { - /* if verifyError is returned then use it as - * it has a detailed revocation error code. - * Otherwise create a new error */ - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, - verifyError); - } - if (state->verifyNode != NULL) { - PKIX_CHECK_FATAL(pkix_VerifyNode_SetError - (verifyNode, verifyError, plContext), - PKIX_VERIFYNODESETERRORFAILED); - PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree - (state->verifyNode, - verifyNode, - plContext), - PKIX_VERIFYNODEADDTOTREEFAILED); - PKIX_DECREF(verifyNode); - } - PKIX_DECREF(finalError); - finalError = verifyError; - verifyError = NULL; - if (state->certLoopingDetected) { - PKIX_ERROR - (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED); - } - state->status = BUILD_GETNEXTCERT; - } else { - state->status = BUILD_DATEPREP; - } - } - if (state->status == BUILD_DATEPREP) { /* Keep track of whether this chain can be cached */ PKIX_CHECK(pkix_Build_UpdateDate(state, plContext), @@ -2712,7 +2602,6 @@ pkix_BuildForwardDepthFirstSearch( (childTraversedCACerts, state->buildConstants.maxFanout, state->numDepth - 1, - state->revCheckDelayed, canBeCached, validityDate, state->candidateCert, @@ -3522,7 +3411,6 @@ pkix_Build_InitiateBuildChain( (0, /* PKIX_UInt32 traversedCACerts */ buildConstants.maxFanout, buildConstants.maxDepth, - PKIX_FALSE, /* PKIX_Boolean revCheckDelayed */ PKIX_TRUE, /* PKIX_Boolean canBeCached */ NULL, /* PKIX_Date *validityDate */ targetCert, /* PKIX_PL_Cert *prevCert */ |