Diffstat (limited to 'chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c')
-rwxr-xr-xchromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c124
1 files changed, 6 insertions, 118 deletions
diff --git a/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c b/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c
index c35163a480b..0fd4fadca2e 100755
--- a/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/chromium/third_party/nss/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -65,7 +65,6 @@ pkix_ForwardBuilderState_Destroy(
state->numFanout = 0;
state->numDepth = 0;
state->reasonCode = 0;
- state->revCheckDelayed = PKIX_FALSE;
state->canBeCached = PKIX_FALSE;
state->useOnlyLocal = PKIX_FALSE;
state->revChecking = PKIX_FALSE;
@@ -126,9 +125,6 @@ cleanup:
* Number of Certs that can be considered at this level (0 = no limit)
* "numDepth"
* Number of additional levels that can be searched (0 = no limit)
- * "revCheckDelayed"
- * Boolean value indicating whether rev check is delayed until after
- * entire chain is built.
* "canBeCached"
* Boolean value indicating whether all certs on the chain can be cached.
* "validityDate"
@@ -159,7 +155,6 @@ pkix_ForwardBuilderState_Create(
PKIX_Int32 traversedCACerts,
PKIX_UInt32 numFanout,
PKIX_UInt32 numDepth,
- PKIX_Boolean revCheckDelayed,
PKIX_Boolean canBeCached,
PKIX_PL_Date *validityDate,
PKIX_PL_Cert *prevCert,
@@ -195,7 +190,6 @@ pkix_ForwardBuilderState_Create(
state->numDepth = numDepth;
state->reasonCode = 0;
state->revChecking = numDepth;
- state->revCheckDelayed = revCheckDelayed;
state->canBeCached = canBeCached;
state->useOnlyLocal = PKIX_TRUE;
state->revChecking = PKIX_FALSE;
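Review bot: The context line `state->revChecking = numDepth;` is a dead store that this cleanup leaves behind: it puts a PKIX_UInt32 depth into what looks like a Boolean field (it is reset to PKIX_FALSE here and in pkix_ForwardBuilderState_Destroy) and is overwritten a few lines later by `state->revChecking = PKIX_FALSE;`. Since the commit is already pruning revocation state from this initializer, drop the first assignment so the field is set exactly once. The body of pkix_ForwardBuilderState_Create starts and ends outside this hunk.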
@@ -371,7 +365,6 @@ pkix_ForwardBuilderState_ToString
"\tnumFanout: \t%d\n"
"\tnumDepth: \t%d\n"
"\treasonCode: \t%d\n"
- "\trevCheckDelayed: \t%d\n"
"\tcanBeCached: \t%d\n"
"\tuseOnlyLocal: \t%d\n"
"\trevChecking: \t%d\n"
@@ -416,10 +409,6 @@ pkix_ForwardBuilderState_ToString
break;
case BUILD_ABANDONNODE: asciiStatus = "BUILD_ABANDONNODE";
break;
- case BUILD_CRLPREP: asciiStatus = "BUILD_CRLPREP";
- break;
- case BUILD_CRL1: asciiStatus = "BUILD_CRL1";
- break;
case BUILD_DATEPREP: asciiStatus = "BUILD_DATEPREP";
break;
case BUILD_CHECKTRUSTED: asciiStatus = "BUILD_CHECKTRUSTED";
@@ -428,8 +417,6 @@ pkix_ForwardBuilderState_ToString
break;
case BUILD_ADDTOCHAIN: asciiStatus = "BUILD_ADDTOCHAIN";
break;
- case BUILD_CRL2: asciiStatus = "BUILD_CRL2";
- break;
case BUILD_VALCHAIN: asciiStatus = "BUILD_VALCHAIN";
break;
case BUILD_VALCHAIN2: asciiStatus = "BUILD_VALCHAIN2";
@@ -498,7 +485,6 @@ pkix_ForwardBuilderState_ToString
(PKIX_UInt32)state->numFanout,
(PKIX_UInt32)state->numDepth,
(PKIX_UInt32)state->reasonCode,
- state->revCheckDelayed,
state->canBeCached,
state->useOnlyLocal,
state->revChecking,
@@ -656,8 +642,6 @@ pkix_ForwardBuilderState_IsIOPending(
PKIX_NULLCHECK_TWO(state, pPending);
if ((state->status == BUILD_GATHERPENDING) ||
- (state->status == BUILD_CRL1) ||
- (state->status == BUILD_CRL2) ||
(state->status == BUILD_CHECKTRUSTED2) ||
(state->status == BUILD_VALCHAIN2) ||
(state->status == BUILD_AIAPENDING)) {
@@ -780,16 +764,12 @@ cleanup:
* Checks whether the previous Cert stored in the ForwardBuilderState pointed
* to by "state" successfully chains, including signature verification, to the
* candidate Cert also stored in "state", using the Boolean value in "trusted"
- * to determine whether "candidateCert" is trusted. Using the Boolean value in
- * "revocationChecking" for the existence of revocation checking, it sets
- * "pNeedsCRLChecking" to PKIX_TRUE if the candidate Cert needs to be checked
- * against Certificate Revocation Lists.
+ * to determine whether "candidateCert" is trusted.
*
* First it checks whether "candidateCert" has already been traversed by
- * determining whether it is contained in the List of traversed Certs. It
+ * determining whether it is contained in the List of traversed Certs. It then
* checks the candidate Cert with user checkers, if any, in the List pointed to
- * by "userCheckers". It then runs the signature validation. Finally, it
- * determines the appropriate value for "pNeedsCRLChecking".
+ * by "userCheckers". Finally, it runs the signature validation.
*
* If this Certificate fails verification, and state->verifyNode is non-NULL,
* this function sets the Error code into the verifyNode.
@@ -800,14 +780,8 @@ cleanup:
* "userCheckers"
* Address of a List of CertChainCheckers to be used, if present, to
* validate the candidateCert.
- * "revocationChecking"
- * Boolean indication of whether revocation checking is available, either
- * as a CertChainChecker or a List of RevocationCheckers.
* "trusted"
* Boolean value of trust for the candidate Cert
- * "pNeedsCRLChecking"
- * Address where Boolean CRL-checking-needed value is stored.
- * Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
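Review bot: The parameter list in this comment no longer matches the signature shown in the next hunk: it documents `"trusted"` while the parameter is `PKIX_Boolean *pTrusted`, and `verifyNode` has no entry between `"trusted"` and `"plContext"`. While the block is being edited, rename the entry to `"pTrusted"` with text such as `Address of the Boolean trust value for the candidate Cert. Must be non-NULL.`, which matches the `PKIX_NULLCHECK_TWO(state, pTrusted)` guard. A `"verifyNode"` entry should also be added, saying that it receives the error code when verification fails; the exact contract should be confirmed against the body, which lies outside this hunk.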
@@ -821,9 +795,7 @@ static PKIX_Error *
pkix_Build_VerifyCertificate(
PKIX_ForwardBuilderState *state,
PKIX_List *userCheckers,
- PKIX_Boolean revocationChecking,
PKIX_Boolean *pTrusted,
- PKIX_Boolean *pNeedsCRLChecking,
PKIX_VerifyNode *verifyNode,
void *plContext)
{
@@ -841,12 +813,10 @@ pkix_Build_VerifyCertificate(
void *nbioContext = NULL;
PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate");
- PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking);
+ PKIX_NULLCHECK_TWO(state, pTrusted);
PKIX_NULLCHECK_THREE
(state->candidateCerts, state->prevCert, state->trustChain);
- *pNeedsCRLChecking = PKIX_FALSE;
-
PKIX_INCREF(state->candidateCert);
candidateCert = state->candidateCert;
@@ -944,26 +914,6 @@ pkix_Build_VerifyCertificate(
PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
}
}
-
-
- if (revocationChecking) {
- if (!trusted) {
- if (state->revCheckDelayed) {
- goto cleanup;
- } else {
- PKIX_Boolean isSelfIssued = PKIX_FALSE;
- PKIX_CHECK(
- pkix_IsCertSelfIssued(candidateCert, &isSelfIssued,
- plContext),
- PKIX_ISCERTSELFISSUEDFAILED);
- if (isSelfIssued) {
- state->revCheckDelayed = PKIX_TRUE;
- goto cleanup;
- }
- }
- }
- *pNeedsCRLChecking = PKIX_TRUE;
- }
cleanup:
PKIX_DECREF(candidateCert);
@@ -1348,9 +1298,8 @@ pkix_Build_ValidateEntireChain(
ERROR_CHECK(PKIX_CHECKCHAINFAILED);
- if (state->reasonCode != 0) {
- PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
- }
+ /* XXX Remove this assertion after 2014-12-31. See bug 946984. */
+ PORT_Assert(state->reasonCode == 0);
PKIX_CHECK(pkix_ValidateResult_Create
(subjPubKey, anchor, policyTree, &valResult, plContext),
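Review bot: Replacing the `state->reasonCode != 0` rejection with `PORT_Assert(state->reasonCode == 0)` turns a fail-closed check into one that exists only in debug builds, because PORT_Assert is normally compiled out of optimized builds. If any path can still leave a non-zero reasonCode, a release build would now continue to `pkix_ValidateResult_Create` and return a successful result for a chain that the revocation checker flagged. The rest of the commit removes the BUILD_CRLPREP code, so the value may be unreachable, but that cannot be confirmed from this hunk, whose function body extends beyond it. Keeping the runtime check after the assertion preserves the old behaviour at no cost: `if (state->reasonCode != 0) { PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER); }`.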
@@ -2080,8 +2029,6 @@ pkix_BuildForwardDepthFirstSearch(
PKIX_Boolean trusted = PKIX_FALSE;
PKIX_Boolean isSelfIssued = PKIX_FALSE;
PKIX_Boolean canBeCached = PKIX_FALSE;
- PKIX_Boolean revocationCheckingExists = PKIX_FALSE;
- PKIX_Boolean needsCRLChecking = PKIX_FALSE;
PKIX_Boolean ioPending = PKIX_FALSE;
PKIX_PL_Date *validityDate = NULL;
PKIX_PL_Date *currTime = NULL;
@@ -2392,9 +2339,6 @@ pkix_BuildForwardDepthFirstSearch(
#endif
if (state->status == BUILD_CERTVALIDATING) {
- revocationCheckingExists =
- (state->buildConstants.revChecker != NULL);
-
PKIX_DECREF(state->candidateCert);
PKIX_CHECK(PKIX_List_GetItem
(state->candidateCerts,
@@ -2417,9 +2361,7 @@ pkix_BuildForwardDepthFirstSearch(
verifyError = pkix_Build_VerifyCertificate
(state,
state->buildConstants.userCheckers,
- revocationCheckingExists,
&trusted,
- &needsCRLChecking,
verifyNode,
plContext);
@@ -2454,63 +2396,11 @@ pkix_BuildForwardDepthFirstSearch(
(PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
}
state->status = BUILD_GETNEXTCERT;
- } else if (needsCRLChecking) {
- state->status = BUILD_CRLPREP;
} else {
state->status = BUILD_DATEPREP;
}
}
- if (state->status == BUILD_CRLPREP) {
- PKIX_RevocationStatus revStatus;
- PKIX_UInt32 reasonCode;
-
- verifyError =
- PKIX_RevocationChecker_Check(
- state->prevCert, state->candidateCert,
- state->buildConstants.revChecker,
- state->buildConstants.procParams,
- PKIX_FALSE,
- (state->parentState == NULL) ?
- PKIX_TRUE : PKIX_FALSE,
- &revStatus, &reasonCode,
- &nbio, plContext);
- if (nbio != NULL) {
- *pNBIOContext = nbio;
- goto cleanup;
- }
- if (revStatus == PKIX_RevStatus_Revoked || verifyError) {
- if (!verifyError) {
- /* if verifyError is returned then use it as
- * it has a detailed revocation error code.
- * Otherwise create a new error */
- PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
- verifyError);
- }
- if (state->verifyNode != NULL) {
- PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
- (verifyNode, verifyError, plContext),
- PKIX_VERIFYNODESETERRORFAILED);
- PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
- (state->verifyNode,
- verifyNode,
- plContext),
- PKIX_VERIFYNODEADDTOTREEFAILED);
- PKIX_DECREF(verifyNode);
- }
- PKIX_DECREF(finalError);
- finalError = verifyError;
- verifyError = NULL;
- if (state->certLoopingDetected) {
- PKIX_ERROR
- (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
- }
- state->status = BUILD_GETNEXTCERT;
- } else {
- state->status = BUILD_DATEPREP;
- }
- }
-
if (state->status == BUILD_DATEPREP) {
/* Keep track of whether this chain can be cached */
PKIX_CHECK(pkix_Build_UpdateDate(state, plContext),
@@ -2712,7 +2602,6 @@ pkix_BuildForwardDepthFirstSearch(
(childTraversedCACerts,
state->buildConstants.maxFanout,
state->numDepth - 1,
- state->revCheckDelayed,
canBeCached,
validityDate,
state->candidateCert,
@@ -3522,7 +3411,6 @@ pkix_Build_InitiateBuildChain(
(0, /* PKIX_UInt32 traversedCACerts */
buildConstants.maxFanout,
buildConstants.maxDepth,
- PKIX_FALSE, /* PKIX_Boolean revCheckDelayed */
PKIX_TRUE, /* PKIX_Boolean canBeCached */
NULL, /* PKIX_Date *validityDate */
targetCert, /* PKIX_PL_Cert *prevCert */