palemoon-dev/platform/security/nss/lib/crmf/crmfreq.c

/* -*- Mode: C; tab-width: 8 -*-*/
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "crmf.h"
#include "crmfi.h"
#include "keyhi.h"
#include "secder.h"

/*
 * Macro that returns PR_TRUE if the pointer is not NULL.
 * If the pointer is NULL, then the macro will return PR_FALSE.
 */
#define IS_NOT_NULL(ptr) ((ptr) == NULL) ? PR_FALSE : PR_TRUE

const unsigned char hexTrue = 0xff;
const unsigned char hexFalse = 0x00;

SECStatus
crmf_encode_integer(PLArenaPool *poolp, SECItem *dest, long value)
{
    SECItem *dummy;

    dummy = SEC_ASN1EncodeInteger(poolp, dest, value);
    PORT_Assert(dummy == dest);
    if (dummy == NULL) {
        return SECFailure;
    }
    return SECSuccess;
}

SECStatus
crmf_encode_unsigned_integer(PLArenaPool *poolp, SECItem *dest,
                             unsigned long value)
{
    SECItem *dummy;

    dummy = SEC_ASN1EncodeUnsignedInteger(poolp, dest, value);
    PORT_Assert(dummy == dest);
    if (dummy != dest) {
        return SECFailure;
    }
    return SECSuccess;
}

static SECStatus
crmf_copy_secitem(PLArenaPool *poolp, SECItem *dest, SECItem *src)
{
    return SECITEM_CopyItem(poolp, dest, src);
}

PRBool
CRMF_DoesRequestHaveField(CRMFCertRequest *inCertReq,
                          CRMFCertTemplateField inField)
{

    PORT_Assert(inCertReq != NULL);
    if (inCertReq == NULL) {
        return PR_FALSE;
    }
    switch (inField) {
        case crmfVersion:
            return inCertReq->certTemplate.version.data != NULL;
        case crmfSerialNumber:
            return inCertReq->certTemplate.serialNumber.data != NULL;
        case crmfSigningAlg:
            return inCertReq->certTemplate.signingAlg != NULL;
        case crmfIssuer:
            return inCertReq->certTemplate.issuer != NULL;
        case crmfValidity:
            return inCertReq->certTemplate.validity != NULL;
        case crmfSubject:
            return inCertReq->certTemplate.subject != NULL;
        case crmfPublicKey:
            return inCertReq->certTemplate.publicKey != NULL;
        case crmfIssuerUID:
            return inCertReq->certTemplate.issuerUID.data != NULL;
        case crmfSubjectUID:
            return inCertReq->certTemplate.subjectUID.data != NULL;
        case crmfExtension:
            return CRMF_CertRequestGetNumberOfExtensions(inCertReq) != 0;
    }
    return PR_FALSE;
}

CRMFCertRequest *
CRMF_CreateCertRequest(PRUint32 inRequestID)
{
    PLArenaPool *poolp;
    CRMFCertRequest *certReq;
    SECStatus rv;

    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
    if (poolp == NULL) {
        goto loser;
    }

    certReq = PORT_ArenaZNew(poolp, CRMFCertRequest);
    if (certReq == NULL) {
        goto loser;
    }

    certReq->poolp = poolp;
    certReq->requestID = inRequestID;

    rv = crmf_encode_unsigned_integer(poolp, &(certReq->certReqId),
                                      inRequestID);
    if (rv != SECSuccess) {
        goto loser;
    }

    return certReq;
loser:
    if (poolp) {
        PORT_FreeArena(poolp, PR_FALSE);
    }
    return NULL;
}

SECStatus
CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq)
{
    PORT_Assert(inCertReq != NULL);
    if (inCertReq != NULL) {
        if (inCertReq->certTemplate.extensions) {
            PORT_Free(inCertReq->certTemplate.extensions);
        }
        if (inCertReq->controls) {
            /* Right now we don't support EnveloppedData option,
             * so we won't go through and delete each occurrence of
             * an EnveloppedData in the control.
             */
            PORT_Free(inCertReq->controls);
        }
        if (inCertReq->poolp) {
            PORT_FreeArena(inCertReq->poolp, PR_TRUE);
        }
    }
    return SECSuccess;
}

static SECStatus
crmf_template_add_version(PLArenaPool *poolp, SECItem *dest, long version)
{
    return (crmf_encode_integer(poolp, dest, version));
}

static SECStatus
crmf_template_add_serialnumber(PLArenaPool *poolp, SECItem *dest, long serial)
{
    return (crmf_encode_integer(poolp, dest, serial));
}

SECStatus
crmf_template_copy_secalg(PLArenaPool *poolp, SECAlgorithmID **dest,
                          SECAlgorithmID *src)
{
    SECStatus rv;
    void *mark = NULL;
    SECAlgorithmID *mySecAlg;

    if (!poolp) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    mark = PORT_ArenaMark(poolp);
    *dest = mySecAlg = PORT_ArenaZNew(poolp, SECAlgorithmID);
    if (mySecAlg == NULL) {
        goto loser;
    }
    rv = SECOID_CopyAlgorithmID(poolp, mySecAlg, src);
    if (rv != SECSuccess) {
        goto loser;
    }
    if (mark) {
        PORT_ArenaUnmark(poolp, mark);
    }
    return SECSuccess;

loser:
    *dest = NULL;
    if (mark) {
        PORT_ArenaRelease(poolp, mark);
    }
    return SECFailure;
}

SECStatus
crmf_copy_cert_name(PLArenaPool *poolp, CERTName **dest,
                    CERTName *src)
{
    CERTName *newName;
    SECStatus rv;
    void *mark;

    mark = PORT_ArenaMark(poolp);
    *dest = newName = PORT_ArenaZNew(poolp, CERTName);
    if (newName == NULL) {
        goto loser;
    }

    rv = CERT_CopyName(poolp, newName, src);
    if (rv != SECSuccess) {
        goto loser;
    }
    PORT_ArenaUnmark(poolp, mark);
    return SECSuccess;
loser:
    PORT_ArenaRelease(poolp, mark);
    *dest = NULL;
    return SECFailure;
}

static SECStatus
crmf_template_add_issuer(PLArenaPool *poolp, CERTName **dest,
                         CERTName *issuerName)
{
    return crmf_copy_cert_name(poolp, dest, issuerName);
}

static SECStatus
crmf_template_add_validity(PLArenaPool *poolp, CRMFOptionalValidity **dest,
                           CRMFValidityCreationInfo *info)
{
    SECStatus rv;
    void *mark;
    CRMFOptionalValidity *myValidity;

    /*First off, let's make sure at least one of the two fields is present*/
    if (!info || (!info->notBefore && !info->notAfter)) {
        return SECFailure;
    }
    mark = PORT_ArenaMark(poolp);
    *dest = myValidity = PORT_ArenaZNew(poolp, CRMFOptionalValidity);
    if (myValidity == NULL) {
        goto loser;
    }

    if (info->notBefore) {
        rv = DER_EncodeTimeChoice(poolp, &myValidity->notBefore,
                                  *info->notBefore);
        if (rv != SECSuccess) {
            goto loser;
        }
    }
    if (info->notAfter) {
        rv = DER_EncodeTimeChoice(poolp, &myValidity->notAfter,
                                  *info->notAfter);
        if (rv != SECSuccess) {
            goto loser;
        }
    }
    PORT_ArenaUnmark(poolp, mark);
    return SECSuccess;
loser:
    PORT_ArenaRelease(poolp, mark);
    *dest = NULL;
    return SECFailure;
}

static SECStatus
crmf_template_add_subject(PLArenaPool *poolp, CERTName **dest,
                          CERTName *subject)
{
    return crmf_copy_cert_name(poolp, dest, subject);
}

SECStatus
crmf_template_add_public_key(PLArenaPool *poolp,
                             CERTSubjectPublicKeyInfo **dest,
                             CERTSubjectPublicKeyInfo *pubKey)
{
    CERTSubjectPublicKeyInfo *spki;
    SECStatus rv;

    *dest = spki = (poolp == NULL) ? PORT_ZNew(CERTSubjectPublicKeyInfo) : PORT_ArenaZNew(poolp, CERTSubjectPublicKeyInfo);
    if (spki == NULL) {
        goto loser;
    }
    rv = SECKEY_CopySubjectPublicKeyInfo(poolp, spki, pubKey);
    if (rv != SECSuccess) {
        goto loser;
    }
    return SECSuccess;
loser:
    if (poolp == NULL && spki != NULL) {
        SECKEY_DestroySubjectPublicKeyInfo(spki);
    }
    *dest = NULL;
    return SECFailure;
}

static SECStatus
crmf_copy_bitstring(PLArenaPool *poolp, SECItem *dest, const SECItem *src)
{
    SECStatus rv;
    SECItem byteSrc;

    byteSrc = *src;
    byteSrc.len = CRMF_BITS_TO_BYTES(byteSrc.len);
    rv = crmf_copy_secitem(poolp, dest, &byteSrc);
    dest->len = src->len;
    return rv;
}

static SECStatus
crmf_template_add_issuer_uid(PLArenaPool *poolp, SECItem *dest,
                             const SECItem *issuerUID)
{
    return crmf_copy_bitstring(poolp, dest, issuerUID);
}

static SECStatus
crmf_template_add_subject_uid(PLArenaPool *poolp, SECItem *dest,
                              const SECItem *subjectUID)
{
    return crmf_copy_bitstring(poolp, dest, subjectUID);
}

static void
crmf_zeroize_new_extensions(CRMFCertExtension **extensions,
                            int numToZeroize)
{
    PORT_Memset((void *)extensions, 0, sizeof(CERTCertExtension *) * numToZeroize);
}

/*
 * The strategy for adding templates will differ from all the other
 * attributes in the template.  First, we want to allow the client
 * of this API to set extensions more than just once.  So we will
 * need the ability grow the array of extensions.  Since arenas don't
 * give us the realloc function, we'll use the generic PORT_* functions
 * to allocate the array of pointers *ONLY*.  Then we will allocate each
 * individual extension from the arena that comes along with the certReq
 * structure that owns this template.
 */
static SECStatus
crmf_template_add_extensions(PLArenaPool *poolp, CRMFCertTemplate *inTemplate,
                             CRMFCertExtCreationInfo *extensions)
{
    void *mark;
    int newSize, oldSize, i;
    SECStatus rv;
    CRMFCertExtension **extArray;
    CRMFCertExtension *newExt, *currExt;

    mark = PORT_ArenaMark(poolp);
    if (inTemplate->extensions == NULL) {
        newSize = extensions->numExtensions;
        extArray = PORT_ZNewArray(CRMFCertExtension *, newSize + 1);
    } else {
        newSize = inTemplate->numExtensions + extensions->numExtensions;
        extArray = PORT_Realloc(inTemplate->extensions,
                                sizeof(CRMFCertExtension *) * (newSize + 1));
    }
    if (extArray == NULL) {
        goto loser;
    }
    oldSize = inTemplate->numExtensions;
    inTemplate->extensions = extArray;
    inTemplate->numExtensions = newSize;
    for (i = oldSize; i < newSize; i++) {
        newExt = PORT_ArenaZNew(poolp, CRMFCertExtension);
        if (newExt == NULL) {
            goto loser2;
        }
        currExt = extensions->extensions[i - oldSize];
        rv = crmf_copy_secitem(poolp, &(newExt->id), &(currExt->id));
        if (rv != SECSuccess) {
            goto loser2;
        }
        rv = crmf_copy_secitem(poolp, &(newExt->critical),
                               &(currExt->critical));
        if (rv != SECSuccess) {
            goto loser2;
        }
        rv = crmf_copy_secitem(poolp, &(newExt->value), &(currExt->value));
        if (rv != SECSuccess) {
            goto loser2;
        }
        extArray[i] = newExt;
    }
    extArray[newSize] = NULL;
    PORT_ArenaUnmark(poolp, mark);
    return SECSuccess;
loser2:
    crmf_zeroize_new_extensions(&(inTemplate->extensions[oldSize]),
                                extensions->numExtensions);
    inTemplate->numExtensions = oldSize;
loser:
    PORT_ArenaRelease(poolp, mark);
    return SECFailure;
}

SECStatus
CRMF_CertRequestSetTemplateField(CRMFCertRequest *inCertReq,
                                 CRMFCertTemplateField inTemplateField,
                                 void *data)
{
    CRMFCertTemplate *certTemplate;
    PLArenaPool *poolp;
    SECStatus rv = SECFailure;
    void *mark;

    if (inCertReq == NULL) {
        return SECFailure;
    }

    certTemplate = &(inCertReq->certTemplate);

    poolp = inCertReq->poolp;
    mark = PORT_ArenaMark(poolp);
    switch (inTemplateField) {
        case crmfVersion:
            rv = crmf_template_add_version(poolp, &(certTemplate->version),
                                           *(long *)data);
            break;
        case crmfSerialNumber:
            rv = crmf_template_add_serialnumber(poolp,
                                                &(certTemplate->serialNumber),
                                                *(long *)data);
            break;
        case crmfSigningAlg:
            rv = crmf_template_copy_secalg(poolp, &(certTemplate->signingAlg),
                                           (SECAlgorithmID *)data);
            break;
        case crmfIssuer:
            rv = crmf_template_add_issuer(poolp, &(certTemplate->issuer),
                                          (CERTName *)data);
            break;
        case crmfValidity:
            rv = crmf_template_add_validity(poolp, &(certTemplate->validity),
                                            (CRMFValidityCreationInfo *)data);
            break;
        case crmfSubject:
            rv = crmf_template_add_subject(poolp, &(certTemplate->subject),
                                           (CERTName *)data);
            break;
        case crmfPublicKey:
            rv = crmf_template_add_public_key(poolp, &(certTemplate->publicKey),
                                              (CERTSubjectPublicKeyInfo *)data);
            break;
        case crmfIssuerUID:
            rv = crmf_template_add_issuer_uid(poolp, &(certTemplate->issuerUID),
                                              (SECItem *)data);
            break;
        case crmfSubjectUID:
            rv = crmf_template_add_subject_uid(poolp, &(certTemplate->subjectUID),
                                               (SECItem *)data);
            break;
        case crmfExtension:
            rv = crmf_template_add_extensions(poolp, certTemplate,
                                              (CRMFCertExtCreationInfo *)data);
            break;
    }
    if (rv != SECSuccess) {
        PORT_ArenaRelease(poolp, mark);
    } else {
        PORT_ArenaUnmark(poolp, mark);
    }
    return rv;
}

SECStatus
CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg,
                              CRMFCertRequest *inCertReq)
{
    PORT_Assert(inCertReqMsg != NULL && inCertReq != NULL);
    if (inCertReqMsg == NULL || inCertReq == NULL) {
        return SECFailure;
    }
    inCertReqMsg->certReq = crmf_copy_cert_request(inCertReqMsg->poolp,
                                                   inCertReq);
    return (inCertReqMsg->certReq == NULL) ? SECFailure : SECSuccess;
}

CRMFCertReqMsg *
CRMF_CreateCertReqMsg(void)
{
    PLArenaPool *poolp;
    CRMFCertReqMsg *reqMsg;

    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
    if (poolp == NULL) {
        goto loser;
    }
    reqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
    if (reqMsg == NULL) {
        goto loser;
    }
    reqMsg->poolp = poolp;
    return reqMsg;

loser:
    if (poolp) {
        PORT_FreeArena(poolp, PR_FALSE);
    }
    return NULL;
}

SECStatus
CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg)
{
    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->poolp != NULL);
    if (!inCertReqMsg->isDecoded) {
        if (inCertReqMsg->certReq->certTemplate.extensions != NULL) {
            PORT_Free(inCertReqMsg->certReq->certTemplate.extensions);
        }
        if (inCertReqMsg->certReq->controls != NULL) {
            PORT_Free(inCertReqMsg->certReq->controls);
        }
    }
    PORT_FreeArena(inCertReqMsg->poolp, PR_TRUE);
    return SECSuccess;
}

CRMFCertExtension *
crmf_create_cert_extension(PLArenaPool *poolp,
                           SECOidTag id,
                           PRBool isCritical,
                           SECItem *data)
{
    CRMFCertExtension *newExt;
    SECOidData *oidData;
    SECStatus rv;

    newExt = (poolp == NULL) ? PORT_ZNew(CRMFCertExtension) : PORT_ArenaZNew(poolp, CRMFCertExtension);
    if (newExt == NULL) {
        goto loser;
    }
    oidData = SECOID_FindOIDByTag(id);
    if (oidData == NULL ||
        oidData->supportedExtension != SUPPORTED_CERT_EXTENSION) {
        goto loser;
    }

    rv = SECITEM_CopyItem(poolp, &(newExt->id), &(oidData->oid));
    if (rv != SECSuccess) {
        goto loser;
    }

    rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
    if (rv != SECSuccess) {
        goto loser;
    }

    if (isCritical) {
        newExt->critical.data = (poolp == NULL) ? PORT_New(unsigned char)
                                                : PORT_ArenaNew(poolp, unsigned char);
        if (newExt->critical.data == NULL) {
            goto loser;
        }
        newExt->critical.data[0] = hexTrue;
        newExt->critical.len = 1;
    }
    return newExt;
loser:
    if (newExt != NULL && poolp == NULL) {
        CRMF_DestroyCertExtension(newExt);
    }
    return NULL;
}

CRMFCertExtension *
CRMF_CreateCertExtension(SECOidTag id,
                         PRBool isCritical,
                         SECItem *data)
{
    return crmf_create_cert_extension(NULL, id, isCritical, data);
}

static SECStatus
crmf_destroy_cert_extension(CRMFCertExtension *inExtension, PRBool freeit)
{
    if (inExtension != NULL) {
        SECITEM_FreeItem(&(inExtension->id), PR_FALSE);
        SECITEM_FreeItem(&(inExtension->value), PR_FALSE);
        SECITEM_FreeItem(&(inExtension->critical), PR_FALSE);
        if (freeit) {
            PORT_Free(inExtension);
        }
    }
    return SECSuccess;
}

SECStatus
CRMF_DestroyCertExtension(CRMFCertExtension *inExtension)
{
    return crmf_destroy_cert_extension(inExtension, PR_TRUE);
}

SECStatus
CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs)
{
    PORT_Assert(inCertReqMsgs != NULL);
    if (inCertReqMsgs != NULL) {
        PORT_FreeArena(inCertReqMsgs->poolp, PR_TRUE);
    }
    return SECSuccess;
}

static PRBool
crmf_item_has_data(SECItem *item)
{
    if (item != NULL && item->data != NULL) {
        return PR_TRUE;
    }
    return PR_FALSE;
}

PRBool
CRMF_CertRequestIsFieldPresent(CRMFCertRequest *inCertReq,
                               CRMFCertTemplateField inTemplateField)
{
    PRBool retVal;
    CRMFCertTemplate *certTemplate;

    PORT_Assert(inCertReq != NULL);
    if (inCertReq == NULL) {
        /* This is probably some kind of error, but this is
         * the safest return value for this function.
         */
        return PR_FALSE;
    }
    certTemplate = &inCertReq->certTemplate;
    switch (inTemplateField) {
        case crmfVersion:
            retVal = crmf_item_has_data(&certTemplate->version);
            break;
        case crmfSerialNumber:
            retVal = crmf_item_has_data(&certTemplate->serialNumber);
            break;
        case crmfSigningAlg:
            retVal = IS_NOT_NULL(certTemplate->signingAlg);
            break;
        case crmfIssuer:
            retVal = IS_NOT_NULL(certTemplate->issuer);
            break;
        case crmfValidity:
            retVal = IS_NOT_NULL(certTemplate->validity);
            break;
        case crmfSubject:
            retVal = IS_NOT_NULL(certTemplate->subject);
            break;
        case crmfPublicKey:
            retVal = IS_NOT_NULL(certTemplate->publicKey);
            break;
        case crmfIssuerUID:
            retVal = crmf_item_has_data(&certTemplate->issuerUID);
            break;
        case crmfSubjectUID:
            retVal = crmf_item_has_data(&certTemplate->subjectUID);
            break;
        case crmfExtension:
            retVal = IS_NOT_NULL(certTemplate->extensions);
            break;
        default:
            retVal = PR_FALSE;
    }
    return retVal;
}