summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hx509/revoke.c
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2008-10-27 11:35:07 +0100
committerStefan Metzmacher <metze@samba.org>2008-10-28 08:53:09 +0100
commit2b29b7186459d945ec448694164bfe4239b30d72 (patch)
tree561495b1870facf03f7892559a184f4f49df1fe2 /source4/heimdal/lib/hx509/revoke.c
parent698b7fd43658d9e96d28f26c9e1dae5e770bb57f (diff)
downloadsamba-2b29b7186459d945ec448694164bfe4239b30d72.tar.gz
samba-2b29b7186459d945ec448694164bfe4239b30d72.tar.bz2
samba-2b29b7186459d945ec448694164bfe4239b30d72.zip
s4: import lorikeet-heimdal-200810271034
metze
Diffstat (limited to 'source4/heimdal/lib/hx509/revoke.c')
-rw-r--r--source4/heimdal/lib/hx509/revoke.c130
1 files changed, 65 insertions, 65 deletions
diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c
index a36ec964d2..3f35b0d190 100644
--- a/source4/heimdal/lib/hx509/revoke.c
+++ b/source4/heimdal/lib/hx509/revoke.c
@@ -1,34 +1,34 @@
/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
/**
@@ -234,19 +234,19 @@ verify_ocsp(hx509_context context,
goto out;
}
- ret = hx509_cert_check_eku(context, signer,
+ ret = hx509_cert_check_eku(context, signer,
oid_id_pkix_kp_OCSPSigning(), 0);
if (ret)
goto out;
}
ret = _hx509_verify_signature_bitstring(context,
- _hx509_get_cert(signer),
+ _hx509_get_cert(signer),
&ocsp->ocsp.signatureAlgorithm,
&ocsp->ocsp.tbsResponseData._save,
&ocsp->ocsp.signature);
if (ret) {
- hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"OCSP signature invalid");
goto out;
}
@@ -294,7 +294,7 @@ parse_ocsp_basic(const void *data, size_t length, OCSPBasicOCSPResponse *basic)
return EINVAL;
}
- ret = der_heim_oid_cmp(&resp.responseBytes->responseType,
+ ret = der_heim_oid_cmp(&resp.responseBytes->responseType,
oid_id_pkix_ocsp_basic());
if (ret != 0) {
free_OCSPResponse(&resp);
@@ -352,7 +352,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
if (basic.certs) {
int i;
- ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0,
+ ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0,
NULL, &certs);
if (ret) {
free_OCSPBasicOCSPResponse(&basic);
@@ -361,11 +361,11 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
for (i = 0; i < basic.certs->len; i++) {
hx509_cert c;
-
+
ret = hx509_cert_init(context, &basic.certs->val[i], &c);
if (ret)
continue;
-
+
ret = hx509_certs_add(context, certs, c);
hx509_cert_free(c);
if (ret)
@@ -420,7 +420,7 @@ hx509_revoke_add_ocsp(hx509_context context,
return 0;
}
- data = realloc(ctx->ocsps.val,
+ data = realloc(ctx->ocsps.val,
(ctx->ocsps.len + 1) * sizeof(ctx->ocsps.val[0]));
if (data == NULL) {
hx509_clear_error_string(context);
@@ -429,7 +429,7 @@ hx509_revoke_add_ocsp(hx509_context context,
ctx->ocsps.val = data;
- memset(&ctx->ocsps.val[ctx->ocsps.len], 0,
+ memset(&ctx->ocsps.val[ctx->ocsps.len], 0,
sizeof(ctx->ocsps.val[0]));
ctx->ocsps.val[ctx->ocsps.len].path = strdup(path);
@@ -507,7 +507,7 @@ verify_crl(hx509_context context,
}
ret = _hx509_verify_signature_bitstring(context,
- _hx509_get_cert(signer),
+ _hx509_get_cert(signer),
&crl->signatureAlgorithm,
&crl->tbsCertList._save,
&crl->signatureValue);
@@ -517,7 +517,7 @@ verify_crl(hx509_context context,
goto out;
}
- /*
+ /*
* If signer is not CA cert, need to check revoke status of this
* CRL signing cert too, this include all parent CRL signer cert
* up to the root *sigh*, assume root at least hve CERTSIGN flag
@@ -540,7 +540,7 @@ verify_crl(hx509_context context,
}
ret = hx509_revoke_verify(context,
- ctx,
+ ctx,
certs,
time_now,
signer,
@@ -621,7 +621,7 @@ hx509_revoke_add_crl(hx509_context context,
return HX509_UNSUPPORTED_OPERATION;
}
-
+
path += 5;
for (i = 0; i < ctx->crls.len; i++) {
@@ -629,7 +629,7 @@ hx509_revoke_add_crl(hx509_context context,
return 0;
}
- data = realloc(ctx->crls.val,
+ data = realloc(ctx->crls.val,
(ctx->crls.len + 1) * sizeof(ctx->crls.val[0]));
if (data == NULL) {
hx509_clear_error_string(context);
@@ -645,7 +645,7 @@ hx509_revoke_add_crl(hx509_context context,
return ENOMEM;
}
- ret = load_crl(path,
+ ret = load_crl(path,
&ctx->crls.val[ctx->crls.len].last_modfied,
&ctx->crls.val[ctx->crls.len].crl);
if (ret) {
@@ -719,7 +719,7 @@ hx509_revoke_verify(hx509_context context,
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
@@ -744,7 +744,7 @@ hx509_revoke_verify(hx509_context context,
case choice_OCSPCertStatus_good:
break;
case choice_OCSPCertStatus_revoked:
- hx509_set_error_string(context, 0,
+ hx509_set_error_string(context, 0,
HX509_CERT_REVOKED,
"Certificate revoked by issuer in OCSP");
return HX509_CERT_REVOKED;
@@ -753,7 +753,7 @@ hx509_revoke_verify(hx509_context context,
}
/* don't allow the update to be in the future */
- if (ocsp->ocsp.tbsResponseData.responses.val[j].thisUpdate >
+ if (ocsp->ocsp.tbsResponseData.responses.val[j].thisUpdate >
now + context->ocsp_time_diff)
continue;
@@ -774,7 +774,7 @@ hx509_revoke_verify(hx509_context context,
int diff;
/* check if cert.issuer == crls.val[i].crl.issuer */
- ret = _hx509_name_cmp(&c->tbsCertificate.issuer,
+ ret = _hx509_name_cmp(&c->tbsCertificate.issuer,
&crl->crl.tbsCertList.issuer, &diff);
if (ret || diff)
continue;
@@ -807,7 +807,7 @@ hx509_revoke_verify(hx509_context context,
if (crl->crl.tbsCertList.crlExtensions) {
for (j = 0; j < crl->crl.tbsCertList.crlExtensions->len; j++) {
if (crl->crl.tbsCertList.crlExtensions->val[j].critical) {
- hx509_set_error_string(context, 0,
+ hx509_set_error_string(context, 0,
HX509_CRL_UNKNOWN_EXTENSION,
"Unknown CRL extension");
return HX509_CRL_UNKNOWN_EXTENSION;
@@ -830,13 +830,13 @@ hx509_revoke_verify(hx509_context context,
t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate);
if (t > now)
continue;
-
+
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions)
for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++)
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical)
return HX509_CRL_UNKNOWN_EXTENSION;
-
- hx509_set_error_string(context, 0,
+
+ hx509_set_error_string(context, 0,
HX509_CERT_REVOKED,
"Certificate revoked by issuer in CRL");
return HX509_CERT_REVOKED;
@@ -848,7 +848,7 @@ hx509_revoke_verify(hx509_context context,
if (context->flags & HX509_CTX_VERIFY_MISSING_OK)
return 0;
- hx509_set_error_string(context, HX509_ERROR_APPEND,
+ hx509_set_error_string(context, HX509_ERROR_APPEND,
HX509_REVOKE_STATUS_MISSING,
"No revoke status found for "
"certificates");
@@ -874,13 +874,13 @@ add_to_req(hx509_context context, void *ptr, hx509_cert cert)
hx509_query q;
void *d;
- d = realloc(ctx->req->requestList.val,
+ d = realloc(ctx->req->requestList.val,
sizeof(ctx->req->requestList.val[0]) *
(ctx->req->requestList.len + 1));
if (d == NULL)
return ENOMEM;
ctx->req->requestList.val = d;
-
+
one = &ctx->req->requestList.val[ctx->req->requestList.len];
memset(one, 0, sizeof(*one));
@@ -920,7 +920,7 @@ add_to_req(hx509_context context, void *ptr, hx509_cert cert)
goto out;
os.data = p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
- os.length =
+ os.length =
p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
ret = _hx509_create_signature(context,
@@ -994,9 +994,9 @@ hx509_ocsp_request(hx509_context context,
hx509_cert_free(ctx.parent);
if (ret)
goto out;
-
+
if (nonce) {
- req.tbsRequest.requestExtensions =
+ req.tbsRequest.requestExtensions =
calloc(1, sizeof(*req.tbsRequest.requestExtensions));
if (req.tbsRequest.requestExtensions == NULL) {
ret = ENOMEM;
@@ -1079,7 +1079,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
{
struct revoke_ocsp ocsp;
int ret, i;
-
+
if (out == NULL)
out = stdout;
@@ -1122,7 +1122,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
break;
}
- fprintf(out, "producedAt: %s\n",
+ fprintf(out, "producedAt: %s\n",
printable_time(ocsp.ocsp.tbsResponseData.producedAt));
fprintf(out, "replies: %d\n", ocsp.ocsp.tbsResponseData.responses.len);
@@ -1145,10 +1145,10 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
fprintf(out, "\t%d. status: %s\n", i, status);
- fprintf(out, "\tthisUpdate: %s\n",
+ fprintf(out, "\tthisUpdate: %s\n",
printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
if (ocsp.ocsp.tbsResponseData.responses.val[i].nextUpdate)
- fprintf(out, "\tproducedAt: %s\n",
+ fprintf(out, "\tproducedAt: %s\n",
printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
}
@@ -1210,7 +1210,7 @@ hx509_ocsp_verify(hx509_context context,
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
@@ -1229,7 +1229,7 @@ hx509_ocsp_verify(hx509_context context,
}
/* don't allow the update to be in the future */
- if (basic.tbsResponseData.responses.val[i].thisUpdate >
+ if (basic.tbsResponseData.responses.val[i].thisUpdate >
now + context->ocsp_time_diff)
continue;
@@ -1323,7 +1323,7 @@ hx509_crl_alloc(hx509_context context, hx509_crl *crl)
int
hx509_crl_add_revoked_certs(hx509_context context,
- hx509_crl crl,
+ hx509_crl crl,
hx509_certs certs)
{
return hx509_certs_merge(context, crl->revoked, certs);
@@ -1386,13 +1386,13 @@ add_revoked(hx509_context context, void *ctx, hx509_cert cert)
}
c->revokedCertificates->val = ptr;
- ret = hx509_cert_get_serialnumber(cert,
+ ret = hx509_cert_get_serialnumber(cert,
&c->revokedCertificates->val[num].userCertificate);
if (ret) {
hx509_clear_error_string(context);
return ret;
}
- c->revokedCertificates->val[num].revocationDate.element =
+ c->revokedCertificates->val[num].revocationDate.element =
choice_Time_generalTime;
c->revokedCertificates->val[num].revocationDate.u.generalTime =
time(NULL) - 3600 * 24;
@@ -1401,7 +1401,7 @@ add_revoked(hx509_context context, void *ctx, hx509_cert cert)
c->revokedCertificates->len++;
return 0;
-}
+}
/**
* Sign a CRL and return an encode certificate.
@@ -1479,7 +1479,7 @@ hx509_crl_sign(hx509_context context,
c.tbsCertList.nextUpdate->u.generalTime = next;
}
- c.tbsCertList.revokedCertificates =
+ c.tbsCertList.revokedCertificates =
calloc(1, sizeof(*c.tbsCertList.revokedCertificates));
if (c.tbsCertList.revokedCertificates == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");