/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

 * pkix_revocationchecker.c

 *

 * RevocationChecker Object Functions

 *

 */

#include "pkix_revocationchecker.h"

#include "pkix_tools.h"

/* --Private-Functions-------------------------------------------- */

/*

 * FUNCTION: pkix_RevocationChecker_Destroy

 *      (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)

 */

static PKIX_Error *

pkix_RevocationChecker_Destroy(

        PKIX_PL_Object *object,

        void *plContext)

{

        PKIX_RevocationChecker *checker = NULL;

        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");

        PKIX_NULLCHECK_ONE(object);

        /* Check that this object is a revocation checker */

        PKIX_CHECK(pkix_CheckType

                    (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),

                    PKIX_OBJECTNOTREVOCATIONCHECKER);

        checker = (PKIX_RevocationChecker *)object;

        PKIX_DECREF(checker->leafMethodList);

        PKIX_DECREF(checker->chainMethodList);

cleanup:

        PKIX_RETURN(REVOCATIONCHECKER);

}

/*

 * FUNCTION: pkix_RevocationChecker_Duplicate

 * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)

 */

static PKIX_Error *

pkix_RevocationChecker_Duplicate(

        PKIX_PL_Object *object,

        PKIX_PL_Object **pNewObject,

        void *plContext)

{

        PKIX_RevocationChecker *checker = NULL;

        PKIX_RevocationChecker *checkerDuplicate = NULL;

        PKIX_List *dupLeafList = NULL;

        PKIX_List *dupChainList = NULL;

        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");

        PKIX_NULLCHECK_TWO(object, pNewObject);

        PKIX_CHECK(pkix_CheckType

                    (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),

                    PKIX_OBJECTNOTCERTCHAINCHECKER);

        checker = (PKIX_RevocationChecker *)object;

        if (checker->leafMethodList){

                PKIX_CHECK(PKIX_PL_Object_Duplicate

                            ((PKIX_PL_Object *)checker->leafMethodList,

                            (PKIX_PL_Object **)&dupLeafList,

                            plContext),

                            PKIX_OBJECTDUPLICATEFAILED);

        }

        if (checker->chainMethodList){

                PKIX_CHECK(PKIX_PL_Object_Duplicate

                            ((PKIX_PL_Object *)checker->chainMethodList,

                            (PKIX_PL_Object **)&dupChainList,

                            plContext),

                            PKIX_OBJECTDUPLICATEFAILED);

        }

        PKIX_CHECK(

            PKIX_RevocationChecker_Create(checker->leafMethodListFlags,

                                          checker->chainMethodListFlags,

                                          &checkerDuplicate,

                                          plContext),

            PKIX_REVOCATIONCHECKERCREATEFAILED);

        checkerDuplicate->leafMethodList = dupLeafList;

        checkerDuplicate->chainMethodList = dupChainList;

        dupLeafList = NULL;

        dupChainList = NULL;

        *pNewObject = (PKIX_PL_Object *)checkerDuplicate;

cleanup:

        PKIX_DECREF(dupLeafList);

        PKIX_DECREF(dupChainList);

        PKIX_RETURN(REVOCATIONCHECKER);

}

/*

 * FUNCTION: pkix_RevocationChecker_RegisterSelf

 * DESCRIPTION:

 *  Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with

 *  systemClasses[]

 * THREAD SAFETY:

 *  Not Thread Safe - for performance and complexity reasons

 *

 *  Since this function is only called by PKIX_PL_Initialize, which should

 *  only be called once, it is acceptable that this function is not

 *  thread-safe.

 */

PKIX_Error *

pkix_RevocationChecker_RegisterSelf(void *plContext)

{

        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];

        pkix_ClassTable_Entry entry;

        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");

        entry.description = "RevocationChecker";

        entry.objCounter = 0;

        entry.typeObjectSize = sizeof(PKIX_RevocationChecker);

        entry.destructor = pkix_RevocationChecker_Destroy;

        entry.equalsFunction = NULL;

        entry.hashcodeFunction = NULL;

        entry.toStringFunction = NULL;

        entry.comparator = NULL;

        entry.duplicateFunction = pkix_RevocationChecker_Duplicate;

        systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;

        PKIX_RETURN(REVOCATIONCHECKER);

}

/* Sort methods by their priorities (lower priority = higher preference) */

static PKIX_Error *

pkix_RevocationChecker_SortComparator(

        PKIX_PL_Object *obj1,

        PKIX_PL_Object *obj2,

        PKIX_Int32 *pResult,

        void *plContext)

{

    pkix_RevocationMethod *method1 = NULL, *method2 = NULL;

    PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");

    method1 = (pkix_RevocationMethod *)obj1;

    method2 = (pkix_RevocationMethod *)obj2;

    if (method1->priority < method2->priority) {

      *pResult = -1;

    } else if (method1->priority > method2->priority) {

      *pResult = 1;

    } else {

      *pResult = 0;

    }

    PKIX_RETURN(BUILD);

}

/* --Public-Functions--------------------------------------------- */

/*

 * FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)

 */

PKIX_Error *

PKIX_RevocationChecker_Create(

    PKIX_UInt32 leafMethodListFlags,

    PKIX_UInt32 chainMethodListFlags,

    PKIX_RevocationChecker **pChecker,

    void *plContext)

{

    PKIX_RevocationChecker *checker = NULL;

    PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");

    PKIX_NULLCHECK_ONE(pChecker);

    PKIX_CHECK(

        PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,

                             sizeof (PKIX_RevocationChecker),

                             (PKIX_PL_Object **)&checker,

                             plContext),

        PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);

    checker->leafMethodListFlags = leafMethodListFlags;

    checker->chainMethodListFlags = chainMethodListFlags;

    checker->leafMethodList = NULL;

    checker->chainMethodList = NULL;

    *pChecker = checker;

    checker = NULL;

cleanup:

    PKIX_DECREF(checker);

    PKIX_RETURN(REVOCATIONCHECKER);

}

/*

 * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod

 */

PKIX_Error *

PKIX_RevocationChecker_CreateAndAddMethod(

    PKIX_RevocationChecker *revChecker,

    PKIX_ProcessingParams *params,

    PKIX_RevocationMethodType methodType,

    PKIX_UInt32 flags,

    PKIX_UInt32 priority,

    PKIX_PL_VerifyCallback verificationFn,

    PKIX_Boolean isLeafMethod,

    void *plContext)

{

    PKIX_List **methodList = NULL;

    PKIX_List  *unsortedList = NULL;

    PKIX_List  *certStores = NULL;

    pkix_RevocationMethod *method = NULL;

    pkix_LocalRevocationCheckFn *localRevChecker = NULL;

    pkix_ExternalRevocationCheckFn *externRevChecker = NULL;

    PKIX_UInt32 miFlags;

    PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");

    PKIX_NULLCHECK_ONE(revChecker);

    /* If the caller has said "Either one is sufficient, then don't let the 

     * absence of any one method's info lead to an overall failure.

     */

    miFlags = isLeafMethod ? revChecker->leafMethodListFlags 

	                   : revChecker->chainMethodListFlags;

    if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)

	flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;

    switch (methodType) {

    case PKIX_RevocationMethod_CRL:

        localRevChecker = pkix_CrlChecker_CheckLocal;

        externRevChecker = pkix_CrlChecker_CheckExternal;

        PKIX_CHECK(

            PKIX_ProcessingParams_GetCertStores(params, &certStores,

                                                plContext),

            PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);

        PKIX_CHECK(

            pkix_CrlChecker_Create(methodType, flags, priority,

                                   localRevChecker, externRevChecker,

                                   certStores, verificationFn,

                                   &method,

                                   plContext),

            PKIX_COULDNOTCREATECRLCHECKEROBJECT);

        break;

    case PKIX_RevocationMethod_OCSP:

        localRevChecker = pkix_OcspChecker_CheckLocal;

        externRevChecker = pkix_OcspChecker_CheckExternal;

        PKIX_CHECK(

            pkix_OcspChecker_Create(methodType, flags, priority,

                                    localRevChecker, externRevChecker,

                                    verificationFn,

                                    &method,

                                    plContext),

            PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);

        break;

    default:

        PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);

    }

    if (isLeafMethod) {

        methodList = &revChecker->leafMethodList;

    } else {

        methodList = &revChecker->chainMethodList;

    }

    if (*methodList == NULL) {

        PKIX_CHECK(

            PKIX_List_Create(methodList, plContext),

            PKIX_LISTCREATEFAILED);

    }

    unsortedList = *methodList;

    PKIX_CHECK(

        PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),

        PKIX_LISTAPPENDITEMFAILED);

    PKIX_CHECK(

        pkix_List_BubbleSort(unsortedList, 

                             pkix_RevocationChecker_SortComparator,

                             methodList, plContext),

        PKIX_LISTBUBBLESORTFAILED);

cleanup:

    PKIX_DECREF(method);

    PKIX_DECREF(unsortedList);

    PKIX_DECREF(certStores);

    PKIX_RETURN(REVOCATIONCHECKER);

}

/*

 * FUNCTION: PKIX_RevocationChecker_Check

 */

PKIX_Error *

PKIX_RevocationChecker_Check(

    PKIX_PL_Cert *cert,

    PKIX_PL_Cert *issuer,

    PKIX_RevocationChecker *revChecker,

    PKIX_ProcessingParams *procParams,

    PKIX_Boolean chainVerificationState,

    PKIX_Boolean testingLeafCert,

    PKIX_RevocationStatus *pRevStatus,

    PKIX_UInt32 *pReasonCode,

    void **pNbioContext,

    void *plContext)

{

    PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;

    PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];

    PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;

    PKIX_UInt32 revFlags = 0;

    PKIX_List *revList = NULL;

    PKIX_PL_Date *date = NULL;

    pkix_RevocationMethod *method = NULL;

    void *nbioContext;

    int tries;

    PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");

    PKIX_NULLCHECK_TWO(revChecker, procParams);

    nbioContext = *pNbioContext;

    *pNbioContext = NULL;

    if (testingLeafCert) {

        revList = revChecker->leafMethodList;

        revFlags = revChecker->leafMethodListFlags;        

    } else {

        revList = revChecker->chainMethodList;

        revFlags = revChecker->chainMethodListFlags;

    }

    if (!revList) {

        /* Return NoInfo status */

        goto cleanup;

    }

    PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,

                sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);

    date = procParams->date;

    /* Need to have two loops if we testing all local info first:

     *    first we are going to test all local(cached) info

     *    second, all remote info(fetching) */

    for (tries = 0;tries < 2;tries++) {

        int methodNum = 0;

        for (;methodNum < revList->length;methodNum++) {

            PKIX_UInt32 methodFlags = 0;

            PKIX_DECREF(method);

            PKIX_CHECK(

                PKIX_List_GetItem(revList, methodNum,

                                  (PKIX_PL_Object**)&method, plContext),

                PKIX_LISTGETITEMFAILED);

            methodFlags = method->flags;

            if (!(methodFlags & PKIX_REV_M_TEST_USING_THIS_METHOD)) {

                /* Will not check with this method. Skipping... */

                continue;

            }

            if (!onlyUseRemoteMethods &&

                methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {

                PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;

                PKIX_CHECK_NO_GOTO(

                    (*method->localRevChecker)(cert, issuer, date,

                                               method, procParams,

                                               methodFlags, 

                                               chainVerificationState,

                                               &revStatus,

                                               pReasonCode, plContext),

                    PKIX_REVCHECKERCHECKFAILED);

                methodStatus[methodNum] = revStatus;

                if (revStatus == PKIX_RevStatus_Revoked) {

                    /* if error was generated use it as final error. */

                    overallStatus = PKIX_RevStatus_Revoked;

                    goto cleanup;

                }

                if (pkixErrorResult) {

                    /* Disregard errors. Only returned revStatus matters. */

                    PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,

                                          plContext);

                    pkixErrorResult = NULL;

                }

            }

            if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||

                 onlyUseRemoteMethods) &&

                chainVerificationState &&

                methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {

                if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {

                    PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;

                    PKIX_CHECK_NO_GOTO(

                        (*method->externalRevChecker)(cert, issuer, date,

                                                      method,

                                                      procParams, methodFlags,

                                                      &revStatus, pReasonCode,

                                                      &nbioContext, plContext),

                        PKIX_REVCHECKERCHECKFAILED);

                    methodStatus[methodNum] = revStatus;

                    if (revStatus == PKIX_RevStatus_Revoked) {

                        /* if error was generated use it as final error. */

                        overallStatus = PKIX_RevStatus_Revoked;

                        goto cleanup;

                    }

                    if (pkixErrorResult) {

                        /* Disregard errors. Only returned revStatus matters. */

                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,

                                              plContext);

                        pkixErrorResult = NULL;

                    }

                } else if (methodFlags &

                           PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {

                    /* Info is not in the local cache. Network fetching is not

                     * allowed. If need to fail on missing fresh info for the

                     * the method, then we should fail right here.*/

                    overallStatus = PKIX_RevStatus_Revoked;

                    goto cleanup;

                }

            }

            /* If success and we should not check the next method, then

             * return a success. */

            if (methodStatus[methodNum] == PKIX_RevStatus_Success &&

                !(methodFlags & PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO)) {

                overallStatus = PKIX_RevStatus_Success;

                goto cleanup;

            }

        } /* inner loop */

        if (!onlyUseRemoteMethods &&

            revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST &&

            chainVerificationState) {

            onlyUseRemoteMethods = PKIX_TRUE;

            continue;

        }

        break;

    } /* outer loop */

    if (overallStatus == PKIX_RevStatus_NoInfo &&

        chainVerificationState) {

        /* The following check makes sence only for chain

         * validation step, sinse we do not fetch info while

         * in the process of finding trusted anchor. 

         * For chain building step it is enough to know, that

         * the cert was not directly revoked by any of the

         * methods. */

        /* Still have no info. But one of the method could

         * have returned success status(possible if CONTINUE

         * TESTING ON FRESH INFO flag was used).

         * If any of the methods have returned Success status,

         * the overallStatus should be success. */

        int methodNum = 0;

        for (;methodNum < PKIX_RevocationMethod_MAX;methodNum++) {

            if (methodStatus[methodNum] == PKIX_RevStatus_Success) {

                overallStatus = PKIX_RevStatus_Success;

                goto cleanup;

            }

        }

        if (revFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) {

            overallStatus = PKIX_RevStatus_Revoked;

        }

    }

cleanup:

    *pRevStatus = overallStatus;

    PKIX_DECREF(method);

    PKIX_RETURN(REVOCATIONCHECKER);

}