authornelsonb%netscape.com <devnull@localhost>2004-01-22 02:33:41 +0000
committernelsonb%netscape.com <devnull@localhost>2004-01-22 02:33:41 +0000
commitecfa3ca73480eb45999f93a7a6cca891093f3045 (patch)
treea3b8670e5a7225ccb2fb8910d8bdb3778a83e01a
parent7ff685d218d45dd85a357c57ef94be16c4927ced (diff)
downloadnss-hg-ecfa3ca73480eb45999f93a7a6cca891093f3045.tar.gz
Fix name constraints code to pass NIST PKITS test 38. r=wtc. Bug 231223.
-rw-r--r--security/nss/lib/certdb/genname.c39
1 files changed, 27 insertions, 12 deletions
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
index 93c437778..18957509c 100644
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -1135,17 +1135,29 @@ compareURIN2C(const SECItem *name, const SECItem *constraint)
return SECFailure;
}
-/* for DNSnames, the constraint matches any string to which it matches the
-** rightmost characters in that string.
-** Constraint Name Result
-** ------------ --------------- --------
-** foo.bar.com foo.bar.com matches
-** foo.bar.com FoO.bAr.CoM matches
-** foo.bar.com www.foo.bar.com matches
-** foo.bar.com nofoo.bar.com MATCHES
-** .foo.bar.com www.foo.bar.com matches
-** .foo.bar.com foo.bar.com no match
-** .foo.bar.com www..foo.bar.com matches
+/* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38)
+**
+** DNS name restrictions are expressed as foo.bar.com. Any DNS name
+** that can be constructed by simply adding to the left hand side of the
+** name satisfies the name constraint. For example, www.foo.bar.com
+** would satisfy the constraint but foo1.bar.com would not.
+**
+** But NIST's PKITS test suite requires that the constraint be treated
+** as a domain name, and requires that any name added to the left hand
+** side end in a dot ".". Sensible, but not strictly following the RFC.
+**
+** Constraint Name RFC 3280 NIST PKITS
+** ------------ --------------- -------- ----------
+** foo.bar.com foo.bar.com matches matches
+** foo.bar.com FoO.bAr.CoM matches matches
+** foo.bar.com www.foo.bar.com matches matches
+** foo.bar.com nofoo.bar.com MATCHES NO MATCH
+** .foo.bar.com www.foo.bar.com matches matches? disallowed?
+** .foo.bar.com foo.bar.com no match no match
+** .foo.bar.com www..foo.bar.com matches probably not
+**
+** We will try to conform to NIST's PKITS tests, and the unstated
+** rules they imply.
*/
static SECStatus
compareDNSN2C(const SECItem *name, const SECItem *constraint)
@@ -1161,7 +1173,10 @@ compareDNSN2C(const SECItem *name, const SECItem *constraint)
offset = name->len - constraint->len;
if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
return SECFailure;
- return SECSuccess;
+ if (!offset ||
+ (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
+ return SECSuccess;
+ return SECFailure;
}
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
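Review bot: The added `constraint->data[0] == '.'` test in the second hunk is not guarded against a zero-length constraint; compareDNSN2C's body begins above this hunk, so whether `constraint->len == 0` is rejected before `offset` is computed cannot be seen here, but if it is not, `PL_strncasecmp` with a length of 0 succeeds, the new expression reads one byte past an empty item, and any name ending in a dot would satisfy an empty constraint — a `if (!constraint->len) return SECFailure;` check ahead of the suffix compare is worth confirming. The boolean-addition idiom on the `(name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1` line is correct but terse; a why-comment such as `/* exactly one side must supply the dot separating the added label from the constraint */` would save the next reader the derivation. The rewritten table in the first hunk still leaves its last rows as "matches? disallowed?" and "probably not", yet the new code settles them: with constraint `.foo.bar.com`, `www.foo.bar.com` matches (offset 3, `name->data[2]` is not a dot) and `www..foo.bar.com` does not (both sides supply a dot), so the comment could state those outcomes instead of the open questions.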