author | emaldona%redhat.com <devnull@localhost> | 2012-12-19 02:10:42 +0000 |
---|---|---|
committer | emaldona%redhat.com <devnull@localhost> | 2012-12-19 02:10:42 +0000 |
commit | ea1c825ad91a589221d5f55478af403024a97cd1 (patch) | |
tree | 27d1ce02515a23dea51ff74941aed94d7093d0d4 | |
parent | b09c1dca4d5c597ec80a97b6fbce92895f441fcd (diff) | |
download | nss-hg-ea1c825ad91a589221d5f55478af403024a97cd1.tar.gz |
Bug 807890 - Add support for Microsoft Trust List Signing EKU. r=rrelyea, wtc
-rw-r--r-- | security/nss/cmd/certcgi/ca_form.html | 1 | ||||
-rw-r--r-- | security/nss/cmd/certcgi/certcgi.c | 5 | ||||
-rw-r--r-- | security/nss/cmd/certcgi/stnd_ext_form.html | 1 | ||||
-rw-r--r-- | security/nss/cmd/certutil/certext.c | 4 | ||||
-rw-r--r-- | security/nss/cmd/certutil/certutil.c | 1 | ||||
-rw-r--r-- | security/nss/cmd/lib/moreoids.c | 11 | ||||
-rw-r--r-- | security/nss/cmd/lib/secutil.h | 3 | ||||
-rw-r--r-- | security/nss/lib/util/secoid.c | 15 | ||||
-rw-r--r-- | security/nss/lib/util/secoidt.h | 6 |
9 files changed, 46 insertions, 1 deletions
diff --git a/security/nss/cmd/certcgi/ca_form.html b/security/nss/cmd/certcgi/ca_form.html
index 02a242e1a..f72a4d322 100644
--- a/security/nss/cmd/certcgi/ca_form.html
+++ b/security/nss/cmd/certcgi/ca_form.html
@@ -167,6 +167,7 @@
 <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
 <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
 <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
 </tr>
 <tr>
 <td>
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
index a595cb71e..d8cbb67f7 100644
--- a/security/nss/cmd/certcgi/certcgi.c
+++ b/security/nss/cmd/certcgi/certcgi.c
@@ -819,6 +819,11 @@ AddExtKeyUsage(void *extHandle, Pair *data)
 if( SECSuccess != rv ) goto loser;
 }
 
+ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
+ rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
+ if( SECSuccess != rv ) goto loser;
+ }
+
 if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
 rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
 if( SECSuccess != rv ) goto loser;
diff --git a/security/nss/cmd/certcgi/stnd_ext_form.html b/security/nss/cmd/certcgi/stnd_ext_form.html
index 0df580e80..5af8fecf7 100644
--- a/security/nss/cmd/certcgi/stnd_ext_form.html
+++ b/security/nss/cmd/certcgi/stnd_ext_form.html
@@ -34,6 +34,7 @@
 <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
 <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
 <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
 </tr>
 <tr>
 <td>
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
index 9d9b87314..c536af0d7 100644
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
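Review bot: The new `extKeyUsage-msCodeSign` branch in AddExtKeyUsage (certcgi.c hunk) adds SEC_OID_EXT_KEY_USAGE_SERVER_AUTH, so ticking the new checkbox emits a duplicate serverAuth purpose instead of the tag this commit introduces; the line should read `rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);`, which also matches what the certutil switch maps its new keyword to. The ca_form.html and stnd_ext_form.html checkboxes label the option "Microsoft Code Signing", while the tag name and the secoid table description both say Trust List Signing and the arc registered is 1.3.6.1.4.1.311.10.3.1; the label should name the purpose the certificate will actually carry so an operator does not issue a CTL-signing certificate believing it is a code-signing one. AddExtKeyUsage's body begins and ends outside the hunk.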
@@ -483,6 +483,7 @@ extKeyUsageKeyWordArray[] = { "serverAuth",
 "timeStamp",
 "ocspResponder",
 "stepUp",
+ "msCodeSigning",
 NULL};
 
 static SECStatus
@@ -554,6 +555,9 @@ AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
 case 6:
 rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
 break;
+ case 7:
+ rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);
+ break;
 default:
 goto endloop;
 }
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index c78d8e568..b8762ddbe 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1145,6 +1145,7 @@ static void luC(enum usage_level ul, const char *command)
 "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
 "%-20s \"stepUp\", \"critical\"\n",
 " -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
+ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
 FPS "%-20s Create an email subject alt name extension\n",
 " -7 emailAddrs");
 FPS "%-20s Create an dns subject alt name extension\n",
diff --git a/security/nss/cmd/lib/moreoids.c b/security/nss/cmd/lib/moreoids.c
index 652df283b..6c184764c 100644
--- a/security/nss/cmd/lib/moreoids.c
+++ b/security/nss/cmd/lib/moreoids.c
@@ -127,6 +127,17 @@ static const SECOidData oids[] = {
 
 static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
 
+/* Fetch and register an oid if it hasn't been done already */
+void
+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
+{
+ if (*data == SEC_OID_UNKNOWN) {
+ /* AddEntry does the right thing if someone else has already
+ * added the oid. (that is return that oid tag) */
+ *data = SECOID_AddEntry(src);
+ }
+}
+
 SECStatus
 SECU_RegisterDynamicOids(void)
 {
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 6ab59b398..dc8c0324a 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
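Review bot: The usage line added to luC (certutil.c hunk) sits after the `);` that closes the preceding FPS call, so it is a bare string literal that the comma operator discards into the next FPS statement and is never printed, while the surviving `"%-20s \"stepUp\", \"critical\"\n"` line still omits the new keyword. Replace that existing line instead of appending: `"%-20s \"stepUp\", \"msCodeSigning\", \"critical\"\n",` and delete the dangling one. Note the spelling too: certext.c registers the keyword as `msCodeSigning`, but this help text and the certcgi form say `msCodeSign`; if keyword lookup is an exact compare (not visible here), a user following the help will get an unrecognised keyword. luC's body continues outside the hunk.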
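Review bot: SECU_cert_fetchOID (moreoids.c hunk) is added and exported through secutil.h, but no hunk in this commit calls it, so either a caller is missing or the helper belongs with the change that uses it. Its comment also leaves the failure case unstated: if SECOID_AddEntry fails it presumably returns SEC_OID_UNKNOWN (confirm against its definition), in which case `*data` stays SEC_OID_UNKNOWN and a caller cannot tell "not registered yet" from "registration failed" without checking. Suggested header comment: `/* Register *src and store its tag in *data unless *data is already set. On failure *data remains SEC_OID_UNKNOWN; callers must check before use. */`.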
@@ -293,6 +293,9 @@ extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
 
 extern char *SECU_SECModDBName(void);
 
+/* Fetch and register an oid if it hasn't been done already */
+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
+
 extern SECStatus SECU_RegisterDynamicOids(void);
 
 /* Identifies hash algorithm tag by its string representation. */
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 60b86cfe1..7cabb5e2e 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secoid.h"
+#include "secoidt.h"
 #include "pkcs11t.h"
 #include "secitem.h"
 #include "secerr.h"
@@ -145,6 +146,13 @@ const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
 #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
 #define EV_NAME_ATTRIBUTE MICROSOFT_OID, 60, 2, 1
 
+/* Microsoft Crypto 2.0 ID space */
+/* { 1.3.6.1.4.1.311.10 } */
+#define MS_CRYPTO_20 MICROSOFT_OID, 10
+/* Microsoft Crypto 2.0 Extended Key Usage ID space */
+/* { 1.3.6.1.4.1.311.10.3 } */
+#define MS_CRYPTO_EKU MS_CRYPTO_20, 3
+
 #define CERTICOM_OID 0x2b, 0x81, 0x04
 #define SECG_OID CERTICOM_OID, 0x00
 
@@ -448,6 +456,7 @@ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
+CONST_OID msExtendedKeyUsageCodeSigning[] = { MS_CRYPTO_EKU, 1 };
 
 /* OIDs for Netscape defined algorithms */
 CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
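Review bot: `msExtendedKeyUsageCodeSigning` (secoid.c third hunk) names the 1.3.6.1.4.1.311.10.3.1 arc, which the tag SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING and the table description "Microsoft Trust List Signing" both identify as CTL signing, not code signing; rename it `msExtendedKeyUsageCtlSigning` (and update the oids[] entry in the following hunk) so a reader does not take it for one of Microsoft's code-signing purposes. The `#include "secoidt.h"` added in the first hunk looks redundant, since secoid.h presumably already includes secoidt.h for the types it declares; drop it unless there is a build reason not visible here.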
@@ -1633,7 +1642,11 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
 OD( nistDSASignaturewithSHA256Digest,
 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST,
 "DSA with SHA-256 Signature",
- CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION)
+ CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
+ OD( msExtendedKeyUsageCodeSigning,
+ SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING,
+ "Microsoft Trust List Signing",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
 };
 
 /* PRIVATE EXTENDED SECOID Table
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index a9502a54c..3f3b563df 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -436,6 +436,12 @@ typedef enum {
 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST = 314,
 SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST = 315,
 
+ /* Microsoft Trust List Signing
+ * szOID_KP_CTL_USAGE_SIGNING
+ * where KP stands for Key Purpose
+ */
+ SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316,
+
 SEC_OID_TOTAL
 } SECOidTag;
 
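Review bot: The comment on SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING (secoidt.h hunk) gives the Microsoft symbol but not the OID, and the tag is all that callers of this header see; add the dotted arc so the mapping can be checked without opening secoid.c, e.g. `/* Microsoft Trust List Signing (szOID_KP_CTL_USAGE_SIGNING, 1.3.6.1.4.1.311.10.3.1); KP stands for Key Purpose */`. The value 316 has to stay in step with the position of the new OD() entry in secoid.c's oids[SEC_OID_TOTAL] table, which appears to be indexed by tag; the entry is appended directly before the closing brace here, which is the right place, but any later insertion in the middle of either list would break the pairing silently.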