author | Camilo Viecco <cviecco@mozilla.com> | 2014-04-08 20:10:08 +0200 |
committer | Camilo Viecco <cviecco@mozilla.com> | 2014-04-08 20:10:08 +0200 |
commit | 4801d8a10e64b9d34b043c2013fcdbca0924bd40 (patch) | |
tree | 5bc721e9a102965546bd5957c54e7e6e2fd71f7b | |
parent | 0e38fdf30d8a29c4f9cbaca0a0da2982d72a3ca2 (diff) | |
Bug 952572, Hard code ANSSI(DCISS) to french gov dns space, r=kaie (tag: NSS_3_16_1_BETA1)
-rw-r--r-- | lib/certdb/genname.c | 81 | ||||
-rw-r--r-- | tests/chains/scenarios/nameconstraints.cfg | 8 | ||||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.dcissallowed.cert | bin | 0 -> 888 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.dcissblocked.cert | bin | 0 -> 889 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.dcisscopy.cert | bin | 0 -> 957 bytes | |||
-rwxr-xr-x | tests/libpkix/certs/make-nc | 54 |
6 files changed, 140 insertions, 3 deletions
diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
index b0d35cc86..de9e1f874 100644
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -1523,6 +1523,75 @@ done: return rv; } +/* Add name constraints to certain certs that do not include name constraints + * This is the core of the implementation for bug 952572. + */ + +static SECStatus +getNameExtensionsBuiltIn(CERTCertificate *cert, + SECItem *extensions) +{ + const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/ + "\xA0\x5B" /* element len =91 */ + "\x30\x05" /* sequence len 5 */ + "\x82\x03" /* entry len 3 */ + ".fr" + "\x30\x05\x82\x03" /* sequence len5, entry len 3 */ + ".gp" + "\x30\x05\x82\x03" + ".gf" + "\x30\x05\x82\x03" + ".mq" + "\x30\x05\x82\x03" + ".re" + "\x30\x05\x82\x03" + ".yt" + "\x30\x05\x82\x03" + ".pm" + "\x30\x05\x82\x03" + ".bl" + "\x30\x05\x82\x03" + ".mf" + "\x30\x05\x82\x03" + ".wf" + "\x30\x05\x82\x03" + ".pf" + "\x30\x05\x82\x03" + ".nc" + "\x30\x05\x82\x03" + ".tf"; + + /* The stringified value for the subject is: + E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR + */ + const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04" + "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03" + "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65" + "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" + "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03" + "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44" + "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13" + "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06" + "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41" + "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7" + "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40" + "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" + "\x76\x2E\x66\x72"; + + const SECItem anssi_subject = {0, (char *) rawANSSISubject, + sizeof(rawANSSISubject)-1}; + const SECItem permitFranceGovNC = {0, (char *) constraintFranceGov, + sizeof(constraintFranceGov)-1}; + + if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) { + SECStatus rv; + rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC); + return rv; + } + 
PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); + return SECFailure; +} + /* Extract the name constraints extension from the CA cert. */ SECStatus CERT_FindNameConstraintsExten(PLArenaPool *arena, @@ -1538,10 +1607,16 @@ CERT_FindNameConstraintsExten(PLArenaPool *arena, rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, &constraintsExtension); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { - rv = SECSuccess; + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { + return rv; + } + rv = getNameExtensionsBuiltIn(cert, &constraintsExtension); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + return SECSuccess; + } + return rv; } - return rv; } mark = PORT_ArenaMark(arena); diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg index 55f9acf55..d49e20e38 100644 --- a/tests/chains/scenarios/nameconstraints.cfg +++ b/tests/chains/scenarios/nameconstraints.cfg @@ -9,6 +9,7 @@ db trustanchors import NameConstraints.ca:x:CT,C,C import NameConstraints.ncca:x:CT,C,C # Name Constrained CA: Name constrained to permited DNSName ".example" +import NameConstraints.dcisscopy:x:CT,C,C # Intermediate 1: Name constrained to permited DNSName ".example" @@ -149,5 +150,12 @@ verify NameConstraints.server17:x cert NameConstraints.intermediate6:x result pass +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" +verify NameConstraints.dcissblocked:x + result fail + +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" +verify NameConstraints.dcissallowed:x + result pass diff --git a/tests/libpkix/certs/NameConstraints.dcissallowed.cert b/tests/libpkix/certs/NameConstraints.dcissallowed.cert Binary files differnew file mode 100644 index 000000000..539adcfee --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.dcissallowed.cert 
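Review bot: getNameExtensionsBuiltIn keys the built-in constraint solely on the DER subject (`SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)`), so any certificate carrying that exact DN receives it — the freshly keyed `dcisscopy` cert in make-nc relies on exactly this — while a re-issued ANSSI root under a different DN would silently fall outside it; the header comment should say so, e.g. `/* Matched on subject DN only (not key or fingerprint): a re-keyed root with the same DN stays constrained, a renamed one does not. */`. The hand-assembled DER lists only dNSName (tag 0x82) permitted subtrees, so under RFC 5280 section 4.2.1.10 semantics names of other forms (iPAddress, rfc822Name) beneath this root are not restricted by it; if that is intended, a comment next to `constraintFranceGov` should state it. Both SECItem initializers cast the byte arrays to `(char *)` although SECItem.data is `unsigned char *`; `(unsigned char *) rawANSSISubject` and `(unsigned char *) constraintFranceGov` avoid the incompatible-pointer warning. `SECITEM_CopyItem(NULL, extensions, ...)` heap-allocates the synthesized extension, so the caller has to free it on every path, presumably the same way it already frees the result of CERT_FindCertExtension; that cleanup lies outside the hunk.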
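Review bot: The comment above CERT_FindNameConstraintsExten, `/* Extract the name constraints extension from the CA cert. */`, is now incomplete: when the certificate carries no such extension the function may synthesize one via getNameExtensionsBuiltIn, which a caller reading the comment would not expect for an unconstrained cert. Suggest `/* Extract the name constraints extension from the CA cert, or a built-in constraint (getNameExtensionsBuiltIn) for specific roots that ship without one. */`. The function body continues past the hunk, so the release of the heap-allocated constraintsExtension on the new path is not visible here.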
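Review bot: The new scenarios only exercise a dNSName-shaped CN under the copied ANSSI subject; there is no case for a certificate issued by `dcisscopy` that carries a non-DNS name (iPAddress or rfc822Name SAN), nor for a CA with the same subject that already contains its own nameConstraints extension, which the genname.c change consults before falling back to the built-in one. Adding those two scenarios would pin down the intended scope of the hard-coded constraint. The `# Subject:` comments write `C = US` with spaces and omit the comma before `CN`, unlike the `-s` strings in make-nc; `# Subject: "C=US,ST=CA,O=Foo,CN=foo.example.com"` would match the generating script.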
diff --git a/tests/libpkix/certs/NameConstraints.dcissblocked.cert b/tests/libpkix/certs/NameConstraints.dcissblocked.cert Binary files differnew file mode 100644 index 000000000..28f84919d --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.dcissblocked.cert diff --git a/tests/libpkix/certs/NameConstraints.dcisscopy.cert b/tests/libpkix/certs/NameConstraints.dcisscopy.cert Binary files differnew file mode 100644 index 000000000..a3fbd91f3 --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.dcisscopy.cert diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc index 28080eba7..b32dd65ee 100755 --- a/tests/libpkix/certs/make-nc +++ b/tests/libpkix/certs/make-nc @@ -423,6 +423,57 @@ y n CERTSCRIPT +#DCISS copy certs +certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + certutil -d . -L -n ca -r > NameConstraints.ca.cert certutil -d . -L -n ica -r > NameConstraints.intermediate.cert 
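Review bot: The comment before the dcissallowed block, `#the following cert MUST not pass`, is copied from the dcissblocked block and contradicts the `result pass` expectation for that cert in nameconstraints.cfg; it should read `#the following cert MUST pass (foo.example.fr is inside the built-in .fr permitted subtree)`. All three blocks answer certutil's interactive `-1`/`-2`/`-5` prompts with a heredoc of bare digits, which appear to be key-usage, basic-constraints and cert-type selections but are only meaningful against certutil's menu; a one-line comment per block naming what is selected would help whoever regenerates these certs.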
@@ -450,5 +501,8 @@ certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert certutil -d . -L -n server15 -r > NameConstraints.server15.cert certutil -d . -L -n server16 -r > NameConstraints.server16.cert certutil -d . -L -n server17 -r > NameConstraints.server17.cert +certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert +certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert +certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert" |