authorCamilo Viecco <cviecco@mozilla.com>2014-04-08 20:10:08 +0200
committerCamilo Viecco <cviecco@mozilla.com>2014-04-08 20:10:08 +0200
commit4801d8a10e64b9d34b043c2013fcdbca0924bd40 (patch)
tree5bc721e9a102965546bd5957c54e7e6e2fd71f7b
parent0e38fdf30d8a29c4f9cbaca0a0da2982d72a3ca2 (diff)
Bug 952572, Hard code ANSSI(DCISS) to french gov dns space, r=kaieNSS_3_16_1_BETA1
-rw-r--r--lib/certdb/genname.c81
-rw-r--r--tests/chains/scenarios/nameconstraints.cfg8
-rw-r--r--tests/libpkix/certs/NameConstraints.dcissallowed.certbin0 -> 888 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.dcissblocked.certbin0 -> 889 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.dcisscopy.certbin0 -> 957 bytes
-rwxr-xr-xtests/libpkix/certs/make-nc54
6 files changed, 140 insertions, 3 deletions
diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
index b0d35cc86..de9e1f874 100644
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -1523,6 +1523,75 @@ done:
return rv;
}
+/* Add name constraints to certain certs that do not include name constraints
+ * This is the core of the implementation for bug 952572.
+ */
+
+static SECStatus
+getNameExtensionsBuiltIn(CERTCertificate *cert,
+ SECItem *extensions)
+{
+ const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/
+ "\xA0\x5B" /* element len =91 */
+ "\x30\x05" /* sequence len 5 */
+ "\x82\x03" /* entry len 3 */
+ ".fr"
+ "\x30\x05\x82\x03" /* sequence len5, entry len 3 */
+ ".gp"
+ "\x30\x05\x82\x03"
+ ".gf"
+ "\x30\x05\x82\x03"
+ ".mq"
+ "\x30\x05\x82\x03"
+ ".re"
+ "\x30\x05\x82\x03"
+ ".yt"
+ "\x30\x05\x82\x03"
+ ".pm"
+ "\x30\x05\x82\x03"
+ ".bl"
+ "\x30\x05\x82\x03"
+ ".mf"
+ "\x30\x05\x82\x03"
+ ".wf"
+ "\x30\x05\x82\x03"
+ ".pf"
+ "\x30\x05\x82\x03"
+ ".nc"
+ "\x30\x05\x82\x03"
+ ".tf";
+
+ /* The stringified value for the subject is:
+ E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+ */
+ const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
+ "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
+ "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
+ "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
+ "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
+ "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
+ "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
+ "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
+ "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
+ "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
+ "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
+ "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
+ "\x76\x2E\x66\x72";
+
+ const SECItem anssi_subject = {0, (char *) rawANSSISubject,
+ sizeof(rawANSSISubject)-1};
+ const SECItem permitFranceGovNC = {0, (char *) constraintFranceGov,
+ sizeof(constraintFranceGov)-1};
+
+ if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
+ SECStatus rv;
+ rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC);
+ return rv;
+ }
+ PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+ return SECFailure;
+}
+
/* Extract the name constraints extension from the CA cert. */
SECStatus
CERT_FindNameConstraintsExten(PLArenaPool *arena,
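Review bot: The two initializers at the `anssi_subject` and `permitFranceGovNC` lines cast the arrays to `(char *)`, but SECItem's `data` member is `unsigned char *`, so this is a pointer-type mismatch that compiles only with a warning; use `(unsigned char *) rawANSSISubject` and `(unsigned char *) constraintFranceGov`. The DER length octets in `constraintFranceGov` (`\x30\x5D`, `\xA0\x5B`, and the thirteen `\x30\x05\x82\x03` entries) are hand-maintained and nothing ties them to the literal's actual size; a compile-time check such as `PR_STATIC_ASSERT(sizeof(constraintFranceGov) - 1 == 2 + 0x5D);` after the definition would catch a future edit that adds or drops a TLD without fixing the outer lengths. The match is a byte-exact comparison of `cert->derSubject` via SECITEM_ItemsAreEqual, so a certificate carrying the same DN in a different string encoding (the blob uses PrintableString/IA5String tags) would not receive the built-in constraint; a comment above the comparison stating that the match is intentionally byte-exact against the DER of the shipped IGC/A root, and that a miss only means the cert is treated as unconstrained by this helper, would make that scope explicit. The header comment could also name the structure being hand-encoded (`NameConstraints { permittedSubtrees [0] GeneralSubtrees }` with each entry a `dNSName [2] IA5String`), since `\xA0` and `\x82` are otherwise bare magic bytes.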
@@ -1538,10 +1607,16 @@ CERT_FindNameConstraintsExten(PLArenaPool *arena,
rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS,
&constraintsExtension);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
- rv = SECSuccess;
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+ return rv;
+ }
+ rv = getNameExtensionsBuiltIn(cert, &constraintsExtension);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
+ return SECSuccess;
+ }
+ return rv;
}
- return rv;
}
mark = PORT_ArenaMark(arena);
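Review bot: The new success path from `getNameExtensionsBuiltIn` continues into the decode below with `constraintsExtension` holding a heap copy (the helper passes a NULL arena to SECITEM_CopyItem), so the function's cleanup must release it exactly as it releases the item filled by CERT_FindCertExtension; that cleanup lies outside this hunk and I cannot confirm it here. A one-line comment at the call, `/* built-in item is heap-allocated (NULL arena); freed with constraintsExtension at done: */`, would record that ownership for the next reader. Note also that the `return SECSuccess;` on the not-found path leaves SEC_ERROR_EXTENSION_NOT_FOUND as the current error while reporting success; this matches the pre-change behaviour but is worth a comment if callers are expected to ignore the error state. CERT_FindNameConstraintsExten's body starts and ends outside the hunk.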
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
index 55f9acf55..d49e20e38 100644
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -9,6 +9,7 @@ db trustanchors
import NameConstraints.ca:x:CT,C,C
import NameConstraints.ncca:x:CT,C,C
# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.dcisscopy:x:CT,C,C
# Intermediate 1: Name constrained to permited DNSName ".example"
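Review bot: The added `import NameConstraints.dcisscopy:x:CT,C,C` line sits between the comment describing the ".example"-constrained CA and the comment for Intermediate 1 without a description of its own, so it reads as if the preceding comment applied to it. Add a line such as `# DCISS copy CA: self-signed with the IGC/A subject DN so the built-in French-government name constraints apply` above the import.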
@@ -149,5 +150,12 @@ verify NameConstraints.server17:x
cert NameConstraints.intermediate6:x
result pass
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
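Review bot: The two added Subject comments are missing the separator before the CN (`O=Foo CN=foo.example.com` and `O=Foo CN=foo.example.fr`), and the order and spacing do not match the DN actually passed to certutil in make-nc, which is `CN=foo.example.com,O=Foo,ST=CA,C=US`. Change them to `# Subject: "CN=foo.example.com,O=Foo,ST=CA,C=US"` and `# Subject: "CN=foo.example.fr,O=Foo,ST=CA,C=US"` so the expected results can be checked against the generated certificates.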
diff --git a/tests/libpkix/certs/NameConstraints.dcissallowed.cert b/tests/libpkix/certs/NameConstraints.dcissallowed.cert
new file mode 100644
index 000000000..539adcfee
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.dcissallowed.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.dcissblocked.cert b/tests/libpkix/certs/NameConstraints.dcissblocked.cert
new file mode 100644
index 000000000..28f84919d
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.dcissblocked.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.dcisscopy.cert b/tests/libpkix/certs/NameConstraints.dcisscopy.cert
new file mode 100644
index 000000000..a3fbd91f3
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.dcisscopy.cert
Binary files differ
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
index 28080eba7..b32dd65ee 100755
--- a/tests/libpkix/certs/make-nc
+++ b/tests/libpkix/certs/make-nc
@@ -423,6 +423,57 @@ y
n
CERTSCRIPT
+#DCISS copy certs
+certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+#the following cert MUST not pass
+certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+#the following cert MUST not pass
+certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
certutil -d . -L -n ca -r > NameConstraints.ca.cert
certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
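Review bot: The comment above the `dcissallowed` certutil invocation says `#the following cert MUST not pass`, but this leaf has `CN=foo.example.fr` and nameconstraints.cfg expects `result pass` for it; the comment was copied from the `dcissblocked` block and should read `#the following cert MUST pass (foo.example.fr is within the built-in .fr constraint)`. The `dcissblocked` comment would likewise be clearer as `#the following cert MUST not pass (foo.example.com is outside the built-in French-government TLDs)`. The heredoc answers to certutil's extension prompts are opaque as written; a short comment per block naming which extensions the digits select would help whoever regenerates these certificates.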
@@ -450,5 +501,8 @@ certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
certutil -d . -L -n server15 -r > NameConstraints.server15.cert
certutil -d . -L -n server16 -r > NameConstraints.server16.cert
certutil -d . -L -n server17 -r > NameConstraints.server17.cert
+certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert
+certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert
+certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert
echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"