diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
commit | c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af (patch) | |
tree | 45280c495658fa39084b3b6d2a60d47b96d5f4d3 | |
parent | b1f86d4ebe5f4d59ecac770fadca991821178f20 (diff) | |
download | nss-hg-c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af.tar.gz |
Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno
libpkix, when validating a leaf certificate against the CAs' name
constraints, treats the Subject DN CN attribute as a DNS name. This
may be reasonable behaviour for server certificates, but does not
make sense for other kinds of certificates (e.g. user certificates,
OCSP signing certificates, etc.)
Update the libpkix name constraints checker to only treat the CN as
a DNS name for server certificates (i.e. when id-kp-serverAuth is
asserted in the Extended Key Usage extension). For compatibility,
the behaviour is unchanged (i.e. CN is still treated as a DNS name)
when the certificate does not have an Extended Key Usage extension.
-rwxr-xr-x | lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c | 34 | ||||
-rw-r--r-- | tests/chains/scenarios/nameconstraints.cfg | 9 | ||||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.ipaca.cert | bin | 0 -> 981 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.ocsp1.cert | bin | 0 -> 898 bytes |
4 files changed, 42 insertions, 1 deletions
diff --git a/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c index 7c9430d3c..28f21a6c2 100755 --- a/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c +++ b/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c @@ -168,6 +168,9 @@ pkix_NameConstraintsChecker_Check( PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; PKIX_Boolean lastCert = PKIX_FALSE; + PKIX_Boolean treatCommonNameAsDNSName = PKIX_FALSE; + PKIX_List *extKeyUsageList = NULL; + PKIX_PL_OID *serverAuthOID = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); @@ -185,11 +188,38 @@ pkix_NameConstraintsChecker_Check( PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), PKIX_ISCERTSELFISSUEDFAILED); + if (lastCert) { + /* For the last cert, treat the CN as a DNS name for name + * constraint check. But only if EKU has id-kp-serverAuth + * or EKU is absent. It does not make sense to treat CN + * as a DNS name for an OCSP signing certificate, for example. + */ + PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage + (cert, &extKeyUsageList, plContext), + PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); + if (extKeyUsageList == NULL) { + treatCommonNameAsDNSName = PKIX_TRUE; + } else { + PKIX_CHECK(PKIX_PL_OID_Create + (PKIX_KEY_USAGE_SERVER_AUTH_OID, + &serverAuthOID, + plContext), + PKIX_OIDCREATEFAILED); + + PKIX_CHECK(pkix_List_Contains + (extKeyUsageList, + (PKIX_PL_Object *) serverAuthOID, + &treatCommonNameAsDNSName, + plContext), + PKIX_LISTCONTAINSFAILED); + } + } + /* Check on non self-issued and if so only for last cert */ if (selfIssued == PKIX_FALSE || (selfIssued == PKIX_TRUE && lastCert)) { PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints - (cert, state->nameConstraints, lastCert, + (cert, state->nameConstraints, treatCommonNameAsDNSName, plContext), PKIX_CERTCHECKNAMECONSTRAINTSFAILED); } @@ -241,6 +271,8 @@ pkix_NameConstraintsChecker_Check( cleanup: PKIX_DECREF(state); + PKIX_DECREF(extKeyUsageList); + PKIX_DECREF(serverAuthOID); PKIX_RETURN(CERTCHAINCHECKER); } diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg index 6eda441ce..4a149032b 100644 --- a/tests/chains/scenarios/nameconstraints.cfg +++ b/tests/chains/scenarios/nameconstraints.cfg @@ -10,6 +10,7 @@ import NameConstraints.ca:x:CT,C,C # Name Constrained CA: Name constrained to permited DNSName ".example" import NameConstraints.ncca:x:CT,C,C import NameConstraints.dcisscopy:x:CT,C,C +import NameConstraints.ipaca:x:CT,C,C # Intermediate 1: Name constrained to permited DNSName ".example" @@ -158,4 +159,12 @@ verify NameConstraints.dcissblocked:x verify NameConstraints.dcissallowed:x result pass +# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem" +# +# This tests that a non server certificate (i.e. id-kp-serverAuth +# not present in EKU) does *NOT* have CN treated as dnsName for +# purposes of Name Constraints validation +verify NameConstraints.ocsp1:x + usage 10 + result pass diff --git a/tests/libpkix/certs/NameConstraints.ipaca.cert b/tests/libpkix/certs/NameConstraints.ipaca.cert Binary files differnew file mode 100644 index 000000000..6c7d68c77 --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.ipaca.cert diff --git a/tests/libpkix/certs/NameConstraints.ocsp1.cert b/tests/libpkix/certs/NameConstraints.ocsp1.cert Binary files differnew file mode 100644 index 000000000..ce7325fca --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.ocsp1.cert |