authorRobert Relyea <rrelyea@redhat.com>2020-04-24 11:08:17 -0700
committerRobert Relyea <rrelyea@redhat.com>2020-04-24 11:08:17 -0700
commit1faab9523671a932167dc2cf06f6cb6579ae9fc7 (patch)
treed841747938806c2c1fcf80f9cf31fefd998059aa
parentc92ab0a01fd92479be27bc789f433440239c75d5 (diff)
Bug 1571677 Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name r=mtNSS_3_52_BETA1
This patch makes libpkix treat name constraints the same way as the NSS cert verifier. This proposal has been available for review for 9 months without objection. Time to make this official. Differential Revision: https://phabricator.services.mozilla.com/D72457
-rw-r--r--lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index 25a1170a5..e5516505d 100644
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3150,6 +3150,15 @@ PKIX_PL_Cert_CheckNameConstraints(
if (arena == NULL) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
+ /* only check common Name if the usage requires it */
+ if (treatCommonNameAsDNSName) {
+ SECCertificateUsage certificateUsage;
+ certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
+ if ((certificateUsage != certificateUsageSSLServer) &&
+ (certificateUsage != certificateUsageIPsec)) {
+ treatCommonNameAsDNSName = PKIX_FALSE;
+ }
+ }
/* This NSS call returns Subject Alt Names. If
* treatCommonNameAsDNSName is true, it also returns the