diff options
author | Robert Relyea <rrelyea@redhat.com> | 2020-04-24 11:08:17 -0700 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2020-04-24 11:08:17 -0700 |
commit | 1faab9523671a932167dc2cf06f6cb6579ae9fc7 (patch) | |
tree | d841747938806c2c1fcf80f9cf31fefd998059aa | |
parent | c92ab0a01fd92479be27bc789f433440239c75d5 (diff) | |
download | nss-hg-1faab9523671a932167dc2cf06f6cb6579ae9fc7.tar.gz |
Bug 1571677 Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name r=mtNSS_3_52_BETA1
This patch makes libpkix treat name contraints the same the NSS cert verifier.
This proposal available for review for 9 months without objection.
Time to make this official
Differential Revision: https://phabricator.services.mozilla.com/D72457
-rw-r--r-- | lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c index 25a1170a5..e5516505d 100644 --- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c @@ -3150,6 +3150,15 @@ PKIX_PL_Cert_CheckNameConstraints( if (arena == NULL) { PKIX_ERROR(PKIX_OUTOFMEMORY); } + /* only check common Name if the usage requires it */ + if (treatCommonNameAsDNSName) { + SECCertificateUsage certificateUsage; + certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage; + if ((certificateUsage != certificateUsageSSLServer) && + (certificateUsage != certificateUsageIPsec)) { + treatCommonNameAsDNSName = PKIX_FALSE; + } + } /* This NSS call returns Subject Alt Names. If * treatCommonNameAsDNSName is true, it also returns the |