authorJohn Schanck <jschanck@mozilla.com>2022-04-21 10:12:48 +0000
committerJohn Schanck <jschanck@mozilla.com>2022-04-21 10:12:48 +0000
commit095ec67cc8bdc8fee9709e8dd9fcc5983d920541 (patch)
treebb9bca4c5067e70605b0ba108b461d21df3cb885
parentadfae9856f8e4e3aa35729a99be885be273f942a (diff)
Bug 1765003 - Add a strict variant of moz::pkix::CheckCertHostname. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D143853
-rw-r--r--lib/mozpkix/include/pkix/pkix.h2
-rw-r--r--lib/mozpkix/include/pkix/pkixtypes.h8
-rw-r--r--lib/mozpkix/lib/pkixnames.cpp17
3 files changed, 27 insertions, 0 deletions
diff --git a/lib/mozpkix/include/pkix/pkix.h b/lib/mozpkix/include/pkix/pkix.h
index 1cd6548e4..439bfd1cd 100644
--- a/lib/mozpkix/include/pkix/pkix.h
+++ b/lib/mozpkix/include/pkix/pkix.h
@@ -117,6 +117,8 @@ Result BuildCertChain(TrustDomain& trustDomain, Input cert, Time time,
// - IP addresses are out of scope of RFC 6125, but this method accepts them for
// backward compatibility (see SearchNames in pkixnames.cpp)
// - A wildcard in a DNS-ID may only appear as the entirety of the first label.
+// If the NameMatchingPolicy is omitted, a StrictNameMatchingPolicy is used.
+Result CheckCertHostname(Input cert, Input hostname);
Result CheckCertHostname(Input cert, Input hostname,
NameMatchingPolicy& nameMatchingPolicy);
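Review bot: The added comment on the two-argument `CheckCertHostname` names `StrictNameMatchingPolicy` but does not say what "strict" means, so a caller choosing between the overloads has to open pkixnames.cpp to find out. I would state the contract here, using the wording the commit already uses in the implementation: `// If the NameMatchingPolicy is omitted, a StrictNameMatchingPolicy is used, which never falls back to searching within the subject name.` This matters to callers because it is the difference between accepting and rejecting a certificate whose only matching name is in the subject.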
diff --git a/lib/mozpkix/include/pkix/pkixtypes.h b/lib/mozpkix/include/pkix/pkixtypes.h
index 48c11c3a6..ba54d4f12 100644
--- a/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/lib/mozpkix/include/pkix/pkixtypes.h
@@ -401,6 +401,14 @@ class NameMatchingPolicy {
NameMatchingPolicy(const NameMatchingPolicy&) = delete;
void operator=(const NameMatchingPolicy&) = delete;
};
+
+class StrictNameMatchingPolicy : public NameMatchingPolicy {
+ public:
+ virtual Result FallBackToCommonName(
+ Time notBefore,
+ /*out*/ FallBackToSearchWithinSubject& fallBacktoCommonName) override;
+};
+
}
} // namespace mozilla::pkix
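Review bot: The out-parameter is spelled `fallBacktoCommonName` in this declaration but `fallBackToCommonName` in the definition added to pkixnames.cpp; the two should agree. `virtual` is redundant next to `override`, and since nothing in this commit derives from the class it could be declared `class StrictNameMatchingPolicy final : public NameMatchingPolicy`. The class also has no comment in the header, so a line such as `// A NameMatchingPolicy that never falls back to searching within the subject name.` above it would put the security-relevant contract next to the type.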
diff --git a/lib/mozpkix/lib/pkixnames.cpp b/lib/mozpkix/lib/pkixnames.cpp
index 6f40800d7..c8894bfc2 100644
--- a/lib/mozpkix/lib/pkixnames.cpp
+++ b/lib/mozpkix/lib/pkixnames.cpp
@@ -280,6 +280,23 @@ CheckCertHostname(Input endEntityCertDER, Input hostname,
}
}
+// A strict name matching policy for CheckCertHostname which never
+// falls back to searching within the subject name.
+Result StrictNameMatchingPolicy::FallBackToCommonName(
+ Time notBefore,
+ /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) {
+ fallBackToCommonName = FallBackToSearchWithinSubject::No;
+ return Success;
+}
+
+Result
+CheckCertHostname(Input endEntityCertDER, Input hostname)
+{
+ StrictNameMatchingPolicy policy{};
+ return CheckCertHostname(endEntityCertDER, hostname, policy);
+}
+
+
// 4.2.1.10. Name Constraints
Result
CheckNameConstraints(Input encodedNameConstraints,
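Review bot: `notBefore` is never read in `StrictNameMatchingPolicy::FallBackToCommonName`, which may trip unused-parameter warnings if this file is built with them enabled (the build flags are not visible here); `Time /*notBefore*/,` keeps the signature and makes the intent explicit. The diffstat lists only the two headers and this file, so nothing in the commit pins the strict default. A unit test asserting that the two-argument `CheckCertHostname` rejects a certificate whose only matching name is the subject common name would keep this behaviour from being loosened unnoticed. The two consecutive blank lines added after the new function can be reduced to one.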