author | Ryan Sleevi <ryan.sleevi@gmail.com> | 2013-06-11 17:20:46 -0700 |
---|---|---|
committer | Ryan Sleevi <ryan.sleevi@gmail.com> | 2013-06-11 17:20:46 -0700 |
commit | 034529fa47025fa9f5d2e2b10e7c6474a789c47a (patch) | |
tree | d25b46ad994fa364053e6af4cb0e2416ec33988b | |
parent | d4128557f4a186c1bc7d16fa121f293c43353ac7 (diff) | |
download | nss-hg-034529fa47025fa9f5d2e2b10e7c6474a789c47a.tar.gz |
BUG 856060: Enforce nameConstraints on the commonName in libpkix mode when no SAN is present.
Strictly speaking, this is not required by RFC 3280/5280, but reflects a common
approach of ensuring that "DNS-like" names are appropriately constrained by
nameConstraints. The no-SAN case should never arise for publicly trusted certificates, because the CA/Browser
Forum's Baseline Requirements require a SAN in every server certificate.
-rwxr-xr-x | lib/libpkix/pkix/top/pkix_build.c | 23 | ||||
-rw-r--r-- | tests/chains/scenarios/nameconstraints.cfg | 22 | ||||
-rw-r--r-- | tests/chains/scenarios/scenarios | 1 | ||||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.ca.cert | bin | 0 -> 626 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.intermediate.cert | bin | 0 -> 662 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.server1.cert | bin | 0 -> 660 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.server2.cert | bin | 0 -> 643 bytes | |||
-rw-r--r-- | tests/libpkix/certs/NameConstraints.server3.cert | bin | 0 -> 660 bytes | |||
-rwxr-xr-x | tests/libpkix/certs/make-nc | 103 |
9 files changed, 148 insertions, 1 deletions
diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
index 71fa2e984..c35163a48 100755
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1021,9 +1021,11 @@ pkix_Build_ValidationCheckers(
 PKIX_ProcessingParams *procParams = NULL;
 PKIX_PL_Cert *trustedCert = NULL;
 PKIX_PL_PublicKey *trustedPubKey = NULL;
+ PKIX_PL_CertNameConstraints *trustedNC = NULL;
 PKIX_CertChainChecker *sigChecker = NULL;
 PKIX_CertChainChecker *policyChecker = NULL;
 PKIX_CertChainChecker *userChecker = NULL;
+ PKIX_CertChainChecker *nameConstraintsChecker = NULL;
 PKIX_CertChainChecker *checker = NULL;
 PKIX_CertSelector *certSelector = NULL;
 PKIX_List *userCheckerExtOIDs = NULL;
@@ -1192,7 +1194,7 @@ pkix_Build_ValidationCheckers(
 }
 }
 
- /* Inabling post chain building signature check on the certs. */
+ /* Enabling post chain building signature check on the certs. */
 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
 (anchor, &trustedCert, plContext),
 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
@@ -1214,6 +1216,23 @@ pkix_Build_ValidationCheckers(
 plContext),
 PKIX_LISTAPPENDITEMFAILED);
 
+ /* Enabling post chain building name constraints check on the certs. */
+ PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
+ (anchor, &trustedNC, plContext),
+ PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
+
+ PKIX_CHECK(pkix_NameConstraintsChecker_Initialize
+ (trustedNC, numChainCerts, &nameConstraintsChecker,
+ plContext),
+ PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED);
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (checkers,
+ (PKIX_PL_Object *)nameConstraintsChecker,
+ plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+
 PKIX_DECREF(state->reversedCertChain);
 PKIX_INCREF(reversedCertChain);
 state->reversedCertChain = reversedCertChain;
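Review bot: The name-constraints checker is appended unconditionally right after PKIX_TrustAnchor_GetNameConstraints, so for an anchor that carries no nameConstraints extension trustedNC is presumably NULL and pkix_NameConstraintsChecker_Initialize has to tolerate a NULL constraints object; the hunk does not show whether it does, so either confirm that in the checker or wrap the three new calls in `if (trustedNC != NULL) {`. The commit message attributes the commonName fallback to this change, but nothing in the hunk looks at the subject CN or at the SAN — that behaviour has to come from the checker or code below it, and the new comment should say so, e.g. `/* Post chain building name constraints check; the checker itself decides when the subject CN is treated as a DNS name (bug 856060). */`. Note also that the checker is only wired into the post-build validation here, so a candidate rejected by name constraints is presumably still explored during path building. pkix_Build_ValidationCheckers starts before and ends after this hunk.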
@@ -1240,6 +1259,8 @@ cleanup:
 PKIX_DECREF(trustedPubKey);
 PKIX_DECREF(certSelector);
 PKIX_DECREF(sigChecker);
+ PKIX_DECREF(trustedNC);
+ PKIX_DECREF(nameConstraintsChecker);
 PKIX_DECREF(policyChecker);
 PKIX_DECREF(userChecker);
 PKIX_DECREF(userCheckerExtOIDs);
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..823e83d02
--- /dev/null
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,22 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios
index 3eda34fd7..1aa62d4c3 100644
--- a/tests/chains/scenarios/scenarios
+++ b/tests/chains/scenarios/scenarios
@@ -53,3 +53,4 @@ revoc.cfg
 ocsp.cfg
 crldp.cfg
 trustanchors.cfg
+nameconstraints.cfg
diff --git a/tests/libpkix/certs/NameConstraints.ca.cert b/tests/libpkix/certs/NameConstraints.ca.cert
Binary files differ
new file mode 100644
index 000000000..9e859a0aa
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.ca.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate.cert b/tests/libpkix/certs/NameConstraints.intermediate.cert
Binary files differ
new file mode 100644
index 000000000..6fe77d198
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.intermediate.cert
diff --git a/tests/libpkix/certs/NameConstraints.server1.cert b/tests/libpkix/certs/NameConstraints.server1.cert
Binary files differ
new file mode 100644
index 000000000..23088d1c8
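Review bot: The three verify blocks cover a leaf whose CN and SAN are both out of the permitted subtree (server1), a CN-only leaf out of the subtree (server2) and an in-scope leaf (server3), but not the case the commit message singles out — a SAN that is inside the subtree together with a CN that is outside it, which must pass because the CN is only consulted when no SAN is present. A regression that started applying the `.example` constraint to every CN regardless of SAN would therefore go unnoticed. Add a fourth leaf (generated in make-nc with `-s "CN=test.invalid,..."` and `-8 test.example`) and a `verify NameConstraints.server4:x` block with `result pass`; a CN-only leaf whose CN is not DNS-like (e.g. `CN=NSS Test Server`) with an expected pass would pin the other edge of the fallback.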
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server1.cert
diff --git a/tests/libpkix/certs/NameConstraints.server2.cert b/tests/libpkix/certs/NameConstraints.server2.cert
Binary files differ
new file mode 100644
index 000000000..feac11392
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server2.cert
diff --git a/tests/libpkix/certs/NameConstraints.server3.cert b/tests/libpkix/certs/NameConstraints.server3.cert
Binary files differ
new file mode 100644
index 000000000..5e69183e6
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server3.cert
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
new file mode 100755
index 000000000..3f312728d
--- /dev/null
+++ b/tests/libpkix/certs/make-nc
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mkdir tmp
+cd tmp
+dd if=/dev/urandom bs=512 count=1 of=noise
+echo "" > pwfile
+
+certutil -d . -N -f pwfile
+
+certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -d . -L -n ca -r > NameConstraints.ca.cert
+certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
+certutil -d . -L -n server1 -r > NameConstraints.server1.cert
+certutil -d . -L -n server2 -r > NameConstraints.server2.cert
+certutil -d . -L -n server3 -r > NameConstraints.server3.cert
+
+echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert"
|
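Review bot: `mkdir tmp` and `cd tmp` at the top of the script are unchecked, so if either fails the key database, the noise file and the certificates are written into whatever directory the script was started from; use `mkdir tmp && cd tmp || exit 1` (or `set -e` after the shebang) so a stale `tmp` or a failed `cd` stops the run. The heredoc answers fed to each certutil invocation are positional and unlabelled, so a change in certutil's prompt order would silently yield different extensions; a comment above each block naming the extension choices it encodes (the `.example` permitted DNS subtree for the intermediate in particular) would make the checked-in fixtures reviewable without regenerating them. The `-g 1024` RSA keys are adequate for fixtures only as long as the chain verifier under test enforces no minimum key size; if that changes, regenerate with `-g 2048`.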