authorRyan Sleevi <ryan.sleevi@gmail.com>2013-06-11 17:20:46 -0700
committerRyan Sleevi <ryan.sleevi@gmail.com>2013-06-11 17:20:46 -0700
commit034529fa47025fa9f5d2e2b10e7c6474a789c47a (patch)
treed25b46ad994fa364053e6af4cb0e2416ec33988b
parentd4128557f4a186c1bc7d16fa121f293c43353ac7 (diff)
BUG 856060: Enforce nameConstraints on the commonName in libpkix mode when no SAN is present.
Strictly speaking, this is not required by RFC 3280/5280, but it reflects a common approach of ensuring that "DNS-like" names are appropriately constrained by nameConstraints. A certificate without a SAN should never occur in the real world, since the CA/Browser Forum's Baseline Requirements always require a SAN.
-rwxr-xr-xlib/libpkix/pkix/top/pkix_build.c23
-rw-r--r--tests/chains/scenarios/nameconstraints.cfg22
-rw-r--r--tests/chains/scenarios/scenarios1
-rw-r--r--tests/libpkix/certs/NameConstraints.ca.certbin0 -> 626 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate.certbin0 -> 662 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server1.certbin0 -> 660 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server2.certbin0 -> 643 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server3.certbin0 -> 660 bytes
-rwxr-xr-xtests/libpkix/certs/make-nc103
9 files changed, 148 insertions, 1 deletions
diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
index 71fa2e984..c35163a48 100755
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1021,9 +1021,11 @@ pkix_Build_ValidationCheckers(
PKIX_ProcessingParams *procParams = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
+ PKIX_PL_CertNameConstraints *trustedNC = NULL;
PKIX_CertChainChecker *sigChecker = NULL;
PKIX_CertChainChecker *policyChecker = NULL;
PKIX_CertChainChecker *userChecker = NULL;
+ PKIX_CertChainChecker *nameConstraintsChecker = NULL;
PKIX_CertChainChecker *checker = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_List *userCheckerExtOIDs = NULL;
@@ -1192,7 +1194,7 @@ pkix_Build_ValidationCheckers(
}
}
- /* Inabling post chain building signature check on the certs. */
+ /* Enabling post chain building signature check on the certs. */
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
(anchor, &trustedCert, plContext),
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
@@ -1214,6 +1216,23 @@ pkix_Build_ValidationCheckers(
plContext),
PKIX_LISTAPPENDITEMFAILED);
+ /* Enabling post chain building name constraints check on the certs. */
+ PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
+ (anchor, &trustedNC, plContext),
+ PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
+
+ PKIX_CHECK(pkix_NameConstraintsChecker_Initialize
+ (trustedNC, numChainCerts, &nameConstraintsChecker,
+ plContext),
+ PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED);
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (checkers,
+ (PKIX_PL_Object *)nameConstraintsChecker,
+ plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+
PKIX_DECREF(state->reversedCertChain);
PKIX_INCREF(reversedCertChain);
state->reversedCertChain = reversedCertChain;
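Review bot: The new comment "Enabling post chain building name constraints check on the certs." does not say what the checker receives when the trust anchor carries no nameConstraints extension; presumably PKIX_TrustAnchor_GetNameConstraints then yields a NULL trustedNC that pkix_NameConstraintsChecker_Initialize tolerates, but that is not visible in this hunk and is exactly what a later reader will wonder about, so a sentence such as `/* trustedNC may be NULL when the anchor has no nameConstraints; the checker must accept that */` (if that is indeed its contract) belongs next to the call. The commit title promises enforcement on the commonName when no SAN is present, yet this hunk only registers the existing checker after the signature checker; whether the CN is examined is decided inside pkix_NameConstraintsChecker, so naming that in the comment would tie the message to the code. The two consecutive blank lines left before `PKIX_DECREF(state->reversedCertChain);` should be collapsed to one. pkix_Build_ValidationCheckers starts and ends outside the hunk.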
@@ -1240,6 +1259,8 @@ cleanup:
PKIX_DECREF(trustedPubKey);
PKIX_DECREF(certSelector);
PKIX_DECREF(sigChecker);
+ PKIX_DECREF(trustedNC);
+ PKIX_DECREF(nameConstraintsChecker);
PKIX_DECREF(policyChecker);
PKIX_DECREF(userChecker);
PKIX_DECREF(userCheckerExtOIDs);
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..823e83d02
--- /dev/null
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,22 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
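Review bot: The three verify blocks state only a result, with nothing in the file explaining which certificate property each expectation rests on, so a failing case would not point at what regressed; from make-nc in the same commit, server1 appears to carry a SAN outside the permitted `.example` subtree, server2 has no SAN and a CN outside it (the case this commit targets), and server3 has a SAN inside it. A `#` comment above each verify line stating that, for example `# server2: no SAN, CN outside the permitted subtree -> must fail`, would make the scenario self-describing. The file is also declared as `scenario TrustAnchors` although it is nameconstraints.cfg; if the scenario name appears in test output, `scenario NameConstraints` would distinguish it from trustanchors.cfg.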
diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios
index 3eda34fd7..1aa62d4c3 100644
--- a/tests/chains/scenarios/scenarios
+++ b/tests/chains/scenarios/scenarios
@@ -53,3 +53,4 @@ revoc.cfg
ocsp.cfg
crldp.cfg
trustanchors.cfg
+nameconstraints.cfg
diff --git a/tests/libpkix/certs/NameConstraints.ca.cert b/tests/libpkix/certs/NameConstraints.ca.cert
new file mode 100644
index 000000000..9e859a0aa
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.ca.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate.cert b/tests/libpkix/certs/NameConstraints.intermediate.cert
new file mode 100644
index 000000000..6fe77d198
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.intermediate.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server1.cert b/tests/libpkix/certs/NameConstraints.server1.cert
new file mode 100644
index 000000000..23088d1c8
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server1.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server2.cert b/tests/libpkix/certs/NameConstraints.server2.cert
new file mode 100644
index 000000000..feac11392
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server2.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server3.cert b/tests/libpkix/certs/NameConstraints.server3.cert
new file mode 100644
index 000000000..5e69183e6
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server3.cert
Binary files differ
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
new file mode 100755
index 000000000..3f312728d
--- /dev/null
+++ b/tests/libpkix/certs/make-nc
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mkdir tmp
+cd tmp
+dd if=/dev/urandom bs=512 count=1 of=noise
+echo "" > pwfile
+
+certutil -d . -N -f pwfile
+
+certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -d . -L -n ca -r > NameConstraints.ca.cert
+certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
+certutil -d . -L -n server1 -r > NameConstraints.server1.cert
+certutil -d . -L -n server2 -r > NameConstraints.server2.cert
+certutil -d . -L -n server3 -r > NameConstraints.server3.cert
+
+echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert"
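Review bot: `mkdir tmp` and `cd tmp` are unchecked, so if either fails the script keeps running and `certutil -d . -N -f pwfile` initializes (or clobbers) a certificate database in whatever directory it happens to be in; `mkdir tmp && cd tmp || exit 1` near the top, or `set -e` after the shebang, stops that. The script also exits 0 regardless of whether any certutil step succeeded, so the closing echo can report success over files that were never written. The heredocs answer certutil's extension prompts with bare numbers and no indication of what each answer selects; a short comment above each one naming the intent (the `.example` entry under `--extNC` apparently being the permitted DNS subtree, and server2 deliberately lacking the `-8` SAN so only its CN is subject to the constraint) would let the fixtures be regenerated without re-deriving the prompt sequence.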