diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
commit | c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af (patch) | |
tree | 45280c495658fa39084b3b6d2a60d47b96d5f4d3 /lib/libpkix | |
parent | b1f86d4ebe5f4d59ecac770fadca991821178f20 (diff) | |
download | nss-hg-c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af.tar.gz |
Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno
libpkix, when validating a leaf certificate against the CAs' name
constraints, treats the Subject DN CN attribute as a DNS name. This
may be reasonable behaviour for server certificates, but does not
make sense for other kinds of certificates (e.g. user certificates,
OCSP signing certificates, etc.)
Update the libpkix name constraints checker to only treat the CN as
a DNS name for server certificates (i.e. when id-kp-serverAuth is
asserted in the Extended Key Usage extension). For compatibility,
the behaviour is unchanged (i.e. CN is still treated as a DNS name)
when the certificate does not have an Extended Key Usage extension.
Diffstat (limited to 'lib/libpkix')
-rwxr-xr-x | lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c index 7c9430d3c..28f21a6c2 100755 --- a/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c +++ b/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c @@ -168,6 +168,9 @@ pkix_NameConstraintsChecker_Check( PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; PKIX_Boolean lastCert = PKIX_FALSE; + PKIX_Boolean treatCommonNameAsDNSName = PKIX_FALSE; + PKIX_List *extKeyUsageList = NULL; + PKIX_PL_OID *serverAuthOID = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); @@ -185,11 +188,38 @@ pkix_NameConstraintsChecker_Check( PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext), PKIX_ISCERTSELFISSUEDFAILED); + if (lastCert) { + /* For the last cert, treat the CN as a DNS name for name + * constraint check. But only if EKU has id-kp-serverAuth + * or EKU is absent. It does not make sense to treat CN + * as a DNS name for an OCSP signing certificate, for example. + */ + PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage + (cert, &extKeyUsageList, plContext), + PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); + if (extKeyUsageList == NULL) { + treatCommonNameAsDNSName = PKIX_TRUE; + } else { + PKIX_CHECK(PKIX_PL_OID_Create + (PKIX_KEY_USAGE_SERVER_AUTH_OID, + &serverAuthOID, + plContext), + PKIX_OIDCREATEFAILED); + + PKIX_CHECK(pkix_List_Contains + (extKeyUsageList, + (PKIX_PL_Object *) serverAuthOID, + &treatCommonNameAsDNSName, + plContext), + PKIX_LISTCONTAINSFAILED); + } + } + /* Check on non self-issued and if so only for last cert */ if (selfIssued == PKIX_FALSE || (selfIssued == PKIX_TRUE && lastCert)) { PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints - (cert, state->nameConstraints, lastCert, + (cert, state->nameConstraints, treatCommonNameAsDNSName, plContext), PKIX_CERTCHECKNAMECONSTRAINTSFAILED); } @@ -241,6 +271,8 @@ pkix_NameConstraintsChecker_Check( cleanup: PKIX_DECREF(state); + PKIX_DECREF(extKeyUsageList); + PKIX_DECREF(serverAuthOID); PKIX_RETURN(CERTCHAINCHECKER); } |