author | nelson%bolyard.com <devnull@localhost> | 2007-05-04 06:54:06 +0000 |
---|---|---|
committer | nelson%bolyard.com <devnull@localhost> | 2007-05-04 06:54:06 +0000 |
commit | f47bf75ef8a4a11638537c6c3466d9ca57ec03ac (patch) | |
tree | e065c09743f882b8c0aca164dc0caad059365bdd /security | |
parent | 176b3124cf99da140f051d423611d0b05df14129 (diff) | |
download | nss-hg-f47bf75ef8a4a11638537c6c3466d9ca57ec03ac.tar.gz |
Bug 371685 - allow unsupported critical extensions in special builds.
r=rrelyea,wtc
Diffstat (limited to 'security')
-rw-r--r-- | security/coreconf/config.mk | 4 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 9 | ||||
-rw-r--r-- | security/nss/lib/util/secoid.c | 62 | ||||
-rw-r--r-- | security/nss/lib/util/secoidt.h | 10 |
4 files changed, 71 insertions, 14 deletions
diff --git a/security/coreconf/config.mk b/security/coreconf/config.mk
index 248acb68e..ac30785d4 100644
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -181,3 +181,7 @@ endif
 ifdef NSS_ECC_MORE_THAN_SUITE_B
 DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
 endif
+
+ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
+DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
+endif
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index af593a927..2519223ff 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -56,6 +56,13 @@ SEC_BEGIN_PROTOS
 #define _NSS_ECC_STRING ""
 #endif
 
+/* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define _NSS_CUSTOMIZED " (Customized build)"
+#else
+#define _NSS_CUSTOMIZED
+#endif
+
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
@@ -63,7 +70,7 @@ SEC_BEGIN_PROTOS
  * The format of the version string should be
  * "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.11.7" _NSS_ECC_STRING " Beta"
+#define NSS_VERSION "3.11.7" _NSS_ECC_STRING " Beta" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 11
 #define NSS_VPATCH 7
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 79536ad11..3608b6e08 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -315,7 +315,7 @@ CONST_OID netscapeAOLScreenname[] = { NETSCAPE_NAME_COMPONENTS, 0x02 };
 
 CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
 
-/* Standard x.509 v3 Certificate Extensions */
+/* Standard x.509 v3 Certificate & CRL Extensions */
 CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 };
 CONST_OID x509SubjectKeyID[] = { ID_CE_OID, 14 };
 CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 };
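Review bot: The new `NSS_ALLOW_UNSUPPORTED_CRITICAL` block in config.mk carries no comment saying what the flag changes, even though it alters validation behaviour rather than just feature scope. A reader of the build configuration should be able to see that this is a special-build switch without opening secoid.c, so a one-line comment above the `ifdef` would help: `# Special builds only (bug 371685): accept certs/CRLs whose critical extensions NSS does not process.`.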
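Review bot: `_NSS_CUSTOMIZED` sits in the identifier space the C standard reserves for the implementation (leading underscore followed by an uppercase letter), although it mirrors the existing `_NSS_ECC_STRING` and so follows the file's local convention. The comment marking it private is good; it could also say what the marker currently signals so that anyone reading a version string knows what "Customized build" means: `/* The private macro _NSS_CUSTOMIZED is for NSS internal use only. It tags the version string of NSS_ALLOW_UNSUPPORTED_CRITICAL builds. */`.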
@@ -323,19 +323,25 @@ CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 };
 CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 };
 CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 };
 CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 };
+CONST_OID x509CRLNumber[] = { ID_CE_OID, 20 };
+CONST_OID x509ReasonCode[] = { ID_CE_OID, 21 };
+CONST_OID x509HoldInstructionCode[] = { ID_CE_OID, 23 };
+CONST_OID x509InvalidDate[] = { ID_CE_OID, 24 };
+CONST_OID x509DeltaCRLIndicator[] = { ID_CE_OID, 27 };
+CONST_OID x509IssuingDistributionPoint[] = { ID_CE_OID, 28 };
+CONST_OID x509CertIssuer[] = { ID_CE_OID, 29 };
 CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 };
 CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 };
 CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 };
 CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
-CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 34 };
 CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
+CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
 CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
-CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
+CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
 
-/* Standard x.509 v3 CRL Extensions */
-CONST_OID x509CrlNumber[] = { ID_CE_OID, 20};
-CONST_OID x509ReasonCode[] = { ID_CE_OID, 21};
-CONST_OID x509InvalidDate[] = { ID_CE_OID, 24};
+CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
 
 /* pkcs 12 additions */
 CONST_OID pkcs12[] = { PKCS12 };
@@ -540,6 +546,12 @@ CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
 #define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
 #endif
 
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define FAKE_SUPPORTED_CERT_EXTENSION SUPPORTED_CERT_EXTENSION
+#else
+#define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION
+#endif
+
 /*
  * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
  */
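Review bot: `FAKE_SUPPORTED_CERT_EXTENSION` is introduced without a comment on what it does to validation: in an NSS_ALLOW_UNSUPPORTED_CRITICAL build it expands to SUPPORTED_CERT_EXTENSION for extensions whose semantics NSS does not actually implement, so a certificate or CRL that marks one of them critical is accepted with that extension's constraints unenforced, where the default build (and RFC 3280's rule for unrecognized critical extensions) rejects it. Suggest a comment above the `#if`: `/* Special builds only: claims "supported" for extensions NSS does not process, so certs/CRLs setting them critical are not rejected. Their constraints are NOT enforced; default builds keep them UNSUPPORTED. */`. The same note applies to every table entry switched to this macro in the following hunks: issuer alt name, CRL distribution points, certificate policies, policy constraints, and the new delta CRL indicator, issuing distribution point, certificate issuer and inhibit-any-policy entries. Policy mappings is left UNSUPPORTED in the same block, so the selection of which extensions to fake appears deliberate; a word on the criterion would spare the next maintainer from guessing.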
@@ -780,7 +792,7 @@ const static SECOidData oids[] = {
 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
 OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME,
 "Certificate Issuer Alt Name",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
 OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS,
 "Certificate Basic Constraints",
 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -789,16 +801,16 @@ const static SECOidData oids[] = {
 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
 OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS,
 "CRL Distribution Points",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
 OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
 "Certificate Policies",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
 OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS,
 "Certificate Policy Mappings",
 CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
 OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS,
 "Certificate Policy Constraints",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
 OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID,
 "Certificate Authority Key Identifier",
 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -810,7 +822,7 @@ const static SECOidData oids[] = {
 CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
 
 /* x.509 v3 CRL extensions */
- OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER,
+ OD( x509CRLNumber, SEC_OID_X509_CRL_NUMBER,
 "CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
 OD( x509ReasonCode, SEC_OID_X509_REASON_CODE,
 "CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -1469,6 +1481,30 @@ const static SECOidData oids[] = {
 SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
 "X9.62 ECDSA signature with SHA512",
 CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+ /* More id-ce and id-pe OIDs from RFC 3280 */
+ OD( x509HoldInstructionCode, SEC_OID_X509_HOLD_INSTRUCTION_CODE,
+ "CRL Hold Instruction Code", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+ OD( x509DeltaCRLIndicator, SEC_OID_X509_DELTA_CRL_INDICATOR,
+ "Delta CRL Indicator", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
+ "Issuing Distribution Point", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509CertIssuer, SEC_OID_X509_CERT_ISSUER,
+ "Certificate Issuer Extension",CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509FreshestCRL, SEC_OID_X509_FRESHEST_CRL,
+ "Freshest CRL", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+ OD( x509InhibitAnyPolicy, SEC_OID_X509_INHIBIT_ANY_POLICY,
+ "Inhibit Any Policy", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509SubjectInfoAccess, SEC_OID_X509_SUBJECT_INFO_ACCESS,
+ "Subject Info Access", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+
 };
 
 /*
@@ -1843,7 +1879,7 @@ SECOID_Shutdown(void)
 /* Have to handle the case where the lock was created, but
 ** the pool wasn't.
 ** I'm not going to attempt to create the lock, just to protect
- ** the destruction of data the probably isn't inisialized anyway.
+ ** the destruction of data that probably isn't initialized anyway.
 */
 if (dynOidLock) {
 NSSRWLock_LockWrite(dynOidLock);
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 64e75c720..982e750a8 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
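Review bot: `"Certificate Issuer Extension",CKM_INVALID_MECHANISM,` lacks the space after the comma that the other six new entries have, and the block ends with an empty line before `};`; suggest `"Certificate Issuer Extension", CKM_INVALID_MECHANISM,` and dropping the trailing blank. The `oids[]` table these entries extend begins outside the hunk and, per the NOTE earlier in the file, must stay in SECOidTag order; the seven entries here do follow the 281–287 sequence added to secoidt.h. If initialization does not already assert that each entry's tag equals its table index, an append like this one is where such a check pays for itself, since a misordered entry would silently mislabel extensions.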
@@ -413,6 +413,16 @@ typedef enum {
 SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE = 278,
 SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279,
 SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,
 
+
+ /* More id-ce and id-pe OIDs from RFC 3280 */
+ SEC_OID_X509_HOLD_INSTRUCTION_CODE = 281,
+ SEC_OID_X509_DELTA_CRL_INDICATOR = 282,
+ SEC_OID_X509_ISSUING_DISTRIBUTION_POINT = 283,
+ SEC_OID_X509_CERT_ISSUER = 284,
+ SEC_OID_X509_FRESHEST_CRL = 285,
+ SEC_OID_X509_INHIBIT_ANY_POLICY = 286,
+ SEC_OID_X509_SUBJECT_INFO_ACCESS = 287,
+
 SEC_OID_TOTAL
 } SECOidTag; |