diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2019-02-06 18:23:37 +0100 |
| commit | c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af (patch) | |
| tree | 45280c495658fa39084b3b6d2a60d47b96d5f4d3 /tests | |
| parent | b1f86d4ebe5f4d59ecac770fadca991821178f20 (diff) | |
| download | nss-hg-c2e6dd5a73d0b3badc0c8bc4ba3c65c2c42249af.tar.gz | |
Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno
libpkix, when validating a leaf certificate against the CAs' name
constraints, treats the Subject DN CN attribute as a DNS name. This
may be reasonable behaviour for server certificates, but does not
make sense for other kinds of certificates (e.g. user certificates,
OCSP signing certificates, etc.)
Update the libpkix name constraints checker to only treat the CN as
a DNS name for server certificates (i.e. when id-kp-serverAuth is
asserted in the Extended Key Usage extension). For compatibility,
the behaviour is unchanged (i.e. CN is still treated as a DNS name)
when the certificate does not have an Extended Key Usage extension.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/chains/scenarios/nameconstraints.cfg | 9 | ||||
| -rw-r--r-- | tests/libpkix/certs/NameConstraints.ipaca.cert | bin | 0 -> 981 bytes | |||
| -rw-r--r-- | tests/libpkix/certs/NameConstraints.ocsp1.cert | bin | 0 -> 898 bytes |
3 files changed, 9 insertions, 0 deletions
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg index 6eda441ce..4a149032b 100644 --- a/tests/chains/scenarios/nameconstraints.cfg +++ b/tests/chains/scenarios/nameconstraints.cfg @@ -10,6 +10,7 @@ import NameConstraints.ca:x:CT,C,C # Name Constrained CA: Name constrained to permited DNSName ".example" import NameConstraints.ncca:x:CT,C,C import NameConstraints.dcisscopy:x:CT,C,C +import NameConstraints.ipaca:x:CT,C,C # Intermediate 1: Name constrained to permited DNSName ".example" @@ -158,4 +159,12 @@ verify NameConstraints.dcissblocked:x verify NameConstraints.dcissallowed:x result pass +# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem" +# +# This tests that a non server certificate (i.e. id-kp-serverAuth +# not present in EKU) does *NOT* have CN treated as dnsName for +# purposes of Name Constraints validation +verify NameConstraints.ocsp1:x + usage 10 + result pass diff --git a/tests/libpkix/certs/NameConstraints.ipaca.cert b/tests/libpkix/certs/NameConstraints.ipaca.cert Binary files differnew file mode 100644 index 000000000..6c7d68c77 --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.ipaca.cert diff --git a/tests/libpkix/certs/NameConstraints.ocsp1.cert b/tests/libpkix/certs/NameConstraints.ocsp1.cert Binary files differnew file mode 100644 index 000000000..ce7325fca --- /dev/null +++ b/tests/libpkix/certs/NameConstraints.ocsp1.cert |