summaryrefslogtreecommitdiff
path: root/security/nss/lib/util/secoid.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/util/secoid.c')
-rw-r--r--security/nss/lib/util/secoid.c111
1 files changed, 92 insertions, 19 deletions
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 550f09b4f..98950aeb7 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -166,6 +166,8 @@
#define ANSI_X962_CURVE_OID ANSI_X962_OID, 0x03
#define ANSI_X962_GF2m_OID ANSI_X962_CURVE_OID, 0x00
#define ANSI_X962_GFp_OID ANSI_X962_CURVE_OID, 0x01
+#define ANSI_X962_SIGNATURE_OID ANSI_X962_OID, 0x04
+#define ANSI_X962_SPECIFY_OID ANSI_X962_SIGNATURE_OID, 0x03
#define CONST_OID static const unsigned char
@@ -313,7 +315,7 @@ CONST_OID netscapeAOLScreenname[] = { NETSCAPE_NAME_COMPONENTS, 0x02 };
CONST_OID netscapeRecoveryRequest[] = { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
-/* Standard x.509 v3 Certificate Extensions */
+/* Standard x.509 v3 Certificate & CRL Extensions */
CONST_OID x509SubjectDirectoryAttr[] = { ID_CE_OID, 9 };
CONST_OID x509SubjectKeyID[] = { ID_CE_OID, 14 };
CONST_OID x509KeyUsage[] = { ID_CE_OID, 15 };
@@ -321,19 +323,25 @@ CONST_OID x509PrivateKeyUsagePeriod[] = { ID_CE_OID, 16 };
CONST_OID x509SubjectAltName[] = { ID_CE_OID, 17 };
CONST_OID x509IssuerAltName[] = { ID_CE_OID, 18 };
CONST_OID x509BasicConstraints[] = { ID_CE_OID, 19 };
+CONST_OID x509CRLNumber[] = { ID_CE_OID, 20 };
+CONST_OID x509ReasonCode[] = { ID_CE_OID, 21 };
+CONST_OID x509HoldInstructionCode[] = { ID_CE_OID, 23 };
+CONST_OID x509InvalidDate[] = { ID_CE_OID, 24 };
+CONST_OID x509DeltaCRLIndicator[] = { ID_CE_OID, 27 };
+CONST_OID x509IssuingDistributionPoint[] = { ID_CE_OID, 28 };
+CONST_OID x509CertIssuer[] = { ID_CE_OID, 29 };
CONST_OID x509NameConstraints[] = { ID_CE_OID, 30 };
CONST_OID x509CRLDistPoints[] = { ID_CE_OID, 31 };
CONST_OID x509CertificatePolicies[] = { ID_CE_OID, 32 };
CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
-CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 34 };
CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
+CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
-CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
+CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
-/* Standard x.509 v3 CRL Extensions */
-CONST_OID x509CrlNumber[] = { ID_CE_OID, 20};
-CONST_OID x509ReasonCode[] = { ID_CE_OID, 21};
-CONST_OID x509InvalidDate[] = { ID_CE_OID, 24};
+CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
/* pkcs 12 additions */
CONST_OID pkcs12[] = { PKCS12 };
@@ -379,6 +387,9 @@ CONST_OID pkcs12V1CRLBag[] = { PKCS12_V1_BAG_IDS, 0x04 };
CONST_OID pkcs12V1SecretBag[] = { PKCS12_V1_BAG_IDS, 0x05 };
CONST_OID pkcs12V1SafeContentsBag[] = { PKCS12_V1_BAG_IDS, 0x06 };
+/* The following encoding is INCORRECT, but correcting it would create a
+ * duplicate OID in the table. So, we will leave it alone.
+ */
CONST_OID pkcs12KeyUsageAttr[] = { 2, 5, 29, 15 };
CONST_OID ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 };
@@ -453,8 +464,14 @@ CONST_OID sha256[] = { SHAXXX, 1 };
CONST_OID sha384[] = { SHAXXX, 2 };
CONST_OID sha512[] = { SHAXXX, 3 };
-CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 };
-CONST_OID ansix962ECDSASignaturewithSHA1Digest[] = { ANSI_X962_OID, 0x04, 0x01 };
+CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 };
+CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 };
+CONST_OID ansix962SignatureRecommended[] = { ANSI_X962_SIGNATURE_OID, 0x02 };
+CONST_OID ansix962SignatureSpecified[] = { ANSI_X962_SPECIFY_OID };
+CONST_OID ansix962SignaturewithSHA224Digest[] = { ANSI_X962_SPECIFY_OID, 0x01 };
+CONST_OID ansix962SignaturewithSHA256Digest[] = { ANSI_X962_SPECIFY_OID, 0x02 };
+CONST_OID ansix962SignaturewithSHA384Digest[] = { ANSI_X962_SPECIFY_OID, 0x03 };
+CONST_OID ansix962SignaturewithSHA512Digest[] = { ANSI_X962_SPECIFY_OID, 0x04 };
/* ANSI X9.62 prime curve OIDs */
/* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the
@@ -532,6 +549,12 @@ CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
#endif
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define FAKE_SUPPORTED_CERT_EXTENSION SUPPORTED_CERT_EXTENSION
+#else
+#define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION
+#endif
+
/*
* NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
*/
@@ -772,7 +795,7 @@ const static SECOidData oids[] = {
CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME,
"Certificate Issuer Alt Name",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS,
"Certificate Basic Constraints",
CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -781,16 +804,16 @@ const static SECOidData oids[] = {
CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS,
"CRL Distribution Points",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
"Certificate Policies",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS,
"Certificate Policy Mappings",
CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS,
"Certificate Policy Constraints",
- CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+ CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID,
"Certificate Authority Key Identifier",
CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -802,7 +825,7 @@ const static SECOidData oids[] = {
CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
/* x.509 v3 CRL extensions */
- OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER,
+ OD( x509CRLNumber, SEC_OID_X509_CRL_NUMBER,
"CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
OD( x509ReasonCode, SEC_OID_X509_REASON_CODE,
"CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@@ -1067,8 +1090,8 @@ const static SECOidData oids[] = {
OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
"PKCS #9 Local Key ID",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
- OD( pkcs12KeyUsageAttr, SEC_OID_PKCS12_KEY_USAGE,
- "PKCS 12 Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ OD( pkcs12KeyUsageAttr, SEC_OID_BOGUS_KEY_USAGE,
+ "Bogus Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
"Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
INVALID_CERT_EXTENSION ),
@@ -1150,8 +1173,8 @@ const static SECOidData oids[] = {
OD( ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
"X9.62 elliptic curve public key", CKM_ECDH1_DERIVE,
INVALID_CERT_EXTENSION ),
- OD( ansix962ECDSASignaturewithSHA1Digest,
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST,
+ OD( ansix962SignaturewithSHA1Digest,
+ SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
"X9.62 ECDSA signature with SHA1", CKM_ECDSA_SHA1,
INVALID_CERT_EXTENSION ),
@@ -1435,6 +1458,56 @@ const static SECOidData oids[] = {
OD( pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST,
"PKCS #9 Extension Request",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+ /* more ECC Signature Oids */
+ OD( ansix962SignatureRecommended,
+ SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST,
+ "X9.62 ECDSA signature with recommended digest", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION ),
+ OD( ansix962SignatureSpecified,
+ SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
+ "X9.62 ECDSA signature with specified digest", CKM_ECDSA,
+ INVALID_CERT_EXTENSION ),
+ OD( ansix962SignaturewithSHA224Digest,
+ SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE,
+ "X9.62 ECDSA signature with SHA224", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION ),
+ OD( ansix962SignaturewithSHA256Digest,
+ SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
+ "X9.62 ECDSA signature with SHA256", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION ),
+ OD( ansix962SignaturewithSHA384Digest,
+ SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE,
+ "X9.62 ECDSA signature with SHA384", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION ),
+ OD( ansix962SignaturewithSHA512Digest,
+ SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
+ "X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION ),
+
+ /* More id-ce and id-pe OIDs from RFC 3280 */
+ OD( x509HoldInstructionCode, SEC_OID_X509_HOLD_INSTRUCTION_CODE,
+ "CRL Hold Instruction Code", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+ OD( x509DeltaCRLIndicator, SEC_OID_X509_DELTA_CRL_INDICATOR,
+ "Delta CRL Indicator", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
+ "Issuing Distribution Point", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509CertIssuer, SEC_OID_X509_CERT_ISSUER,
+ "Certificate Issuer Extension",CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509FreshestCRL, SEC_OID_X509_FRESHEST_CRL,
+ "Freshest CRL", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+ OD( x509InhibitAnyPolicy, SEC_OID_X509_INHIBIT_ANY_POLICY,
+ "Inhibit Any Policy", CKM_INVALID_MECHANISM,
+ FAKE_SUPPORTED_CERT_EXTENSION ),
+ OD( x509SubjectInfoAccess, SEC_OID_X509_SUBJECT_INFO_ACCESS,
+ "Subject Info Access", CKM_INVALID_MECHANISM,
+ UNSUPPORTED_CERT_EXTENSION ),
+
};
/*
@@ -1809,7 +1882,7 @@ SECOID_Shutdown(void)
/* Have to handle the case where the lock was created, but
** the pool wasn't.
** I'm not going to attempt to create the lock, just to protect
- ** the destruction of data the probably isn't inisialized anyway.
+ ** the destruction of data that probably isn't initialized anyway.
*/
if (dynOidLock) {
NSSRWLock_LockWrite(dynOidLock);
View Lorry Controller Status