| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 /* | 5 /* |
| 6 * Certificate handling code | 6 * Certificate handling code |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 #include "nssilock.h" | 9 #include "nssilock.h" |
| 10 #include "prmon.h" | 10 #include "prmon.h" |
| 1374 | 1374 |
| 1375 if ( match == 0 ) { | 1375 if ( match == 0 ) { |
| 1376 rv = SECSuccess; | 1376 rv = SECSuccess; |
| 1377 } else { | 1377 } else { |
| 1378 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); | 1378 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
| 1379 rv = SECFailure; | 1379 rv = SECFailure; |
| 1380 } | 1380 } |
| 1381 return rv; | 1381 return rv; |
| 1382 } | 1382 } |
| 1383 } else { | 1383 } else { |
| 1384 » /* New approach conforms to RFC 2818. */ | 1384 » /* New approach conforms to RFC 6125. */ |
| 1385 char *wildcard = PORT_Strchr(cn, '*'); | 1385 char *wildcard = PORT_Strchr(cn, '*'); |
| 1386 char *firstcndot = PORT_Strchr(cn, '.'); | 1386 char *firstcndot = PORT_Strchr(cn, '.'); |
| 1387 char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; | 1387 char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; |
| 1388 char *firsthndot = PORT_Strchr(hn, '.'); | 1388 char *firsthndot = PORT_Strchr(hn, '.'); |
| 1389 | 1389 |
| 1390 /* For a cn pattern to be considered valid, the wildcard character... | 1390 /* For a cn pattern to be considered valid, the wildcard character... |
| 1391 * - may occur only in a DNS name with at least 3 components, and | 1391 * - may occur only in a DNS name with at least 3 components, and |
| 1392 * - may occur only as last character in the first component, and | 1392 * - may occur only as last character in the first component, and |
| 1393 » * - may be preceded by additional characters | 1393 » * - may be preceded by additional characters, and |
| 1394 » * - must not be preceded by an IDNA ACE prefix (xn--) |
| 1394 */ | 1395 */ |
| 1395 if (wildcard && secondcndot && secondcndot[1] && firsthndot | 1396 if (wildcard && secondcndot && secondcndot[1] && firsthndot |
| 1396 » && firstcndot - wildcard == 1 | 1397 » && firstcndot - wildcard == 1 /* wildcard is last char in first co
mponent */ |
| 1397 » && secondcndot - firstcndot > 1 | 1398 » && secondcndot - firstcndot > 1 /* second component is non-empty */ |
| 1398 » && PORT_Strrchr(cn, '*') == wildcard | 1399 » && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ |
| 1399 && !PORT_Strncasecmp(cn, hn, wildcard - cn) | 1400 && !PORT_Strncasecmp(cn, hn, wildcard - cn) |
| 1400 » && !PORT_Strcasecmp(firstcndot, firsthndot)) { | 1401 » && !PORT_Strcasecmp(firstcndot, firsthndot) |
| 1402 » /* If hn starts with xn--, then cn must start with wildcard */ |
| 1403 » && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { |
| 1401 /* valid wildcard pattern match */ | 1404 /* valid wildcard pattern match */ |
| 1402 return SECSuccess; | 1405 return SECSuccess; |
| 1403 } | 1406 } |
| 1404 } | 1407 } |
| 1405 /* String cn has no wildcard or shell expression. | 1408 /* String cn has no wildcard or shell expression. |
| 1406 * Compare entire string hn with cert name. | 1409 * Compare entire string hn with cert name. |
| 1407 */ | 1410 */ |
| 1408 if (PORT_Strcasecmp(hn, cn) == 0) { | 1411 if (PORT_Strcasecmp(hn, cn) == 0) { |
| 1409 return SECSuccess; | 1412 return SECSuccess; |
| 1410 } | 1413 } |
| 3263 CERTCertificate *cert = NULL; | 3266 CERTCertificate *cert = NULL; |
| 3264 SECItem *derCert; | 3267 SECItem *derCert; |
| 3265 | 3268 |
| 3266 derCert = cert_FindDERCertBySubjectKeyID(subjKeyID); | 3269 derCert = cert_FindDERCertBySubjectKeyID(subjKeyID); |
| 3267 if (derCert) { | 3270 if (derCert) { |
| 3268 cert = CERT_FindCertByDERCert(handle, derCert); | 3271 cert = CERT_FindCertByDERCert(handle, derCert); |
| 3269 SECITEM_FreeItem(derCert, PR_TRUE); | 3272 SECITEM_FreeItem(derCert, PR_TRUE); |
| 3270 } | 3273 } |
| 3271 return cert; | 3274 return cert; |
| 3272 } | 3275 } |
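Review bot: In the wildcard hunk (new lines 1394 and 1402-1403), the rule comment is stated from the certificate side ("must not be preceded by an IDNA ACE prefix") while the condition actually tests the host name: `PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn` rejects any prefix before the wildcard whenever hn's first label is an A-label, which is stricter than the comment for prefixes shorter than four characters (e.g. `x*.example.com` against `xn--abc.example.com`). Suggest making the rule comment match the code: `* - must not be preceded by any characters when the host name's first label is an IDNA A-label (xn--)`. The literal `4` is the length of `"xn--"`; `sizeof("xn--") - 1` would keep that tie explicit. RFC 6125 6.4.3 also discourages wildcards embedded in a U-label; if hn can reach this function as raw non-ASCII, that case is presumably not covered by the xn-- test — worth confirming against the callers. The enclosing function starts and ends outside the hunk, and the second hunk (new lines 3266-3275) is unchanged context.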