
Unified Diff: nss/lib/certdb/genname.c

Issue 319593003: Update to NSS 3.16.2 Beta 3. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/nss
Patch Set: Remove unused function SEC_NumberOrNameStringToOIDTag Created 6 years, 6 months ago
Index: nss/lib/certdb/genname.c
diff --git a/nss/lib/certdb/genname.c b/nss/lib/certdb/genname.c
index b0d35cc86dd51444da74747db203cc023fb6d99d..412a9d2c6b165513b1ca785409c93d4631089db8 100644
--- a/nss/lib/certdb/genname.c
+++ b/nss/lib/certdb/genname.c
@@ -137,6 +137,39 @@ const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
};
+static struct {
+ CERTGeneralNameType type;
+ char *name;
+} typesArray[] = {
+ { certOtherName, "other" },
+ { certRFC822Name, "email" },
+ { certRFC822Name, "rfc822" },
+ { certDNSName, "dns" },
+ { certX400Address, "x400" },
+ { certX400Address, "x400addr" },
+ { certDirectoryName, "directory" },
+ { certDirectoryName, "dn" },
+ { certEDIPartyName, "edi" },
+ { certEDIPartyName, "ediparty" },
+ { certURI, "uri" },
+ { certIPAddress, "ip" },
+ { certIPAddress, "ipaddr" },
+ { certRegisterID, "registerid" }
+};
+
+CERTGeneralNameType
+CERT_GetGeneralNameTypeFromString(const char *string)
+{
+ int types_count = sizeof(typesArray)/sizeof(typesArray[0]);
+ int i;
+
+ for (i=0; i < types_count; i++) {
+ if (PORT_Strcasecmp(string, typesArray[i].name) == 0) {
+ return typesArray[i].type;
+ }
+ }
+ return 0;
+}
CERTGeneralName *
CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
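Review bot: CERT_GetGeneralNameTypeFromString hands `string` to PORT_Strcasecmp without a NULL check and reports "no match" with a bare `return 0;`, a value that does not correspond to any enumerator listed in typesArray in this hunk. The new public function has no header comment; it should state that 0 means "unrecognized name type" and that callers must test for it before treating the result as a CERTGeneralNameType. The table is never written, so it can be declared `static const struct { CERTGeneralNameType type; const char *name; } typesArray[]`, which keeps the string literals behind a const pointer. Only the first two lines of CERT_NewGeneralName are visible as trailing context.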
@@ -1523,6 +1556,75 @@ done:
return rv;
}
+/* Add name constraints to certain certs that do not include name constraints
+ * This is the core of the implementation for bug 952572.
+ */
+
+static SECStatus
+getNameExtensionsBuiltIn(CERTCertificate *cert,
+ SECItem *extensions)
+{
+ const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/
+ "\xA0\x5B" /* element len =91 */
+ "\x30\x05" /* sequence len 5 */
+ "\x82\x03" /* entry len 3 */
+ ".fr"
+ "\x30\x05\x82\x03" /* sequence len5, entry len 3 */
+ ".gp"
+ "\x30\x05\x82\x03"
+ ".gf"
+ "\x30\x05\x82\x03"
+ ".mq"
+ "\x30\x05\x82\x03"
+ ".re"
+ "\x30\x05\x82\x03"
+ ".yt"
+ "\x30\x05\x82\x03"
+ ".pm"
+ "\x30\x05\x82\x03"
+ ".bl"
+ "\x30\x05\x82\x03"
+ ".mf"
+ "\x30\x05\x82\x03"
+ ".wf"
+ "\x30\x05\x82\x03"
+ ".pf"
+ "\x30\x05\x82\x03"
+ ".nc"
+ "\x30\x05\x82\x03"
+ ".tf";
Ryan Sleevi 2014/06/05 00:22:30 We should compare this with our constraints, and m
wtc 2014/06/05 03:00:10 This is the same as our list in net/cert/cert_veri
+
+ /* The stringified value for the subject is:
+ E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+ */
+ const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
+ "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
+ "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
+ "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
+ "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
+ "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
+ "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
+ "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
+ "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
+ "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
+ "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
+ "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
+ "\x76\x2E\x66\x72";
+
+ const SECItem anssi_subject = {0, (char *) rawANSSISubject,
+ sizeof(rawANSSISubject)-1};
+ const SECItem permitFranceGovNC = {0, (char *) constraintFranceGov,
+ sizeof(constraintFranceGov)-1};
+
+ if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
+ SECStatus rv;
+ rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC);
+ return rv;
+ }
+ PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+ return SECFailure;
+}
+
/* Extract the name constraints extension from the CA cert. */
SECStatus
CERT_FindNameConstraintsExten(PLArenaPool *arena,
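Review bot: getNameExtensionsBuiltIn fills `extensions` with `SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC)`, i.e. with no arena, so the copied data is presumably heap-allocated and owned by the caller; the header comment should say so. It should also say that a non-matching certificate is reported as SECFailure with SEC_ERROR_EXTENSION_NOT_FOUND, and that the match is on the exact bytes of `cert->derSubject` and nothing else. The two byte tables are automatic arrays that are re-initialised on every call, so `static const unsigned char constraintFranceGov[]` and `static const unsigned char rawANSSISubject[]` would be the better declarations. The SECItem initialisers would then read more clearly as `{ siBuffer, (unsigned char *)rawANSSISubject, sizeof(rawANSSISubject) - 1 }`, instead of `0` and a `(char *)` cast.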
@@ -1538,10 +1640,16 @@ CERT_FindNameConstraintsExten(PLArenaPool *arena,
rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS,
&constraintsExtension);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
- rv = SECSuccess;
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+ return rv;
+ }
+ rv = getNameExtensionsBuiltIn(cert, &constraintsExtension);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
+ return SECSuccess;
+ }
+ return rv;
}
- return rv;
}
mark = PORT_ArenaMark(arena);
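Review bot: The built-in table is consulted only on the SEC_ERROR_EXTENSION_NOT_FOUND path, so a certificate with the matching subject that carries its own nameConstraints extension is checked against that extension alone; if this precedence is intended, it should be stated in a comment above the `getNameExtensionsBuiltIn` call. A comment such as `/* No extension in the cert: fall back to the built-in table; no entry there either means there are no constraints to apply. */` would also explain why the inner not-found case returns SECSuccess. On that success path the PORT error code is still SEC_ERROR_EXTENSION_NOT_FOUND. The rest of CERT_FindNameConstraintsExten lies outside the hunk, so whether `constraintsExtension` is released after a built-in copy could not be checked here.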