# HG changeset patch
# User Camilo Viecco <cviecco@mozilla.com>
# Date 1396980608 -7200
# Node ID 742307da0792066e4b4ca46aa7b28399868507ae
# Parent 3c110288ae8a8360679451675c433f53ed253f7c
Bug 952572, Hard code ANSSI(DCISS) to french gov dns space, r=kaie
diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -1560,6 +1560,70 @@ * This is the core of the implementation for bug 952572. */ +static SECStatus +getNameExtensionsBuiltIn(CERTCertificate *cert, + SECItem *extensions) +{ + const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/ + "\xA0\x5B" /* element len =91 */ + "\x30\x05" /* sequence len 5 */ + "\x82\x03" /* entry len 3 */ + ".fr" + "\x30\x05\x82\x03" /* sequence len5, entry len 3 */ + ".gp" + "\x30\x05\x82\x03" + ".gf" + "\x30\x05\x82\x03" + ".mq" + "\x30\x05\x82\x03" + ".re" + "\x30\x05\x82\x03" + ".yt" + "\x30\x05\x82\x03" + ".pm" + "\x30\x05\x82\x03" + ".bl" + "\x30\x05\x82\x03" + ".mf" + "\x30\x05\x82\x03" + ".wf" + "\x30\x05\x82\x03" + ".pf" + "\x30\x05\x82\x03" + ".nc" + "\x30\x05\x82\x03" + ".tf"; + + /* The stringified value for the subject is: + E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR + */ + const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04" + "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03" + "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65" + "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" + "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03" + "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44" + "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13" + "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06" + "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41" + "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7" + "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40" + "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" + "\x76\x2E\x66\x72"; + + const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject, + sizeof(rawANSSISubject)-1}; + const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov, + sizeof(constraintFranceGov)-1}; + + if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) { + SECStatus rv; + rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC); + return rv; + } + PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); + return SECFailure; +} /* Extract the name constraints 
extension from the CA cert. */ SECStatus @@ -1576,10 +1640,16 @@ rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, &constraintsExtension); if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { - rv = SECSuccess; + if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { + return rv; + } + rv = getNameExtensionsBuiltIn(cert, &constraintsExtension); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + return SECSuccess; + } + return rv; } - return rv; } mark = PORT_ArenaMark(arena); diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg --- a/tests/chains/scenarios/nameconstraints.cfg +++ b/tests/chains/scenarios/nameconstraints.cfg @@ -4,16 +4,17 @@ scenario TrustAnchors db trustanchors import NameConstraints.ca:x:CT,C,C import NameConstraints.ncca:x:CT,C,C # Name Constrained CA: Name constrained to permited DNSName ".example" +import NameConstraints.dcisscopy:x:CT,C,C # Intermediate 1: Name constrained to permited DNSName ".example" # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" # altDNS: test.invalid # Fail: CN not in name constraints, altDNS not in name constraints verify NameConstraints.server1:x cert NameConstraints.intermediate:x @@ -144,10 +145,17 @@ verify NameConstraints.server16:x result fail # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example" # altDNS: test4.example verify NameConstraints.server17:x cert NameConstraints.intermediate6:x result pass +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" +verify NameConstraints.dcissblocked:x + result fail +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" +verify NameConstraints.dcissallowed:x + result pass + diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc --- a/tests/libpkix/certs/make-nc +++ b/tests/libpkix/certs/make-nc 
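Review bot: The hard-coded `constraintFranceGov` blob in `getNameExtensionsBuiltIn` contains only dNSName entries (every entry is tagged `\x82`) inside a permitted subtree (`\xA0`), and nothing in the function states that this is the full scope of the restriction. Under RFC 5280 a name form with no entry in the constraints stays unconstrained, so iPAddress, rfc822Name and directoryName values should not be assumed to be limited by this fallback; how the chain code treats a subject CN is not visible in this hunk. I would add a header comment such as `/* Built-in permittedSubtrees for the ANSSI root, matched on subject DER only; restricts dNSName to the listed French TLDs and leaves other name forms unconstrained. */`. Both byte arrays are also rebuilt on the stack on every call; declaring them `static const char constraintFranceGov[]` and `static const char rawANSSISubject[]` would avoid that without changing the `SECItem` initialisers.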
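Review bot: The built-in list is consulted only on the `SEC_ERROR_EXTENSION_NOT_FOUND` path, so a certificate with the matching subject that carries its own nameConstraints extension is checked against that extension alone and never against the French TLD list. If that precedence is intended, it deserves a comment at the call, for example `/* No extension in the cert: fall back to the built-in constraints (bug 952572); a cert's own extension takes precedence. */`. The early `return SECSuccess` also relies on `*constraints` having been cleared before this point, which happens outside the hunk and is worth confirming. The enclosing function starts and ends outside the hunk.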
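Review bot: The two new `verify` cases cover one rejected `.com` name and one accepted `.fr` name, so the other twelve suffixes in the built-in list and the case of a leaf whose only non-permitted name is a subjectAltName are not exercised by this scenario. One more `result fail` case with a permitted CN and a non-permitted altDNS would pin the behaviour the C change is meant to guarantee. The subject comments are also missing a comma between `O=Foo` and `CN=`, and could state the altDNS the way the neighbouring cases do, e.g. `# Subject: "C=US, ST=CA, O=Foo, CN=foo.example.fr"`.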
@@ -418,16 +418,67 @@ n y 0 1 9 n CERTSCRIPT +#DCISS copy certs +certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + certutil -d . -L -n ca -r > NameConstraints.ca.cert certutil -d . -L -n ica -r > NameConstraints.intermediate.cert certutil -d . -L -n server1 -r > NameConstraints.server1.cert certutil -d . -L -n server2 -r > NameConstraints.server2.cert certutil -d . -L -n server3 -r > NameConstraints.server3.cert certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert certutil -d . -L -n server4 -r > NameConstraints.server4.cert 
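Review bot: The comment above the `dcissallowed` certificate repeats `#the following cert MUST not pass`, but `nameconstraints.cfg` in this same patch expects `result pass` for `NameConstraints.dcissallowed`, so the comment contradicts the test. It should read `#the following cert MUST pass`, since `foo.example.fr` falls under the permitted `.fr` subtree. A short comment above the `dcisscopy` block would also help, for example `#self-signed test root that reuses the ANSSI subject DN so the built-in name constraints apply`.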
@@ -445,10 +496,13 @@ certutil -d . -L -n server12 -r > NameCo certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert certutil -d . -L -n server13 -r > NameConstraints.server13.cert certutil -d . -L -n server14 -r > NameConstraints.server14.cert certutil -d . -L -n ncca -r > NameConstraints.ncca.cert certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert certutil -d . -L -n server15 -r > NameConstraints.server15.cert certutil -d . -L -n server16 -r > NameConstraints.server16.cert certutil -d . -L -n server17 -r > NameConstraints.server17.cert +certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert +certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert +certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"