

# HG changeset patch
# User Camilo Viecco <cviecco@mozilla.com>
# Date 1396980608 -7200
# Node ID 742307da0792066e4b4ca46aa7b28399868507ae
# Parent  3c110288ae8a8360679451675c433f53ed253f7c
Bug 952572, Hard code ANSSI(DCISS) to french gov dns space, r=kaie

diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -1560,6 +1560,70 @@
  * This is the core of the implementation for bug 952572.
  */
 
+static SECStatus
+getNameExtensionsBuiltIn(CERTCertificate  *cert,
+                         SECItem *extensions)
+{
+  const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/
+                                     "\xA0\x5B" /* element len =91 */
+                                     "\x30\x05" /* sequence len 5 */
+                                     "\x82\x03" /* entry len 3 */
+                                     ".fr"
+                                     "\x30\x05\x82\x03" /* sequence len5, entry len 3 */
+                                     ".gp"
+                                     "\x30\x05\x82\x03"
+                                     ".gf"
+                                     "\x30\x05\x82\x03"
+                                     ".mq"
+                                     "\x30\x05\x82\x03"
+                                     ".re"
+                                     "\x30\x05\x82\x03"
+                                     ".yt"
+                                     "\x30\x05\x82\x03"
+                                     ".pm"
+                                     "\x30\x05\x82\x03"
+                                     ".bl"
+                                     "\x30\x05\x82\x03"
+                                     ".mf"
+                                     "\x30\x05\x82\x03"
+                                     ".wf"
+                                     "\x30\x05\x82\x03"
+                                     ".pf"
+                                     "\x30\x05\x82\x03"
+                                     ".nc"
+                                     "\x30\x05\x82\x03"
+                                     ".tf";
+
+  /* The stringified value for the subject is:
+     E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+   */
+  const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
+                                 "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
+                                 "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
+                                 "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
+                                 "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
+                                 "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
+                                 "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
+                                 "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
+                                 "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
+                                 "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
+                                 "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
+                                 "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
+                                 "\x76\x2E\x66\x72";
+
+  const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject,
+                                 sizeof(rawANSSISubject)-1};
+  const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov,
+                                     sizeof(constraintFranceGov)-1};
+
+  if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
+    SECStatus rv;
+    rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC);
+    return rv;
+  }
+  PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+  return SECFailure;
+}
 
 /* Extract the name constraints extension from the CA cert. */
 SECStatus
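Review bot: getNameExtensionsBuiltIn has no header comment, yet its contract is not obvious: it keys the constraint on a byte-exact SECITEM_ItemsAreEqual match of cert->derSubject (L80), so a root with the same printed subject but a different DER encoding of any attribute would silently not match, and on a hit it returns a heap copy (arena NULL, L82) the caller must free. I would add above L24 a short comment saying that this is the built-in name-constraint table for CA subjects that ship without a nameConstraints extension, that it currently holds only the ANSSI/DCSSI IGC/A root matched byte-for-byte on derSubject, that the returned item is allocated from the NULL arena, and that SEC_ERROR_EXTENSION_NOT_FOUND is set for every other subject. The encoded permittedSubtrees (L28-L56) contain only dNSName entries (tag 0x82); if name-constraint semantics here follow RFC 5280, other name forms in a leaf (IP address, rfc822Name, URI) are presumably left unrestricted, which the comment should state so nobody reads "french gov dns space" as a full lockdown. As a style point, both tables are plain `const char[]` locals and are copied onto the stack on every call; `static const char constraintFranceGov[] = ...` and `static const char rawANSSISubject[] = ...` avoid that with no behavioral change.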
@@ -1576,10 +1640,16 @@
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 
                                 &constraintsExtension);
     if (rv != SECSuccess) {
-        if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
-            rv = SECSuccess;
+        if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+            return rv;
+        }
+        rv = getNameExtensionsBuiltIn(cert, &constraintsExtension);
+        if (rv != SECSuccess) {
+          if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
+            return SECSuccess;
+          }
+          return rv;
         }
-        return rv;
     }
 
     mark = PORT_ArenaMark(arena);
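Review bot: The built-in table is consulted only on the SEC_ERROR_EXTENSION_NOT_FOUND path (L97-L100), so a certificate whose subject matches the hard-coded ANSSI entry but which also carries a nameConstraints extension of its own would use that extension and never see the built-in .fr restriction. If that precedence is intended it deserves a comment at L100, e.g. `/* Built-in constraints apply only to CAs that carry no nameConstraints extension. */`; if the built-in list is meant to be the floor regardless of what the cert says, the lookup should run before CERT_FindCertExtension. Note also that the SECSuccess return at L103 leaves SEC_ERROR_EXTENSION_NOT_FOUND set by getNameExtensionsBuiltIn as the last error, the same as the code it replaces, so callers must not interpret the error code on a success return. The enclosing function begins before this hunk and continues after it.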
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -4,16 +4,17 @@
 
 scenario TrustAnchors
 
 db trustanchors
 
 import NameConstraints.ca:x:CT,C,C
 import NameConstraints.ncca:x:CT,C,C
 # Name Constrained CA:  Name constrained to permited DNSName ".example"
+import NameConstraints.dcisscopy:x:CT,C,C
 
 # Intermediate 1: Name constrained to permited DNSName ".example"
 
 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
 # altDNS: test.invalid
 #   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server1:x
   cert NameConstraints.intermediate:x
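Review bot: The new `import NameConstraints.dcisscopy:x:CT,C,C` at L123 sits directly under the comment describing ncca's ".example" constraint, so it now reads as if dcisscopy were constrained to ".example". Move it above that comment or give it its own, e.g. `# Copy of the ANSSI IGC/A subject: constrained by the built-in list in genname.c, not by an extension`.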
@@ -144,10 +145,17 @@ verify NameConstraints.server16:x
   result fail
 
 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
 # altDNS: test4.example
 verify NameConstraints.server17:x
   cert NameConstraints.intermediate6:x
   result pass
 
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+  result fail
 
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+  result pass
 
+
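Review bot: Both new cases (L141-L147) exercise only the subject CN, since the certs built in make-nc get no SAN, so the scenario shows that the built-in permittedSubtrees apply to a CN-derived hostname but never that a dNSName SAN is checked, nor that a SAN inside .fr paired with an out-of-scope CN behaves as intended. Add a leaf with an altDNS outside .fr and `result fail`, and one with an altDNS inside .fr and `result pass`, so the dNSName path of the hard-coded constraint is covered. The subject comments at L141 and L145 also drop the comma between O and CN; they should read `# Subject: "C=US, ST=CA, O=Foo, CN=foo.example.com"` and the .fr equivalent.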
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
--- a/tests/libpkix/certs/make-nc
+++ b/tests/libpkix/certs/make-nc
@@ -418,16 +418,67 @@ n
 
 y
 0
 1
 9
 n
 CERTSCRIPT
 
+#DCISS copy certs
+certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+#the following cert MUST not pass
+certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+#the following cert MUST not pass
+certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
 
 certutil -d . -L -n ca -r > NameConstraints.ca.cert
 certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
 certutil -d . -L -n server1 -r > NameConstraints.server1.cert
 certutil -d . -L -n server2 -r > NameConstraints.server2.cert
 certutil -d . -L -n server3 -r > NameConstraints.server3.cert
 certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert
 certutil -d . -L -n server4 -r > NameConstraints.server4.cert
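Review bot: The comment at L195 says `#the following cert MUST not pass`, but dcissallowed (CN=foo.example.fr) is the positive case that nameconstraints.cfg expects to verify with `result pass`; it is a copy of L178 and should read `#the following cert MUST pass: foo.example.fr is inside the built-in French constraint`. The two leaf certs are also issued directly from dcisscopy with `-1 -2 -5` and no `-8`, so they carry no subjectAltName and the scenario depends entirely on CN handling; adding `-8 foo.example.com` and `-8 foo.example.fr` would make the dNSName constraint path the thing under test.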
@@ -445,10 +496,13 @@ certutil -d . -L -n server12 -r > NameCo
 certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
 certutil -d . -L -n server13 -r > NameConstraints.server13.cert
 certutil -d . -L -n server14 -r > NameConstraints.server14.cert
 certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
 certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
 certutil -d . -L -n server15 -r > NameConstraints.server15.cert
 certutil -d . -L -n server16 -r > NameConstraints.server16.cert
 certutil -d . -L -n server17 -r > NameConstraints.server17.cert
+certutil -d . -L -n dcisscopy -r >  NameConstraints.dcisscopy.cert
+certutil -d . -L -n dcissblocked -r >  NameConstraints.dcissblocked.cert
+certutil -d . -L -n dcissallowed -r >  NameConstraints.dcissallowed.cert
 
 echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"