summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certdb
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-12-15 01:42:53 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-12-15 01:42:53 +0100
commit74cabf7948b2597f5b6a67d6910c844fd1a88ff6 (patch)
treedb1f30ada487c3831ea8e4e98b2d39edc9e88eea /security/nss/lib/certdb
parent09ef48bd005a7f9e97a3fe797a079fcf2b5e58d3 (diff)
downloadUXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.gz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.lz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.xz
UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.zip
Update NSS to 3.41
Diffstat (limited to 'security/nss/lib/certdb')
-rw-r--r--security/nss/lib/certdb/cert.h2
-rw-r--r--security/nss/lib/certdb/certdb.c77
-rw-r--r--security/nss/lib/certdb/certi.h3
-rw-r--r--security/nss/lib/certdb/certt.h6
4 files changed, 85 insertions, 3 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index c76a5a9b0..333ba4c9d 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -18,7 +18,7 @@
#include "seccomon.h"
#include "secdert.h"
#include "secoidt.h"
-#include "keyt.h"
+#include "keythi.h"
#include "certt.h"
SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 1a676a720..85b5f2917 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -446,6 +446,74 @@ cert_GetCertType(CERTCertificate *cert)
return SECSuccess;
}
+PRBool
+cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+{
+ SECStatus rv;
+ SECItem encodedExtKeyUsage;
+ CERTOidSequence *extKeyUsage = NULL;
+ PRBool result = PR_FALSE;
+
+ rv = CERT_GetExtenCriticality(cert->extensions,
+ SEC_OID_X509_EXT_KEY_USAGE,
+ isCritical);
+ if (rv != SECSuccess) {
+ *isCritical = PR_FALSE;
+ }
+
+ encodedExtKeyUsage.data = NULL;
+ rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
+ &encodedExtKeyUsage);
+ if (rv != SECSuccess) {
+ /* EKU not present, allowed. */
+ result = PR_TRUE;
+ goto done;
+ }
+
+ extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+ if (!extKeyUsage) {
+ /* failure */
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_IPSEC_IKE_END) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+done:
+ if (encodedExtKeyUsage.data != NULL) {
+ PORT_Free(encodedExtKeyUsage.data);
+ }
+ if (extKeyUsage != NULL) {
+ CERT_DestroyOidSequence(extKeyUsage);
+ }
+ return result;
+}
+
PRUint32
cert_ComputeCertType(CERTCertificate *cert)
{
@@ -1083,6 +1151,10 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
requiredKeyUsage = KU_KEY_CERT_SIGN;
requiredCertType = NS_CERT_TYPE_SSL_CA;
break;
+ case certUsageIPsec:
+ requiredKeyUsage = KU_KEY_CERT_SIGN;
+ requiredCertType = NS_CERT_TYPE_SSL_CA;
+ break;
case certUsageSSLCA:
requiredKeyUsage = KU_KEY_CERT_SIGN;
requiredCertType = NS_CERT_TYPE_SSL_CA;
@@ -1125,6 +1197,11 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
requiredCertType = NS_CERT_TYPE_SSL_SERVER;
break;
+ case certUsageIPsec:
+ /* RFC 4945 Section 5.1.3.2 */
+ requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
+ requiredCertType = 0;
+ break;
case certUsageSSLServerWithStepUp:
requiredKeyUsage =
KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
index 456f2fc4e..2a8ae2758 100644
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -294,6 +294,9 @@ extern SECStatus cert_GetCertType(CERTCertificate* cert);
*/
extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);
+extern PRBool cert_EKUAllowsIPsecIKE(CERTCertificate* cert,
+ PRBool* isCritical);
+
void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,
long errorCode, unsigned int depth, void* arg);
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 797f9f585..9cac70ca6 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -447,7 +447,8 @@ typedef enum SECCertUsageEnum {
certUsageVerifyCA = 8,
certUsageProtectedObjectSigner = 9,
certUsageStatusResponder = 10,
- certUsageAnyCA = 11
+ certUsageAnyCA = 11,
+ certUsageIPsec = 12
} SECCertUsage;
typedef PRInt64 SECCertificateUsage;
@@ -465,8 +466,9 @@ typedef PRInt64 SECCertificateUsage;
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
+#define certificateUsageIPsec (0x1000)
-#define certificateUsageHighest certificateUsageAnyCA
+#define certificateUsageHighest certificateUsageIPsec
/*
* Does the cert belong to the user, a peer, or a CA.