summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certhigh/certvfy.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/certhigh/certvfy.c')
-rw-r--r--security/nss/lib/certhigh/certvfy.c64
1 files changed, 58 insertions, 6 deletions
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
index ccd38e660..3a94a4150 100644
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -25,7 +25,7 @@
#include "pkim.h"
#include "pki3hack.h"
#include "base.h"
-#include "keyhi.h"
+#include "keyi.h"
/*
* Check the validity times of a certificate
@@ -73,12 +73,38 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
return SECFailure;
}
return SECSuccess;
+
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: {
+ PORTCheapArenaPool tmpArena;
+ SECOidTag hashAlg;
+ SECOidTag maskHashAlg;
+
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ rv = sec_DecodeRSAPSSParams(&tmpArena.arena,
+ &sigAlgorithm->parameters,
+ &hashAlg, &maskHashAlg, NULL);
+ PORT_DestroyCheapArena(&tmpArena);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ if (NSS_GetAlgorithmPolicy(hashAlg, &policyFlags) == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+ if (NSS_GetAlgorithmPolicy(maskHashAlg, &policyFlags) == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+ }
+ /* fall through to RSA key checking */
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
@@ -289,6 +315,10 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
requiredFlags = CERTDB_TRUSTED_CA;
trustType = trustSSL;
break;
+ case certUsageIPsec:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustSSL;
+ break;
case certUsageSSLServerWithStepUp:
requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
trustType = trustSSL;
@@ -579,6 +609,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageSSLServerWithStepUp:
case certUsageEmailSigner:
@@ -645,7 +676,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
CERTGeneralName *subjectNameList;
int subjectNameListLen;
int i;
- PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+ PRBool getSubjectCN = (!count &&
+ (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));
subjectNameList =
CERT_GetConstrainedCertificateNames(subjectCert, arena,
getSubjectCN);
@@ -986,6 +1018,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageSSLServerWithStepUp:
case certUsageEmailSigner:
@@ -1171,6 +1204,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
flags = trust.sslFlags;
/* is the cert directly trusted or not trusted ? */
@@ -1347,7 +1381,8 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
- (requiredUsages & certificateUsageSSLServerWithStepUp));
+ (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+ (requiredUsages & certificateUsageIPsec));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
if (validity != secCertTimeValid) {
valid = SECFailure;
@@ -1360,6 +1395,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
for (i = 1; i <= certificateUsageHighest &&
(SECSuccess == valid || returnedUsages || log);) {
+ PRBool typeAndEKUAllowed = PR_TRUE;
PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
NEXT_USAGE();
@@ -1376,6 +1412,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
case certUsageEmailRecipient:
case certUsageObjectSigner:
case certUsageStatusResponder:
+ case certUsageIPsec:
rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
&requiredKeyUsage,
&requiredCertType);
@@ -1408,7 +1445,19 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
LOG_ERROR(log, cert, 0, requiredKeyUsage);
INVALID_USAGE();
}
- if (!(certType & requiredCertType)) {
+ if (certUsage != certUsageIPsec) {
+ if (!(certType & requiredCertType)) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ } else {
+ PRBool isCritical;
+ PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
+ /* If the extension isn't critical, we allow any EKU value. */
+ if (isCritical && !allowed) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ }
+ if (!typeAndEKUAllowed) {
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
}
@@ -1508,7 +1557,8 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
- (certUsage == certUsageSSLServerWithStepUp));
+ (certUsage == certUsageSSLServerWithStepUp) ||
+ (certUsage == certUsageIPsec));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
if (validity != secCertTimeValid) {
LOG_ERROR_OR_EXIT(log, cert, 0, validity);
@@ -1521,6 +1571,7 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
case certUsageSSLClient:
case certUsageSSLServer:
case certUsageSSLServerWithStepUp:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageEmailSigner:
case certUsageEmailRecipient:
@@ -1633,6 +1684,7 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
* certUsageSSLClient
* certUsageSSLServer
* certUsageSSLServerWithStepUp
+ * certUsageIPsec
* certUsageEmailSigner
* certUsageEmailRecipient
* certUsageObjectSigner