Diffstat (limited to 'security/nss/lib/certhigh/certvfy.c')
-rw-r--r-- | security/nss/lib/certhigh/certvfy.c | 64 |
1 files changed, 58 insertions, 6 deletions
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
index ccd38e660..3a94a4150 100644
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -25,7 +25,7 @@
 #include "pkim.h"
 #include "pki3hack.h"
 #include "base.h"
-#include "keyhi.h"
+#include "keyi.h"
 /*
 * Check the validity times of a certificate
@@ -73,12 +73,38 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
 return SECFailure;
 }
 return SECSuccess;
+
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: {
+ PORTCheapArenaPool tmpArena;
+ SECOidTag hashAlg;
+ SECOidTag maskHashAlg;
+
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ rv = sec_DecodeRSAPSSParams(&tmpArena.arena,
+ &sigAlgorithm->parameters,
+ &hashAlg, &maskHashAlg, NULL);
+ PORT_DestroyCheapArena(&tmpArena);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ if (NSS_GetAlgorithmPolicy(hashAlg, &policyFlags) == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+ if (NSS_GetAlgorithmPolicy(maskHashAlg, &policyFlags) == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+ }
+ /* fall through to RSA key checking */
 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
- case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
 case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
 case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
 if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
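Review bot: Both policy tests in the new `SEC_OID_PKCS1_RSA_PSS_SIGNATURE` case reject only when `NSS_GetAlgorithmPolicy()` returns `SECSuccess`, so a hash or mask-hash tag for which the lookup itself fails skips the policy check and falls through to the RSA key checks as if it were permitted. Whether `sec_DecodeRSAPSSParams()` already guarantees that both tags are known is not visible in this diff; if it does not, the checks should fail closed, e.g. `if (NSS_GetAlgorithmPolicy(hashAlg, &policyFlags) != SECSuccess || !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE))`, and the same for `maskHashAlg`. A short comment that `hashAlg` and `maskHashAlg` are plain tags and therefore remain usable after `PORT_DestroyCheapArena()` would also save the next reader a double take. `checkKeyParams` starts and ends outside the hunk, including the declaration of `policyFlags`.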
@@ -289,6 +315,10 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
 requiredFlags = CERTDB_TRUSTED_CA;
 trustType = trustSSL;
 break;
+ case certUsageIPsec:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustSSL;
+ break;
 case certUsageSSLServerWithStepUp:
 requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
 trustType = trustSSL;
@@ -579,6 +609,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 switch (certUsage) {
 case certUsageSSLClient:
 case certUsageSSLServer:
+ case certUsageIPsec:
 case certUsageSSLCA:
 case certUsageSSLServerWithStepUp:
 case certUsageEmailSigner:
@@ -645,7 +676,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 CERTGeneralName *subjectNameList;
 int subjectNameListLen;
 int i;
- PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+ PRBool getSubjectCN = (!count &&
+ (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));
 subjectNameList = CERT_GetConstrainedCertificateNames(subjectCert, arena, getSubjectCN);
@@ -986,6 +1018,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
 switch (certUsage) {
 case certUsageSSLClient:
 case certUsageSSLServer:
+ case certUsageIPsec:
 case certUsageSSLCA:
 case certUsageSSLServerWithStepUp:
 case certUsageEmailSigner:
@@ -1171,6 +1204,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
 switch (certUsage) {
 case certUsageSSLClient:
 case certUsageSSLServer:
+ case certUsageIPsec:
 flags = trust.sslFlags;
 /* is the cert directly trusted or not trusted ? */
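Review bot: The new `certUsageIPsec` case in `CERT_TrustFlagsForCACertUsage` maps IPsec onto `trustSSL` with `CERTDB_TRUSTED_CA`, and the `cert_CheckLeafTrust` hunk likewise reads `trust.sslFlags`, so any CA or leaf already trusted for TLS also anchors IPsec chains, with no separate trust record. If that is the intended policy it should be stated at the case, e.g. `/* IPsec reuses the SSL trust bits; there is no separate IPsec trust type */`, because it widens what an SSL-trusted root can vouch for. The added case also repeats the body of the case directly above it, whose label is outside the hunk. Stacking the two labels on one body would keep them from drifting apart.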
@@ -1347,7 +1381,8 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 /* make sure that the cert is valid at time t */
 allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
- (requiredUsages & certificateUsageSSLServerWithStepUp));
+ (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+ (requiredUsages & certificateUsageIPsec));
 validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
 if (validity != secCertTimeValid) {
 valid = SECFailure;
@@ -1360,6 +1395,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 for (i = 1; i <= certificateUsageHighest && (SECSuccess == valid || returnedUsages || log);) {
+ PRBool typeAndEKUAllowed = PR_TRUE;
 PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
 if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
 NEXT_USAGE();
@@ -1376,6 +1412,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 case certUsageEmailRecipient:
 case certUsageObjectSigner:
 case certUsageStatusResponder:
+ case certUsageIPsec:
 rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE, &requiredKeyUsage, &requiredCertType);
@@ -1408,7 +1445,19 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 LOG_ERROR(log, cert, 0, requiredKeyUsage);
 INVALID_USAGE();
 }
- if (!(certType & requiredCertType)) {
+ if (certUsage != certUsageIPsec) {
+ if (!(certType & requiredCertType)) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ } else {
+ PRBool isCritical;
+ PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
+ /* If the extension isn't critical, we allow any EKU value. */
+ if (isCritical && !allowed) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ }
+ if (!typeAndEKUAllowed) {
 if (PR_TRUE == requiredUsage) {
 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
 }
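Review bot: Adding `certificateUsageIPsec` to `allowOverride` in `CERT_VerifyCertificate`, and `certUsageIPsec` in the matching `cert_VerifyCertWithFlags` hunk, extends the validity-time override to IPsec peer certificates; until now it was limited to the SSL server usages. What the override permits is decided inside `CERT_CheckCertValidTimes`, which is not part of this diff. If it lets a stored per-certificate exception accept an expired certificate, that may not be what an unattended IKE endpoint wants. Either document the decision where the flag is computed, e.g. `/* IPsec peers honour the same validity override as SSL servers */`, or drop the IPsec term from both expressions.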
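Review bot: `isCritical` is declared without an initializer in the new IPsec branch and then read in `if (isCritical && !allowed)`, so the check relies on `cert_EKUAllowsIPsecIKE()` writing it on every path, including when the certificate carries no EKU extension; that helper is not shown in this diff. Declaring it as `PRBool isCritical = PR_FALSE;` makes the branch well defined regardless of the helper. For IPsec the `requiredCertType` test is skipped altogether and a non-critical EKU naming unrelated purposes is accepted. The existing comment hints at this, but it should say that the relaxation is deliberate and why. The enclosing loop body starts and ends outside the hunk.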
@@ -1508,7 +1557,8 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
 /* make sure that the cert is valid at time t */
 allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
- (certUsage == certUsageSSLServerWithStepUp));
+ (certUsage == certUsageSSLServerWithStepUp) ||
+ (certUsage == certUsageIPsec));
 validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
 if (validity != secCertTimeValid) {
 LOG_ERROR_OR_EXIT(log, cert, 0, validity);
@@ -1521,6 +1571,7 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
 case certUsageSSLClient:
 case certUsageSSLServer:
 case certUsageSSLServerWithStepUp:
+ case certUsageIPsec:
 case certUsageSSLCA:
 case certUsageEmailSigner:
 case certUsageEmailRecipient:
@@ -1633,6 +1684,7 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
 * certUsageSSLClient
 * certUsageSSLServer
 * certUsageSSLServerWithStepUp
+ * certUsageIPsec
 * certUsageEmailSigner
 * certUsageEmailRecipient
 * certUsageObjectSigner |
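Review bot: `certUsageIPsec` joins the usage switch in `cert_VerifyCertWithFlags`, but this diff gives that function no counterpart to the `cert_EKUAllowsIPsecIKE()` branch added in `CERT_VerifyCertificate`. The code after the switch is outside the hunk; if it still tests `certType & requiredCertType` unconditionally, the same IPsec certificate can be accepted through one entry point and rejected through the other. Either apply the same `certUsage != certUsageIPsec` split in `cert_VerifyCertWithFlags` or add a comment explaining why the two paths are meant to differ.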