summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/libpkix
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/libpkix')
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c34
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c5
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c13
3 files changed, 38 insertions, 14 deletions
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
index 7c9430d3c..28f21a6c2 100755
--- a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -168,6 +168,9 @@ pkix_NameConstraintsChecker_Check(
PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
PKIX_Boolean selfIssued = PKIX_FALSE;
PKIX_Boolean lastCert = PKIX_FALSE;
+ PKIX_Boolean treatCommonNameAsDNSName = PKIX_FALSE;
+ PKIX_List *extKeyUsageList = NULL;
+ PKIX_PL_OID *serverAuthOID = NULL;
PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
@@ -185,11 +188,38 @@ pkix_NameConstraintsChecker_Check(
PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
PKIX_ISCERTSELFISSUEDFAILED);
+ if (lastCert) {
+ /* For the last cert, treat the CN as a DNS name for name
+ * constraint check. But only if EKU has id-kp-serverAuth
+ * or EKU is absent. It does not make sense to treat CN
+ * as a DNS name for an OCSP signing certificate, for example.
+ */
+ PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+ (cert, &extKeyUsageList, plContext),
+ PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+ if (extKeyUsageList == NULL) {
+ treatCommonNameAsDNSName = PKIX_TRUE;
+ } else {
+ PKIX_CHECK(PKIX_PL_OID_Create
+ (PKIX_KEY_USAGE_SERVER_AUTH_OID,
+ &serverAuthOID,
+ plContext),
+ PKIX_OIDCREATEFAILED);
+
+ PKIX_CHECK(pkix_List_Contains
+ (extKeyUsageList,
+ (PKIX_PL_Object *) serverAuthOID,
+ &treatCommonNameAsDNSName,
+ plContext),
+ PKIX_LISTCONTAINSFAILED);
+ }
+ }
+
/* Check on non self-issued and if so only for last cert */
if (selfIssued == PKIX_FALSE ||
(selfIssued == PKIX_TRUE && lastCert)) {
PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
- (cert, state->nameConstraints, lastCert,
+ (cert, state->nameConstraints, treatCommonNameAsDNSName,
plContext),
PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
}
@@ -241,6 +271,8 @@ pkix_NameConstraintsChecker_Check(
cleanup:
PKIX_DECREF(state);
+ PKIX_DECREF(extKeyUsageList);
+ PKIX_DECREF(serverAuthOID);
PKIX_RETURN(CERTCHAINCHECKER);
}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
index 3dc06be9a..9b6f8d688 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
@@ -352,7 +352,9 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse(
SECItem decode = {siBuffer, NULL, 0};
SECStatus rv = SECFailure;
LDAPMessage msg;
- LDAPBindResponse *ldapBindResponse = NULL;
+ LDAPBindResponse *ldapBindResponse = &msg.protocolOp.op.bindResponseMsg;
+
+ ldapBindResponse->resultCode.data = NULL;
PKIX_ENTER
(LDAPDEFAULTCLIENT,
@@ -367,7 +369,6 @@ pkix_pl_LdapDefaultClient_VerifyBindResponse(
PKIX_LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED);
if (rv == SECSuccess) {
- ldapBindResponse = &msg.protocolOp.op.bindResponseMsg;
if (*(ldapBindResponse->resultCode.data) == SUCCESS) {
client->connectStatus = BOUND;
} else {
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index 145dcff9a..25a1170a5 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3002,17 +3002,8 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
}
- if (certUsage != certUsageIPsec) {
- if (!(certType & requiredCertType)) {
- PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
- }
- } else {
- PRBool isCritical;
- PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
- /* If the extension isn't critical, we allow any EKU value. */
- if (isCritical && !allowed) {
- PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
- }
+ if (!(certType & requiredCertType)) {
+ PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
}
cleanup:
PKIX_DECREF(basicConstraints);