diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-12-15 01:42:53 +0100 |
| commit | 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 (patch) | |
| tree | db1f30ada487c3831ea8e4e98b2d39edc9e88eea /security/nss/lib/certdb/certdb.c | |
| parent | 09ef48bd005a7f9e97a3fe797a079fcf2b5e58d3 (diff) | |
| download | UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.gz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.lz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.tar.xz UXP-74cabf7948b2597f5b6a67d6910c844fd1a88ff6.zip | |
Update NSS to 3.41
Diffstat (limited to 'security/nss/lib/certdb/certdb.c')
| -rw-r--r-- | security/nss/lib/certdb/certdb.c | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 1a676a720..85b5f2917 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -446,6 +446,74 @@ cert_GetCertType(CERTCertificate *cert) return SECSuccess; } +PRBool +cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical) +{ + SECStatus rv; + SECItem encodedExtKeyUsage; + CERTOidSequence *extKeyUsage = NULL; + PRBool result = PR_FALSE; + + rv = CERT_GetExtenCriticality(cert->extensions, + SEC_OID_X509_EXT_KEY_USAGE, + isCritical); + if (rv != SECSuccess) { + *isCritical = PR_FALSE; + } + + encodedExtKeyUsage.data = NULL; + rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, + &encodedExtKeyUsage); + if (rv != SECSuccess) { + /* EKU not present, allowed. */ + result = PR_TRUE; + goto done; + } + + extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage); + if (!extKeyUsage) { + /* failure */ + goto done; + } + + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_X509_ANY_EXT_KEY_USAGE) == + SECSuccess) { + result = PR_TRUE; + goto done; + } + + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) == + SECSuccess) { + result = PR_TRUE; + goto done; + } + + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_IPSEC_IKE_END) == + SECSuccess) { + result = PR_TRUE; + goto done; + } + + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_IPSEC_IKE_INTERMEDIATE) == + SECSuccess) { + result = PR_TRUE; + goto done; + } + +done: + if (encodedExtKeyUsage.data != NULL) { + PORT_Free(encodedExtKeyUsage.data); + } + if (extKeyUsage != NULL) { + CERT_DestroyOidSequence(extKeyUsage); + } + return result; +} + PRUint32 cert_ComputeCertType(CERTCertificate *cert) { @@ -1083,6 +1151,10 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca, requiredKeyUsage = KU_KEY_CERT_SIGN; requiredCertType = NS_CERT_TYPE_SSL_CA; break; + case certUsageIPsec: + requiredKeyUsage = KU_KEY_CERT_SIGN; + requiredCertType = NS_CERT_TYPE_SSL_CA; + break; case certUsageSSLCA: requiredKeyUsage = KU_KEY_CERT_SIGN; requiredCertType = NS_CERT_TYPE_SSL_CA; @@ -1125,6 +1197,11 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca, requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT; requiredCertType = NS_CERT_TYPE_SSL_SERVER; break; + case certUsageIPsec: + /* RFC 4945 Section 5.1.3.2 */ + requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION; + requiredCertType = 0; + break; case certUsageSSLServerWithStepUp: requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED; |