From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Fri, 2 Feb 2018 04:16:08 -0500 Subject: Add m-esr52 at 52.6.0 --- security/certverifier/BRNameMatchingPolicy.h | 59 ++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 security/certverifier/BRNameMatchingPolicy.h (limited to 'security/certverifier/BRNameMatchingPolicy.h') diff --git a/security/certverifier/BRNameMatchingPolicy.h b/security/certverifier/BRNameMatchingPolicy.h new file mode 100644 index 000000000..009f21440 --- /dev/null +++ b/security/certverifier/BRNameMatchingPolicy.h @@ -0,0 +1,59 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef BRNameMatchingPolicy_h +#define BRNameMatchingPolicy_h + +#include "pkix/pkixtypes.h" + +namespace mozilla { namespace psm { + +// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a, +// the requirements of the subject common name field are as follows: +// "If present, this field MUST contain a single IP address or Fully‐Qualified +// Domain Name that is one of the values contained in the Certificate’s +// subjectAltName extension". Consequently, since any name information present +// in the common name must be present in the subject alternative name extension, +// when performing name matching, it should not be necessary to fall back to the +// common name. Because this consequence has not commonly been enforced, this +// implementation provides a mechanism to start enforcing it gradually while +// maintaining some backwards compatibility. If configured with the mode +// "EnforceAfter23August2016", name matching will only fall back to using the +// subject common name for certificates where the notBefore field is before 23 +// August 2016. Similarly, the mode "EnforceAfter23August2015" is also +// available. This is to provide a balance between allowing preexisting +// long-lived certificates and detecting newly-issued problematic certificates. +// Note that this implementation does not actually directly enforce that if the +// subject common name is present, its value corresponds to a dNSName or +// iPAddress entry in the subject alternative name extension. + +class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy +{ +public: + enum class Mode { + DoNotEnforce = 0, + EnforceAfter23August2016 = 1, + EnforceAfter23August2015 = 2, + Enforce = 3, + }; + + explicit BRNameMatchingPolicy(Mode mode) + : mMode(mode) + { + } + + virtual mozilla::pkix::Result FallBackToCommonName( + mozilla::pkix::Time notBefore, + /*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName) + override; + +private: + Mode mMode; +}; + +} } // namespace mozilla::psm + +#endif // BRNameMatchingPolicy_h -- cgit v1.2.3