Skip to content

Commit

Permalink
bug 985021 - mozilla::pkix: temporarily accept pathLenConstraint in E…
Browse files Browse the repository at this point in the history
…E basic constraints extensions r=briansmith
  • Loading branch information
mozkeeler committed Mar 21, 2014
1 parent 6739ab6 commit 22f565e
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 4 deletions.
65 changes: 61 additions & 4 deletions security/pkix/lib/pkixcheck.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
* limitations under the License.
*/

#include <limits>

#include "pkix/pkix.h"
#include "pkixcheck.h"
#include "pkixder.h"
Expand Down Expand Up @@ -147,6 +149,62 @@ CheckCertificatePolicies(BackCert& cert, EndEntityOrCA endEntityOrCA,
return RecoverableError;
}

// BasicConstraints ::= SEQUENCE {
// cA BOOLEAN DEFAULT FALSE,
// pathLenConstraint INTEGER (0..MAX) OPTIONAL }
der::Result
DecodeBasicConstraints(const SECItem* encodedBasicConstraints,
CERTBasicConstraints& basicConstraints)
{
PR_ASSERT(encodedBasicConstraints);
if (!encodedBasicConstraints) {
return der::Fail(SEC_ERROR_INVALID_ARGS);
}

basicConstraints.isCA = false;
basicConstraints.pathLenConstraint = 0;

der::Input input;
if (input.Init(encodedBasicConstraints->data, encodedBasicConstraints->len)
!= der::Success) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}

if (der::ExpectTagAndIgnoreLength(input, der::SEQUENCE) != der::Success) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}

bool isCA = false;
if (der::OptionalBoolean(input, isCA) != der::Success) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}
basicConstraints.isCA = isCA;

if (input.Peek(der::INTEGER)) {
SECItem pathLenConstraintEncoded;
if (der::Integer(input, pathLenConstraintEncoded) != der::Success) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}
long pathLenConstraint = DER_GetInteger(&pathLenConstraintEncoded);
if (pathLenConstraint >= std::numeric_limits<int>::max() ||
pathLenConstraint < 0) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}
basicConstraints.pathLenConstraint = static_cast<int>(pathLenConstraint);
// TODO(bug 985025): If isCA is false, pathLenConstraint MUST NOT
// be included (as per RFC 5280 section 4.2.1.9), but for compatibility
// reasons, we don't check this for now.
} else if (basicConstraints.isCA) {
// If this is a CA but the path length is omitted, it is unlimited.
basicConstraints.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
}

if (der::End(input) != der::Success) {
return der::Fail(SEC_ERROR_EXTENSION_VALUE_INVALID);
}
return der::Success;
}

// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
Result
CheckBasicConstraints(const BackCert& cert,
Expand All @@ -156,10 +214,9 @@ CheckBasicConstraints(const BackCert& cert,
{
CERTBasicConstraints basicConstraints;
if (cert.encodedBasicConstraints) {
SECStatus rv = CERT_DecodeBasicConstraintValue(&basicConstraints,
cert.encodedBasicConstraints);
if (rv != SECSuccess) {
return MapSECStatus(rv);
if (DecodeBasicConstraints(cert.encodedBasicConstraints,
basicConstraints) != der::Success) {
return RecoverableError;
}
} else {
// Synthesize a non-CA basic constraints by default
Expand Down
17 changes: 17 additions & 0 deletions security/pkix/lib/pkixder.h
Original file line number Diff line number Diff line change
Expand Up @@ -380,6 +380,23 @@ Boolean(Input& input, /*out*/ bool& value)
}
}

// This is for any BOOLEAN DEFAULT FALSE.
// (If it is present and false, this is a bad encoding.)
inline Result
OptionalBoolean(Input& input, /*out*/ bool& value)
{
value = false;
if (input.Peek(BOOLEAN)) {
if (Boolean(input, value) != Success) {
return Failure;
}
if (!value) {
return Fail(SEC_ERROR_BAD_DER);
}
}
return Success;
}

inline Result
Enumerated(Input& input, uint8_t& value)
{
Expand Down

0 comments on commit 22f565e

Please sign in to comment.