Bug 1111398: Rename ValidDNSIDMatchType to IDRole, r=keeler
authorBrian Smith <brian@briansmith.org>
Sat, 13 Dec 2014 22:29:58 -0800
changeset 220767 5e53f5ad4e5de9619e9e2b2476998f1eb88601e2
parent 220766 6820a4e8be01e9a2ebd944cb30c4cc9c9f5a9538
child 220768 4ef8135861e45d8e50be3aa228f82c31c3119e41
push id28000
push usercbook@mozilla.com
push dateMon, 22 Dec 2014 12:13:57 +0000
treeherdermozilla-central@c82d5fcdc416 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1111398
milestone37.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1111398: Rename ValidDNSIDMatchType to IDRole, r=keeler
security/pkix/lib/pkixnames.cpp
--- a/security/pkix/lib/pkixnames.cpp
+++ b/security/pkix/lib/pkixnames.cpp
@@ -150,45 +150,44 @@ Result MatchPresentedIDWithReferenceID(G
                                        /*in/out*/ MatchResult& matchResult);
 Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType,
                                              Input presentedID,
                                              Input nameConstraints);
 
 uint8_t LocaleInsensitveToLower(uint8_t a);
 bool StartsWithIDNALabel(Input id);
 
-MOZILLA_PKIX_ENUM_CLASS ValidDNSIDMatchType
+MOZILLA_PKIX_ENUM_CLASS IDRole
 {
   ReferenceID = 0,
   PresentedID = 1,
   NameConstraint = 2,
 };
 
-bool IsValidDNSID(Input hostname, ValidDNSIDMatchType matchType);
+bool IsValidDNSID(Input hostname, IDRole idRole);
 
 Result MatchPresentedDNSIDWithReferenceDNSID(
-         Input presentedDNSID, ValidDNSIDMatchType referenceDNSIDType,
+         Input presentedDNSID, IDRole referenceDNSIDRole,
          Input referenceDNSID, /*out*/ bool& matches);
 
 } // unnamed namespace
 
 bool IsValidReferenceDNSID(Input hostname);
 bool IsValidPresentedDNSID(Input hostname);
 bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
 bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
 
 // This is used by the pkixnames_tests.cpp tests.
 Result
 MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
                                       Input referenceDNSID,
                                       /*out*/ bool& matches)
 {
   return MatchPresentedDNSIDWithReferenceDNSID(
-           presentedDNSID, ValidDNSIDMatchType::ReferenceID,
-           referenceDNSID, matches);
+           presentedDNSID, IDRole::ReferenceID, referenceDNSID, matches);
 }
 
 // Verify that the given end-entity cert, which is assumed to have been already
 // validated with BuildCertChain, is valid for the given hostname. hostname is
 // assumed to be a string representation of an IPv4 address, an IPv6 addresss,
 // or a normalized ASCII (possibly punycode) DNS name.
 Result
 CheckCertHostname(Input endEntityCertDER, Input hostname)
@@ -614,18 +613,17 @@ MatchPresentedIDWithReferenceID(GeneralN
   }
 
   Result rv;
   bool foundMatch;
 
   switch (referenceIDType) {
     case GeneralNameType::dNSName:
       rv = MatchPresentedDNSIDWithReferenceDNSID(
-             presentedID, ValidDNSIDMatchType::ReferenceID,
-             referenceID, foundMatch);
+             presentedID, IDRole::ReferenceID, referenceID, foundMatch);
       break;
 
     case GeneralNameType::iPAddress:
       foundMatch = InputsAreEqual(presentedID, referenceID);
       rv = Success;
       break;
 
     case GeneralNameType::rfc822Name: // fall through
@@ -766,18 +764,17 @@ CheckPresentedIDConformsToNameConstraint
     }
 
     if (presentedIDType == nameConstraintType) {
       bool matches;
 
       switch (presentedIDType) {
         case GeneralNameType::dNSName:
           rv = MatchPresentedDNSIDWithReferenceDNSID(
-                 presentedID, ValidDNSIDMatchType::NameConstraint,
-                 base, matches);
+                 presentedID, IDRole::NameConstraint, base, matches);
           if (rv != Success) {
             return rv;
           }
           break;
 
         case GeneralNameType::iPAddress:
           rv = MatchPresentedIPAddressWithConstraint(presentedID, base,
                                                      matches);
@@ -968,37 +965,37 @@ CheckPresentedIDConformsToNameConstraint
 // [3] Proposal to add such support to OpenSSL:
 //     http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html
 //     https://rt.openssl.org/Ticket/Display.html?id=3562
 // [4] Feedback on the lack of clarify in the definition that never got
 //     incorporated into the spec:
 //     https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
 Result
 MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
-                                      ValidDNSIDMatchType referenceDNSIDType,
+                                      IDRole referenceDNSIDRole,
                                       Input referenceDNSID,
                                       /*out*/ bool& matches)
 {
   if (!IsValidPresentedDNSID(presentedDNSID)) {
     return Result::ERROR_BAD_DER;
   }
 
-  if (!IsValidDNSID(referenceDNSID, referenceDNSIDType)) {
+  if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole)) {
     return Result::ERROR_BAD_DER;
   }
 
   Reader presented(presentedDNSID);
   Reader reference(referenceDNSID);
 
-  switch (referenceDNSIDType)
+  switch (referenceDNSIDRole)
   {
-    case ValidDNSIDMatchType::ReferenceID:
+    case IDRole::ReferenceID:
       break;
 
-    case ValidDNSIDMatchType::NameConstraint:
+    case IDRole::NameConstraint:
     {
       if (presentedDNSID.GetLength() > referenceDNSID.GetLength()) {
         if (referenceDNSID.GetLength() == 0) {
           // An empty constraint matches everything.
           matches = true;
           return Success;
         }
         // If the reference ID starts with a dot then skip the prefix of
@@ -1047,19 +1044,19 @@ MatchPresentedDNSIDWithReferenceDNSID(In
             matches = false;
             return Success;
           }
         }
       }
       break;
     }
 
-    case ValidDNSIDMatchType::PresentedID: // fall through
+    case IDRole::PresentedID: // fall through
     default:
-      return NotReached("invalid or unknown referenceDNSIDType",
+      return NotReached("invalid or unknown referenceDNSIDRole",
                         Result::FATAL_ERROR_INVALID_ARGS);
   }
 
   // We only allow wildcard labels that consist only of '*'.
   if (presented.Peek('*')) {
     if (presented.Skip(1) != Success) {
       return NotReached("Skipping '*' failed",
                         Result::FATAL_ERROR_LIBRARY_FAILURE);
@@ -1096,17 +1093,17 @@ MatchPresentedDNSIDWithReferenceDNSID(In
       }
       break;
     }
   }
 
   // Allow a relative presented DNS ID to match an absolute reference DNS ID,
   // unless we're matching a name constraint.
   if (!reference.AtEnd()) {
-    if (referenceDNSIDType != ValidDNSIDMatchType::NameConstraint) {
+    if (referenceDNSIDRole != IDRole::NameConstraint) {
       uint8_t referenceByte;
       if (reference.Read(referenceByte) != Success) {
         return NotReached("read failed but not at end",
                           Result::FATAL_ERROR_LIBRARY_FAILURE);
       }
       if (referenceByte != '.') {
         matches = false;
         return Success;
@@ -1557,50 +1554,49 @@ ParseIPv6Address(Input hostname, /*out*/
       }
     }
   }
 }
 
 bool
 IsValidReferenceDNSID(Input hostname)
 {
-  return IsValidDNSID(hostname, ValidDNSIDMatchType::ReferenceID);
+  return IsValidDNSID(hostname, IDRole::ReferenceID);
 }
 
 bool
 IsValidPresentedDNSID(Input hostname)
 {
-  return IsValidDNSID(hostname, ValidDNSIDMatchType::PresentedID);
+  return IsValidDNSID(hostname, IDRole::PresentedID);
 }
 
 namespace {
 
 bool
-IsValidDNSID(Input hostname, ValidDNSIDMatchType matchType)
+IsValidDNSID(Input hostname, IDRole idRole)
 {
   if (hostname.GetLength() > 253) {
     return false;
   }
 
   Reader input(hostname);
 
-  if (matchType == ValidDNSIDMatchType::NameConstraint && input.AtEnd()) {
+  if (idRole == IDRole::NameConstraint && input.AtEnd()) {
     return true;
   }
 
   size_t dotCount = 0;
   size_t labelLength = 0;
   bool labelIsAllNumeric = false;
   bool labelEndsWithHyphen = false;
 
   // Only presented IDs are allowed to have wildcard labels. And, like
   // Chromium, be stricter than RFC 6125 requires by insisting that a
   // wildcard label consist only of '*'.
-  bool isWildcard = matchType == ValidDNSIDMatchType::PresentedID &&
-                    input.Peek('*');
+  bool isWildcard = idRole == IDRole::PresentedID && input.Peek('*');
   bool isFirstByte = !isWildcard;
   if (isWildcard) {
     Result rv = input.Skip(1);
     if (rv != Success) {
       assert(false);
       return false;
     }
 
@@ -1674,35 +1670,34 @@ IsValidDNSID(Input hostname, ValidDNSIDM
         if (labelLength > MAX_LABEL_LENGTH) {
           return false;
         }
         break;
 
       case '.':
         ++dotCount;
         if (labelLength == 0 &&
-            (matchType != ValidDNSIDMatchType::NameConstraint ||
-             !isFirstByte)) {
+            (idRole != IDRole::NameConstraint || !isFirstByte)) {
           return false;
         }
         if (labelEndsWithHyphen) {
           return false; // Labels must not end with a hyphen.
         }
         labelLength = 0;
         break;
 
       default:
         return false; // Invalid character.
     }
     isFirstByte = false;
   } while (!input.AtEnd());
 
   // Only reference IDs, not presented IDs or name constraints, may be
   // absolute.
-  if (labelLength == 0 && matchType != ValidDNSIDMatchType::ReferenceID) {
+  if (labelLength == 0 && idRole != IDRole::ReferenceID) {
     return false;
   }
 
   if (labelEndsWithHyphen) {
     return false; // Labels must not end with a hyphen.
   }
 
   if (labelIsAllNumeric) {