Backed out 2 changesets (bug 1030204) for build bustage a=backout
authorWes Kocher <wkocher@mozilla.com>
Thu, 10 Jul 2014 12:32:05 -0700
changeset 199722 470b9d3ffc0fab4c333266da3c2a501d26ed6889
parent 199721 a56eae7ad1c2840818e03453ef2b1f12a33c4466
child 199725 b8b8b4bab1fa6cfb991ba7de60c925e300b952be
push id3728
push userkwierso@gmail.com
push dateThu, 10 Jul 2014 19:32:28 +0000
treeherdermozilla-beta@470b9d3ffc0f [default view] [failures only]
reviewersbackout
bugs1030204
milestone31.0
backs outa56eae7ad1c2840818e03453ef2b1f12a33c4466
ff83e05223eb57c19253506433181958892e60b0
Backed out 2 changesets (bug 1030204) for build bustage a=backout Backed out changeset a56eae7ad1c2 (bug 1030204) Backed out changeset ff83e05223eb (bug 1030204)
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.cert
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.cert
security/manager/ssl/tests/unit/test_name_constraints/dcisscopy.der
security/pkix/lib/pkixcheck.cpp
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -263,23 +263,16 @@ function run_test_in_mode(useMozillaPKIX
   // We don't enforce dNSName name constraints on CN unless we're validating
   // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
     let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
     check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
     check_cert_err_generic(cert, 0, certificateUsageSSLClient);
   }
-
-  // DCISS tests
-  // The certs used here were generated by the NSS test suite and are
-  // originally located as security/nss/tests/libpkix/cert/
-  load_cert("dcisscopy", "C,C,C");
-  check_ok(certFromFile('NameConstraints.dcissallowed.cert'));
-  check_fail(certFromFile('NameConstraints.dcissblocked.cert'));
 }
 
 function run_test() {
   load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
   load_cert("ca-nc", "CTu,CTu,CTu");
 
   run_test_in_mode(true);
   run_test_in_mode(false);
deleted file mode 100644
index 539adcfee927bdd583c848eea16281217f5b958a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 28f84919de2e82c0e0334e9da9c35b1c5482311b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index a3fbd91f3fd4521875fafd981592dd6ea263e2b1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -378,95 +378,28 @@ BackCert::GetConstrainedNames(/*out*/ co
   *result = constrainedNames;
   return Success;
 }
 
 // 4.2.1.10. Name Constraints
 Result
 CheckNameConstraints(BackCert& cert)
 {
-  static const char constraintFranceGov[] =
-                                     "\x30\x5D" /* sequence len 93*/
-                                     "\xA0\x5B" /* element len 91 */
-                                     "\x30\x05" /* sequence len 5 */
-                                     "\x82\x03" /* entry len 3 */
-                                     ".fr"
-                                     "\x30\x05\x82\x03" /* sequence len 5, entry len 3 */
-                                     ".gp"
-                                     "\x30\x05\x82\x03"
-                                     ".gf"
-                                     "\x30\x05\x82\x03"
-                                     ".mq"
-                                     "\x30\x05\x82\x03"
-                                     ".re"
-                                     "\x30\x05\x82\x03"
-                                     ".yt"
-                                     "\x30\x05\x82\x03"
-                                     ".pm"
-                                     "\x30\x05\x82\x03"
-                                     ".bl"
-                                     "\x30\x05\x82\x03"
-                                     ".mf"
-                                     "\x30\x05\x82\x03"
-                                     ".wf"
-                                     "\x30\x05\x82\x03"
-                                     ".pf"
-                                     "\x30\x05\x82\x03"
-                                     ".nc"
-                                     "\x30\x05\x82\x03"
-                                     ".tf";
-
-  /* The stringified value for the subject is:
-     E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-   */
-  static const char rawANSSISubject[] =
-                                 "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
-                                 "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
-                                 "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
-                                 "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
-                                 "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
-                                 "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
-                                 "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
-                                 "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
-                                 "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
-                                 "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
-                                 "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
-                                 "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
-                                 "\x76\x2E\x66\x72";
-
-  const SECItem ANSSI_SUBJECT = {
-    siBuffer,
-    reinterpret_cast<uint8_t *>(const_cast<char *>(rawANSSISubject)),
-    sizeof(rawANSSISubject) - 1
-  };
-
-  const SECItem PERMIT_FRANCE_GOV_NC = {
-    siBuffer,
-    reinterpret_cast<uint8_t *>(const_cast<char *>(constraintFranceGov)),
-    sizeof(constraintFranceGov) - 1
-  };
-
-  const SECItem* nameConstraintsToUse = cert.encodedNameConstraints;
-
-  if (!nameConstraintsToUse) {
-    if (SECITEM_ItemsAreEqual(&cert.GetSubject(), &ANSSI_SUBJECT)) {
-      nameConstraintsToUse = &PERMIT_FRANCE_GOV_NC;
-    } else {
-      return Success;
-    }
+  if (!cert.encodedNameConstraints) {
+    return Success;
   }
 
   PLArenaPool* arena = cert.GetArena();
   if (!arena) {
     return FatalError;
   }
 
   // Owned by arena
   const CERTNameConstraints* constraints =
-    CERT_DecodeNameConstraintsExtension(arena, nameConstraintsToUse);
+    CERT_DecodeNameConstraintsExtension(arena, cert.encodedNameConstraints);
   if (!constraints) {
     return MapSECStatus(SECFailure);
   }
 
   for (BackCert* prev = cert.childCert; prev; prev = prev->childCert) {
     const CERTGeneralName* names = nullptr;
     Result rv = prev->GetConstrainedNames(&names);
     if (rv != Success) {
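Review bot: The new early return `if (!cert.encodedNameConstraints) { return Success; }` in CheckNameConstraints no longer restricts a certificate whose subject equals the removed `ANSSI_SUBJECT` and which has no nameConstraints extension. The removed `PERMIT_FRANCE_GOV_NC` fallback had limited such a certificate to `.fr` and the other listed suffixes. The commit message gives build bustage as the reason, so this looks like a temporary loss of an enforcement rule rather than a policy decision. The DCISS allowed/blocked checks are removed from test_name_constraints.js in the same changeset, so no test will flag the gap if the re-land slips. I would add a comment above the early return, e.g. `// TODO(bug 1030204): built-in name constraints for the ANSSI subject were backed out for build bustage; a cert without the extension is unconstrained here until this re-lands.` The function body continues past the end of the hunk, so the rest of the constraint loop is not visible here.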