Bug 1047177 - Treat v4 certs as v3 certs (1/2). r=keeler. a=lmandel
authorCamilo Viecco <cviecco@mozilla.com>
Thu, 21 Aug 2014 15:28:41 -0700
changeset 208370 6049537c2510
parent 208369 ac8864d8ecc0
child 208371 74a58e14d1d3
push id3846
push usercviecco@mozilla.com
push date2014-08-22 00:35 +0000
reviewerskeeler, lmandel
bugs1047177
milestone32.0
Bug 1047177 - Treat v4 certs as v3 certs (1/2). r=keeler. a=lmandel
content/media/test/small-shot.mp3
security/pkix/lib/pkixbuild.cpp
security/pkix/lib/pkixder.h
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -58,17 +58,18 @@ BackCert::Init(const SECItem& certDER)
   }
   // We only decode v3 extensions for v3 certificates for two reasons.
   // 1. They make no sense in non-v3 certs
   // 2. An invalid cert can embed a basic constraints extension and the
   //    check basic constrains will asume that this is valid. Making it
   //    posible to create chains with v1 and v2 intermediates with is
   //    not desirable.
   if (! (nssCert->version.len == 1 &&
-      nssCert->version.data[0] == mozilla::pkix::der::Version::v3)) {
+      (nssCert->version.data[0] == mozilla::pkix::der::Version::v3 ||
+       nssCert->version.data[0] == mozilla::pkix::der::Version::v4))) {
     return Fail(RecoverableError, SEC_ERROR_EXTENSION_VALUE_INVALID);
   }
 
   const SECItem* dummyEncodedSubjectKeyIdentifier = nullptr;
   const SECItem* dummyEncodedAuthorityKeyIdentifier = nullptr;
   const SECItem* dummyEncodedAuthorityInfoAccess = nullptr;
   const SECItem* dummyEncodedSubjectAltName = nullptr;
 
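Review bot: The comment directly above the changed condition still says extensions are decoded only `for v3 certificates`, which the new `|| nssCert->version.data[0] == mozilla::pkix::der::Version::v4` branch contradicts, and the hunk records no reason for tolerating a version byte of 3 that RFC 5280 does not define (its Version is v1(0), v2(1), v3(2)). A reader should be able to tell this is a deliberate compatibility decision rather than an oversight, so I would change the first comment line to `// We only decode v3 extensions for v3 certificates (and for v4 certificates, which` / `// RFC 5280 does not define but which we treat exactly like v3) for two reasons.`. Whether the version decoder in pkixder.h lets a value of 3 reach this point is not visible here (the second file's hunk only adds the enum name), so that presumably belongs to part 2/2 of this bug and should be confirmed. BackCert::Init begins and ends outside the hunk.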
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -617,17 +617,17 @@ CertificateSerialNumber(Input& input, /*
     }
   }
 
   return Success;
 }
 
 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-enum Version { v1 = 0, v2 = 1, v3 = 2 };
+enum Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
 
 // X.509 Certificate and OCSP ResponseData both use this
 // "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
 // different default versions.
 inline Result
 OptionalVersion(Input& input, /*out*/ uint8_t& version)
 {
   const uint8_t tag = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
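Review bot: The comment above the enum (`// x.509 and OCSP both use this same version numbering scheme, though OCSP only supports v1.`) should note that the added `v4 = 3` is not part of that scheme, since RFC 5280 defines Version as v1(0), v2(1), v3(2) and a maintainer seeing v4 here may assume it is standard. I would append `// v4 (3) is not defined by RFC 5280; it exists only so callers can recognise such certificates and handle them like v3.`. OptionalVersion, whose signature is the last line of the hunk, continues outside it, so whether it accepts a value of 3 cannot be checked from this change.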