Bug 1030204 - 1/2 Name constraint ANSSI(DCISS) Root cert in mozilla::pkix. r=keeler a=sledru
authorCamilo Viecco <cviecco@mozilla.com>
Tue, 08 Jul 2014 16:16:26 -0700
changeset 207818 8a86bcf49ef57770f36f2e6f03f574f0b6ce9564
parent 207817 93a1f34ce73545be0cc798f44589041138d9ad39
child 207819 d9c3d923cb3e24afc0a1d7d8a4500037200121b5
push id3741
push userasasaki@mozilla.com
push dateMon, 21 Jul 2014 20:25:18 +0000
treeherdermozilla-beta@4d6f46f5af68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, sledru
bugs1030204
milestone32.0a2
Bug 1030204 - 1/2 Name constraint ANSSI(DCISS) Root cert in mozilla::pkix. r=keeler a=sledru
security/pkix/lib/pkixcheck.cpp
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -402,28 +402,95 @@ BackCert::GetConstrainedNames(/*out*/ co
   *result = constrainedNames;
   return Success;
 }
 
 // 4.2.1.10. Name Constraints
 Result
 CheckNameConstraints(BackCert& cert)
 {
-  if (!cert.encodedNameConstraints) {
-    return Success;
+  static const char constraintFranceGov[] =
+                                     "\x30\x5D" /* sequence len 93*/
+                                     "\xA0\x5B" /* element len 91 */
+                                     "\x30\x05" /* sequence len 5 */
+                                     "\x82\x03" /* entry len 3 */
+                                     ".fr"
+                                     "\x30\x05\x82\x03" /* sequence len 5, entry len 3 */
+                                     ".gp"
+                                     "\x30\x05\x82\x03"
+                                     ".gf"
+                                     "\x30\x05\x82\x03"
+                                     ".mq"
+                                     "\x30\x05\x82\x03"
+                                     ".re"
+                                     "\x30\x05\x82\x03"
+                                     ".yt"
+                                     "\x30\x05\x82\x03"
+                                     ".pm"
+                                     "\x30\x05\x82\x03"
+                                     ".bl"
+                                     "\x30\x05\x82\x03"
+                                     ".mf"
+                                     "\x30\x05\x82\x03"
+                                     ".wf"
+                                     "\x30\x05\x82\x03"
+                                     ".pf"
+                                     "\x30\x05\x82\x03"
+                                     ".nc"
+                                     "\x30\x05\x82\x03"
+                                     ".tf";
+
+  /* The stringified value for the subject is:
+     E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
+   */
+  static const char rawANSSISubject[] =
+                                 "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
+                                 "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
+                                 "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
+                                 "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
+                                 "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
+                                 "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
+                                 "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
+                                 "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
+                                 "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
+                                 "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
+                                 "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
+                                 "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
+                                 "\x76\x2E\x66\x72";
+
+  const SECItem ANSSI_SUBJECT = {
+    siBuffer,
+    reinterpret_cast<uint8_t *>(const_cast<char *>(rawANSSISubject)),
+    sizeof(rawANSSISubject) - 1
+  };
+
+  const SECItem PERMIT_FRANCE_GOV_NC = {
+    siBuffer,
+    reinterpret_cast<uint8_t *>(const_cast<char *>(constraintFranceGov)),
+    sizeof(constraintFranceGov) - 1
+  };
+
+  const SECItem* nameConstraintsToUse = cert.encodedNameConstraints;
+
+  if (!nameConstraintsToUse) {
+    if (SECITEM_ItemsAreEqual(&cert.GetSubject(), &ANSSI_SUBJECT)) {
+      nameConstraintsToUse = &PERMIT_FRANCE_GOV_NC;
+    } else {
+      return Success;
+    }
   }
 
   PLArenaPool* arena = cert.GetArena();
   if (!arena) {
     return FatalError;
   }
 
   // Owned by arena
   const CERTNameConstraints* constraints =
-    CERT_DecodeNameConstraintsExtension(arena, cert.encodedNameConstraints);
+    CERT_DecodeNameConstraintsExtension(arena, nameConstraintsToUse);
   if (!constraints) {
     return MapSECStatus(SECFailure);
   }
 
   for (BackCert* prev = cert.childCert; prev; prev = prev->childCert) {
     const CERTGeneralName* names = nullptr;
     Result rv = prev->GetConstrainedNames(&names);
     if (rv != Success) {