Bug 1047177 - Treat v4 certs as v3 certs (1/2). r=keeler. a=lmandel
authorCamilo Viecco <cviecco@mozilla.com>
Thu, 21 Aug 2014 17:34:53 -0700
changeset 216491 912f3087ec0c9bf1abb58fe8930fdae3fe5b0128
parent 216490 947dd9a0f12be223626e373bcb3f20ac0b743f56
child 216492 dfdc5879d992042f13f0da69c4b72ed7072e8b30
push id3857
push userraliiev@mozilla.com
push dateTue, 02 Sep 2014 16:39:23 +0000
reviewerskeeler, lmandel
bugs1047177
milestone33.0a2
Bug 1047177 - Treat v4 certs as v3 certs (1/2). r=keeler. a=lmandel
security/pkix/lib/pkixcert.cpp
security/pkix/lib/pkixder.h
--- a/security/pkix/lib/pkixcert.cpp
+++ b/security/pkix/lib/pkixcert.cpp
@@ -145,17 +145,20 @@ BackCert::Init()
       rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
       if (rv != Success) {
         return rv;
       }
     }
   }
 
   // Extensions were added in v3, so only accept extensions in v3 certificates.
-  if (version == der::Version::v3) {
+  // v4 certificates are not defined but there are some certificates issued
+  // with v4 that expect v3 decoding. For compatibility reasons we handle them
+  // as v3 certificates.
+  if (version == der::Version::v3 || version == der::Version::v4) {
     rv = der::OptionalExtensions(tbsCertificate, CSC | 3,
                                  bind(&BackCert::RememberExtension, this, _1,
                                       _2, _3));
     if (rv != Success) {
       return rv;
     }
   }
 
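Review bot: The v4 relaxation at the extensions gate does not by itself make a v4 certificate parse like a v3 one: the issuerUniqueID/subjectUniqueID handling just above (the `CSC | 2` skip visible at the top of the hunk) is presumably gated on the version as well, and if that gate still names only v2/v3, a v4 certificate carrying a unique identifier would still be rejected, now with a misleading error. BackCert::Init starts before the hunk, so this cannot be confirmed here; the "(1/2)" in the title suggests a follow-up, but the comment should state which parts of v3 parsing the compatibility rule covers. I would also tie the comment to the tracking bug and make the security posture explicit: `// v4 certificates are not defined by RFC 5280 (bug 1047177). Some certificates have been issued with v4 expecting v3 decoding, so for compatibility they are parsed exactly as v3; nothing else about validation is relaxed.`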
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -454,17 +454,17 @@ CertificateSerialNumber(Input& input, /*
     }
   }
 
   return Success;
 }
 
 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2 };
+MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
 
 // X.509 Certificate and OCSP ResponseData both use this
 // "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
 // different default versions.
 inline Result
 OptionalVersion(Input& input, /*out*/ Version& version)
 {
   static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
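Review bot: The new `v4 = 3` enumerator is undocumented, and the comment above the enum still says the scheme is shared with OCSP, so a reader auditing this header for what the parser accepts will take v4 for a legitimate version. Since v4 is not defined by RFC 5280 and exists only so that non-conforming certificates can be parsed as v3, say so at the definition: `v4 = 3 // not defined by RFC 5280; accepted only for compatibility and treated as v3`. Nobody should have to look up bug 1047177 to learn that.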
@@ -487,16 +487,17 @@ OptionalVersion(Input& input, /*out*/ Ve
     return rv;
   }
   switch (integerValue) {
     case static_cast<uint8_t>(Version::v3): version = Version::v3; break;
     case static_cast<uint8_t>(Version::v2): version = Version::v2; break;
     // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
     // do here for compatibility reasons.
     case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
+    case static_cast<uint8_t>(Version::v4): version = Version::v4; break;
     default:
       return Fail(SEC_ERROR_BAD_DER);
   }
   return Success;
 }
 
 template <typename ExtensionHandler>
 inline Result
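Review bot: OptionalVersion is shared by X.509 and OCSP ResponseData (per the comment above it), so the new `case Version::v4` line also lets an OCSP ResponseData with version 3 parse here instead of failing with SEC_ERROR_BAD_DER; whether that is harmless depends on the OCSP caller rejecting anything but v1 afterwards, which cannot be confirmed from this hunk. If the caller does check, a comment on the new case should say the compatibility hack is certificate-only and that it relies on that check; if it does not, the OCSP path should stay strict. Either way the case deserves the same kind of note as the v1 exception above it, e.g. `// XXX(bug 1047177): v4 is not defined; accepted for compatibility with certificates that expect v3 decoding.`, and for readability it belongs in descending order next to v3 rather than after the v1 case.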