    Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno · 54d34e31
    Fraser Tweedale authored
    libpkix, when validating a leaf certificate against the CAs' name
    constraints, treats the Subject DN CN attribute as a DNS name.  This
    may be reasonable behaviour for server certificates, but does not
    make sense for other kinds of certificates (e.g. user certificates,
    OCSP signing certificates, etc.)
    
    Update the libpkix name constraints checker to only treat the CN as
    a DNS name for server certificates (i.e. when id-kp-serverAuth is
    asserted in the Extended Key Usage extension).  For compatibility,
    the behaviour is unchanged (i.e. CN is still treated as a DNS name)
    when the certificate does not have an Extended Key Usage extension.
    
    --HG--
    extra : amend_source : c2bbd69eec528ce9be7c89d3d1aa7742c9eb4c49
Name
automation
cmd
coreconf
cpputil
doc
fuzz
gtests
lib
nss-tool
pkg
tests
.arcconfig
.clang-format
.gitignore
.hgignore
.hgtags
.sancov-blacklist
.taskcluster.yml
COPYING
Makefile
build.sh
exports.gyp
help.txt
mach
manifest.mn
nss.gyp
readme.md
trademarks.txt