bug 1170303 - treat malformed name information in certificates as a domain name mismatch r=Cykesiopka

2024-09-13 09:24:08 -07:00 · 2015-06-01 13:55:23 -07:00 · 2015-06-01 13:55:23 -07:00 · 08dfe96c6a
commit 08dfe96c6a
parent 9b52f419be
7 changed files with 40 additions and 7 deletions
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@ -488,7 +488,12 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
  }
  result = CheckCertHostname(peerCertInput, hostnameInput);
  if (result != Success) {
-    PR_SetError(MapResultToPRErrorCode(result), 0);
+    // Treat malformed name information as a domain mismatch.
+    if (result == Result::ERROR_BAD_DER) {
+      PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
+    } else {
+      PR_SetError(MapResultToPRErrorCode(result), 0);
+    }
    return SECFailure;
  }

--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -433,7 +433,9 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
      return SECFailure;
    }
    result = CheckCertHostname(certInput, hostnameInput);
-    if (result == Result::ERROR_BAD_CERT_DOMAIN) {
+    // Treat malformed name information as a domain mismatch.
+    if (result == Result::ERROR_BAD_DER ||
+        result == Result::ERROR_BAD_CERT_DOMAIN) {
      collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
      errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
    } else if (result != Success) {
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@ -47,7 +47,7 @@ function check_telemetry() {
        "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE counts should match");
  equal(histogram.counts[ 8], 2,
        "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED counts should match");
-  equal(histogram.counts[ 9], 6,
+  equal(histogram.counts[ 9], 10,
        "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN counts should match");
  equal(histogram.counts[10], 5,
        "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE counts should match");
@ -72,7 +72,7 @@ function check_telemetry() {
        "Actual and expected unchecked key size counts should match");
  equal(keySizeHistogram.counts[1], 0,
        "Actual and expected successful verifications of 2048-bit keys should match");
-  equal(keySizeHistogram.counts[2], 4,
+  equal(keySizeHistogram.counts[2], 12,
        "Actual and expected successful verifications of 1024-bit keys should match");
  equal(keySizeHistogram.counts[3], 48,
        "Actual and expected key size verification failures should match");
@ -129,9 +129,16 @@ function add_simple_tests() {
  add_cert_override_test("md5signature.example.com",
                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+  // This has name information in the subject alternative names extension,
+  // but not the subject common name.
  add_cert_override_test("mismatch.example.com",
                         Ci.nsICertOverrideService.ERROR_MISMATCH,
                         SSL_ERROR_BAD_CERT_DOMAIN);
+  // This has name information in the subject common name but not the subject
+  // alternative names extension.
+  add_cert_override_test("mismatch-CN.example.com",
+                         Ci.nsICertOverrideService.ERROR_MISMATCH,
+                         SSL_ERROR_BAD_CERT_DOMAIN);

  // A Microsoft IIS utility generates self-signed certificates with
  // properties similar to the one this "host" will present (see
@ -152,7 +159,8 @@ function add_simple_tests() {
    setCertTrust(rootCert, ",,");
    run_next_test();
  });
-  add_non_overridable_test("badSubjectAltNames.example.com", SEC_ERROR_BAD_DER);
+  add_non_overridable_test("nsCertTypeCritical.example.com",
+                           SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
  add_test(function() {
    let rootCert = constructCertFromFile("tlsserver/test-ca.der");
    setCertTrust(rootCert, "CTu,,");
@ -205,6 +213,16 @@ function add_simple_tests() {
  // small and terminates the connection. The error is not overridable.
  add_non_overridable_test("inadequate-key-size-ee.example.com",
                           SSL_ERROR_WEAK_SERVER_CERT_KEY);
+
+  add_cert_override_test("ipAddressAsDNSNameInSAN.example.com",
+                         Ci.nsICertOverrideService.ERROR_MISMATCH,
+                         SSL_ERROR_BAD_CERT_DOMAIN);
+  add_cert_override_test("noValidNames.example.com",
+                         Ci.nsICertOverrideService.ERROR_MISMATCH,
+                         SSL_ERROR_BAD_CERT_DOMAIN);
+  add_cert_override_test("badSubjectAltNames.example.com",
+                         Ci.nsICertOverrideService.ERROR_MISMATCH,
+                         SSL_ERROR_BAD_CERT_DOMAIN);
 }

 function add_combo_tests() {
--- a/security/manager/ssl/tests/unit/tlsserver/cert9.db
+++ b/security/manager/ssl/tests/unit/tlsserver/cert9.db
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@ -33,6 +33,7 @@ const BadCertHost sBadCertHosts[] =
  { "selfsigned.example.com", "selfsigned" },
  { "unknownissuer.example.com", "unknownissuer" },
  { "mismatch.example.com", "mismatch" },
+  { "mismatch-CN.example.com", "mismatchCN" },
  { "expiredissuer.example.com", "expiredissuer" },
  { "notyetvalidissuer.example.com", "notYetValidIssuer" },
  { "before-epoch-issuer.example.com", "beforeEpochIssuer" },
@ -71,6 +72,8 @@ const BadCertHost sBadCertHosts[] =
  { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
  { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
  { "badSubjectAltNames.example.com", "badSubjectAltNames" },
+  { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
+  { "noValidNames.example.com", "noValidNames" },
  { nullptr, nullptr }
 };

--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@ -178,6 +178,8 @@ function make_EE {
  SUBJECT_ALT_NAME="${4}"
  EXTRA_ARGS="${5} ${6}"

+  [ -z "$SUBJECT_ALT_NAME" ] && SUBJECT_ALT_NAME_PART="" || SUBJECT_ALT_NAME_PART="-8 $SUBJECT_ALT_NAME"
+
  cert_already_exists $NICKNAME
  if [ $ALREADY_EXISTS -eq 1 ]; then
    echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
@ -187,7 +189,7 @@ function make_EE {
  echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
                                                     -n $NICKNAME \
                                                     -s "$SUBJECT" \
-                                                     -8 $SUBJECT_ALT_NAME \
+                                                     $SUBJECT_ALT_NAME_PART \
                                                     -c $CA \
                                                     -t ",," \
                                                     -m $SERIALNO \
@ -276,7 +278,10 @@ make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "l
 make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
 export_cert expired expired-ee.der
 make_EE notYetValid 'CN=Not Yet Valid Test End-entity' testCA "notyetvalid.example.com" "-w 400"
-make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
+make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com,*.alsodoesntmatch.example.com"
+make_EE mismatchCN 'CN=doesntmatch.example.com' testCA
+make_EE ipAddressAsDNSNameInSAN 'CN=127.0.0.1' testCA "127.0.0.1"
+make_EE noValidNames 'CN=End-entity with no valid names' testCA
 make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
 # If the certificate 'CN=Test Intermediate' isn't loaded into memory,
 # this certificate will have an unknown issuer.
--- a/security/manager/ssl/tests/unit/tlsserver/key4.db
+++ b/security/manager/ssl/tests/unit/tlsserver/key4.db