Bug 1111399, Part 1: Preconditions for RFC822 name constraints, r=keeler

--HG--
extra : rebase_source : cd20b448a6c77ba27c86cb3d8e6c121f92a2ba93

security/pkix/include/pkix/Input.h

@@ -250,7 +250,7 @@ public:
     return Success;
   }
 
-  Result Skip(Input::size_type len, Input& skipped)
+  Result Skip(Input::size_type len, /*out*/ Input& skipped)
   {
     Result rv = EnsureLength(len);
     if (rv != Success) {
@@ -269,6 +269,11 @@ public:
     input = end;
   }
 
+  void SkipToEnd(/*out*/ Input& skipped)
+  {
+    (void) Skip(static_cast<size_t>(end - input), skipped);
+  }
+
   Result EnsureLength(Input::size_type len)
   {
     if (static_cast<size_t>(end - input) < len) {
@@ -319,6 +324,21 @@ private:
   void operator=(const Reader&) /* = delete */;
 };
 
+inline bool
+InputContains(const Input& input, uint8_t toFind)
+{
+  Reader reader(input);
+  for (;;) {
+    uint8_t b;
+    if (reader.Read(b) != Success) {
+      return false;
+    }
+    if (b == toFind) {
+      return true;
+    }
+  }
+}
+
 } } // namespace mozilla::pkix
 
 #endif // mozilla_pkix__Input_h

security/pkix/include/pkix/Result.h

@@ -128,6 +128,8 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800;
                      MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA) \
     MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, \
                      SSL_ERROR_BAD_CERT_DOMAIN) \
+    MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43, \
+                     MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
                      SEC_ERROR_INVALID_ARGS) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \

security/pkix/include/pkix/bind.h

@@ -56,6 +56,7 @@ using std::ref;
 using std::placeholders::_1;
 using std::placeholders::_2;
 using std::placeholders::_3;
+using std::placeholders::_4;
 
 #else
 
@@ -144,6 +145,25 @@ private:
   void operator=(const BindToMemberFunction4&) /*= delete*/;
 };
 
+template <typename R, typename P1, typename B1, typename B2, typename B3,
+          typename B4, typename B5>
+class Bind5
+{
+public:
+  typedef R (&F)(P1&, B1, B2, B3, B4, B5);
+  Bind5(F f, B1 b1, B2 b2, B3 b3, B4 b4, B5 b5)
+    : f(f), b1(b1), b2(b2), b3(b3), b4(b4), b5(b5) { }
+  R operator()(P1& p1) const { return f(p1, b1, b2, b3, b4, b5); }
+private:
+  const F f;
+  B1 b1;
+  B2 b2;
+  B3 b3;
+  B4 b4;
+  B5 b5;
+  void operator=(const Bind5&) /*= delete*/;
+};
+
 } // namespace internal
 
 template <typename R, typename P1, typename B1>
@@ -186,6 +206,15 @@ bind(R (C1::*f)(P1&, P2&, P3, P4&), C1* that, Placeholder1&, Placeholder2&,
   return internal::BindToMemberFunction4<R, C1, P1, P2, P3, P4>(f, that);
 }
 
+template <typename R, typename P1, typename B1, typename B2, typename B3,
+          typename B4, typename B5>
+inline internal::Bind5<R, P1, B1, B2, B3, B4, B5&>
+bind(R (&f)(P1&, B1, B2, B3, B4, B5&), Placeholder1&, B1 b1, B2 b2, B3 b3,
+     B4 b4, B5& b5)
+{
+  return internal::Bind5<R, P1, B1, B2, B3, B4, B5&>(f, b1, b2, b3, b4, b5);
+}
+
 #endif
 
 } } // namespace mozilla::pkix

security/pkix/include/pkix/pkixnss.h

@@ -74,6 +74,7 @@ enum ErrorCode {
   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
   MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
+  MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
 };
 
 void RegisterErrorTable();

security/pkix/lib/pkixder.h

@@ -69,6 +69,7 @@ enum Tag
   SET = UNIVERSAL | CONSTRUCTED | 0x11, // 0x31
   PrintableString = UNIVERSAL | 0x13,
   TeletexString = UNIVERSAL | 0x14,
+  IA5String = UNIVERSAL | 0x16,
   UTCTime = UNIVERSAL | 0x17,
   GENERALIZED_TIME = UNIVERSAL | 0x18,
 };

security/pkix/lib/pkixnss.cpp

@@ -246,6 +246,8 @@ RegisterErrorTable()
       "An X.509 version 1 certificate that is not a trust anchor was used to "
       "issue the server's certificate. X.509 version 1 certificates are "
       "deprecated and should not be used to sign other certificates." },
+    { "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
+      "The certificate is not valid for the given email address." },
   };
   // Note that these error strings are not localizable.
   // When these strings change, update the localization information too.