mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 969188 - Part 1/3 - Fix mozilla::pkix handling of trusted v1 certificates. r=briansmith
--HG-- extra : rebase_source : 242b4849a7820d23518936a8c86ddcb7d9684394
This commit is contained in:
parent
146867598f
commit
2d58a01154
@ -234,18 +234,10 @@ CheckBasicConstraints(const BackCert& cert,
|
||||
// TODO: add check for self-signedness?
|
||||
if (endEntityOrCA == MustBeCA && isTrustAnchor) {
|
||||
const CERTCertificate* nssCert = cert.GetNSSCert();
|
||||
|
||||
der::Input versionDer;
|
||||
if (versionDer.Init(nssCert->version.data, nssCert->version.len)
|
||||
!= der::Success) {
|
||||
return RecoverableError;
|
||||
}
|
||||
uint8_t version;
|
||||
if (der::OptionalVersion(versionDer, version) || der::End(versionDer)
|
||||
!= der::Success) {
|
||||
return RecoverableError;
|
||||
}
|
||||
if (version == 1) {
|
||||
// We only allow trust anchor CA certs to omit the
|
||||
// basicConstraints extension if they are v1. v1 is encoded
|
||||
// implicitly.
|
||||
if (!nssCert->version.data && !nssCert->version.len) {
|
||||
basicConstraints.isCA = true;
|
||||
basicConstraints.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user