Bug 969188 - Part 1/3 - Fix mozilla::pkix handling of trusted v1 certificates. r=briansmith

--HG-- extra : rebase_source : 242b4849a7820d23518936a8c86ddcb7d9684394
2024-09-13 09:24:08 -07:00 · 2014-03-06 10:04:04 -08:00 · 2014-03-06 10:04:04 -08:00 · 2d58a01154
commit 2d58a01154
parent 146867598f
1 changed files with 4 additions and 12 deletions
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@ -234,18 +234,10 @@ CheckBasicConstraints(const BackCert& cert,
    // TODO: add check for self-signedness?
    if (endEntityOrCA == MustBeCA && isTrustAnchor) {
      const CERTCertificate* nssCert = cert.GetNSSCert();
-
-      der::Input versionDer;
-      if (versionDer.Init(nssCert->version.data, nssCert->version.len)
-            != der::Success) {
-        return RecoverableError;
-      }
-      uint8_t version;
-      if (der::OptionalVersion(versionDer, version) || der::End(versionDer)
-            != der::Success) {
-        return RecoverableError;
-      }
-      if (version == 1) {
+      // We only allow trust anchor CA certs to omit the
+      // basicConstraints extension if they are v1. v1 is encoded
+      // implicitly.
+      if (!nssCert->version.data && !nssCert->version.len) {
        basicConstraints.isCA = true;
        basicConstraints.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
      }