Bug 1031022: Go back to accepting explicit encoding of v1 for certificates and OCSP responses, r=cviecco

--HG-- extra : rebase_source : f0adf63879a48db6c036cce1a3e9a7b65e44fc4e
2024-09-13 09:24:08 -07:00 · 2014-06-26 17:03:48 -07:00 · 2014-06-26 17:03:48 -07:00 · da88992387
commit da88992387
parent 80f9373ca4
3 changed files with 17 additions and 4 deletions
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@ -58,6 +58,11 @@ BackCert::Init(const SECItem& certDER)
  } else if (nssCert->version.len == 1 &&
             nssCert->version.data[0] == static_cast<uint8_t>(der::Version::v2)) {
    version = der::Version::v2;
+  } else if (nssCert->version.len == 1 &&
+             nssCert->version.data[0] == static_cast<uint8_t>(der::Version::v2)) {
+    // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+    // do here for compatibility reasons.
+    version = der::Version::v1;
  } else if (nssCert->version.len == 0) {
    version = der::Version::v1;
  } else {
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@ -655,6 +655,9 @@ OptionalVersion(Input& input, /*out*/ Version& version)
  switch (integerValue) {
    case static_cast<uint8_t>(Version::v3): version = Version::v3; break;
    case static_cast<uint8_t>(Version::v2): version = Version::v2; break;
+    // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+    // do here for compatibility reasons.
+    case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
    default:
      return Fail(SEC_ERROR_BAD_DER);
  }
--- a/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
@ -167,7 +167,7 @@ TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
  ASSERT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
 }

-TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingNotAllowed)
+TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
 {
  const uint8_t DER_OPTIONAL_VERSION_V1[] = {
    0xa0, 0x03,                   // context specific 0
@ -178,9 +178,14 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingNotAllowed)
  ASSERT_EQ(Success, input.Init(DER_OPTIONAL_VERSION_V1,
                                sizeof DER_OPTIONAL_VERSION_V1));

-  Version version;
-  ASSERT_EQ(Failure, OptionalVersion(input, version));
-  ASSERT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+  // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+  // do here for compatibility reasons.
+  // Version version;
+  // ASSERT_EQ(Failure, OptionalVersion(input, version));
+  // ASSERT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+  Version version = Version::v3;
+  ASSERT_EQ(Success, OptionalVersion(input, version));
+  ASSERT_EQ(Version::v1, version);
 }

 TEST_F(pkixder_pki_types_tests, OptionalVersionV2)