SECStatus
CERT_FindBasicConstraintExten(CERTCertificate *cert,
CERTBasicConstraints *value)
{
SECItem encodedExtenValue;
SECStatus rv;
encodedExtenValue.data = NULL;
encodedExtenValue.len = 0;
rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
&encodedExtenValue);
if ( rv != SECSuccess ) {
return (rv);
}
rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
/* free the raw extension data */
PORT_Free(encodedExtenValue.data);
encodedExtenValue.data = NULL;
return(rv);
}
// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
Result
CheckBasicConstraints(const BackCert& cert,
EndEntityOrCA endEntityOrCA,
bool isTrustAnchor,
unsigned int subCACount)
{
CERTBasicConstraints basicConstraints;
if (cert.encodedBasicConstraints) {
SECStatus rv = CERT_DecodeBasicConstraintValue(&basicConstraints,
cert.encodedBasicConstraints);
if (rv != SECSuccess) {
return MapSECStatus(rv);
}
} else {
// Synthesize a non-CA basic constraints by default
basicConstraints.isCA = false;
basicConstraints.pathLenConstraint = 0;
// "If the basic constraints extension is not present in a version 3
// certificate, or the extension is present but the cA boolean is not
// asserted, then the certified public key MUST NOT be used to verify
// certificate signatures."
//
// For compatibility, we must accept v1 trust anchors without basic
// constraints as CAs.
//
// TODO: add check for self-signedness?
if (endEntityOrCA == MustBeCA && isTrustAnchor) {
const CERTCertificate* nssCert = cert.GetNSSCert();
der::Input versionDer;
if (versionDer.Init(nssCert->version.data, nssCert->version.len)
!= der::Success) {
return RecoverableError;
}
uint8_t version;
if (der::OptionalVersion(versionDer, version) || der::End(versionDer)
!= der::Success) {
return RecoverableError;
}
if (version == 1) {
basicConstraints.isCA = true;
basicConstraints.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
}
}
}
if (endEntityOrCA == MustBeEndEntity) {
// CA certificates are not trusted as EE certs.
if (basicConstraints.isCA) {
// XXX: We use SEC_ERROR_CA_CERT_INVALID here so we can distinguish
// this error from other errors, given that NSS does not have a "CA cert
// used as end-entity" error code since it doesn't have such a
// prohibition. We should add such an error code and stop abusing
// SEC_ERROR_CA_CERT_INVALID this way.
//
// Note, in particular, that this check prevents a delegated OCSP
// response signing certificate with the CA bit from successfully
// validating when we check it from pkixocsp.cpp, which is a good thing.
//
return Fail(RecoverableError, SEC_ERROR_CA_CERT_INVALID);
}
return Success;
}
PORT_Assert(endEntityOrCA == MustBeCA);
// End-entity certificates are not allowed to act as CA certs.
if (!basicConstraints.isCA) {
return Fail(RecoverableError, SEC_ERROR_CA_CERT_INVALID);
}
if (basicConstraints.pathLenConstraint >= 0) {
if (subCACount >
static_cast<unsigned int>(basicConstraints.pathLenConstraint)) {
return Fail(RecoverableError, SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
}
}
return Success;
}
