Bug 1107790 - Remove support for absolute hostnames in presented DNS IDs and name constraints
Status: Closed, RESOLVED FIXED
Opened 11 years ago; closed 11 years ago
Categories: Core :: Security: PSM, defect
Tracking: mozilla37
People: Reporter: briansmith, Assigned: briansmith
Keywords: dev-doc-complete, site-compat
Attachments (1 file): patch, 16.63 KB, keeler: review+
I think we're being a little too liberal in supporting the absolute DNS ID syntax for presented IDs (hostnames in the CN of the subject, and DNSNames in SubjectAltName). RFC 5280 and related standards do not suggest any syntax that supports the trailing dot.
We still have to support absolute *reference DNS IDs*, but we should remove the support for the other forms.
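To make the distinction in the description concrete, here is an added C++ sketch (not mozilla::pkix code and not part of this patch) of the trailing-dot rule: a reference DNS ID may be absolute, but a presented DNS ID or a name constraint may not, and matching ignores the reference's trailing dot. The function names echo the pkixnames.cpp hunks reviewed below, but their bodies, the ReferenceID and PresentedID enumerators, and the label rules are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
// Added example (not mozilla::pkix code) of the trailing-dot rule this bug describes;
// only ValidDNSIDMatchType::NameConstraint comes from the patch, the rest is assumed.
enum class ValidDNSIDMatchType { ReferenceID, PresentedID, NameConstraint };

// One LDH label: 1..63 chars of [A-Za-z0-9-], no leading/trailing hyphen
// (wildcards and leading-dot name-constraint forms are out of scope).
static bool IsValidLabel(const std::string& label) {
  if (label.empty() || label.size() > 63) return false;
  if (label.front() == '-' || label.back() == '-') return false;
  for (unsigned char c : label) {
    if (!std::isalnum(c) && c != '-') return false;
  }
  return true;
}

// Only a reference ID (the name the client asked for) may end in a single
// '.'; a presented ID (CN / SAN dNSName) or a name constraint may not.
bool IsValidDNSID(const std::string& id, ValidDNSIDMatchType type) {
  std::string s = id;
  if (!s.empty() && s.back() == '.') {
    if (type != ValidDNSIDMatchType::ReferenceID) return false;
    s.pop_back();  // absolute reference ID: validate the relative form
  }
  if (s.empty() || s.size() > 253) return false;
  for (size_t start = 0;;) {
    size_t dot = s.find('.', start);
    if (!IsValidLabel(s.substr(start, dot - start))) return false;
    if (dot == std::string::npos) return true;
    start = dot + 1;
  }
}
// Case-insensitive match that ignores the reference's trailing dot: a cert
// naming "example.com" matches a lookup of "example.com.", while a cert
// naming "example.com." is rejected outright.
bool PresentedDNSIDMatchesReferenceDNSID(const std::string& presented,
                                         const std::string& reference) {
  if (!IsValidDNSID(presented, ValidDNSIDMatchType::PresentedID)) return false;
  if (!IsValidDNSID(reference, ValidDNSIDMatchType::ReferenceID)) return false;
  std::string ref = reference;
  if (ref.back() == '.') ref.pop_back();
  auto eq = [](unsigned char a, unsigned char b) {
    return std::tolower(a) == std::tolower(b);
  };
  return ref.size() == presented.size() &&
         std::equal(ref.begin(), ref.end(), presented.begin(), eq);
}
```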
Attachment #8532349 - Flags: review?(dkeeler)
Comment 1 • 11 years ago
Comment on attachment 8532349 [details] [diff] [review]
remove-absolute-DNS-ID-cert-support.patch
Review of attachment 8532349 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM - just two items to address.
::: security/pkix/lib/pkixnames.cpp
@@ +757,5 @@
> case GeneralNameType::dNSName:
> matches = PresentedDNSIDMatchesReferenceDNSID(
> presentedID, ValidDNSIDMatchType::NameConstraint, base);
> + if (!matches &&
> + !IsValidDNSID(base, ValidDNSIDMatchType::NameConstraint)) {
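Review bot: the `!matches &&` guard on the new condition reads as a short-circuit that relies on PresentedDNSIDMatchesReferenceDNSID returning true only when `base` is itself a valid name constraint; that invariant is not stated in the hunk, so a one-line comment above the `if` should say so, otherwise a reader may take an invalid-but-matching `base` to be deliberately passed through. The body of the `if` lies outside the shown context, so which error is returned for an invalid `base` cannot be checked here.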
I'm not sure I understand why we have '!matches &&' here - is that an optimization? (Because if matches is true, then we already know base is a valid DNSID as a name constraint.) We should probably document that, if so.
@@ +1072,5 @@
> if (!isFirstPresentedByte && StartsWithIDNALabel(referenceDNSID)) {
> return false;
> }
> + }
> + else {
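Review bot: the added `}` and `else {` at the end of the hunk split the brace and the `else` across two lines instead of the usual one-line `} else {` form; the body of the new else branch and the condition it pairs with both fall outside the shown context, so what that branch does when the reference ID does not start with an IDNA label should be confirmed against the full diff.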
nit: '} else {' all on one line, unless there's a compelling reason not to
Attachment #8532349 - Flags: review?(dkeeler) → review+
Comment 2 (Assignee) • 11 years ago
Comment 3 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 4 • 11 years ago
Added to the compat doc: https://developer.mozilla.org/en-US/Firefox/Releases/37/Site_Compatibility
Keywords: dev-doc-complete, site-compat