Bug 969188 - Part 2/3 - mozilla::pkix only decode v3 extensions in v3 certificates. r=briansmith

--HG-- extra : rebase_source : 86e58ccf8538d0f40d3b24b89a92dceac095cb21
2025-01-09 13:25:00 +00:00 · 2014-03-06 10:04:04 -08:00 · 2014-03-06 10:04:04 -08:00 · 0b1f14ef5a
commit 0b1f14ef5a
parent a97f568c99
1 changed files with 10 additions and 0 deletions
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@ -37,6 +37,16 @@ BackCert::Init()
  if (!exts) {
    return Success;
  }
+  // We only decode v3 extensions for v3 certificates for two reasons.
+  // 1. They make no sense in non-v3 certs
+  // 2. An invalid cert can embed a basic constraints extension and the
+  //    check basic constrains will asume that this is valid. Making it
+  //    posible to create chains with v1 and v2 intermediates with is
+  //    not desirable.
+  if (! (nssCert->version.len == 1 &&
+      nssCert->version.data[0] == mozilla::pkix::der::Version::v3)) {
+    return Fail(RecoverableError, SEC_ERROR_EXTENSION_VALUE_INVALID);
+  }

  const SECItem* dummyEncodedSubjectKeyIdentifier = nullptr;
  const SECItem* dummyEncodedAuthorityKeyIdentifier = nullptr;