Bug 371685 allow unsupported critical extensions in special builds.

r=rrelyea,wtc git-svn-id: svn://10.0.0.236/trunk@225562 18797224-902f-48f8-a5cc-f745e15eee43
2007-05-04 05:15:43 +00:00 · 2007-05-04 05:15:43 +00:00 · 874bd204fc
commit 874bd204fc
parent b428fd379d
4 changed files with 74 additions and 17 deletions
--- a/mozilla/security/coreconf/config.mk
+++ b/mozilla/security/coreconf/config.mk
@ -181,3 +181,7 @@ endif
 ifdef NSS_ECC_MORE_THAN_SUITE_B
 DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
 endif
+
+ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
+DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
+endif
--- a/mozilla/security/nss/lib/nss/nss.h
+++ b/mozilla/security/nss/lib/nss/nss.h
@ -36,7 +36,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.50 2006-12-06 19:51:30 wtchang%redhat.com Exp $ */
+/* $Id: nss.h,v 1.51 2007-05-04 05:15:43 nelson%bolyard.com Exp $ */

 #ifndef __nss_h_
 #define __nss_h_
@ -56,6 +56,13 @@ SEC_BEGIN_PROTOS
 #define _NSS_ECC_STRING ""
 #endif

+/* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define _NSS_CUSTOMIZED " (Customized build)"
+#else
+#define _NSS_CUSTOMIZED 
+#endif
+
 /*
 * NSS's major version, minor version, patch level, and whether
 * this is a beta release.
@ -63,7 +70,7 @@ SEC_BEGIN_PROTOS
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION  "3.12" _NSS_ECC_STRING " Beta"
+#define NSS_VERSION  "3.12" _NSS_ECC_STRING " Beta" _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
 #define NSS_VPATCH   0
--- a/mozilla/security/nss/lib/util/secoid.c
+++ b/mozilla/security/nss/lib/util/secoid.c
@ -322,7 +322,7 @@ CONST_OID netscapeAOLScreenname[] 	= { NETSCAPE_NAME_COMPONENTS, 0x02 };
 CONST_OID netscapeRecoveryRequest[] 	= { NETSCAPE_CERT_SERVER_CRMF, 0x01 };


-/* Standard x.509 v3 Certificate Extensions */
+/* Standard x.509 v3 Certificate & CRL Extensions */
 CONST_OID x509SubjectDirectoryAttr[]  		= { ID_CE_OID,  9 };
 CONST_OID x509SubjectKeyID[]          		= { ID_CE_OID, 14 };
 CONST_OID x509KeyUsage[]              		= { ID_CE_OID, 15 };
@ -330,6 +330,13 @@ CONST_OID x509PrivateKeyUsagePeriod[] 		= { ID_CE_OID, 16 };
 CONST_OID x509SubjectAltName[]        		= { ID_CE_OID, 17 };
 CONST_OID x509IssuerAltName[]         		= { ID_CE_OID, 18 };
 CONST_OID x509BasicConstraints[]      		= { ID_CE_OID, 19 };
+CONST_OID x509CRLNumber[]                    	= { ID_CE_OID, 20 };
+CONST_OID x509ReasonCode[]                   	= { ID_CE_OID, 21 };
+CONST_OID x509HoldInstructionCode[]             = { ID_CE_OID, 23 };
+CONST_OID x509InvalidDate[]                     = { ID_CE_OID, 24 };
+CONST_OID x509DeltaCRLIndicator[]               = { ID_CE_OID, 27 };
+CONST_OID x509IssuingDistributionPoint[]        = { ID_CE_OID, 28 };
+CONST_OID x509CertIssuer[]                      = { ID_CE_OID, 29 };
 CONST_OID x509NameConstraints[]       		= { ID_CE_OID, 30 };
 CONST_OID x509CRLDistPoints[]         		= { ID_CE_OID, 31 };
 CONST_OID x509CertificatePolicies[]   		= { ID_CE_OID, 32 };
@ -337,12 +344,12 @@ CONST_OID x509PolicyMappings[]        		= { ID_CE_OID, 33 };
 CONST_OID x509AuthKeyID[]             		= { ID_CE_OID, 35 };
 CONST_OID x509PolicyConstraints[]     		= { ID_CE_OID, 36 };
 CONST_OID x509ExtKeyUsage[]           		= { ID_CE_OID, 37 };
-CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS, 1 };
+CONST_OID x509FreshestCRL[]           		= { ID_CE_OID, 46 };
+CONST_OID x509InhibitAnyPolicy[]           	= { ID_CE_OID, 54 };
+
+CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS,  1 };
+CONST_OID x509SubjectInfoAccess[]               = { PKIX_CERT_EXTENSIONS, 11 };

-/* Standard x.509 v3 CRL Extensions */
-CONST_OID x509CrlNumber[]                    	= { ID_CE_OID, 20};
-CONST_OID x509ReasonCode[]                   	= { ID_CE_OID, 21};
-CONST_OID x509InvalidDate[]                  	= { ID_CE_OID, 24};

 /* pkcs 12 additions */
 CONST_OID pkcs12[]                           = { PKCS12 };
@ -554,6 +561,12 @@ CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
 #define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
 #endif

+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define FAKE_SUPPORTED_CERT_EXTENSION   SUPPORTED_CERT_EXTENSION
+#else
+#define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION
+#endif
+
 /*
 * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
 */
@ -794,7 +807,7 @@ const static SECOidData oids[] = {
        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
    OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 
 	"Certificate Issuer Alt Name",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
    OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 
 	"Certificate Basic Constraints",
 	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@ -803,16 +816,16 @@ const static SECOidData oids[] = {
 	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
    OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 
 	"CRL Distribution Points",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+	CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
    OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
 	"Certificate Policies",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
    OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 
 	"Certificate Policy Mappings",
        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
    OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 
 	"Certificate Policy Constraints",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
    OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 
 	"Certificate Authority Key Identifier",
 	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@ -824,7 +837,7 @@ const static SECOidData oids[] = {
        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),

    /* x.509 v3 CRL extensions */
-    OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER, 
+    OD( x509CRLNumber, SEC_OID_X509_CRL_NUMBER, 
 	"CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
    OD( x509ReasonCode, SEC_OID_X509_REASON_CODE, 
 	"CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
@ -1484,6 +1497,29 @@ const static SECOidData oids[] = {
 	"X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM,
 	INVALID_CERT_EXTENSION ),

+    /* More id-ce and id-pe OIDs from RFC 3280 */
+    OD( x509HoldInstructionCode,      SEC_OID_X509_HOLD_INSTRUCTION_CODE,
+        "CRL Hold Instruction Code",  CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509DeltaCRLIndicator,        SEC_OID_X509_DELTA_CRL_INDICATOR,
+        "Delta CRL Indicator",        CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
+        "Issuing Distribution Point", CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509CertIssuer,               SEC_OID_X509_CERT_ISSUER,
+        "Certificate Issuer Extension",CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509FreshestCRL,              SEC_OID_X509_FRESHEST_CRL,
+        "Freshest CRL",               CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509InhibitAnyPolicy,         SEC_OID_X509_INHIBIT_ANY_POLICY,
+        "Inhibit Any Policy",         CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509SubjectInfoAccess,        SEC_OID_X509_SUBJECT_INFO_ACCESS,
+        "Subject Info Access",        CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+
    /* Camellia algorithm OIDs */
    OD( camellia128_CBC, SEC_OID_CAMELLIA_128_CBC,
 	"CAMELLIA-128-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
@ -1491,6 +1527,7 @@ const static SECOidData oids[] = {
 	"CAMELLIA-192-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
    OD( camellia256_CBC, SEC_OID_CAMELLIA_256_CBC,
 	"CAMELLIA-256-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
+
 };

 /*
--- a/mozilla/security/nss/lib/util/secoidt.h
+++ b/mozilla/security/nss/lib/util/secoidt.h
@ -40,7 +40,7 @@
 /*
 * secoidt.h - public data structures for ASN.1 OID functions
 *
- * $Id: secoidt.h,v 1.21 2007-02-28 19:47:36 rrelyea%redhat.com Exp $
+ * $Id: secoidt.h,v 1.22 2007-05-04 05:15:43 nelson%bolyard.com Exp $
 */

 #include "secitem.h"
@ -414,10 +414,19 @@ typedef enum {
    SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279,
    SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,

+    /* More id-ce and id-pe OIDs from RFC 3280 */
+    SEC_OID_X509_HOLD_INSTRUCTION_CODE      = 281,
+    SEC_OID_X509_DELTA_CRL_INDICATOR        = 282,
+    SEC_OID_X509_ISSUING_DISTRIBUTION_POINT = 283,
+    SEC_OID_X509_CERT_ISSUER                = 284,
+    SEC_OID_X509_FRESHEST_CRL               = 285,
+    SEC_OID_X509_INHIBIT_ANY_POLICY         = 286,
+    SEC_OID_X509_SUBJECT_INFO_ACCESS        = 287,
+
    /* Camellia OIDs (RFC3657)*/
-    SEC_OID_CAMELLIA_128_CBC = 281,
-    SEC_OID_CAMELLIA_192_CBC = 282,
-    SEC_OID_CAMELLIA_256_CBC = 283,
+    SEC_OID_CAMELLIA_128_CBC                = 288,
+    SEC_OID_CAMELLIA_192_CBC                = 289,
+    SEC_OID_CAMELLIA_256_CBC                = 290,

    SEC_OID_TOTAL
 } SECOidTag;