
Commit 4ec02c7

committed
completed DN comparison, added special handling for serial numbers
1 parent 02d0a89 commit 4ec02c7


3 files changed

+24
-5
lines changed


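--- a/.gitignore
+++ b/.gitignore
@@ -24,4 +24,5 @@ pkix/out
 prov/out
 tls/out
 test/out
+codesigning.jks
 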

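--- a/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java
+++ b/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java
@@ -8,10 +8,13 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERIA5String;
 import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.bouncycastle.asn1.x500.style.IETFUtils;
 import org.bouncycastle.asn1.x500.style.RFC4519Style;
 import org.bouncycastle.asn1.x509.GeneralName;
@@ -64,13 +67,28 @@ private static boolean withinDNSubtree(
 {
 // both subtree and dns are a ASN.1 Name and the elements are a RDN
 RDN subtreeRdn = RDN.getInstance(subtree.getObjectAt(j));
+dnsiteration:
 for (int k=0; k<dns.size(); k++) {
 RDN dnsRdn = RDN.getInstance(dns.getObjectAt(k));
-// type must match, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
-if (subtreeRdn.getFirst().getType().equals(dnsRdn.getFirst().getType())) {
+// check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
+if (subtreeRdn.size() > 0 && subtreeRdn.size() == dnsRdn.size()) {
+// Two relative distinguished names
+// RDN1 and RDN2 match if they have the same number of naming attributes
+// and for each naming attribute in RDN1 there is a matching naming attribute in RDN2.
+// NOTE: this is checking the attributes in the same order, which might be not necessary, if this is a problem also IETFUtils.rDNAreEqual mus tbe changed.
+for (int l=0; l<subtreeRdn.size(); l++) {
+if (!subtreeRdn.getTypesAndValues()[l].getType().equals(dnsRdn.getTypesAndValues()[l].getType())) {
+continue dnsiteration;
+}
+}
 // use new RFC 5280 comparison, NOTE: this is not different from with RFC 3280, where only binary comparison is used
 // obey RFC 5280 7.1
-if (!IETFUtils.rDNAreEqual(subtreeRdn, dnsRdn)) {
+// special treatment of serialNumber for GSMA SGP.22 RSP specification
+if (subtreeRdn.size() == 1 && subtreeRdn.getFirst().getType().equals(RFC4519Style.serialNumber)) {
+if (!dnsRdn.getFirst().getValue().toString().startsWith(subtreeRdn.getFirst().getValue().toString())) {
+return false;
+}
+} else if (!IETFUtils.rDNAreEqual(subtreeRdn, dnsRdn)) {
 return false;
 }
 }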
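Review bot: The serialNumber branch at new lines 86-90 turns an exact RDN match into a string prefix test, so a constraint of serialNumber=12 now admits any subject whose serialNumber begins with "12", and a constraint whose serialNumber value is empty (if the encoder allows one) admits every serialNumber; since a name constraint is an issuance boundary, this relaxation should be stated in the comment as a deliberate deviation from RFC 5280 7.1 and ideally confined to the GSMA profile rather than applied to every serialNumber constraint. The branch also compares `getValue().toString()` on both sides with no normalisation, whereas the `IETFUtils.rDNAreEqual` path it bypasses canonicalises values as far as I recall, so the same serialNumber encoded with different string types or case may be accepted on one path and rejected on the other — worth a test next to the DN ordering cases added in PKIXNameConstraintsTest. A small guard would at least close the empty-prefix case: `String prefix = subtreeRdn.getFirst().getValue().toString();` followed by `if (prefix.length() == 0 || !dnsRdn.getFirst().getValue().toString().startsWith(prefix)) { return false; }`. Hunk 1 adds imports for ASN1ObjectIdentifier, X500Name and BCStyle that nothing in the visible hunks uses; if they are not referenced elsewhere in the file they should be dropped. withinDNSubtree begins before the hunk and its loop over subtree RDNs continues after it.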

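--- a/prov/src/test/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
+++ b/prov/src/test/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
@@ -85,12 +85,12 @@ public class PKIXNameConstraintsTest
 
 private final static String testDNIsConstraint[] =
 { "O=test org, OU=test org unit",
-"O=test org, OU=test org unit, CN=John Doe" };
+"O=test org, OU=test org unit, CN=John Doe",
+"OU=test org unit, O=test org, CN=John Doe",};
 
 private final static String testDNIsNotConstraint[] =
 { "O=test org, OU=test org unit, CN=John Doe2",
 "O=test org, OU=test org unit2",
-"OU=test org unit, O=test org, CN=John Doe",
 "O=test org, OU=test org unit, CN=John Doe, L=USA" };
 
 private final static String testDNS = "abc.test.com";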
