
Commit 8520934

committed
Merge branch 'kaoh-master'
2 parents ec381a1 + f4e4176 commit 8520934


8 files changed

+80
-12
lines changed


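--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,12 @@ pg/*.txt
 
 .idea
 
+core/out
+mail/out
+pg/out
+pkix/out
+prov/out
+tls/out
+test/out
+codesigning.jks
+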

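--- a/bc-build.properties
+++ b/bc-build.properties
@@ -4,8 +4,7 @@ release.name: 1.61
 release.version: 1.61.0
 release.debug: false
 
-mail.jar.home: /opt/javamail/mail.jar
-activation.jar.home: /opt/jaf/activation.jar
-#junit.jar.home: /opt/junit4.8.1/junit-4.8.1.jar
-junit.jar.home: /opt/junit/junit.jar
+mail.jar.home: ./libs/mail.jar
+activation.jar.home: ./libs/activation.jar
+junit.jar.home: ./libs/junit.jar
 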
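Review bot: The three `*.jar.home` properties now point at binaries under `libs/` that appear in this same commit (activation.jar, junit.jar, mail.jar), but nothing records where each jar came from, which version it is, or a checksum, so a reviewer or a later maintainer cannot verify what was vendored. A comment above each path would carry that provenance, for example `# vendored copy of <origin URL>, version <VERSION>, sha256 <HASH>` with the placeholders filled in, and the same values kept next to the jars. If the project prefers not to vendor, fetching the jars through a dependency manager with pinned coordinates would make the provenance explicit without the comments.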

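--- a/core/src/main/java/org/bouncycastle/asn1/x509/PKIXNameConstraintValidator.java
+++ b/core/src/main/java/org/bouncycastle/asn1/x509/PKIXNameConstraintValidator.java
@@ -12,7 +12,13 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.x500.RDN;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralSubtree;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Integers;
 import org.bouncycastle.util.Strings;
@@ -392,9 +398,33 @@ private static boolean withinDNSubtree(
 
 for (int j = subtree.size() - 1; j >= 0; j--)
 {
-if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j)))
-{
-return false;
+// both subtree and dns are a ASN.1 Name and the elements are a RDN
+RDN subtreeRdn = RDN.getInstance(subtree.getObjectAt(j));
+dnsiteration:
+for (int k=0; k<dns.size(); k++) {
+RDN dnsRdn = RDN.getInstance(dns.getObjectAt(k));
+// check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
+if (subtreeRdn.size() > 0 && subtreeRdn.size() == dnsRdn.size()) {
+// Two relative distinguished names
+// RDN1 and RDN2 match if they have the same number of naming attributes
+// and for each naming attribute in RDN1 there is a matching naming attribute in RDN2.
+// NOTE: this is checking the attributes in the same order, which might be not necessary, if this is a problem also IETFUtils.rDNAreEqual mus tbe changed.
+for (int l=0; l<subtreeRdn.size(); l++) {
+if (!subtreeRdn.getTypesAndValues()[l].getType().equals(dnsRdn.getTypesAndValues()[l].getType())) {
+continue dnsiteration;
+}
+}
+// use new RFC 5280 comparison, NOTE: this is now different from with RFC 3280, where only binary comparison is used
+// obey RFC 5280 7.1
+// special treatment of serialNumber for GSMA SGP.22 RSP specification
+if (subtreeRdn.size() == 1 && subtreeRdn.getFirst().getType().equals(RFC4519Style.serialNumber)) {
+if (!dnsRdn.getFirst().getValue().toString().startsWith(subtreeRdn.getFirst().getValue().toString())) {
+return false;
+}
+} else if (!IETFUtils.rDNAreEqual(subtreeRdn, dnsRdn)) {
+return false;
+}
+}
 }
 }
 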
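Review bot: In the new `dnsiteration` loop (second hunk, new lines 403-427) a subtree RDN that has no RDN of matching attribute types anywhere in `dns` is never reported: each `k` iteration either fails the size test or leaves via `continue dnsiteration`, the loop ends, and no `return false` is reached, so a constraint such as `O=test org, OU=test org unit` is treated as satisfied by a subject DN whose OU is replaced by another single-attribute RDN (e.g. `O=test org, CN=John Doe`), provided nothing before the hunk rejects it on size. Since `withinDNSubtree` continues outside the hunk and the pre-change code only ever returned false from inside this loop, the method presumably returns true afterwards, which means the constraint is silently widened rather than enforced. The fix is to track whether a type-compatible RDN was found: `boolean matched = false;` before the `k` loop, `matched = true;` immediately after the inner `l` loop completes, and `if (!matched) { return false; }` after the `k` loop. The identical code in prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java (hunk at new line 65) needs the same change, and the comment typo `mus tbe` should read `must be` in both copies.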

libs/activation.jar

67.8 KB
Binary file not shown.

libs/junit.jar

308 KB
Binary file not shown.

libs/mail.jar

496 KB
Binary file not shown.

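--- a/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java
+++ b/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java
@@ -8,9 +8,15 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralSubtree;
 import org.bouncycastle.util.Arrays;
@@ -59,9 +65,33 @@ private static boolean withinDNSubtree(
 
 for (int j = subtree.size() - 1; j >= 0; j--)
 {
-if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j)))
-{
-return false;
+// both subtree and dns are a ASN.1 Name and the elements are a RDN
+RDN subtreeRdn = RDN.getInstance(subtree.getObjectAt(j));
+dnsiteration:
+for (int k=0; k<dns.size(); k++) {
+RDN dnsRdn = RDN.getInstance(dns.getObjectAt(k));
+// check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
+if (subtreeRdn.size() > 0 && subtreeRdn.size() == dnsRdn.size()) {
+// Two relative distinguished names
+// RDN1 and RDN2 match if they have the same number of naming attributes
+// and for each naming attribute in RDN1 there is a matching naming attribute in RDN2.
+// NOTE: this is checking the attributes in the same order, which might be not necessary, if this is a problem also IETFUtils.rDNAreEqual mus tbe changed.
+for (int l=0; l<subtreeRdn.size(); l++) {
+if (!subtreeRdn.getTypesAndValues()[l].getType().equals(dnsRdn.getTypesAndValues()[l].getType())) {
+continue dnsiteration;
+}
+}
+// use new RFC 5280 comparison, NOTE: this is now different from with RFC 3280, where only binary comparison is used
+// obey RFC 5280 7.1
+// special treatment of serialNumber for GSMA SGP.22 RSP specification
+if (subtreeRdn.size() == 1 && subtreeRdn.getFirst().getType().equals(RFC4519Style.serialNumber)) {
+if (!dnsRdn.getFirst().getValue().toString().startsWith(subtreeRdn.getFirst().getValue().toString())) {
+return false;
+}
+} else if (!IETFUtils.rDNAreEqual(subtreeRdn, dnsRdn)) {
+return false;
+}
+}
 }
 }
 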
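Review bot: Of the imports added in the first hunk (new lines 11 and 15-19), `ASN1ObjectIdentifier`, `X500Name` and `BCStyle` are not referenced by any added line, and the second hunk accounts for all remaining additions in this file, so they appear to be unused; the new code needs only `RDN`, `IETFUtils` and `RFC4519Style`. The core copy (core/src/main/java/org/bouncycastle/asn1/x509/PKIXNameConstraintValidator.java) likewise adds `BCStyle` without a use, and its added `GeneralName` and `GeneralSubtree` imports are redundant there because that file already lives in `org.bouncycastle.asn1.x509`. Dropping the unused lines keeps the import list an accurate statement of what each validator depends on.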

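--- a/prov/src/test/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
+++ b/prov/src/test/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
@@ -85,12 +85,12 @@ public class PKIXNameConstraintsTest
 
 private final static String testDNIsConstraint[] =
 { "O=test org, OU=test org unit",
-"O=test org, OU=test org unit, CN=John Doe" };
+"O=test org, OU=test org unit, CN=John Doe",
+"OU=test org unit, O=test org, CN=John Doe",};
 
 private final static String testDNIsNotConstraint[] =
 { "O=test org, OU=test org unit, CN=John Doe2",
 "O=test org, OU=test org unit2",
-"OU=test org unit, O=test org, CN=John Doe",
 "O=test org, OU=test org unit, CN=John Doe, L=USA" };
 
 private final static String testDNS = "abc.test.com";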
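Review bot: `testDNIsNotConstraint` (new lines 90-94) still has no entry in which an attribute type required by the constraint is absent from the subject DN while the RDN count still matches; every remaining entry carries both `O` and `OU`. With the validator now matching RDNs in any order, that is the case most likely to regress, so a line such as `"O=test org, CN=John Doe",` added to the array would pin the intended semantics. The trailing `,}` on the new line 89 is legal but inconsistent with the ` };` closing used on line 94.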
