corrected subtree name constraint handling according RFC 5280 RF 7.1

merrymode · Apr 6, 2019 · 02d0a89 · 02d0a89
1 parent ca8f53f
commit 02d0a89
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,11 @@ pg/*.txt
 
 .idea
 
+core/out
+mail/out
+pg/out
+pkix/out
+prov/out
+tls/out
+test/out
+
diff --git a/ant/bc+-build.xml b/ant/bc+-build.xml
@@ -3,6 +3,9 @@
 <project name="crypto.bcbuild" default="build" basedir=".">
 
     <property file="bc-build.properties" />
+    <echo message="Mail home: ${mail.jar.home}"/>
+    <echo message="Junit home: ${junit.jar.home}"/>
+    <echo message="Activation home: ${activation.jar.home}"/>
     <property environment="env" />
 
     <property name="target.name" value="${target.prefix}-${release.suffix}" />
@@ -282,7 +285,7 @@
         </copy>
 
         <javac source="${bc.javac.source}" target="${bc.javac.target}"
-            srcdir="${lcrypto.target.src.dir}"
+            srcdir="${lcrypto.target.src.dir}" verbose="true"
             destdir="${lcrypto.target.classes.dir}"
 	    memoryMaximumSize="512m"
             fork="true"
@@ -1117,7 +1120,7 @@
     -->
     <target name="zip-src" depends="zip-src-check, zip-src-jce, zip-src-jce-ext, zip-src-provider, zip-src-provider-ext">
         <zip basedir="${mail.target.src.dir}" destfile="${mail.target.src.zip}" />
-        <delete dir="${mail.target.src.dir}" />
+        <delete dir="${mail.target.src.dir}"/>
         <zip basedir="${pkix.target.src.dir}" destfile="${pkix.target.src.zip}" />
         <delete dir="${pkix.target.src.dir}" />
         <zip basedir="${pg.target.src.dir}" destfile="${pg.target.src.zip}" />

diff --git a/bc-build.properties b/bc-build.properties
@@ -2,10 +2,9 @@
 release.suffix: 161
 release.name: 1.61
 release.version: 1.61.0
-release.debug: false
+release.debug: true
 
-mail.jar.home: /opt/javamail/mail.jar
-activation.jar.home: /opt/jaf/activation.jar
-#junit.jar.home: /opt/junit4.8.1/junit-4.8.1.jar
-junit.jar.home: /opt/junit/junit.jar
+mail.jar.home: ./libs/mail.jar
+activation.jar.home:  ./libs/activation.jar
+junit.jar.home:  ./libs/junit.jar
 
diff --git a/libs/activation.jar b/libs/activation.jar
diff --git a/libs/junit.jar b/libs/junit.jar
diff --git a/libs/mail.jar b/libs/mail.jar
diff --git a/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java b/prov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java
@@ -11,6 +11,9 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralSubtree;
 import org.bouncycastle.util.Arrays;
@@ -59,9 +62,18 @@ private static boolean withinDNSubtree(
 
         for (int j = subtree.size() - 1; j >= 0; j--)
         {
-            if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j)))
-            {
-                return false;
+            // both subtree and dns are a ASN.1 Name and the elements are a RDN
+            RDN subtreeRdn = RDN.getInstance(subtree.getObjectAt(j));
+            for (int k=0; k<dns.size(); k++) {
+                RDN dnsRdn = RDN.getInstance(dns.getObjectAt(k));
+                // type must match, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
+                if (subtreeRdn.getFirst().getType().equals(dnsRdn.getFirst().getType())) {
+                    // use new RFC 5280 comparison, NOTE: this is not different from with RFC 3280, where only binary comparison is used
+                    // obey RFC 5280 7.1
+                    if (!IETFUtils.rDNAreEqual(subtreeRdn, dnsRdn)) {
+                        return false;
+                    }
+                }
             }
         }