Bug 1047177 - Treat v4 certs as v3 certs (1/2). r=keeler.

--HG-- extra : rebase_source : 4cfb69672aa54274bb4ee850f23f0bbbe8e9e49f
2014-08-21 14:47:25 -07:00 · 2014-08-21 14:47:25 -07:00 · a7b51fb02b
--- a/security/pkix/lib/pkixcert.cpp
+++ b/security/pkix/lib/pkixcert.cpp
@ -146,7 +146,10 @@ BackCert::Init()
  }

  // Extensions were added in v3, so only accept extensions in v3 certificates.
-  if (version == der::Version::v3) {
+  // v4 certificates are not defined but there are some certificates issued
+  // with v4 that expect v3 decoding. For compatibility reasons we handle them
+  // as v3 certificates.
+  if (version == der::Version::v3 || version == der::Version::v4) {
    rv = der::OptionalExtensions(tbsCertificate, CSC | 3,
                                 bind(&BackCert::RememberExtension, this, _1,
                                      _2, _3));
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@ -464,7 +464,7 @@ CertificateSerialNumber(Reader& input, /*out*/ Input& value)

 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2 };
+MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };

 // X.509 Certificate and OCSP ResponseData both use this
 // "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
@ -497,6 +497,7 @@ OptionalVersion(Reader& input, /*out*/ Version& version)
    // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
    // do here for compatibility reasons.
    case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
+    case static_cast<uint8_t>(Version::v4): version = Version::v4; break;
    default:
      return Result::ERROR_BAD_DER;
  }