codegen: correct TUBITAK1 name constraints.
The content was misencoded, resulting in a permitted subtree base name
that's an otherName type general name with a nonsensical value. These
types of general name are not supported by webpki, making the name
constraint functionally a no-op.

The updated encoding correctly specifies a permitted subtree with
a dNSName type base general name with the value ".tr".
cpu authored and djc committed Aug 9, 2023
1 parent 601a71e commit e69119d
Showing 2 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion src/lib.rs
@@ -1564,7 +1564,7 @@ pub const TLS_SERVER_ROOTS: &[TrustAnchor] = &[
TrustAnchor {
subject: b"1\x0b0\t\x06\x03U\x04\x06\x13\x02TR1\x180\x16\x06\x03U\x04\x07\x13\x0fGebze - Kocaeli1B0@\x06\x03U\x04\n\x139Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK1-0+\x06\x03U\x04\x0b\x13$Kamu Sertifikasyon Merkezi - Kamu SM1604\x06\x03U\x04\x03\x13-TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1",
spki: b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xafu03\xaa\xbbk\xd3\x99,\x127\x84\xd9\x8d{\x97\x80\xd3n\xe7\xff\x9bP\x95>\x90\x95VB\xd7\x19|&\x84\x8d\x92\xfa\x01\x1d:\x0f\xe2d8\xb7\x8c\xbc\xe8\x88\xf9\x8b$\xab.\xa3\xf57\xe4@\x8e\x18%y\x83u\x1f;\xffl\xa8\xc5\xc6V\xf8\xb4\xed\x8aD\xa3\xablL\xfc\x1d\xd0\xdc\xefh\xbd\xcf\xe4\xaa\xce\xf0U\xf7\xa24\xd4\x83k7|\x1c\xc2\xfe\xb5\x03\xecW\xce\xbc\xb4\xb5\xc5\xed\x00\x0fS7*M\xf4O\x0c\x83\xfb\x86\xcf\xcb\xfe\x8cN\xbd\x87\xf9\xa7\x8b!W\x9cz\xdf\x03g\x89,\x9d\x97a\xa7\x10\xb8U\x90\x7f\x0e-\'8t\xdf\xe7\xfd\xdaN\x12\xe3M\x15\"\x02\xc8\xe0\xe0\xfc\x0f\xad\x8a\xd7\xc9TP\xcc;\x0f\xca\x16\x80\x84\xd0QV\xc3\x8eV\x7f\x89\"3/\xe6\x85\n\xbd\xa5\xa8\x1b6\xde\xd3\xdc,m;\xc7\x13\xbdY#,\xe6\xe5\xa4\xf7\xd8\x0b\xed\xea\x90@D\xa8\x95\xbb\x93\xd5\xd0\x804\xb6Fx\x0e\x1f\x00\x93F\xe1\xee\xe9\xf9\xecO\x17\x02\x03\x01\x00\x01",
name_constraints: Some(b"\xa0\x0b0\t\xa0\x070\x05\x82\x03.tr")
name_constraints: Some(b"\xa0\x070\x05\x82\x03.tr")
},

/*
6 changes: 3 additions & 3 deletions tests/codegen.rs
@@ -98,7 +98,7 @@ async fn generated_code_is_fresh() {
let mut imposed_constraints = HashMap::<Vec<u8>, Vec<u8>>::default();
imposed_constraints.insert(
concat(TUBITAK1_SUBJECT_DN),
concat(TUBITAK1_NAME_CONSTRAINTS),
TUBITAK1_NAME_CONSTRAINTS.to_vec(),
);

// Generate the trust anchors, sorted by fingerprint
@@ -198,8 +198,8 @@ const TUBITAK1_SUBJECT_DN: &[&[u8]] = &[
b"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1",
];

const TUBITAK1_NAME_CONSTRAINTS: &[&[u8]] =
&[b"\xa0\x0b\x30\x09\xa0\x07", b"\x30\x05\x82\x03", b".tr"];
const TUBITAK1_NAME_CONSTRAINTS: &[u8] =
&[0xA0, 0x07, 0x30, 0x05, 0x82, 0x03, 0x2E, 0x74, 0x72];

const EXCLUDED_CAS: &[&str] = &[
// See https://bugzilla.mozilla.org/show_bug.cgi?id=1266574.
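Review bot: `TUBITAK1_NAME_CONSTRAINTS` in the second hunk is still hand-encoded DER with nothing explaining its structure, and nothing visible in these hunks checks that it decodes to the intended constraint, which is presumably how the earlier otherName encoding went unnoticed. I would annotate the constant, e.g. `// NameConstraints content: permittedSubtrees [0] (0xA0, len 7) { GeneralSubtree SEQUENCE (0x30, len 5) { base dNSName [2] (0x82, len 3) = ".tr" } }`, and write the last three bytes as `b'.', b't', b'r'` so the value is readable. A regression test that validates a certificate for a name outside `.tr` against this anchor and expects rejection would catch a constraint that is silently a no-op; whether the suite already has fixtures for that cannot be seen from this page. The body of `generated_code_is_fresh` continues outside the first hunk.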
