From e69119d3917d99cb24b27d5ccb2129a92323fa63 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Tue, 8 Aug 2023 14:08:58 -0400
Subject: [PATCH] codegen: correct TUBITAK1 name constraints.

The content was misencoded, resulting in a permitted subtree base name that's an otherName type general name with a nonsensical value. These types of general name are not supported by webpki, making the name constraint functionally a no-op. The updated encoding correctly specifies a permitted subtree with a dNSName type base general name with the value ".tr".
---
 src/lib.rs | 2 +-
 tests/codegen.rs | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index 971ec3e..3fbff93 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1564,7 +1564,7 @@ pub const TLS_SERVER_ROOTS: &[TrustAnchor] = &[ TrustAnchor { subject: b"1\x0b0\t\x06\x03U\x04\x06\x13\x02TR1\x180\x16\x06\x03U\x04\x07\x13\x0fGebze - Kocaeli1B0@\x06\x03U\x04\n\x139Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK1-0+\x06\x03U\x04\x0b\x13$Kamu Sertifikasyon Merkezi - Kamu SM1604\x06\x03U\x04\x03\x13-TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1", spki: b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xafu03\xaa\xbbk\xd3\x99,\x127\x84\xd9\x8d{\x97\x80\xd3n\xe7\xff\x9bP\x95>\x90\x95VB\xd7\x19|&\x84\x8d\x92\xfa\x01\x1d:\x0f\xe2d8\xb7\x8c\xbc\xe8\x88\xf9\x8b$\xab.\xa3\xf57\xe4@\x8e\x18%y\x83u\x1f;\xffl\xa8\xc5\xc6V\xf8\xb4\xed\x8aD\xa3\xablL\xfc\x1d\xd0\xdc\xefh\xbd\xcf\xe4\xaa\xce\xf0U\xf7\xa24\xd4\x83k7|\x1c\xc2\xfe\xb5\x03\xecW\xce\xbc\xb4\xb5\xc5\xed\x00\x0fS7*M\xf4O\x0c\x83\xfb\x86\xcf\xcb\xfe\x8cN\xbd\x87\xf9\xa7\x8b!W\x9cz\xdf\x03g\x89,\x9d\x97a\xa7\x10\xb8U\x90\x7f\x0e-\'8t\xdf\xe7\xfd\xdaN\x12\xe3M\x15\"\x02\xc8\xe0\xe0\xfc\x0f\xad\x8a\xd7\xc9TP\xcc;\x0f\xca\x16\x80\x84\xd0QV\xc3\x8eV\x7f\x89\"3/\xe6\x85\n\xbd\xa5\xa8\x1b6\xde\xd3\xdc,m;\xc7\x13\xbdY#,\xe6\xe5\xa4\xf7\xd8\x0b\xed\xea\x90@D\xa8\x95\xbb\x93\xd5\xd0\x804\xb6Fx\x0e\x1f\x00\x93F\xe1\xee\xe9\xf9\xecO\x17\x02\x03\x01\x00\x01", - name_constraints: Some(b"\xa0\x0b0\t\xa0\x070\x05\x82\x03.tr") + name_constraints: Some(b"\xa0\x070\x05\x82\x03.tr") }, /* diff --git a/tests/codegen.rs b/tests/codegen.rs index a1fc81e..af42235 100644 --- a/tests/codegen.rs +++ b/tests/codegen.rs @@ -98,7 +98,7 @@ async fn generated_code_is_fresh() { let mut imposed_constraints = HashMap::, Vec>::default(); imposed_constraints.insert( concat(TUBITAK1_SUBJECT_DN), - concat(TUBITAK1_NAME_CONSTRAINTS), + TUBITAK1_NAME_CONSTRAINTS.to_vec(), ); // Generate the trust anchors, sorted by fingerprint 
@@ -198,8 +198,8 @@ const TUBITAK1_SUBJECT_DN: &[&[u8]] = &[
 b"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1",
 ];
 
-const TUBITAK1_NAME_CONSTRAINTS: &[&[u8]] =
- &[b"\xa0\x0b\x30\x09\xa0\x07", b"\x30\x05\x82\x03", b".tr"];
+const TUBITAK1_NAME_CONSTRAINTS: &[u8] =
+ &[0xA0, 0x07, 0x30, 0x05, 0x82, 0x03, 0x2E, 0x74, 0x72];
 
 const EXCLUDED_CAS: &[&str] = &[
 // See https://bugzilla.mozilla.org/show_bug.cgi?id=1266574.
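Review bot: The new `TUBITAK1_NAME_CONSTRAINTS` is still a hand-encoded DER byte string with nothing beside it saying what the bytes mean, which is how the earlier otherName misencoding could sit unnoticed. I would add a comment above the constant such as `// NameConstraints contents: permittedSubtrees [0] { GeneralSubtree { base: dNSName [2] ".tr" } }` so the three tag/length pairs can be checked against the intent by eye. Nothing in the visible hunks asserts that the constraint is actually enforced. Because the old value was silently a no-op, a test that the TUBITAK1 anchor rejects a name outside `.tr` (or at least that the bytes decode to a single dNSName permitted subtree) would catch a repeat. Whether such a test already exists elsewhere in `tests/codegen.rs` cannot be seen from this hunk.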