221743 - certificate usage macro mismatch in CERT_VerifyCertificate

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Noriko Hosoi]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Attached code is a part of CERT_VerifyCertificate.  The underlined macro is from
CERT_VerifyCert family, which is enum (certUsageSSLServer == 1); while
certificateUsage family is bit map based.  I checked it in nss3.7 as well as 3.8
and both have the same code.  Could it be certificateUsageSSLServer by any chance?

"certvfy.c"
1211 SECStatus
1212 CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
1213         PRBool checkSig, SECCertificateUsage requiredUsages, int64 t,
1214         void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages)
1215 {
                [...]
1257
1258     /* make sure that the cert is valid at time t */
1259     allowOverride = (PRBool)((requiredUsages & certUsageSSLServer) ||
                                                    ==================
1260                              (requiredUsages &
certificateUsageSSLServerWithStepUp));
1261     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
1262     if ( validity != secCertTimeValid ) {
1263         LOG_ERROR(log,cert,0,validity);
1264         return SECFailure;
1265     }

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Wan-Teh Chang]

Noriko, I think you are right.

Julien, could you fix this?

Comment 2

[Julien Pierre]

Attachment: fix

Comment 3

[Julien Pierre]

Yes, indeed there is a bug there. 

Fixed in 3.9 :

Checking in certvfy.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v  <--  certvfy.c
new revision: 1.37; previous revision: 1.36
done