Bug 430369 - vfychain -o succeeds even if -pp is not specified
Status: RESOLVED FIXED (closed), 3.12.1
Opened 16 years ago, closed 16 years ago
Product / Component: NSS :: Tools (defect)
Tracking: not tracked
Reporter: julien.pierre; Assigned: alvolkov.bgs
Whiteboard: PKIXTEST
Attachments (1): patch, 3.60 KB, nelson: review+

Description
The -o option is used to pass in a specific policy OID that we want to check against the chain. The --p option is used to invoke the new PKIX API. If --p is omitted, CERT_VerifyCertificate is invoked, and the policy OID is actually ignored, making it seem like the verification succeeded. This is not the case. The -o without --p combination should always fail, preferably with a usage error.
Comment 1 • 16 years ago
The -p option (one dash) has different meaning depending on whether it occurs one time or more than one time (e.g. -pp) in the command line. One time, it has the same effect as the NSS_ENABLE_PKIX_VERIFY envariable. It causes vfychain to call CERT_SetUsePKIXForValidation(true); vfychain then still uses the old API, but the underlying code uses libPKIX. Two times (-pp) causes vfychain to call the new CERT_PKIXVerifyCert API.
Comment 2 (Reporter) • 16 years ago
Yes. The -o / 1 -p combination should fail too, just like the -o / 0 -p combination. -o should only work with --p, since only CERT_PKIXVerifyCert can verify chains with specific policies.
Comment 3 • 16 years ago
Julien, I think you mean -pp when you type --p, yes?
Summary: vfychain -o succeeds even if --p is not specified → vfychain -o succeeds even if -pp is not specified
Comment 4 (Reporter) • 16 years ago
Oops. Yes, you are right.
Comment 5 • 16 years ago
BTW, the same problem occurs with -t. The -t option is meaningless without -pp, but the test program doesn't complain about it.
Updated • 16 years ago
Whiteboard: PKIXTEST
Comment 6 (Assignee) • 16 years ago
Check that -pp is asserted for -t and -o options. Add description for -t flag.
Attachment #320276 - Flags: review?(nelson)
Comment 7 • 16 years ago
Comment on attachment 320276 [details] [diff] [review]
Check for options

A few cosmetic issues need to be fixed, then r+.

>- "\t-f \t\tenable cert ferching from AIA URL\n"
>+ "\t-f \t\t Enable cert ferching from AIA URL\n"

s/ferching/fetching/ :)

>+ "\t-t\t\t Following cert is explicetly trusted(overrides db trust).\n"

s/explicet/explicit/ and put a space before '('

>- "\t-w password\t Database password\n",
>+ "\t-w password\t Database password.\n",

On this line, you replaced the one leading tab character with 12 spaces. Please go back to one tab.

>+ if (trusted) {
>+ fprintf(stderr, "Cert trust flag can be used only with"
>+ " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/

>@@ -372,6 +387,11 @@ breakout:
> case 'r' : isAscii = PR_FALSE; break;
> case 't' : trusted = PR_TRUE; break;
> case 0 : /* positional parameter */
>+ if (usePkix < 2 && trusted) {
>+ fprintf(stderr, "Cert trust flag can be used only with"
>+ " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/
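Review bot: both quoted fprintf messages name CERT_PKIXVerifyChain, but the API that -pp selects, as described in comments 1 and 2, is CERT_PKIXVerifyCert; the text should read `" CERT_PKIXVerifyCert (-pp) function.\n"` so the usage error points at the right function. Separately, the `if (usePkix < 2 && trusted)` test in the `case 0 : /* positional parameter */` branch is evaluated each time a cert file argument is reached, so if options are processed in command-line order a -t that precedes its cert while -pp comes later would be rejected; consider deferring this check (and the matching -o check) until the option loop has finished.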
Attachment #320276 - Flags: review?(nelson) → review+
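An added example, not NSS code and not the patch under review, modelling the option rule from comments 1, 2 and 6: -p is counted (one occurrence selects CERT_SetUsePKIXForValidation, two or more select CERT_PKIXVerifyCert), and the -o/-t check runs only after every argument has been parsed, so it does not depend on -pp appearing before -t or -o. The struct, function names and messages are assumed for the example.

```c
/* Added example, not NSS code: a minimal model of vfychain's option handling in
 * which the -o/-t consistency check runs only after every argument has been
 * parsed, so it cannot depend on -pp appearing before -t or -o. Names are assumed. */
#include <stdio.h>
#include <string.h>

struct opts {
    int usePkix;           /* times -p was given: 1 = CERT_SetUsePKIXForValidation, 2+ = CERT_PKIXVerifyCert */
    int trusted;           /* -t: the following cert is explicitly trusted */
    const char *policyOid; /* -o <oid>, or NULL when absent */
};

/* Collect options in command-line order. Returns 0, or -1 on a syntax error
 * (unknown flag, or -o with no OID argument). Positional cert files are skipped. */
static int parse_args(int argc, const char *const argv[], struct opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        size_t n = strlen(a);
        if (a[0] != '-' || n < 2) continue;                              /* positional cert file */
        if (strspn(a + 1, "p") == n - 1) o->usePkix += (int)(n - 1);     /* -p, -pp, or -p -p */
        else if (strcmp(a, "-t") == 0) o->trusted = 1;
        else if (strcmp(a, "-o") == 0 && i + 1 < argc) o->policyOid = argv[++i];
        else return -1;
    }
    return 0;
}

/* Post-parse check: only CERT_PKIXVerifyCert (-pp) honours a policy OID or a
 * trust flag. Returns 0 when consistent, 1 (with a message) when -o or -t lacks -pp. */
static int check_opts(const struct opts *o)
{
    const char *bad = o->policyOid ? "-o" : o->trusted ? "-t" : NULL;
    if (o->usePkix >= 2 || !bad) return 0;
    fprintf(stderr, "%s can be used only with CERT_PKIXVerifyCert (-pp)\n", bad);
    return 1;
}

/* What a tool would call before doing any verification:
 * 0 = acceptable, 1 = -o/-t given without -pp (usage error), 2 = syntax error. */
int vfychain_usage_ok(int argc, const char *const argv[])
{
    struct opts o;
    if (parse_args(argc, argv, &o) != 0) return 2;
    return check_opts(&o);
}
```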
Comment 8 (Assignee) • 16 years ago
Checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED