484466 - sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Rob Stradling]

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Build Identifier: trunk

As reported in bug #483168 comment #43, the current Firefox HEAD + NSS HEAD shows a sec_error_invalid_args error when attempting to navigate to various https sites.

Affected sites include:
https://www.verisign.com
https://secure.comodo.com
https://www.globalsign.com

Unaffected sites include:
https://www.entrust.net
https://www.startssl.com

This problem did not occur 1 month ago when I reported bug #479508 comment #2.

Reproducible: Always

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

The crucial detail for this bug is that it only occurs when 
NSS_ENABLE_PKIX_VERIFY=1 is set.

So, this bug will be "major" when that condition becomes the default,
but not until then.

Comment 2

[Alexei Volkov]

The problem was introduced in the patch for the bug 444404. It happens when pkix_VerifyNode_SetError function sets "unknown issuer" error into verifyNode
 - the variable that suppose to point to the validation error log. 

  pkix_VerifyNode_SetError(verifyNode, verifyError,
                           plContext),

Only in this case it is incorrect to use verifyNode. state->verifyNode should have been used instead of it. pkix_VerifyNode_SetError returns "invalid argument" error since verifyNode is NULL in the context.

(state->verifyNode, verifyError,
                                         plContext),

Comment 3

[Alexei Volkov]

Attachment: Patch v1 - use correct pointer to pkix error log structure

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 368936 [details] [diff] [review]
Patch v1 - use correct pointer to pkix error log structure

r=nelson

Comment 5

[Alexei Volkov]

> (From update of attachment 368936 [details] [diff] [review])
committed.