Closed
Bug 1035414
Opened 9 years ago
Closed 9 years ago
mozilla::pkix should explicitly check that the child cert's issuer name matches the potential issuer's subject name, instead of relying on the TrustDomain to do the check correctly
Categories
(Core :: Security: PSM, enhancement)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla37
People
(Reporter: briansmith, Assigned: briansmith, Mentored)
References
Details
Attachments
(2 files)
|
6.07 KB,
patch
|
jcj
:
review+
mmc
:
superreview+
|
Details | Diff | Splinter Review |
|
4.16 KB,
patch
|
jcj
:
review+
mmc
:
superreview+
|
Details | Diff | Splinter Review |
The documentation for TrustDomain::FindPotentialIssuers (or whatever is is about to be renamed) says: // * The subject name of the certificate given to checker.Check must be equal // to encodedIssuerName. It would be much safer if we didn't rely on the TrustDomain to do that check. Instead, in pkixbuild.cpp we should verify that that condition is true. Besides being safer, this would allow simpler implementations of the TrustDomain; See the bug I am about to file that depends on this, for an example.
|
Assignee | |
Updated•9 years ago
|
Mentor: brian
Whiteboard: [good next bug]
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → brian
Whiteboard: [good next bug]
Target Milestone: --- → mozilla37
|
|
Assignee | |
Comment 1•9 years ago
|
||
Since keeler is on vacation, I'm asking jcj to do this review and for mmc to double-check the review. I set sr?keeler on this so that he can check it when he gets back.
Attachment #8541767 -
Flags: superreview?(mmc)
Attachment #8541767 -
Flags: review?(jjones)
|
|
Assignee | |
Comment 2•9 years ago
|
||
Attachment #8541768 -
Flags: superreview?(mmc)
Attachment #8541768 -
Flags: review?(jjones)
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8541767 [details] [diff] [review] Part 1: Test that mozilla::pkix checks the issuer itself Review of attachment 8541767 [details] [diff] [review]: ----------------------------------------------------------------- I don't see any problems with the test. LGTM.
Attachment #8541767 -
Flags: review?(jjones) → review+
|
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8541768 [details] [diff] [review] Part 2: Check that the subject's issuer field matches the potential issuer's subject field Review of attachment 8541768 [details] [diff] [review]: ----------------------------------------------------------------- Given the behavior of NSSCertDBTrustDomain, it seems likely that you planned for this functionality. It looks good to me.
Attachment #8541768 -
Flags: review?(jjones) → review+
|
|
Assignee | |
Comment 5•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d96e3eaf20d9 https://hg.mozilla.org/integration/mozilla-inbound/rev/2018ebe53273 Thanks for the reviews!
Status: NEW → ASSIGNED
|
||
Comment 6•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d96e3eaf20d9 https://hg.mozilla.org/mozilla-central/rev/2018ebe53273
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8541767 [details] [diff] [review] Part 1: Test that mozilla::pkix checks the issuer itself Review of attachment 8541767 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay on this! It wasn't showing up on my bugzilla notifications...
Attachment #8541767 -
Flags: superreview?(mmc) → superreview+
|
|
||
Updated•9 years ago
|
Attachment #8541768 -
Flags: superreview?(mmc) → superreview+
You need to log in
before you can comment on or make changes to this bug.
Description
•