Unprocessed Parameter CERT_PKIXVerifyCert

Status: UNCONFIRMED
Assignee: Unassigned
Product: NSS
Component: Build
Priority: P3
Severity: normal
Reported: 2 years ago
Modified: 2 years ago
Reporter: ermenegildo.carrisi
Version: 3.21
Hardware: x86_64
OS: Linux
Firefox Tracking Flags: (Not tracked)
Whiteboard: [specification][type:bug]

(Reporter) Description, 2 years ago

What did you do?
================
Trying to use CERT_PKIXVerifyCert to validate a certificate chain. Looking at the possible type/value pairs in CertValInParam, I see cert_pi_certList (http://mxr.mozilla.org/security/source/security/nss/lib/certdb/certt.h#898), which could be used to provide a certificate chain. So I set the type/value pair in the CertValInParam array (code: http://pastebin.com/4BQsinXM, where parse_cert is a function which returns a CERTCertificate and is correctly working).

What happened?
==============
I get error -8187, SEC_ERROR_INVALID_ARGS.

What should have happened?
==========================
Accepting the argument without raising an error.

Is there anything else we should know?
======================================
I tried to investigate what happened by looking at the source code, and I found something likely to be wrong here (http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfypkix.c#1509). Indeed, there is a switch on the type of the CertValInParam parameter (which is an element of the input array to CERT_PKIXVerifyCert), and cert_pi_certList does not have an associated case. Hence, the default case is matched, which sets the error SEC_ERROR_INVALID_ARGS and returns a failure. So it seems this type/value pair cannot be used without raising the aforementioned error. And I claim that it is probably not the only type with this issue: cert_pi_keyusage is not checked in that switch either, and should lead to the same error (even if I have not tried it as an input).

(Reporter) Updated, 2 years ago
Component: API → Build
OS: Other → Linux
Product: Mozilla Developer Network → NSS
Hardware: All → x86_64
Version: unspecified → 3.21

(Reporter) Updated, 2 years ago
Priority: -- → P3