Closed Bug 1249155 Opened 8 years ago Closed 4 months ago

Unprocessed Parameter CERT_PKIXVerifyCert

Categories

(NSS :: Build, defect, P3)

3.21
x86_64
Linux

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: ermenegildo.carrisi, Unassigned)

Details

(Whiteboard: [nss-qm])

What did you do?
================
Trying to use CERT_PKIXVerifyCert to validate a certificate chain. Looking at the possible type/value pairs in CertValInParam, I see cert_pi_certList (http://mxr.mozilla.org/security/source/security/nss/lib/certdb/certt.h#898), which could be used to provide a certificate chain. So I set the type/value pair in the CertValInParam array (code: http://pastebin.com/4BQsinXM, where parse_cert is a function which returns a CERTCertificate and works correctly).

What happened?
==============
I get error -8187, SEC_ERROR_INVALID_ARGS. 

What should have happened?
==========================
Accepting Argument without raising error

Is there anything else we should know?
======================================
I tried to investigate what happened by looking at the source code, and I found something likely to be wrong here (http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfypkix.c#1509). Indeed, there is a switch on the type of the CertValInParam parameter (which is an element of the input array to CERT_PKIXVerifyCert), and cert_pi_certList does not have an associated case. Hence, the default case is matched, which sets the error SEC_ERROR_INVALID_ARGS and returns a failure. Hence, it seems this type/value pair cannot be used without raising the aforementioned error. And I claim that it's probably not the only type with this issue: cert_pi_keyusage also isn't checked in that switch, and should lead to the same error (even if I haven't tried it as an input).
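
The failure mode described in the report, as an added example that is neither NSS source nor the reporter's code: a simplified C model of a parameter dispatcher whose switch lacks cases for some declared types, with a sweep that finds them. All `model_`/`MODEL_` names are hypothetical and the choice of which types have a case is assumed for illustration; only the error value -8187 and the two rejected types come from the report.

```c
/* Simplified model, NOT NSS source. model_/MODEL_ names are hypothetical. */
#include <stdio.h>

#define MODEL_ERR_INVALID_ARGS (-8187) /* error value quoted in the report */

typedef enum {
    MODEL_PI_END = 0,       /* terminator of the parameter array */
    MODEL_PI_CERT_LIST,     /* stands in for cert_pi_certList */
    MODEL_PI_KEYUSAGE,      /* stands in for cert_pi_keyusage */
    MODEL_PI_DATE,          /* assumed to have a case (illustration) */
    MODEL_PI_TRUST_ANCHORS, /* assumed to have a case (illustration) */
    MODEL_PI_MAX
} ModelParamType;

static int model_last_error = 0;

/* Dispatcher with the shape the report describes: a type without a
 * case reaches default, which sets the error and fails. */
int model_set_param(ModelParamType type)
{
    switch (type) {
    case MODEL_PI_DATE:
    case MODEL_PI_TRUST_ANCHORS:
        return 0;
    default:
        model_last_error = MODEL_ERR_INVALID_ARGS;
        return -1;
    }
}

/* Sweep every declared type; collect those rejected as invalid args. */
int model_find_unhandled(ModelParamType *out, int cap)
{
    int n = 0;
    for (int t = MODEL_PI_END + 1; t < MODEL_PI_MAX; t++) {
        model_last_error = 0;
        if (model_set_param((ModelParamType)t) != 0 &&
            model_last_error == MODEL_ERR_INVALID_ARGS && n < cap)
            out[n++] = (ModelParamType)t;
    }
    return n;
}

int main(void)
{
    ModelParamType bad[MODEL_PI_MAX];
    int n = model_find_unhandled(bad, MODEL_PI_MAX);
    for (int i = 0; i < n; i++)
        printf("declared but rejected: type %d\n", (int)bad[i]);
    return 0;
}
```

Because the switch has a `default` label, the compiler's `-Wswitch` warning does not flag the missing cases; `-Wswitch-enum` or a runtime sweep like this one does.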
Component: API → Build
OS: Other → Linux
Product: Mozilla Developer Network → NSS
Hardware: All → x86_64
Version: unspecified → 3.21
Priority: -- → P3
Whiteboard: [specification][type:bug] → [nss-qm]
Severity: normal → S3
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → INACTIVE