Closed Bug 1896353 Opened 2 months ago Closed 2 months ago

Use lib::pkix as default validator instead of the old-one

Categories

(NSS :: Build, enhancement)

3.99
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fkrenzel, Unassigned)

Details

Attachments

(1 file)

Steps to reproduce:

Actual results:

The old pkix validator is used.

Expected results:

As the old validator is rarely used, we propose to change the default to the lib:pkix

The legacy NSS validator doesn't support some extensions that are becoming to be popular. Change the default validator to use lib::pkix.

Bob, I have looked into this, and it seems that the only option enabling the use of old-validator is the 'disable_libpkix%': 1, in coreconf/config.gypi which defines the NSS_DISABLE_LIBPKIX thus using the old-validator.

Isn't the coreconf/config.gypi used only by the ./build.sh i.e., that only the gyp-ninja build are affected.
If so, the make build is not affected and the only required change is to change the default for coreconf/config.gypi.

Flags: needinfo?(rrelyea)

Sigh, I had a nice long explaination here for you and I must not of hit 'save changes' ...

This is not about doing anthing with mozilla libpkix, which isn't yet integrated into NSS. When it is we will replace libpkix with the mozilla version.
It's about changing what cert_VerifyCertChain() in lib/certdb/certvfy.c uses. Currently it defaults to cert_VerifyCertChainOld() instead of cert_VerifyCertChainPkix(). There's a function it calls to determine which is uses called CERT_GetUsePKIXForValidation(). You need to change that function from a default of FALSE (overridden by an environment variable) to a default of TRUE (with a different value for the environment variable setting it back).

I wouldn't change the default in coreconf/config.gypi, but you should use the define to help decide your default.

Someday mozpkix will be integrated and we can get rid of libpkix with mozpkix taking over. We should eventually be able to ditch cert_VerifyCertChainOld() as well and get down to one validator.

Flags: needinfo?(rrelyea)
Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: