Closed Bug 217267 Opened 21 years ago Closed 16 years ago

need a way to verify a pre-generated cert chain

Categories: NSS :: Libraries, enhancement, P2


RESOLVED FIXED

People: Reporter: julien.pierre, Assigned: alvolkov.bgs


CERT_VerifyCertChain doesn't take a cert chain as part of its input parameters. Rather, it takes a single CERTCertificate* of the leaf certificate. NSS then builds a cert chain from that leaf certificate, and verifies it. In some cases, there are multiple cert chains that match the same leaf certificate. NSS only explores one chain, the one that it builds automatically. Unfortunately, there is no way for the application to specify which cert chain to verify. We need a new API that takes a CERTCertList* and will try to verify the exact chain passed in by the application, and not a chain generated automatically by NSS. The function would have a prototype looking like the following:

    SECStatus CERT_VerifyFixedCertChain(CERTCertDBHandle *handle,
                                        CERTCertList *chain,
                                        PRBool checkSig,
                                        SECCertUsage certUsage,
                                        int64 t,
                                        void *wincx,
                                        CERTVerifyLog *log);
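The two verification modes the description contrasts, as a constructed Python model added here (not NSS code and not the proposed API): automatic building from the leaf follows only the first issuer match, so when two CA certs share a subject and key (a cross-signed CA), it can pick a path that does not reach the trusted root, while verifying a fixed chain checks exactly the list the application supplies. All certificate data, key identifiers and times are constructed stand-ins.

```python
# Constructed toy model (not NSS code): automatic chain building from a leaf
# versus verifying a fixed, caller-supplied chain, as the bug proposes.
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # stand-in for the public key
    signer_key_id: str  # stand-in for the signature: key that signed this cert
    not_after: int      # constructed expiry time
def signed_by(cert, issuer_cert):
    # Name chaining plus the simulated signature check.
    return (cert.issuer == issuer_cert.subject
            and cert.signer_key_id == issuer_cert.key_id)
def verify_fixed_chain(chain, trust_anchors, t):
    """Verify exactly the chain passed in (leaf first); returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for cert in chain:
        if t > cert.not_after:
            return False, f"{cert.subject} expired"
    for child, parent in zip(chain, chain[1:]):
        if not signed_by(child, parent):
            return False, f"{child.subject} not signed by {parent.subject}"
    if chain[-1] not in trust_anchors:
        return False, f"{chain[-1].subject} is not a trust anchor"
    return True, "ok"
def build_chain(leaf, db, trust_anchors):
    """Mimic automatic building: follow the first issuer match in db only."""
    chain = [leaf]
    while chain[-1] not in trust_anchors:
        if chain[-1].issuer == chain[-1].subject:
            break  # reached a self-signed cert: end of this path
        found = [c for c in db if signed_by(chain[-1], c) and c not in chain]
        if not found:
            break
        chain.append(found[0])  # first match only, no backtracking
    return chain
# Constructed certs: "CA" has a self-signed cert and a cross-signed cert
# (same subject and key, issued by "Old Root"); only Old Root is trusted.
old_root = Cert("Old Root", "Old Root", "oldroot-key", "oldroot-key", 400)
ca_self = Cert("CA", "CA", "ca-key", "ca-key", 300)
ca_cross = Cert("CA", "Old Root", "ca-key", "oldroot-key", 300)
leaf = Cert("leaf", "CA", "leaf-key", "ca-key", 200)
DB, ANCHORS = [ca_self, ca_cross, old_root], {old_root}
def auto_result(t=100):   # what automatic building from the leaf yields
    return verify_fixed_chain(build_chain(leaf, DB, ANCHORS), ANCHORS, t)
def fixed_result(t=100):  # the chain the application actually wants checked
    return verify_fixed_chain([leaf, ca_cross, old_root], ANCHORS, t)
```

With this data, auto_result() fails because the self-signed CA cert is picked first and is not a trust anchor, while fixed_result() succeeds on the cross-signed path the application hands over.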
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Julien, will/does the libpkix project solve this?
Yes. The prototype of the API proposed in bug 294531 already allows this (verifyOnly flag). This API hasn't been implemented, but the guts of libpkix make it easy to do verification separately from chain building.
Assignee: nobody → julien.pierre.bugs
Severity: normal → enhancement
Depends on: 294531
Priority: -- → P2
Target Milestone: --- → 3.12
This was resolved in 3.12 by Alexei.
Assignee: julien.pierre.boogz → alexei.volkov.bugs
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED