Bug 217267 - need a way to verify a pre-generated cert chain
Status: RESOLVED FIXED (opened 21 years ago, closed 16 years ago)
Product/Component: NSS :: Libraries
Severity/Priority: enhancement, P2
Target Milestone: 3.12
Reporter: julien.pierre, Assigned: alvolkov.bgs
CERT_VerifyCertChain doesn't take a cert chain as part of its input parameters.
Rather, it takes a single CERTCertificate* of the leaf certificate. NSS then
builds a cert chain from that leaf certificate, and verifies it.
In some cases, there are multiple cert chains that match the same leaf
certificate. NSS only explores one chain, the one that it builds automatically.
Unfortunately, there is no way for the application to specify which cert chain
to verify.
We need a new API that takes a CERTCertList* and will try to verify the exact
chain passed in by the application, and not a chain generated automatically by NSS.
The function would have a prototype looking like the following:
SECStatus
CERT_VerifyFixedCertChain(CERTCertDBHandle *handle, CERTCertList *chain,
PRBool checkSig, SECCertUsage certUsage, int64 t,
void *wincx, CERTVerifyLog *log);
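To make the ambiguity in the report above concrete, here is a toy model of the two verification styles, written for this page as an added example; it is not NSS code and not part of the bug. Certificates are plain structs with no signatures, and a name match between a child's issuer and a parent's subject stands in for a signature check. The store contains a cross-signed intermediate (two certs with subject "IntCA", one issued by RootA, one by RootB) and only RootA is a trust anchor; all names, ids and the `trusted` flag are constructed for the example. `build_chain_auto` does what the report describes: it walks up from the leaf and takes the first matching issuer cert it finds, so it ends at the untrusted RootB and fails. `verify_fixed_chain` checks exactly the chain the caller passed, so the application can verify the RootA path it already knows is the right one.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

typedef struct {
    const char *id;       /* handle used only in this example; NSS has no such field */
    const char *subject;
    const char *issuer;
    int trusted;          /* 1 = trust anchor */
} Cert;

/* Constructed store. "IntCA" is cross-signed: two certs share that subject. */
static const Cert STORE[] = {
    {"leaf",           "www.example.test", "IntCA", 0},
    {"IntCA-by-RootB", "IntCA",            "RootB", 0},
    {"IntCA-by-RootA", "IntCA",            "RootA", 0},
    {"RootB",          "RootB",            "RootB", 0},  /* present but not trusted */
    {"RootA",          "RootA",            "RootA", 1},
};
#define NSTORE ((int)(sizeof STORE / sizeof STORE[0]))

static const Cert *find_by_id(const char *id) {
    for (int i = 0; i < NSTORE; i++)
        if (strcmp(STORE[i].id, id) == 0) return &STORE[i];
    return NULL;
}

/* Stand-in for a signature check: the child names the parent as its issuer. */
static int issued_by(const Cert *child, const Cert *parent) {
    return strcmp(child->issuer, parent->subject) == 0;
}

/* Automatic builder in the style the bug describes: starting at the leaf, take
 * the FIRST store cert whose subject matches the current issuer name, until a
 * self-issued cert or a dangling issuer is reached. Returns the chain length. */
int build_chain_auto(const Cert *leaf, const Cert *out[], int max) {
    int n = 0;
    const Cert *cur = leaf;
    while (n < max) {
        out[n++] = cur;
        if (strcmp(cur->issuer, cur->subject) == 0) break;   /* self-issued: top */
        const Cert *next = NULL;
        for (int i = 0; i < NSTORE && !next; i++)
            if (&STORE[i] != cur && issued_by(cur, &STORE[i])) next = &STORE[i];
        if (!next) break;                                    /* no issuer in store */
        cur = next;
    }
    return n;
}

/* Verify exactly the chain given: every link must check out and the last cert
 * must be a trust anchor. No path construction, no alternative chains tried. */
int verify_fixed_chain(const Cert *chain[], int n) {
    if (n < 1) return 0;
    for (int i = 0; i + 1 < n; i++)
        if (!issued_by(chain[i], chain[i + 1])) return 0;
    return chain[n - 1]->trusted;
}

/* The automatic path: the builder picks IntCA-by-RootB first and ends at the
 * untrusted RootB, so verification fails although a valid chain exists. */
int verify_via_auto_builder(void) {
    const Cert *chain[MAX_CHAIN];
    int n = build_chain_auto(find_by_id("leaf"), chain, MAX_CHAIN);
    return verify_fixed_chain(chain, n);
}

/* The application-chosen path: leaf -> int_id -> root_id, verified as given. */
int verify_fixed_by_ids(const char *int_id, const char *root_id) {
    const Cert *chain[3] = { find_by_id("leaf"), find_by_id(int_id), find_by_id(root_id) };
    if (!chain[0] || !chain[1] || !chain[2]) return 0;
    return verify_fixed_chain(chain, 3);
}

int main(void) {
    printf("automatic builder:      %s\n", verify_via_auto_builder() ? "valid" : "INVALID");
    printf("fixed chain via RootA:  %s\n", verify_fixed_by_ids("IntCA-by-RootA", "RootA") ? "valid" : "INVALID");
    printf("fixed chain via RootB:  %s\n", verify_fixed_by_ids("IntCA-by-RootB", "RootB") ? "valid" : "INVALID");
    return 0;
}
```

The order of the store entries decides which chain the automatic builder finds, which is exactly why the reporter wants an entry point that takes the chain as input instead of a leaf. The real NSS 3.12 counterpart of `verify_fixed_chain` is the libpkix entry point CERT_PKIXVerifyCert, whose cert_pi_certList input parameter supplies the chain to validate and skips path construction; it is not called here because this example has to run without NSS installed.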
Updated•19 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Updated•19 years ago
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Comment 1•18 years ago
Julien, will/does the libpkix project solve this?
Reporter
Comment 2•18 years ago
Yes. The prototype of the API proposed in bug 294531 already allows this (verifyOnly flag). This API hasn't been implemented, but the guts of libpkix make it easy to do verification separately from chain building.
Assignee: nobody → julien.pierre.bugs
Severity: normal → enhancement
Depends on: 294531
Priority: -- → P2
Target Milestone: --- → 3.12
Reporter
Comment 3•16 years ago
This was resolved in 3.12 by Alexei.
Assignee: julien.pierre.boogz → alexei.volkov.bugs
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED