Bug 217270 - need helper functions for cert chains
Opened 21 years ago, updated 2 years ago
Product/Component: NSS :: Libraries; Type: defect; Priority: P3
Tracking: Not tracked
Status: NEW (Open)
Reporter: julien.pierre; Assignee: Unassigned
Details
In the current version of NSS, cert chains that are verified by NSS are
automatically generated by the NSS function CERT_VerifyCertChain.
In many cases, the chain chosen is not the one intended by the application.
Oftentimes, the application wants to verify a chain of its own. This is why I
filed bug 217267.
However, many cert chains received by clients may not be fully ready for
verification. There is a set of common tasks that applications may need to
perform on a particular chain before verifying it:
1) checking for chain completeness.
We need a PRBool CERT_IsComplete(const CERTCertList* chain) function that simply
states if the certificates in the list link to each other all the way to a root
cert. When this is PR_TRUE, the chain is ready to be verified (or sorted, see 4).
2) completing the chain
If the cert chain is incomplete, we should provide a way to complete it. E.g.
SECStatus CERT_CompleteChain(CERTCertList* chain)
This would return SECSuccess TRUE if the chain was completed, with the certs
added to the chain list, or SECSuccess FALSE if it is an interrupted chain that
could not be completed.
We might need additional arguments to specify the sources to look for the
missing certs, or how many levels to complete - eg. just the root, or any number
of levels.
3) function to simplify a cert chain
A CERTCertList may contain some harmless unrelated certs. Or it could be a set
of completely unrelated certs and not be a chain at all.
There should be a function to identify the problem.
SECStatus CERT_SimplifyCertChain(CERTCertificate* leaf, CERTCertList* inputchain, CERTCertList* unrelatedCerts);
The leaf argument would tell the function that the particular "leaf" cert is not
to be eliminated (simplified) from the input chain.
The unrelated certs would be removed from input chain and added to the
unrelatedCerts list.
If leaf was omitted, and not all the certs in inputchain are related, then the
chain cannot be simplified and SECFailure would be returned.
4) Once a cert list contains only related certs and is complete, it would be
useful to be able to sort it:
SECStatus CERT_SortList(CERTCertList* inputchain);
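As an added illustration (not NSS code and not the reporter's), the issuer-to-subject walk that the proposed CERT_IsComplete, CERT_SortList and CERT_SimplifyCertChain would share, on an assumed minimal Cert model with constructed sample names; a self-signed cert is treated as the root.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for a certificate holding only the two name fields the
 * chain logic needs; an assumed model, not NSS's CERTCertificate. */
typedef struct { const char *subject; const char *issuer; } Cert;

static bool self_signed(const Cert *c) { return strcmp(c->subject, c->issuer) == 0; }

/* Index of the cert in `certs` whose subject equals `name`, or -1. */
static int find_subject(const Cert *certs, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(certs[i].subject, name) == 0) return (int)i;
    return -1;
}

/* Proposed CERT_SortList behaviour: copy the chain leaf-first, root-last into
 * `out` (capacity `cap`) by following issuer -> subject links. Returns the
 * number of certs placed. Certs never reached are unrelated to the chain (what
 * CERT_SimplifyCertChain would move aside). The walk stops at a self-signed
 * cert, at a missing issuer, or when `out` is full. */
size_t sort_chain(const Cert *certs, size_t n, int leaf, Cert *out, size_t cap) {
    size_t count = 0;
    int cur = leaf;
    while (cur >= 0 && count < cap) {
        out[count++] = certs[cur];
        if (self_signed(&certs[cur])) break;
        cur = find_subject(certs, n, certs[cur].issuer);
    }
    return count;
}

/* Proposed CERT_IsComplete behaviour: true only when the leaf links all the
 * way to a self-signed root using certs present in this list. */
bool chain_is_complete(const Cert *certs, size_t n, int leaf) {
    Cert out[8]; /* chain depth bound assumed for this example */
    size_t count = sort_chain(certs, n, leaf, out, 8);
    return count > 0 && self_signed(&out[count - 1]);
}

/* Constructed sample: a complete chain delivered out of order, plus one
 * unrelated cert. The leaf is index 1. */
static const Cert sample[] = {
    { "CN=Intermediate CA", "CN=Root CA" },
    { "CN=server.example",  "CN=Intermediate CA" },
    { "CN=Unrelated",       "CN=Other CA" },
    { "CN=Root CA",         "CN=Root CA" },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

bool sample_complete(void) { return chain_is_complete(sample, SAMPLE_N, 1); }
/* Same list truncated before the root: an interrupted chain, so not complete. */
bool sample_without_root_complete(void) { return chain_is_complete(sample, 3, 1); }
/* Certs kept by the sort; the unrelated cert is left out. */
size_t sample_chain_len(void) { Cert out[8]; return sort_chain(sample, SAMPLE_N, 1, out, 8); }
```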
History
Updated 20 years ago: QA Contact: bishakhabanerjee → jason.m.reid
Updated 19 years ago: Assignee: wtchang → nobody; QA Contact: jason.m.reid → libraries
Updated 18 years ago: Priority: -- → P3
Updated 2 years ago: Severity: normal → S3