Bug 391560 - libpkix does not consistently return PKIX_ValidateNode tree that truly represent failure reasons
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P1 enhancement
Target Milestone: 3.12.2
Assigned To: Alexei Volkov
Depends on:
Blocks: 391183 430405
Reported: 2007-08-09 11:30 PDT by Alexei Volkov
Modified: 2008-11-03 18:35 PST


Description Alexei Volkov 2007-08-09 11:30:29 PDT
libpkix uses the PKIX_ValidateNode tree to indicate cert problems found during the cert selection process. Some paths of chain building/validation do not update the final PKIX_ValidateNode tree with cert selection failure reasons.
Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-08-09 11:41:08 PDT
"some paths" ?  What paths?  
Please provide enough information that another developer can know what 
code to start examining.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-08-09 11:43:08 PDT
Does bug 390888 need to be fixed before this bug is fixed? 
That is, does bug 390888 block this bug?

Or does this bug need to be fixed first?  
Does this bug block 390888?
Comment 3 Steve Parkinson 2007-08-09 11:55:19 PDT
An example is a path which chains to a root which violates the basic constraints path length.

In this case, pkix_CertSelector_DefaultMatch() will fail, and pkix_Build_GatherCerts() will return an empty list, because no cert matches the requirements. There is no ValidateNode created in this case.
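
A simplified model of the failure mode described in Comment 3, added here as an example; it is not libpkix code and not part of the original thread. All type and function names (`selector_match`, `gather_certs`, `diag_tree`, and so on) and the sample root are hypothetical. It shows a gather step that returns an empty list with no diagnostic record, next to the same step recording why the candidate was rejected.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not libpkix code: every name below is hypothetical. */
typedef struct { const char *subject; int is_ca; int path_len; } cert; /* path_len -1 = no limit */
typedef enum { MATCH = 0, NOT_CA, PATH_LEN_EXCEEDED } reason;

/* One record per rejected candidate; stands in for a validate node. */
typedef struct { const char *subject; reason why; } diag_node;
typedef struct { diag_node nodes[8]; size_t count; } diag_tree;

/* Selector: may this cert sit above `ca_below` intermediate CA certs? */
static reason selector_match(const cert *c, int ca_below) {
    if (!c->is_ca) return NOT_CA;
    if (c->path_len >= 0 && c->path_len < ca_below) return PATH_LEN_EXCEEDED;
    return MATCH;
}

/* Collect matching issuers. With tree == NULL a rejected cert disappears
 * silently (the reported behaviour); otherwise the reason is recorded. */
static size_t gather_certs(const cert *cands, size_t n, int ca_below,
                           const cert **out, diag_tree *tree) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        reason r = selector_match(&cands[i], ca_below);
        if (r == MATCH) { out[found++] = &cands[i]; continue; }
        if (tree && tree->count < 8) {
            tree->nodes[tree->count].subject = cands[i].subject;
            tree->nodes[tree->count++].why = r;
        }
    }
    return found;
}

/* Constructed sample: a root with pathLen 0 asked to anchor a chain that
 * has one intermediate CA beneath it. Returns the number of matches. */
size_t run_sample(diag_tree *tree) {
    static const cert roots[] = { { "CN=Example Root (constructed)", 1, 0 } };
    const cert *out[1];
    return gather_certs(roots, 1, 1, out, tree);
}

int main(void) {
    diag_tree t = { .count = 0 };
    size_t silent = run_sample(NULL), recorded = run_sample(&t);
    printf("silent: %zu matches, no failure reason available\n", silent);
    printf("recorded: %zu matches, %zu node(s), reason code %d\n",
           recorded, t.count, (int)t.nodes[0].why);
    return 0;
}
```

In both calls the caller sees zero matching certs; only the second leaves a record that distinguishes a path length violation from "no issuer found".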

Comment 4 Nelson Bolyard (seldom reads bugmail) 2008-06-06 15:11:42 PDT
This may be fixed.
We need a test case.
Comment 5 Alexei Volkov 2008-11-03 18:35:02 PST
This bug is fixed. Closing.
