Bug 403543 - pkix: need a way to enable/disable AIA cert fetching
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P2 normal
Target Milestone: 3.12.1
Assigned To: Alexei Volkov
Reported: 2007-11-12 15:03 PST by Alexei Volkov
Modified: 2009-05-21 21:32 PDT

Attachments:
Patch v1 (11.66 KB, patch) - 2008-04-09 15:23 PDT, Alexei Volkov - nelson: review+
Document when cert_pi_useAIACertFetch was added (1.31 KB, patch) - 2009-05-20 17:47 PDT, Wan-Teh Chang - alvolkov.bgs: review+

Description Alexei Volkov 2007-11-12 15:03:35 PST
A user may not want to use the AIA cert extension to fetch issuer certs from the net, and thus rely only on the set of certs in the local database.

New libpkix API (tracking bug 294531) should support transferring this additional argument into libpkix.
Comment 1 Alexei Volkov 2008-04-09 15:23:19 PDT
Created attachment 314708
Patch v1

The patch sets AIA cert fetching off by default. It also modifies the library so that it can be switched on at the user's request. The patch also changes the vfychain code to support the new feature.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2008-04-10 15:33:31 PDT
Comment on attachment 314708
Patch v1

r=Nelson, with one change shown below.
I'm not sure if this can be checked in now, or if we consider the tree to be "frozen" at this time.

>+        case cert_pi_useAIACertFetch:
>+            if (param->value.scalar.b) {
>+                error =
>+                    PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                                                                   PKIX_TRUE,
>+                                                                   plContext);
>+            }
>+            break;
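Review bot: the `if (param->value.scalar.b)` guard skips the setter whenever the scalar is zero, so this case can turn AIA fetching on but never off, and on that path `error` is not assigned by the case at all. Call PKIX_ProcessingParams_SetUseAIAForCertFetching unconditionally with `(PRBool)(param->value.scalar.b != 0)` so both values are honoured and `error` is set on every path through the case.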

This lets the caller enable it, but not disable it.  I suggest instead this:

>+        case cert_pi_useAIACertFetch:
>+            error = PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                             (PRBool)(param->value.scalar.b != 0), plContext);
>+            break;
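To make the review point concrete, here is an added C model (not NSS code; the types are stand-ins for certt.h's CERTValInParam and libpkix's PKIX_ProcessingParams, and the hypothetical helper aia_after builds a one-entry parameter list) that runs a parameter list through both versions of the cert_pi_useAIACertFetch case and returns the resulting setting:

```c
/* Modelled stand-ins for the NSS/libpkix types in the quoted hunk; not the
 * real certt.h or pkix definitions, only enough to show the control flow. */
typedef int PRBool;
#define PR_TRUE  1
#define PR_FALSE 0

typedef enum { cert_pi_end, cert_pi_useAIACertFetch } CERTValParamInType;
typedef struct {
    CERTValParamInType type;
    struct { struct { PRBool b; } scalar; } value;
} CERTValInParam;
typedef struct { PRBool useAIAForCertFetching; } PKIX_ProcessingParams;

/* Stand-in for PKIX_ProcessingParams_SetUseAIAForCertFetching(). */
static void set_use_aia(PKIX_ProcessingParams *pp, PRBool on) { pp->useAIAForCertFetching = on; }

/* Walk a cert_pi_end-terminated list starting from the AIA setting that
 * procParams already holds (`initial`) and return the setting afterwards.
 * `fixed` selects patch v1 as posted (0) or the reviewed change (1). */
static PRBool apply_params(PRBool initial, const CERTValInParam *param, int fixed)
{
    PKIX_ProcessingParams procParams = { initial };
    for (; param->type != cert_pi_end; param++) {
        switch (param->type) {
        case cert_pi_useAIACertFetch:
            if (!fixed) {
                /* v1: a zero value never reaches the setter, so whatever
                 * procParams already held stays in place. */
                if (param->value.scalar.b)
                    set_use_aia(&procParams, PR_TRUE);
            } else {
                /* Reviewed change: always call the setter, mapping any
                 * nonzero scalar to PR_TRUE and zero to PR_FALSE. */
                set_use_aia(&procParams, (PRBool)(param->value.scalar.b != 0));
            }
            break;
        default:
            break;
        }
    }
    return procParams.useAIAForCertFetching;
}

/* Hypothetical helper: apply a single cert_pi_useAIACertFetch entry with value `b`. */
static PRBool aia_after(PRBool initial, int b, int fixed)
{
    CERTValInParam in[2] = { { cert_pi_useAIACertFetch, { { b } } },
                             { cert_pi_end, { { 0 } } } };
    return apply_params(initial, in, fixed);
}
```

With fetching already enabled in procParams, a zero value leaves the v1 version at PR_TRUE while the reviewed version returns PR_FALSE; any nonzero value yields PR_TRUE in both.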
Comment 3 Nelson Bolyard (seldom reads bugmail) 2008-04-18 12:32:21 PDT
The trunk is now unfrozen for 3.12.1 checkins.
The patch reviewed above can be checked in with the one change I suggested in comment 2.

I did a test today, to see if AIA cert fetching works in libPKIX.
I ran the vfyserv program twice, testing the cert of a server that is presently misconfigured (not sending out its intermediate CA certs).
I ran it once with the old cert lib, and once with libPKIX.
The old cert lib reported unknown issuer.
With libPKIX, vfyserv reported the server is correctly configured.
The commands I used were:


The output was:

+ vfyserv
Connecting to host (addr on port 443
CERT 0. :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

Connecting to host (addr on port 443
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:,,OU=UNICAS,O=GARR,C=IT
   issuer  DN:
 CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 472 bytes total.
Comment 4 Nelson Bolyard (seldom reads bugmail) 2008-06-11 12:09:26 PDT
Alexei, please check in this reviewed patch on the trunk ASAP,
and remove the term "awaiting checkin" from the status whiteboard.
Comment 5 Alexei Volkov 2008-06-12 14:21:03 PDT
The patch was checked in on 04/21/08. Closing the bug...
Comment 6 Wan-Teh Chang 2009-05-20 17:47:46 PDT
Created attachment 378747
Document when cert_pi_useAIACertFetch was added

This info is useful to people who develop NSS-based
apps on Ubuntu 8.04, a long-term support release,
because it's still using NSS, which doesn't
have the cert_pi_useAIACertFetch flag.
Comment 7 Wan-Teh Chang 2009-05-21 21:32:16 PDT
Comment on attachment 378747
Document when cert_pi_useAIACertFetch was added

I checked in this comment patch on the NSS trunk (NSS 3.12.4).

Checking in certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.51; previous revision: 1.50
