CERT_PKIXVerifyCert never succeeds

RESOLVED FIXED in 3.12

Status

NSS
Libraries
P1
major
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX NSS312B1)

Attachments

(1 attachment)

(Assignee)

Description

10 years ago
When attempting to verify Paypal's cert for EV, I was calling PKIX_VerifyCert.

Even when called with minimal options, the function returned a verification failure.

It turns out the implementation of PKIX_VerifyCert missed to pass on the requested usage to the context object... What an obvious and unnecessary mistake. It took me 1.5 days of tracing through libpkix internals to understand where this failed.
(Assignee)

Updated

10 years ago
Assignee: nobody → kengert
(Assignee)

Comment 1

10 years ago
Created attachment 288549 [details] [diff] [review]
Patch v1
Attachment #288549 - Flags: review?(rrelyea)
Severity: normal → major
Priority: -- → P1
Whiteboard: PKIX NSS312B1
Target Milestone: --- → 3.12

Comment 2

10 years ago
Comment on attachment 288549 [details] [diff] [review]
Patch v1

r=alexei
Attachment #288549 - Flags: review?(rrelyea) → review+
(Assignee)

Updated

10 years ago
Summary: PKIX_VerifyCert never succeeds → CERT_PKIXVerifyCert never succeeds
(Assignee)

Comment 3

10 years ago
fixed
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
> What an obvious and unnecessary mistake. 

As opposed to a necessary mistake?  :)
(Assignee)

Comment 5

10 years ago
(In reply to comment #4)
> > What an obvious and unnecessary mistake. 
> 
> As opposed to a necessary mistake?  :)

It was obvious that this function must care for the usage parameter, which we changed in the design phase to be an always-required parameter. It frustrated me to see it got silently ignored and that I wasted so much time to finding this . Sorry for ranting, I felt better afterwards :-)
I'm making mistakes, too, so I'll shut up now :-)

You need to log in before you can comment on or make changes to this bug.