Bug 403682 - CERT_PKIXVerifyCert never succeeds
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P1 major
Target Milestone: 3.12
Assigned To: Kai Engert (:kaie)
Blocks: evtracker
Reported: 2007-11-13 13:52 PST by Kai Engert (:kaie)
Modified: 2007-11-16 15:40 PST

Patch v1 (775 bytes, patch)
2007-11-13 13:54 PST, Kai Engert (:kaie)
alvolkov.bgs: review+

Description Kai Engert (:kaie) 2007-11-13 13:52:49 PST
When attempting to verify PayPal's cert for EV, I was calling PKIX_VerifyCert.

Even when called with minimal options, the function returned a verification failure.

It turns out the implementation of PKIX_VerifyCert failed to pass on the requested usage to the context object... What an obvious and unnecessary mistake. It took me 1.5 days of tracing through libpkix internals to understand where this failed.
Comment 1 Kai Engert (:kaie) 2007-11-13 13:54:40 PST
Created attachment 288549
Patch v1
Comment 2 Alexei Volkov 2007-11-14 09:30:25 PST
Comment on attachment 288549
Patch v1

Comment 3 Kai Engert (:kaie) 2007-11-16 05:39:57 PST
Comment 4 Nelson Bolyard (seldom reads bugmail) 2007-11-16 11:24:38 PST
> What an obvious and unnecessary mistake. 

As opposed to a necessary mistake?  :)
Comment 5 Kai Engert (:kaie) 2007-11-16 15:40:35 PST
(In reply to comment #4)
> > What an obvious and unnecessary mistake. 
> As opposed to a necessary mistake?  :)

It was obvious that this function must care for the usage parameter, which we changed in the design phase to be an always-required parameter. It frustrated me to see it got silently ignored and that I wasted so much time finding this. Sorry for ranting, I felt better afterwards :-)
I'm making mistakes, too, so I'll shut up now :-)
