Bug 406647 - libpkix does not use user defined revocation checkers
Status: RESOLVED FIXED
PKIX
Product: NSS
Classification: Components
Component: Libraries
Version: 3.12
Platform: All All
Importance: P2 normal
Target Milestone: 3.12
Assigned To: Alexei Volkov
Reported: 2007-12-03 14:37 PST by Alexei Volkov
Modified: 2007-12-06 13:55 PST

Attachments
Prepend use defined revChecker list. (2.31 KB, patch)
2007-12-03 14:37 PST, Alexei Volkov
nelson: review-
Patch v2. (2.45 KB, patch)
2007-12-06 11:42 PST, Alexei Volkov
nelson: review+

Description Alexei Volkov 2007-12-03 14:37:43 PST
Created attachment 291300
Prepend use defined revChecker list.

pkix_Build_ValidationCheckers (pkix_build.c) does not use the revocation checker list defined by the user. Instead, it recreates the list and adds (if the revCheckDelayed flag is set) only one checker called "DefaultRevChecker".
Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-12-03 17:02:05 PST
Comment on attachment 291300
Prepend use defined revChecker list.

Alexei, If I understand it correctly, this patch will have 
the effect that each call to this function will modify the 
list of revCheckers that has previously been attached to the 
procParams, by appending the "default rev checker" to it.

Should we instead make a copy of the procParam's list of 
revCheckers, and append the default revchecker to that copy?

Can a caller save and re-use the list of revCheckers in 
multiple subsequent (or concurrent) calls?

If so, the list of revcheckers will grow with each call.  
If the procParam's list of revCheckers CANNOT be (re)used 
in multiple calls, either sequentially or concurrently, 
then this is not a problem.
Comment 2 Alexei Volkov 2007-12-04 09:54:08 PST
I was taking into consideration only two cases of PKIX API usage: CERT_PKIXVerifyCert and cert_VerifyCertChainPkix. Both of them create new processing parameters, which implies use of a new revChecker list.

For the general case it would be cleaner to copy members of the revocation list into the state revocation list, or at least duplicate the first.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2007-12-04 13:56:33 PST
Comment on attachment 291300
Prepend use defined revChecker list.

> For the general case it would be cleaner to copy members of the revocation list
> into the state revocation list

Yes, please do that.
Comment 4 Alexei Volkov 2007-12-06 11:42:29 PST
Created attachment 291917
Patch v2.

Duplicating the list before using it in forward build state.
Comment 5 Nelson Bolyard (seldom reads bugmail) 2007-12-06 13:40:05 PST
Comment on attachment 291917
Patch v2.

r=nelson
Comment 6 Alexei Volkov 2007-12-06 13:55:17 PST
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v  <--  pkix_build.c
new revision: 1.15; previous revision: 1.14
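
The list-growth concern raised in comment 1 and the copy-before-append approach agreed in comments 3 and 4, as an added example that is not NSS code and not taken from either attachment. `CheckerList`, `ProcParams`, `build_in_place`, `build_with_copy` and `reuse_params` are hypothetical stand-ins, and "UserCrlChecker" is a constructed sample name.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_CHECKERS 8

/* Hypothetical stand-in for a list of revocation checkers. */
typedef struct {
    const char *names[MAX_CHECKERS];
    size_t count;
} CheckerList;

/* Hypothetical stand-in for caller-owned processing parameters. */
typedef struct { CheckerList revCheckers; } ProcParams;

static int append(CheckerList *l, const char *name) {
    if (l->count >= MAX_CHECKERS) return -1;      /* list full */
    l->names[l->count++] = name;
    return 0;
}

/* In-place variant (the concern in comment 1): the default checker is
 * appended to the list still attached to the caller's parameters. */
size_t build_in_place(ProcParams *p) {
    append(&p->revCheckers, "DefaultRevChecker");
    return p->revCheckers.count;                  /* checkers this build sees */
}

/* Copying variant (comments 3 and 4): duplicate the list into per-build
 * state and append the default checker to the duplicate only. */
size_t build_with_copy(const ProcParams *p) {
    CheckerList state = p->revCheckers;           /* struct assignment copies the array */
    append(&state, "DefaultRevChecker");
    return state.count;
}

/* Run `calls` builds on one reused ProcParams (constructed sample data) and
 * return how many checkers remain attached to the caller's parameters. */
size_t reuse_params(size_t calls, int copy) {
    ProcParams p = { { { "UserCrlChecker" }, 1 } };
    for (size_t i = 0; i < calls; i++) {
        if (copy) build_with_copy(&p); else build_in_place(&p);
    }
    return p.revCheckers.count;
}

int main(void) {
    printf("in place: %zu, with copy: %zu\n", reuse_params(3, 0), reuse_params(3, 1));
    return 0;
}
```

With reused parameters the in-place variant leaves one extra default checker attached per call, while the copying variant leaves the caller's list at its original length.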