libpkix does not use user defined revocation checkers

RESOLVED FIXED in 3.12

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Alexei Volkov, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

Attachments

(1 attachment, 1 obsolete attachment)

2.45 KB, patch
Nelson Bolyard (seldom reads bugmail)
: review+
(Assignee)

Description

10 years ago
Created attachment 291300
Prepend user defined revChecker list.

pkix_Build_ValidationCheckers (pkix_build.c) does not use the revocation checker list defined by the user. Instead, it recreates the list and adds (if the revCheckDelayed flag is set) only one checker, called "DefaultRevChecker".
Attachment #291300 - Flags: review?(nelson)
(Assignee)

Updated

10 years ago
Priority: -- → P2
Whiteboard: PKIX
Comment on attachment 291300
Prepend user defined revChecker list.

Alexei, if I understand it correctly, this patch will have
the effect that each call to this function will modify the 
list of revCheckers that has previously been attached to the 
procParams, by appending the "default rev checker" to it.

Should we instead make a copy of the procParam's list of 
revCheckers, and append the default revchecker to that copy?

Can a caller save and re-use the list of revCheckers in
multiple subsequent (or concurrent) calls?

If so, the list of revcheckers will grow with each call.  
If the procParam's list of revCheckers CANNOT be (re)used 
in multiple calls, either sequentially or concurrently, 
then this is not a problem.
(Assignee)

Comment 2

10 years ago
I was taking into consideration only two cases of PKIX API usage: CERT_PKIXVerifyCert and cert_VerifyCertChainPkix. Both of them create new processing parameters, which implies use of a new revChecker list.

For the general case it would be cleaner to copy members of the revocation list into the state revocation list, or at least duplicate the first.
(Assignee)

Updated

10 years ago
Attachment #291300 - Flags: review?(nelson)
Comment on attachment 291300
Prepend user defined revChecker list.

> For the general case it would be cleaner to copy members of the revocation list
> into the state revocation list

Yes, please do that.
Attachment #291300 - Flags: review-
(Assignee)

Comment 4

10 years ago
Created attachment 291917
Patch v2.

Duplicating the list before using it in forward build state.
Attachment #291300 - Attachment is obsolete: true
Attachment #291917 - Flags: review?(nelson)
Comment on attachment 291917
Patch v2.

r=nelson
Attachment #291917 - Flags: review?(nelson) → review+
(Assignee)

Comment 6

10 years ago
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v  <--  pkix_build.c
new revision: 1.15; previous revision: 1.14
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
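
The three behaviours discussed in this bug, as an added example that is not NSS code and not taken from either attachment: the reported behaviour (the user's checkers never reach the build state), the review concern (the caller's list grows on every build), and the copy-first approach agreed in review. `CheckerList`, `ProcParams`, the `build_*` functions and the checker name `UserCrlChecker` are hypothetical stand-ins for the libpkix structures.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHECKERS 16
/* Hypothetical stand-ins for illustration; these are not libpkix types. */
typedef struct { const char *names[MAX_CHECKERS]; size_t count; } CheckerList;
typedef struct { CheckerList revCheckers; /* caller-owned */ } ProcParams;

static void list_append(CheckerList *l, const char *name) {
    if (l->count < MAX_CHECKERS) l->names[l->count++] = name;
}

/* Reported behaviour: the build state gets a fresh list, so the
 * checkers the caller configured never run. */
static size_t build_ignoring_user(const ProcParams *p, int revCheckDelayed,
                                  CheckerList *state) {
    (void)p;
    state->count = 0;
    if (revCheckDelayed) list_append(state, "DefaultRevChecker");
    return state->count;
}

/* Review concern: the state aliases the caller's list, so every
 * build appends another default checker to procParams. */
static size_t build_aliasing(ProcParams *p, int revCheckDelayed) {
    if (revCheckDelayed) list_append(&p->revCheckers, "DefaultRevChecker");
    return p->revCheckers.count;
}

/* Approach agreed in review: duplicate the caller's list into the
 * state, then append to the copy only. */
static size_t build_copying(const ProcParams *p, int revCheckDelayed,
                            CheckerList *state) {
    *state = p->revCheckers;  /* copies the list; entries are shared */
    if (revCheckDelayed) list_append(state, "DefaultRevChecker");
    return state->count;
}

int main(void) {
    ProcParams params = { { { "UserCrlChecker" }, 1 } };  /* constructed sample */
    CheckerList state;
    printf("ignoring: %zu checker(s) in state\n",
           build_ignoring_user(&params, 1, &state));
    for (int i = 0; i < 3; i++) build_copying(&params, 1, &state);
    printf("copying:  caller %zu, state %zu\n", params.revCheckers.count, state.count);
    for (int i = 0; i < 3; i++) build_aliasing(&params, 1);
    printf("aliasing: caller %zu after 3 builds\n", params.revCheckers.count);
    return 0;
}
```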