Bug 430369 - vfychain -o succeeds even if -pp is not specified
Status: Closed, RESOLVED FIXED (3.12.1)
Opened 17 years ago; closed 17 years ago
Product/Component: NSS :: Tools, defect; not tracked
Reporter: julien.pierre; Assigned: alvolkov.bgs
Whiteboard: PKIXTEST
Attachments (1 file): 3.60 KB, patch; nelson: review+
Description
The -o option is used to pass in a specific policy OID that we want to check against the chain. The --p option is used to invoke the new PKIX API.
If --p is omitted, CERT_VerifyCertificate is invoked, and the policy OID is actually ignored, making it seem like the verification succeeded. This is not the case. The -o without --p combination should always fail, preferably with a usage error.
Comment 1 • 17 years ago
The -p option (one dash) has different meaning depending on whether it occurs one time or more than one time (e.g. -pp) in the command line.
One time, it has the same effect as the NSS_ENABLE_PKIX_VERIFY envariable. It causes vfychain to call CERT_SetUsePKIXForValidation(true); vfychain then still uses the old API, but the underlying code uses libPKIX.
Two times (-pp) causes vfychain to call the new CERT_PKIXVerifyCert API.
Comment 2 • 17 years ago (Reporter)
Yes. The -o / 1 -p combination should fail too, just like the -o / 0 -p combination. -o should only work with --p, since only CERT_PKIXVerifyCert can verify chains with specific policies.
Comment 3 • 17 years ago
Julien, I think you mean -pp when you type --p, yes?
Summary: vfychain -o succeeds even if --p is not specified → vfychain -o succeeds even if -pp is not specified
Comment 4 • 17 years ago (Reporter)
Oops. Yes, you are right.
Comment 5 • 17 years ago
BTW, the same problem occurs with -t.
The -t option is meaningless without -pp, but the test program doesn't complain about it.
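The guard the bug and comment 5 ask for, written out as an added example (this is my own illustration, not vfychain's source or the attached patch): a small argument pass that counts -p occurrences the way vfychain does, and turns -o or -t without -pp into a usage error instead of a silent "success" from the old API. The option letters are vfychain's; the function name `vfy_parse_args`, the `vfy_opts` struct, the `VFY_*` codes and the sample OID `1.2.3.4.5` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Outcome codes; the names are this example's, not vfychain's. */
enum { VFY_OK = 0, VFY_USAGE_ERROR = 1 };

/* Parsed state, mirroring the variables the fix tests (usePkix, trusted). */
struct vfy_opts {
    int usePkix;           /* 0: CERT_VerifyCertificate, 1: old API with libPKIX
                              underneath (-p), 2: CERT_PKIXVerifyCert (-pp) */
    int trusted;           /* -t seen: following cert is explicitly trusted */
    const char *policyOid; /* -o argument, or NULL */
    int ncerts;            /* positional certificate arguments */
};

/* Parse argv[1..argc-1] into *o. Returns VFY_OK, or VFY_USAGE_ERROR after
 * printing a diagnostic, which is what the bug asks for when -o or -t
 * appears without -pp. The check runs once, after all arguments are read,
 * so it does not depend on where -pp sits relative to the cert names. */
int vfy_parse_args(int argc, char **argv, struct vfy_opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0') {      /* positional: a cert file */
            o->ncerts++;
            continue;
        }
        if (strcmp(a, "-o") == 0) {             /* -o takes the next argument */
            if (i + 1 >= argc) {
                fprintf(stderr, "vfychain: -o requires a policy OID\n");
                return VFY_USAGE_ERROR;
            }
            o->policyOid = argv[++i];
            continue;
        }
        for (const char *c = a + 1; *c != '\0'; c++) {  /* clustered flags, e.g. -pp */
            switch (*c) {
            case 'p': o->usePkix++;   break;    /* counted: -p once, -pp twice */
            case 't': o->trusted = 1; break;
            default:
                fprintf(stderr, "vfychain: unknown option -%c\n", *c);
                return VFY_USAGE_ERROR;
            }
        }
    }
    /* Only the CERT_PKIXVerifyCert path (-pp) can honour a policy OID or an
     * explicit trust flag; with fewer -p's the old API ignores the OID and
     * -t is meaningless, so both must be rejected up front. */
    if (o->usePkix < 2 && o->policyOid != NULL) {
        fprintf(stderr, "vfychain: -o can be used only with CERT_PKIXVerifyCert (-pp)\n");
        return VFY_USAGE_ERROR;
    }
    if (o->usePkix < 2 && o->trusted) {
        fprintf(stderr, "vfychain: -t can be used only with CERT_PKIXVerifyCert (-pp)\n");
        return VFY_USAGE_ERROR;
    }
    if (o->ncerts == 0) {
        fprintf(stderr, "vfychain: no certificate given\n");
        return VFY_USAGE_ERROR;
    }
    return VFY_OK;
}

/* Stand-alone driver: report how the given command line would be dispatched. */
int main(int argc, char **argv)
{
    struct vfy_opts o;
    if (vfy_parse_args(argc, argv, &o) != VFY_OK)
        return 2;
    printf("usePkix=%d trusted=%d policyOid=%s certs=%d\n",
           o.usePkix, o.trusted, o.policyOid ? o.policyOid : "(none)", o.ncerts);
    return 0;
}
```

Running it as `./vfy -p -o 1.2.3.4.5 leaf.der` exits with status 2 and the -o diagnostic, while `./vfy -pp -o 1.2.3.4.5 ca.der leaf.der` is accepted; placing the check after the whole argv has been read is what keeps `-t ca.der -pp leaf.der` from being rejected prematurely.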
Updated • 17 years ago
Whiteboard: PKIXTEST
Comment 6 • 17 years ago (Assignee)
Check that -pp is asserted for -t and -o options. Add description for -t flag.
Attachment #320276 - Flags: review?(nelson)
Comment 7 • 17 years ago
Comment on attachment 320276 (Check for options)
A few cosmetic issues need to be fixed, then r+.
>- "\t-f \t\tenable cert ferching from AIA URL\n"
>+ "\t-f \t\t Enable cert ferching from AIA URL\n"
s/ferching/fetching/ :)
>+ "\t-t\t\t Following cert is explicetly trusted(overrides db trust).\n"
s/explicet/explicit/ and put a space before '(' ^
>- "\t-w password\t Database password\n",
>+ "\t-w password\t Database password.\n",
On this line, you replaced the one leading tab character with 12 spaces.
Please go back to one tab.
>+ if (trusted) {
>+ fprintf(stderr, "Cert trust flag can be used only with"
>+ " CERT_PKIXVerifyChain(-pp) fucntion.\n");
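Review bot: the condition `if (trusted)` in this hunk carries no `usePkix < 2` guard, unlike the check in the positional-parameter hunk further down; unless this block is already nested under a test that -pp was not given, it rejects -t even when the -pp path is in use. The message also names CERT_PKIXVerifyChain, whereas the API that -pp selects (comment 1) is CERT_PKIXVerifyCert; since the same string is repeated in the next hunk, a single shared message such as `"-t can be used only with CERT_PKIXVerifyCert (-pp)\n"` would keep both copies consistent.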
s/fucntion/function/
>@@ -372,6 +387,11 @@ breakout:
> case 'r' : isAscii = PR_FALSE; break;
> case 't' : trusted = PR_TRUE; break;
> case 0 : /* positional parameter */
>+ if (usePkix < 2 && trusted) {
>+ fprintf(stderr, "Cert trust flag can be used only with"
>+ " CERT_PKIXVerifyChain(-pp) fucntion.\n");
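Review bot: placing the `usePkix < 2 && trusted` check under `case 0` makes it fire on each positional parameter with whatever options have been parsed so far, so an argv that puts -pp after the first cert name (e.g. -t ca.der -pp leaf.der) is rejected even though -pp is present; a single check after option parsing completes would be order-independent. The hunk shown covers only -t; the bug as filed is about -o, so the corresponding -o guard should be confirmed to exist and, per the summary, to fail with a usage error. As with the earlier hunk, the message should name CERT_PKIXVerifyCert rather than CERT_PKIXVerifyChain.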
s/fucntion/function/
Attachment #320276 - Flags: review?(nelson) → review+
Comment 8 • 17 years ago (Assignee)
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED