vfychain -o succeeds even if -pp is not specified

RESOLVED FIXED in 3.12.1

Status

NSS
Tools
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Julien Pierre, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIXTEST)

Attachments

(1 attachment)

3.60 KB, patch
Nelson Bolyard (seldom reads bugmail)
: review+
Details | Diff | Splinter Review
(Reporter)

Description

9 years ago
The -o option is used to pass in a specific policy OID that we want to check against the chain. The --p option is used to invoke the new PKIX API.

If --p is omitted, CERT_VerifyCertificate is invoked, and the policy OID is actually ignored, making it seem like the verification succeeded. This is not the case. The -o without --p combination should always fail, preferably with a usage error.
The -p option (one dash) has different meaning depending on whether it occurs
one time or more than one time (e.g. -pp) in the command line.  

One time, it has the same effect as the NSS_ENABLE_PKIX_VERIFY envariable.
It causes vfychain to call CERT_SetUsePKIXForValidation(true);
vfychain then still uses the old API, but the underlying code uses libPKIX.

two times (-pp) causes vfychain to call the new CERT_PKIXVerifyCert API.
(Reporter)

Comment 2

9 years ago
Yes. The -o / 1 -p combination should fail too, just like the -o / 0 -p combination. -o should only work with --p, since only CERT_PKIXVerifyCert can verify chains with specific policies.
Julien, I think you mean -pp when you type --p, yes?
Summary: vfychain -o succeeds even if --p is not specified → vfychain -o succeeds even if -pp is not specified
(Reporter)

Comment 4

9 years ago
Oops. Yes, you are right.
BTW, the same problem occurs with -t.  
The -t option is meaningless without -pp, but the test program doesn't
compain about it.
Whiteboard: PKIXTEST
(Assignee)

Comment 6

9 years ago
Created attachment 320276 [details] [diff] [review]
Check for options

Check that -pp is asserted for -t and -o options. Add description for -t flag.
Attachment #320276 - Flags: review?(nelson)
Comment on attachment 320276 [details] [diff] [review]
Check for options

A few cosmetic issues need to be fixed, then r+.

>-	"\t-f \t\tenable cert ferching from AIA URL\n"
>+	"\t-f \t\t Enable cert ferching from AIA URL\n"

s/ferching/fetching/   :)

>+        "\t-t\t\t Following cert is explicetly trusted(overrides db trust).\n"

s/explicet/explicit/    and put a space before '('      ^

>-	"\t-w password\t Database password\n",
>+            "\t-w password\t Database password.\n",

On this line, you replaced the one leading tab character with 12 spaces.
Please go back to one tab.

>+        if (trusted) {
>+            fprintf(stderr, "Cert trust flag can be used only with"
>+                    " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/

>@@ -372,6 +387,11 @@ breakout:
> 	case 'r' : isAscii  = PR_FALSE;                       break;
> 	case 't' : trusted  = PR_TRUE;                       break;
> 	case  0  : /* positional parameter */
>+            if (usePkix < 2 && trusted) {
>+                fprintf(stderr, "Cert trust flag can be used only with"
>+                        " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/
Attachment #320276 - Flags: review?(nelson) → review+
(Assignee)

Comment 8

9 years ago
checked in.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.