Last Comment Bug 430369 - vfychain -o succeeds even if -pp is not specified
: vfychain -o succeeds even if -pp is not specified
Status: RESOLVED FIXED
PKIXTEST
:
Product: NSS
Classification: Components
Component: Tools (show other bugs)
: trunk
: All All
: -- normal (vote)
: 3.12.1
Assigned To: Alexei Volkov
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-22 16:56 PDT by Julien Pierre
Modified: 2008-06-11 11:03 PDT (History)
0 users
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Check for options (3.60 KB, patch)
2008-05-09 14:28 PDT, Alexei Volkov
nelson: review+
Details | Diff | Review

Description Julien Pierre 2008-04-22 16:56:30 PDT
The -o option is used to pass in a specific policy OID that we want to check against the chain. The --p option is used to invoke the new PKIX API.

If --p is omitted, CERT_VerifyCertificate is invoked, and the policy OID is actually ignored, making it seem like the verification succeeded. This is not the case. The -o without --p combination should always fail, preferably with a usage error.
Comment 1 Nelson Bolyard (seldom reads bugmail) 2008-04-22 17:08:02 PDT
The -p option (one dash) has different meaning depending on whether it occurs
one time or more than one time (e.g. -pp) in the command line.  

One time, it has the same effect as the NSS_ENABLE_PKIX_VERIFY envariable.
It causes vfychain to call CERT_SetUsePKIXForValidation(true);
vfychain then still uses the old API, but the underlying code uses libPKIX.

two times (-pp) causes vfychain to call the new CERT_PKIXVerifyCert API.
Comment 2 Julien Pierre 2008-04-22 17:30:46 PDT
Yes. The -o / 1 -p combination should fail too, just like the -o / 0 -p combination. -o should only work with --p, since only CERT_PKIXVerifyCert can verify chains with specific policies.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2008-04-22 18:17:45 PDT
Julien, I think you mean -pp when you type --p, yes?
Comment 4 Julien Pierre 2008-04-22 18:20:31 PDT
Oops. Yes, you are right.
Comment 5 Nelson Bolyard (seldom reads bugmail) 2008-04-22 20:47:52 PDT
BTW, the same problem occurs with -t.  
The -t option is meaningless without -pp, but the test program doesn't
compain about it.
Comment 6 Alexei Volkov 2008-05-09 14:28:35 PDT
Created attachment 320276 [details] [diff] [review]
Check for options

Check that -pp is asserted for -t and -o options. Add description for -t flag.
Comment 7 Nelson Bolyard (seldom reads bugmail) 2008-05-15 20:50:45 PDT
Comment on attachment 320276 [details] [diff] [review]
Check for options

A few cosmetic issues need to be fixed, then r+.

>-	"\t-f \t\tenable cert ferching from AIA URL\n"
>+	"\t-f \t\t Enable cert ferching from AIA URL\n"

s/ferching/fetching/   :)

>+        "\t-t\t\t Following cert is explicetly trusted(overrides db trust).\n"

s/explicet/explicit/    and put a space before '('      ^

>-	"\t-w password\t Database password\n",
>+            "\t-w password\t Database password.\n",

On this line, you replaced the one leading tab character with 12 spaces.
Please go back to one tab.

>+        if (trusted) {
>+            fprintf(stderr, "Cert trust flag can be used only with"
>+                    " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/

>@@ -372,6 +387,11 @@ breakout:
> 	case 'r' : isAscii  = PR_FALSE;                       break;
> 	case 't' : trusted  = PR_TRUE;                       break;
> 	case  0  : /* positional parameter */
>+            if (usePkix < 2 && trusted) {
>+                fprintf(stderr, "Cert trust flag can be used only with"
>+                        " CERT_PKIXVerifyChain(-pp) fucntion.\n");

s/fucntion/function/
Comment 8 Alexei Volkov 2008-06-11 11:03:46 PDT
checked in.

Note You need to log in before you can comment on or make changes to this bug.