add sustaining asserts

RESOLVED FIXED in 3.12.1

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Julien Pierre, Assigned: Julien Pierre)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
Normally as a rule, we try to only assert on coding errors, not bad external data. I feel however that there are some exceptions for certain particularly egregious errors, in the case of reused issuer and serial number. Often with some products, the errors are not properly reported all the way to the end user. And we can spend a lot of time debugging this kind of problem for no good reason.
I have attached a patch that is #ifdef'ed just for me. But if you agree, I would prefer to have that without ifdef.
(Assignee)

Updated

9 years ago
Priority: -- → P2
Target Milestone: --- → 3.12.1
(Assignee)

Comment 1

9 years ago
Created attachment 317835 [details] [diff] [review]
assert on SEC_ERROR_REUSED_ISSUER_AND_SERIAL_NUMBER

Nelson,

Please let me know also if you are in favor of having this non-ifdef'ed.
Attachment #317835 - Flags: review?(nelson)
Comment on attachment 317835 [details] [diff] [review]
assert on SEC_ERROR_REUSED_ISSUER_AND_SERIAL_NUMBER

Julien, I'm sure it would not be appropriate to put that assertion into
Mozilla browsers.  Personally, I would not want to encounter it in NSS tools, 
either.  So, I do not favor putting THIS assertion in unconditionally,
but I'm not opposed to it in its present ifdef'ed form.

Is there some particular product or family of products you have in mind
that fails to report this error?  
Can we detect that NSS is being used by those products?
Attachment #317835 - Flags: review?(nelson) → review+
(Assignee)

Comment 3

9 years ago
Nelson,

Our own pk12util still fails to report proper errors. Somebody sent me a p12 file with 2 certs with same issuer & serial in it. All I got was a generic error, and I had to trace the code to figure it out.

I suspect mozilla PKCS#12 import would do the same.

I thought about surrounding this with a getenv, but I think that would be way too expensive given how common PORT_SetError is.
In reply to comment 3, please file a bug against our PKCS#12 code about this.
I'd suggest filing it against the utility first, and then that can be changed
to be against the library in case it is found to be the fault of the library
code.
(Assignee)

Comment 5

9 years ago
Nelson,

I already did, over 7 years ago. See bug 72290 .
(Assignee)

Comment 6

9 years ago
Checking in secport.c;
/cvsroot/mozilla/security/nss/lib/util/secport.c,v  <--  secport.c
new revision: 1.22; previous revision: 1.21
done
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.