Open
Bug 464834
Opened 16 years ago
Updated 2 years ago
Can't set both CA and Peer trust flags any more!
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
NEW
People
(Reporter: nelson, Unassigned)
Details
Before project stan, the "CA" trust flags and the "peer" trust flags were independent. You could mark a cert as trusted to be an SSL CA, or trusted to be an SSL peer or both (or neither). You could mark a cert as trusted as a peer and valid as a CA, or trusted as a CA and valid as a peer.

Evidently, that cannot be done any more. If you attempt to mark a cert with both the P and C trust flags, you only get C, not both. A cert can now have trust as a peer OR trust as a CA, but not both. :( This is keeping signtool from working with certs that use trust flags as overrides.

The problem seems to be in functions STAN_ChangeCertTrust and get_stan_trust (and probably also in related functions). Function get_stan_trust tries to map the old NSS 3.x trust flags into values from an enumerated type. The mapping appears (to me) to be (in this order):

TRUSTED_CA -> nssTrustLevel_TrustedDelegator
TRUSTED (PEER) -> nssTrustLevel_Trusted
VALID_CA -> nssTrustLevel_ValidDelegator
VALID_PEER -> nssTrustLevel_Valid

The code checks the bits on the left in that order (top to bottom) and at the first match, it sets the stan trust to the corresponding value on the right and then stops. Although the 4 values on the left are independent bits, the 4 values on the right are an enumeration. A cert cannot have more than one of the nssTrustLevel values.

This is really broken. Once again, I'm stunned that we went this long without finding this problem before now.
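The first-match-wins mapping described in the report, reproduced as a stand-alone C model so the loss can be seen on every flag combination. This is an added illustration, not NSS code: the FLAG_* bit positions, the trust_level enumeration and the function names are this example's own choices, modelled on the four flags and four nssTrustLevel values the report names.

```c
#include <stdio.h>

/* Illustrative trust bits, modelled on the four NSS 3.x flags the report
 * names. Bit positions are this example's choice, not NSS's values. */
enum {
    FLAG_VALID_PEER = 1u << 0,
    FLAG_TRUSTED    = 1u << 1,  /* trusted as a peer ("P") */
    FLAG_VALID_CA   = 1u << 2,
    FLAG_TRUSTED_CA = 1u << 3   /* trusted as a CA ("C") */
};

/* Single-valued trust level, modelled on the nssTrustLevel enumeration. */
typedef enum {
    LEVEL_UNKNOWN = 0,
    LEVEL_VALID,
    LEVEL_VALID_DELEGATOR,
    LEVEL_TRUSTED,
    LEVEL_TRUSTED_DELEGATOR
} trust_level;

/* Mirrors the mapping the report describes: bits are tested in a fixed
 * order and the first hit decides the level; the remaining bits are ignored. */
trust_level flags_to_level(unsigned flags) {
    if (flags & FLAG_TRUSTED_CA) return LEVEL_TRUSTED_DELEGATOR;
    if (flags & FLAG_TRUSTED)    return LEVEL_TRUSTED;
    if (flags & FLAG_VALID_CA)   return LEVEL_VALID_DELEGATOR;
    if (flags & FLAG_VALID_PEER) return LEVEL_VALID;
    return LEVEL_UNKNOWN;
}

/* Inverse direction: one level can name at most one flag, which is why
 * independent bits cannot come back out. */
unsigned level_to_flags(trust_level level) {
    switch (level) {
    case LEVEL_TRUSTED_DELEGATOR: return FLAG_TRUSTED_CA;
    case LEVEL_TRUSTED:           return FLAG_TRUSTED;
    case LEVEL_VALID_DELEGATOR:   return FLAG_VALID_CA;
    case LEVEL_VALID:             return FLAG_VALID_PEER;
    default:                      return 0;
    }
}

/* Flags that survive a round trip through the enumeration. */
unsigned roundtrip(unsigned flags) {
    return level_to_flags(flags_to_level(flags));
}

/* 1 when no trust bit is lost on the round trip, 0 otherwise. */
int roundtrip_is_lossless(unsigned flags) {
    return roundtrip(flags) == flags;
}

/* How many of the 16 flag combinations the enumeration can represent. */
int count_lossless_combinations(void) {
    int n = 0;
    for (unsigned f = 0; f < 16; f++)
        if (roundtrip_is_lossless(f)) n++;
    return n;
}

int main(void) {
    printf("flags  -> level -> flags  lossless\n");
    for (unsigned f = 0; f < 16; f++)
        printf("0x%x    -> %d     -> 0x%x    %s\n",
               f, flags_to_level(f), roundtrip(f),
               roundtrip_is_lossless(f) ? "yes" : "NO");
    printf("%d of 16 combinations survive\n", count_lossless_combinations());
    return 0;
}
```

Running it shows the P+C case from the report: FLAG_TRUSTED_CA | FLAG_TRUSTED becomes LEVEL_TRUSTED_DELEGATOR and comes back as FLAG_TRUSTED_CA alone. Only the empty set and the four single-bit values survive; every combination of two or more bits is collapsed to whichever bit is tested first.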
Comment 1•2 years ago
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: major → --
Updated•2 years ago
Severity: -- → S3
Priority: -- → P5