Open Bug 464834 Opened 16 years ago Updated 2 years ago

Can't set both CA and Peer trust flags any more!

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

People

(Reporter: nelson, Unassigned)

Details

Before project stan, the "CA" trust flags and the "peer" trust flags were
independent.  You could mark a cert as trusted to be an SSL CA, or trusted
to be an SSL peer or both (or neither).  You could mark a cert as trusted
as a peer and valid as a CA, or trusted as a CA and valid as a peer.

Evidently, that cannot be done any more.  If you attempt to mark a cert with 
both the P and C trust flags, you only get C, not both.  A cert can now have
trust as a peer OR trust as a CA, but not both.  :(

This is keeping signtool from working with certs that use trust flags as 
overrides.

The problem seems to be in functions STAN_ChangeCertTrust and get_stan_trust 
(and probably also in related functions).  Function get_stan_trust tries to 
map the old NSS 3.x trust flags into values from an enumerated type.  
The mapping appears (to me) to be (in this order):
  TRUSTED_CA     -> nssTrustLevel_TrustedDelegator
  TRUSTED (PEER) -> nssTrustLevel_Trusted
  VALID_CA       -> nssTrustLevel_ValidDelegator
  VALID_PEER     -> nssTrustLevel_Valid

The code checks the bits on the left in that order (top to bottom) and
at the first match, it sets the stan trust to the corresponding value 
on the right and then stops. 

Although the 4 values on the left are independent bits, the 4 values on 
the right are an enumeration.  A cert cannot have more than one of the 
nssTrustLevel values. 

This is really broken.  Once again, I'm stunned that we went this long 
without finding this problem before now.
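
The first-match mapping described in the report, as an added example that is not part of the original report and is not NSS source. The bit values, the `LEVEL_*` names (standing in for the `nssTrustLevel_*` values) and all function names are assumptions made for illustration.

```c
/* Added illustration, not NSS code. Flag bit values and LEVEL_* names are
 * assumed; they stand in for the trust flags and nssTrustLevel_* values. */
#include <stdio.h>

enum { VALID_PEER = 1u << 0, TRUSTED_PEER = 1u << 1,
       VALID_CA   = 1u << 2, TRUSTED_CA   = 1u << 3 };

typedef enum { LEVEL_Unknown, LEVEL_TrustedDelegator, LEVEL_Trusted,
               LEVEL_ValidDelegator, LEVEL_Valid } level_t;

/* Checks the bits top to bottom in the order listed in the report and
 * stops at the first match, so at most one bit influences the result. */
static level_t flags_to_level(unsigned flags)
{
    if (flags & TRUSTED_CA)   return LEVEL_TrustedDelegator;
    if (flags & TRUSTED_PEER) return LEVEL_Trusted;
    if (flags & VALID_CA)     return LEVEL_ValidDelegator;
    if (flags & VALID_PEER)   return LEVEL_Valid;
    return LEVEL_Unknown;
}

/* Reading the stored level back: a single enum value yields a single flag. */
static unsigned level_to_flags(level_t level)
{
    switch (level) {
    case LEVEL_TrustedDelegator: return TRUSTED_CA;
    case LEVEL_Trusted:          return TRUSTED_PEER;
    case LEVEL_ValidDelegator:   return VALID_CA;
    case LEVEL_Valid:            return VALID_PEER;
    default:                     return 0;
    }
}

static unsigned round_trip(unsigned f) { return level_to_flags(flags_to_level(f)); }
static unsigned lost_bits(unsigned f)  { return f & ~round_trip(f); }

/* Number of the 16 flag combinations that survive a store and read back. */
static int count_lossless(void)
{
    int n = 0;
    for (unsigned f = 0; f < 16; f++)
        if (round_trip(f) == f) n++;
    return n;
}

int main(void)
{
    unsigned pc = TRUSTED_PEER | TRUSTED_CA;   /* the "P and C" case */
    printf("set 0x%x, read back 0x%x, lost 0x%x; %d of 16 combinations survive\n",
           pc, round_trip(pc), lost_bits(pc), count_lossless());
    return 0;
}
```
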

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --
Severity: -- → S3
Priority: -- → P5