Open Bug 465774 Opened 16 years ago Updated 1 year ago

CERT_ImportCerts ignores the usage and caOnly parameters.

Categories

(NSS :: Libraries, defect, P5)

3.12

Tracking

(Not tracked)

People

(Reporter: wtc, Unassigned)

Details

CERT_ImportCerts ignores the "SECCertUsage usage" and "PRBool caOnly" parameters. I'm not sure if this is intentional. Below is the history of this change.

This change was introduced in NSS 3.12, in rev. 1.80 of lib/certdb/certdb.c.

----------------------------
revision 1.80
date: 2007/07/14 05:51:00; author: nelson%bolyard.com; state: Exp; lines: +1 -125
Back out revision 1.23 of certdb/certdb.c, the "fix" for bug 121487 that started setting the valid override flags routinely on all imported certs. Bug 376737. r=rrelyea
----------------------------

Rev. 1.23 is:

----------------------------
revision 1.23
date: 2002/01/23 21:43:30; author: ian.mcgreer%sun.com; state: Exp; lines: +112 -1
restore function CERT_SaveImportedCert, used to set the trust bits of a cert on import. Fixes bug 121487
----------------------------

Before rev. 1.23, a relevant revision is rev. 1.17, in which we changed the CERT_SaveImportedCert calls to PK11_ImportCert calls:

----------------------------
revision 1.17
date: 2001/11/08 00:14:39; author: relyea%netscape.com; state: Exp; lines: +37 -127
Land BOB_WORK_BRANCH unto the tip. remove lots of deprecated files. move some files to appropriate directories (pcertdb *_rand associated headers to soft token, for instance) rename several stan files which had the same name as other nss files. remove deprecated functions.
----------------------------
I'm quite familiar with all that history and will be happy to answer any questions.

Throughout the history of NSS & PSM there has been a series of misunderstandings about the purpose and effects of NSS's trust flags. They have always been override flags, intended to be set only in exceptional cases. (Consider trusting a root as exceptional :). The flags have always had the effect of overriding certain validity tests, causing certs to be accepted for purposes for which they would otherwise not be acceptable.

But several times they have been misunderstood by certain developers as being merely flags that (a) record the fact that the cert does or does not possess the extensions that mark it as a CA cert, and/or (b) record information about the particular tab in the browser's cert manager window where the cert should be displayed. The trust flags were viewed as simply a simpler, more efficient way of asking if a cert is a CA cert than by examining its extensions. They were used as a convenient way to record info that could later be used to decide whether a cert should be displayed in a tab for CA certs, or in a tab for user or peer certs. So, at various points in time, changes have been made to NSS to set trust flags routinely on import, e.g. setting the CA trust flag on any cert that appears to be a CA cert when it is imported.

Of course, setting the trusted (or valid) CA cert flag on a cert when it is imported because it appears to have an extension that identifies it as a CA cert is a security flaw. It defeats the cert validation logic, by causing that logic to override and bypass various cert validity tests, and simply conclude that the cert is valid. The act of marking a cert with a valid CA flag, to ensure that it would subsequently be displayed in a tab of CA certs, also had the effect of causing the cert to be treated as a valid CA cert, whether it was or not.

The NSS code that routinely and erroneously set the CA cert trust flags on import of certs with CA extensions was taken out, but then some time later was put back in (rev 1.23) due to a recurrence of that misunderstanding. Then again later (rev 1.80) it was taken out again. It is possible that somewhere along the way, some other intended functionality was changed and some other regression was introduced. I wonder what the "SECCertUsage usage" parameter was intended to do.
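Since the CA trust letters are overrides rather than a description of the cert, the practical check for an NSS database is to list it and see which certs actually carry them. The following Python is an added example, not NSS code and not part of this bug report: it parses the table printed by `certutil -L` (the listing embedded below is constructed to imitate that layout) and reports every CA override flag per usage, so a stray `c` on an intermediate that was merely imported stands out from roots an administrator trusted on purpose.

```python
import re
import subprocess
from typing import Dict, List, NamedTuple

# Trust letters as printed by certutil -L, one comma-separated group per usage
# (SSL, S/MIME, code signing). c/C/T are the override flags discussed above:
# NSS treats the cert as a (trusted) CA regardless of what validation would
# otherwise conclude, so they should appear only where someone set them on purpose.
CA_OVERRIDE_LETTERS = {"c": "valid CA", "C": "trusted CA (server)", "T": "trusted CA (client)"}
USAGES = ("SSL", "S/MIME", "JAR/XPI")
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Constructed sample in the layout certutil -L uses (not taken from a real database).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Corp Root CA                                                 CT,C,C
Imported Intermediate                                        c,,
Mail Peer                                                    ,P,
Expired Vendor Cert                                          ,,
my-client-cert                                               u,u,u
"""


class CaOverride(NamedTuple):
    nickname: str
    usage: str
    flag: str


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust triple; header rows and blank lines are skipped."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)  # nickname may contain spaces
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].strip()] = parts[1]
    return certs


def ca_overrides(certs: Dict[str, str]) -> List[CaOverride]:
    """Every (cert, usage, letter) that grants CA status by override; 'CT' yields two."""
    return [CaOverride(nick, usage, letter)
            for nick, trust in certs.items()
            for usage, letters in zip(USAGES, trust.split(","))
            for letter in letters if letter in CA_OVERRIDE_LETTERS]


def list_nss_db(db_dir: str) -> Dict[str, str]:
    """Same audit against a real database; assumes certutil is on PATH."""
    out = subprocess.run(["certutil", "-L", "-d", db_dir], check=True,
                         capture_output=True, text=True).stdout
    return parse_certutil_listing(out)
```

Run `ca_overrides(list_nss_db("sql:/path/to/nssdb"))` against a live database; any override on a cert nobody deliberately trusted is worth investigating, because it bypasses the validity tests described above.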
Nelson, you can help me document CERT_ImportCerts. When I document CERT_ImportCerts, what should I say about the 'usage' and 'caOnly' parameters? The documentation may need to apply to NSS 3.11.x as well because NSS 3.11.x is still in use.
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5