Do not use the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code for bad CRL distribution point URLs

RESOLVED FIXED in 3.12.9

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Wan-Teh Chang)

Tracking

unspecified
3.12.9

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

7 years ago
Created attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

libpkix uses the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code
for bad (invalid or unsupported) CRL distribution point URLs.
This error code is inaccurate because the CRL distribution point
URLs are not in the AIA (authority information access) certificate
extension.

The proposed patch adds a new SEC_ERROR_BAD_CRL_DP_URL error
code for this error condition.
Attachment #476463 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 1

7 years ago
Created attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

Without a specific NSS error code, these libpkix errors are mapped
to whatever PORT_GetError()/PR_GetError() returns, which is usually
the stale error code SEC_ERROR_EXTENSION_NOT_FOUND.

This patch also updates the comments for CERT_ParseURL because it
is no longer used just for parsing the URI of an OCSP responder.
Attachment #476468 - Flags: review?(alexei.volkov.bugs)
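The behaviour described in the Description and in Comment 1, as a small self-contained C model (an added example, not code from the NSS patches). The enum names, their values and the `PK_OTHER_LOCATION_FAILURE` case are hypothetical stand-ins; only the SEC_ERROR_* names in the comments come from this bug.

```c
/* Added illustration, not NSS or libpkix source. All identifiers and
 * numeric values below are constructed stand-ins. */
#include <stdio.h>

enum nss_err {                     /* stand-in values, not NSS's numbers */
    ERR_NONE = 0,
    ERR_EXTENSION_NOT_FOUND,       /* SEC_ERROR_EXTENSION_NOT_FOUND */
    ERR_BAD_INFO_ACCESS_LOCATION,  /* SEC_ERROR_BAD_INFO_ACCESS_LOCATION */
    ERR_BAD_CRL_DP_URL             /* SEC_ERROR_BAD_CRL_DP_URL */
};
/* Hypothetical internal failure kinds. */
enum pkix_err { PK_BAD_AIA_URL, PK_BAD_CRL_DP_URL, PK_OTHER_LOCATION_FAILURE, PK_COUNT };

/* ERR_NONE in a table means "no specific code assigned". */
static const enum nss_err map_before[PK_COUNT] = {
    ERR_BAD_INFO_ACCESS_LOCATION, ERR_BAD_INFO_ACCESS_LOCATION, ERR_NONE };
static const enum nss_err map_after[PK_COUNT] = {
    ERR_BAD_INFO_ACCESS_LOCATION, ERR_BAD_CRL_DP_URL, ERR_BAD_INFO_ACCESS_LOCATION };

static enum nss_err last_error;    /* models the slot PORT_GetError() reads */

/* Translate an internal failure. With no specific code the slot is left
 * untouched, so the caller reads whatever an earlier call stored there. */
static enum nss_err surface_error(const enum nss_err *map, enum pkix_err e)
{
    if (map[e] != ERR_NONE)
        last_error = map[e];
    return last_error;
}

/* Report one failure after an unrelated extension lookup has already failed. */
static enum nss_err after_stale_lookup(const enum nss_err *map, enum pkix_err e)
{
    last_error = ERR_EXTENSION_NOT_FOUND;
    return surface_error(map, e);
}

/* Audit helper: how many internal failures can leak a stale code? */
static int count_unmapped(const enum nss_err *map)
{
    int n = 0;
    for (int e = 0; e < PK_COUNT; e++)
        n += (map[e] == ERR_NONE);
    return n;
}

int main(void)
{
    printf("before: crl-dp=%d other=%d unmapped=%d\n", after_stale_lookup(map_before, PK_BAD_CRL_DP_URL),
           after_stale_lookup(map_before, PK_OTHER_LOCATION_FAILURE), count_unmapped(map_before));
    printf("after:  crl-dp=%d other=%d unmapped=%d\n", after_stale_lookup(map_after, PK_BAD_CRL_DP_URL),
           after_stale_lookup(map_after, PK_OTHER_LOCATION_FAILURE), count_unmapped(map_after));
    return 0;
}
```

With the "before" table the unmapped failure is reported as the leftover extension-not-found code, which is why error logs from that path point at the wrong cause.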

Comment 2

7 years ago
Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

r=alexei
Attachment #476463 - Flags: review?(alexei.volkov.bugs) → review+

Comment 3

7 years ago
Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

r=alexei
Attachment #476468 - Flags: review?(alexei.volkov.bugs) → review+
(Assignee)

Comment 4

7 years ago
Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

Checked in the patch on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.22; previous revision: 1.21
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.19; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.28; previous revision: 1.27
done

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.20.2.2; previous revision: 1.20.2.1
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.18.2.1; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.26.2.1; previous revision: 1.26
done
Attachment #476463 - Attachment description: Add SEC_ERROR_BAD_CRL_DP_URL → Add SEC_ERROR_BAD_CRL_DP_URL (checked in)
(Assignee)

Comment 5

7 years ago
Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

Checked in on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.18; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.36; previous revision: 1.35
done

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.17.2.1; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.35.2.1; previous revision: 1.35
done
Attachment #476468 - Attachment description: Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL → Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)
(Assignee)

Updated

7 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED