Closed Bug 597622 Opened 10 years ago Closed 10 years ago

Do not use the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code for bad CRL distribution point URLs

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED
3.12.9

People

(Reporter: wtc, Assigned: wtc)

Attachments

(2 files)

libpkix uses the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code
for bad (invalid or unsupported) CRL distribution point URLs.
This error code is inaccurate because the CRL distribution point
URLs are not in the AIA (authority information access) certificate
extension.

The proposed patch adds a new SEC_ERROR_BAD_CRL_DP_URL error
code for this error condition.
Attachment #476463 - Flags: review?(alexei.volkov.bugs)

Without a specific NSS error code, these libpkix errors are mapped
to whatever PORT_GetError()/PR_GetError() returns, which is usually
the stale error code SEC_ERROR_EXTENSION_NOT_FOUND.

This patch also updates the comments for CERT_ParseURL because it
is no longer used just for parsing the URI of an OCSP responder.
Attachment #476468 - Flags: review?(alexei.volkov.bugs)
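
A model of the fallback described in the comment above, as an added example that is not NSS code and not part of the original bug. The enum names, mapping tables, `report`, `url_ok` and `validate` are hypothetical, and the http-only parsing rule is an assumption made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the NSS codes named in this bug; values are not NSS's. */
enum nss_err { E_NONE = 0, E_EXTENSION_NOT_FOUND, E_BAD_INFO_ACCESS_LOCATION };

/* Hypothetical internal error ids, invented for this model. */
enum int_err { I_EXT_LOOKUP_FAILED, I_URL_PARSE_FAILED, I_COUNT };

/* Internal-to-NSS mapping; E_NONE means "no specific NSS code". */
static const enum nss_err map_before[I_COUNT] = { E_EXTENSION_NOT_FOUND, E_NONE };
static const enum nss_err map_after[I_COUNT] =
    { E_EXTENSION_NOT_FOUND, E_BAD_INFO_ACCESS_LOCATION };

static enum nss_err last_error; /* models the slot PORT_GetError() reads */

/* Translate an internal error; an unmapped one leaves the slot untouched. */
static enum nss_err report(const enum nss_err *map, enum int_err e) {
    if (map[e] != E_NONE)
        last_error = map[e];
    return last_error;
}

/* Assumed rule for the model: only http:// with a non-empty host parses. */
static int url_ok(const char *url) {
    static const char scheme[] = "http://";
    size_t n = sizeof scheme - 1;
    return strncmp(url, scheme, n) == 0 && url[n] != '\0' && url[n] != '/';
}

/* One pass: an optional-extension lookup fails and is tolerated, then the
 * URL is parsed. Returns the code the application would see. */
enum nss_err validate(const enum nss_err *map, const char *url) {
    last_error = E_NONE;
    (void)report(map, I_EXT_LOOKUP_FAILED); /* tolerated, but sets the slot */
    if (url_ok(url))
        return E_NONE;
    return report(map, I_URL_PARSE_FAILED);
}

enum nss_err run_before(const char *url) { return validate(map_before, url); }
enum nss_err run_after(const char *url)  { return validate(map_after, url); }

int main(void) {
    const char *bad = "ldap://ca.example.test/cn=ca"; /* constructed sample */
    printf("before=%d after=%d\n", run_before(bad), run_after(bad));
    return 0;
}
```

With the unmapped table the caller sees the leftover extension-not-found code for a URL failure; with the mapped table it sees the URL-specific code.
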
Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

r=alexei
Attachment #476463 - Flags: review?(alexei.volkov.bugs) → review+

Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

r=alexei
Attachment #476468 - Flags: review?(alexei.volkov.bugs) → review+

Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

Checked in the patch on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.22; previous revision: 1.21
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.19; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.28; previous revision: 1.27
done

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.20.2.2; previous revision: 1.20.2.1
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.18.2.1; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.26.2.1; previous revision: 1.26
done
Attachment #476463 - Attachment description: Add SEC_ERROR_BAD_CRL_DP_URL → Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

Checked in on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.18; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.36; previous revision: 1.35
done

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.17.2.1; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.35.2.1; previous revision: 1.35
done
Attachment #476468 - Attachment description: Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL → Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED