597622 - Do not use the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code for bad CRL distribution point URLs

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Wan-Teh Chang]

Attachment: Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

libpkix uses the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code
for bad (invalid or unsupported) CRL distribution point URLs.
This error code is inaccurate because the CRL distribution point
URLs are not in the AIA (authority information access) certificate
extension.

The proposed patch adds a new SEC_ERROR_BAD_CRL_DP_URL error
code for this error condition.

Comment 1

[Wan-Teh Chang]

Attachment: Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

Without a specific NSS error code, these libpkix errors are mapped
to whatever PORT_GetError()/PR_GetError() returns, which is usually
the stale error code SEC_ERROR_EXTENSION_NOT_FOUND.

This patch also updates the comments for CERT_ParseURL because it
is no longer used just for parsing the URI of an OCSP responder.

Comment 2

[Alexei Volkov]

Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

r=alexei

Comment 3

[Alexei Volkov]

Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

r=alexei

Comment 4

[Wan-Teh Chang]

Comment on attachment 476463 [details] [diff] [review]
Add SEC_ERROR_BAD_CRL_DP_URL (checked in)

Checked in the patch on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.22; previous revision: 1.21
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.19; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.28; previous revision: 1.27
done

Checking in cmd/lib/SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v  <--  SECerrs.h
new revision: 1.20.2.2; previous revision: 1.20.2.1
done
Checking in lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.18.2.1; previous revision: 1.18
done
Checking in lib/util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v  <--  secerr.h
new revision: 1.26.2.1; previous revision: 1.26
done

Comment 5

[Wan-Teh Chang]

Comment on attachment 476468 [details] [diff] [review]
Map more libpkix errors to SEC_ERROR_BAD_INFO_ACCESS_LOCATION; update comments for CERT_ParseURL (checked in)

Checked in on the NSS trunk (NSS 3.13) and
NSS_3_12_BRANCH (NSS 3.12.9).

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.18; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.36; previous revision: 1.35
done

Checking in ocsp.h;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v  <--  ocsp.h
new revision: 1.17.2.1; previous revision: 1.17
done
Checking in pkix_errorstrings.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h,v  <--  pkix_errorstrings.h
new revision: 1.35.2.1; previous revision: 1.35
done