Open
Bug 677981
Opened 12 years ago
Updated 5 months ago
CERT_PKIXVerifyCert does not allow a self-signed cert to be used as its own trust anchor
Categories: NSS :: Libraries, defect
Tracking: Not tracked
Status: NEW
People: Reporter: keeler, Unassigned
Details
Attachments: 4 files, 4 obsolete files
Can't use a CERTValInParam of type cert_pi_trustAnchors to set a self-signed certificate as a trust anchor, then use CERT_PKIXVerifyCert to verify that certificate (for things like expiration, bad signature, etc.). This results in SEC_ERROR_UNKNOWN_ISSUER.

Reporter | Comment 1 • 12 years ago
Reporter | Comment 2 • 12 years ago
Reporter | Comment 4 • 12 years ago
revocation flags need to be specified for CERT_PKIXVerifyCert to work ( -> updated selfsigned.c)
Attachment #552144 - Attachment is obsolete: true
Reporter | Comment 5 • 12 years ago
proposed patch (if the certificate is self-signed (i.e. a root), temporarily set the basic constraints criterion's minimum path length to -2, indicating that the certificate must be an end-entity certificate).
Reporter | Comment 6 • 12 years ago
Better patch (previous one was not at all the way to do it).
Attachment #552414 - Attachment is obsolete: true
Reporter | Comment 7 • 12 years ago
Using pointer equality for certs. Also, switching out the minimum path length argument only needs to happen in one location, not the two from before.
Attachment #553291 - Attachment is obsolete: true
Reporter | Updated • 12 years ago
Attachment #553617 - Flags: review?(bsmith)
Reporter | Comment 8 • 10 years ago
Comment on attachment 553617 [details] [diff] [review] CERT_PKIXVerifyCert-selfsigned.patch

Clearing review. If this patch even still applies, there's a good chance we're not going to be using libpkix, so we don't even need it.
Attachment #553617 - Flags: review?(bsmith)
Comment 9 • 10 years ago
Keeler, we might still need libpkix for backwards compatibility. I would not throw the effort away. However, make sure you also check the certificate usages on the self-signed case.
Updated • 5 months ago
Severity: normal → S3