CERT_PKIXVerifyCert does not allow a self-signed cert to be used as its own trust anchor

Status: NEW, Unassigned
Opened 7 years ago, updated 2 years ago

Reporter: keeler

Tracking: trunk, x86, Linux

Attachments: 4 attachments, 4 obsolete attachments

Created attachment 552141 [details]
test program

Can't use a CERTValInParam of type cert_pi_trustAnchors to set a self-signed certificate as a trust anchor, then use CERT_PKIXVerifyCert to verify that certificate (for things like expiration, bad signature, etc.)
Results in SEC_ERROR_UNKNOWN_ISSUER.
Created attachment 552143 [details]
selfsigned.crt
Created attachment 552144 [details]
selfsigned.c

fix typo
Attachment #552141 - Attachment is obsolete: true
Created attachment 552412 [details]
selfsigned.c

revocation flags need to be specified for CERT_PKIXVerifyCert to work ( -> updated selfsigned.c)
Attachment #552144 - Attachment is obsolete: true
Created attachment 552414 [details] [diff] [review]
CERT_PKIXVerifyCert-selfsigned.patch

proposed patch (if the certificate is self-signed (i.e. a root), temporarily set the basic constraints criterion's minimum path length to -2, indicating that the certificate must be an end-entity certificate).
Created attachment 553291 [details] [diff] [review]
CERT_PKIXVerifyCert-selfsigned.patch

Better patch (previous one was not at all the way to do it).
Attachment #552414 - Attachment is obsolete: true
Created attachment 553617 [details] [diff] [review]
CERT_PKIXVerifyCert-selfsigned.patch

Using pointer equality for certs. Also, switching out the minimum path length argument only needs to happen in one location, not the two from before.
Attachment #553291 - Attachment is obsolete: true
Attachment #553617 - Flags: review?(bsmith)
Comment on attachment 553617 [details] [diff] [review]
CERT_PKIXVerifyCert-selfsigned.patch

Clearing review. If this patch even still applies, there's a good chance we're not going to be using libpkix, so we don't even need it.
Attachment #553617 - Flags: review?(bsmith)
Keeler, we might still need libpkix for backwards compatibility. I would not throw the effort away. However, make sure you also check the certificate usages on the self-signed case.
No longer blocks: 672600