Open Bug 677981 Opened 12 years ago Updated 5 months ago

CERT_PKIXVerifyCert does not allow a self-signed cert to be used as its own trust anchor


(NSS :: Libraries, defect)



(Not tracked)


(Reporter: keeler, Unassigned)



(4 files, 4 obsolete files)

Attached file test program (obsolete) —
Can't use a CERTValInParam of type cert_pi_trustAnchors to set a self-signed certificate as a trust anchor, then use CERT_PKIXVerifyCert to verify that certificate (for things like expiration, bad signature, etc.)
Attached file selfsigned.c (obsolete) —
fix typo
Attachment #552141 - Attachment is obsolete: true
Attached file selfsigned.c
revocation flags need to be specified for CERT_PKIXVerifyCert to work ( -> updated selfsigned.c)
Attachment #552144 - Attachment is obsolete: true
proposed patch (if the certificate is self-signed (i.e. a root), temporarily set the basic constraints criterion's minimum path length to -2, indicating that the certificate must be an end-entity certificate).
Better patch (previous one was not at all the way to do it).
Attachment #552414 - Attachment is obsolete: true
Using pointer equality for certs. Also, switching out the minimum path length argument only needs to happen in one location, not the two from before.
Attachment #553291 - Attachment is obsolete: true
Comment on attachment 553617 [details] [diff] [review]

Clearing review. If this patch even still applies, there's a good chance we're not going to be using libpkix, so we don't even need it.
Attachment #553617 - Flags: review?(bsmith)
Keeler, we might still need libpkix for backwards compatibility. I would not throiw the effort away. However make sure you also check the certifiacte usages on the self signed case.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.