Open Bug 719298 Opened 13 years ago Updated 6 months ago

Stop exposing NSS certificate validation APIs from NSS when MOZ_FOLD_LIBS is set


(Core :: Security: PSM, enhancement, P5)





(Reporter: briansmith, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [psm-cleanup])

Some addons, like Gmail S/MIME and Penango, require the classic CERT_Verify* API in addition to CERT_PKIXVerifyCert, because CERT_PKIXVerifyCert does not have some features that these addons need.

Once all the bugs blocking this bug are fixed, we can stop exporting the classic CERT_Verify* API from the copy of NSS that we ship with Firefox and/or Thunderbird. There are probably more bugs that need to be added to the dependency list. Sean, it would be great if you could add the other dependencies you know about, filing new bugs if necessary.

One of the issues that Sean mentioned is that libpkix does not return a partial certificate chain when it fails to build a complete chain. Such logic may also be useful for Gecko's cert UI. However, this doesn't necessarily need to be implemented in libpkix, AFAICT. We may just need an API or example code, that, given cert A, returns all possible known signers of cert A. Then, this function can be called recursively to build one or more possible partial paths.

Another issue that Sean mentioned is bug 640892. Again, I am not sure if we really need to fix that bug, or if we can find some workarounds, like the ones I have suggested for Gecko in bug 699874 and elsewhere. (Or, perhaps it is not too difficult to fix bug 640892.)
See Also: → 653572
Depends on: 1025998, 975229
No longer depends on: 640892
Summary: Stop exposing NSS classic certificate validation API to addons → Stop exposing NSS certificate validation APIs from NSS when MOZ_FOLD_LIBS is set
At this point, I think all we would need to do here is remove CERT_VerifyCertificate and CERT_PKIXVerifyCert from config/external/nss/nss.symbols. There may be other (now-)unused functions that can be removed from that file as well.
Whiteboard: [psm-cleanup]
Priority: -- → P5
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.