Closed
Bug 726134
Opened 13 years ago
Closed 13 years ago
Allow CERT_PKIXVerifyCert to return a NULL trust anchor cert (cert_po_trustAnchor)
Categories
(NSS :: Libraries, defect, P1)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.13.4
People
(Reporter: wtc, Assigned: wtc)
References
Details
Attachments
(1 file, 1 obsolete file)
12.52 KB,
patch
I have written a patch to allow CERT_PKIXVerifyCert to verify an end-entity certificate that is explicitly trusted. We need to decide what should be considered the trust anchor in this case. There are two options.

1) Return no trust anchor because by definition a trust anchor is a CA, but the trust on an explicitly trusted EE cert is not derived from a CA. The attached patch implements this option. This option will break code that assumes the trust anchor cert (cert_po_trustAnchor) returned by CERT_PKIXVerifyCert is not NULL.

2) Consider the explicitly trusted EE cert as the trust anchor. This option uses a broader interpretation of "trust anchor". "Trust anchor" means the source of trust, which is not necessarily the CA that issues the first cert of the certification path as specified in RFC 5280 (search for "(b) certificate 1 is issued by the trust anchor;" in that RFC). This option will break code that assumes the cert chain (cert_po_certList) and trust anchor cert (cert_po_trustAnchor) returned by CERT_PKIXVerifyCert are disjoint.

Bob, what do you think we should do? I think Option 1 is more logical, but it may cause some users of CERT_PKIXVerifyCert to crash.
Attachment #596149 -
Flags: review?(rrelyea)
Assignee
Updated•13 years ago
Target Milestone: 3.13.3 → 3.13.4
Comment 1•13 years ago
Comment on attachment 596149
Allow a NULL trust anchor

r+

I think dealing with a NULL trust anchor is better than trying to understand what could go wrong with an overlap structure.
Attachment #596149 -
Flags: review?(rrelyea) → review+
Assignee
Comment 2•13 years ago
(I made some whitespace fixes.)

Patch checked in on the NSS trunk (NSS 3.13.4).

Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v <-- certvfypkix.c
new revision: 1.52; previous revision: 1.51
done
Checking in lib/libpkix/pkix/results/pkix_valresult.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/results/pkix_valresult.c,v <-- pkix_valresult.c
new revision: 1.7; previous revision: 1.6
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h,v <-- pkix_pl_cert.h
new revision: 1.6; previous revision: 1.5
done
Attachment #596149 -
Attachment is obsolete: true
Assignee
Updated•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
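Added example, not part of this bug or of the NSS source: a caller-side pattern for Option 1, where the trust anchor slot may come back NULL after a successful verification. The types, names and sample data are stand-ins constructed here so the file builds without NSS; in real code the slot is the `cert_po_trustAnchor` entry of the `CERTValOutParam` array and the pointer is `value.pointer.cert`. Pinning by subject string is a simplification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types, constructed for this example so it builds without NSS.
 * They mirror the shape of a CERTValOutParam array: a type tag plus a
 * certificate pointer, terminated by an "end" entry. */
typedef struct { const char *subject; } Cert;
typedef enum { po_end = 0, po_trustAnchor, po_certList } OutType;
typedef struct { OutType type; const Cert *cert; } OutParam;

typedef enum { ANCHOR_NOT_REQUESTED, ANCHOR_NONE, ANCHOR_CA } AnchorKind;

/* Constructed sample results: one chain ending at a CA, one explicitly
 * trusted end-entity cert (NULL anchor, Option 1 in the bug). */
static const Cert sample_ca = { "CN=Example Root CA" };
static const OutParam out_with_ca[] = { { po_trustAnchor, &sample_ca }, { po_end, NULL } };
static const OutParam out_trusted_ee[] = { { po_trustAnchor, NULL }, { po_end, NULL } };

/* Inspect the trust anchor slot after a successful verification without
 * ever dereferencing a NULL anchor. */
AnchorKind classify_anchor(const OutParam *out, const char **subject)
{
    *subject = NULL;
    for (size_t i = 0; out[i].type != po_end; i++) {
        if (out[i].type != po_trustAnchor)
            continue;
        if (out[i].cert == NULL)
            return ANCHOR_NONE;       /* trust did not come from a CA */
        *subject = out[i].cert->subject;
        return ANCHOR_CA;
    }
    return ANCHOR_NOT_REQUESTED;      /* caller never asked for the anchor */
}

/* Policy that pins on the anchor must fail closed when there is none. */
int anchor_matches_pin(const OutParam *out, const char *pinned_subject)
{
    const char *subject;
    return classify_anchor(out, &subject) == ANCHOR_CA &&
           strcmp(subject, pinned_subject) == 0;
}

int main(void)
{
    printf("CA chain pinned: %d\n", anchor_matches_pin(out_with_ca, "CN=Example Root CA"));
    printf("trusted EE pinned: %d\n", anchor_matches_pin(out_trusted_ee, "CN=Example Root CA"));
    return 0;
}
```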