Closed Bug 726134 Opened 11 years ago Closed 11 years ago
CERT_PKIXVerifyCert to return a NULL trust anchor cert (cert_po_trustAnchor)
I have written a patch to allow CERT_PKIXVerifyCert to verify an end-entity certificate that is explicitly trusted. We need to decide what should be considered the trust anchor in this case. There are two options.

1) Return no trust anchor because by definition a trust anchor is a CA, but the trust on an explicitly trusted EE cert is not derived from a CA. The attached patch implements this option. This option will break code that assumes the trust anchor cert (cert_po_trustAnchor) returned by CERT_PKIXVerifyCert is not NULL.

2) Consider the explicitly trusted EE cert as the trust anchor. This option uses a broader interpretation of "trust anchor". "Trust anchor" means the source of trust, which is not necessarily the CA that issues the first cert of the certification path as specified in RFC 5280 (search for "(b) certificate 1 is issued by the trust anchor;" in that RFC). This option will break code that assumes the cert chain (cert_po_certList) and trust anchor cert (cert_po_trustAnchor) returned by CERT_PKIXVerifyCert are disjoint.

Bob, what do you think we should do? I think Option 1 is more logical, but it may cause some users of CERT_PKIXVerifyCert to crash.
Attachment #596149 - Flags: review?(rrelyea)
Comment on attachment 596149: Allow a NULL trust anchor

r+ I think dealing with a NULL trust anchor is better than trying to understand what could go wrong with an overlap structure.
Attachment #596149 - Flags: review?(rrelyea) → review+
(I made some whitespace fixes.)

Patch checked in on the NSS trunk (NSS 3.13.4).

Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v <-- certvfypkix.c
new revision: 1.52; previous revision: 1.51
done
Checking in lib/libpkix/pkix/results/pkix_valresult.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/results/pkix_valresult.c,v <-- pkix_valresult.c
new revision: 1.7; previous revision: 1.6
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h,v <-- pkix_pl_cert.h
new revision: 1.6; previous revision: 1.5
done
Attachment #596149 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
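
How a caller can cope with Option 1 from the bug description, as an added example that is not NSS code and not part of the attached patch. The `model_*` types and both function names are hypothetical stand-ins for the cert_po_trustAnchor and cert_po_certList outputs, and the assumption is that the chain does not include the anchor.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins, not NSS types: they model only the two outputs
 * named in the bug, cert_po_trustAnchor and cert_po_certList. */
typedef struct { const char *subject; } model_cert;

typedef struct {
    const model_cert *trust_anchor;  /* NULL for an explicitly trusted EE cert */
    const model_cert *const *chain;  /* validated chain, anchor not included */
    size_t chain_len;
} model_verify_output;

/* Pin check on the trust anchor. With no anchor there is no CA to match,
 * so the check fails closed instead of dereferencing NULL. */
int anchor_is_pinned(const model_verify_output *out,
                     const char *const *pinned, size_t npinned)
{
    size_t i;
    if (out == NULL || out->trust_anchor == NULL)
        return 0;
    for (i = 0; i < npinned; i++)
        if (strcmp(out->trust_anchor->subject, pinned[i]) == 0)
            return 1;
    return 0;
}

/* Copy the chain, then the anchor when there is one, into dst.
 * Returns the number of certs written, or 0 if dst is too small. */
size_t full_path(const model_verify_output *out,
                 const model_cert **dst, size_t cap)
{
    size_t n, i;
    if (out == NULL)
        return 0;
    n = out->chain_len + (out->trust_anchor != NULL ? 1 : 0);
    if (n > cap)
        return 0;
    for (i = 0; i < out->chain_len; i++)
        dst[i] = out->chain[i];
    if (out->trust_anchor != NULL)
        dst[out->chain_len] = out->trust_anchor;
    return n;
}
```

Whether an explicitly trusted end-entity cert should satisfy a pinning policy is a decision for the caller; this model only makes that case distinguishable and crash-free.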