Closed Bug 726134 Opened 12 years ago Closed 12 years ago

Allow CERT_PKIXVerifyCert to return a NULL trust anchor cert (cert_po_trustAnchor)

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED
3.13.4

People

(Reporter: wtc, Assigned: wtc)

Attachments

(1 file, 1 obsolete file)

Attached patch Allow a NULL trust anchor (obsolete) — Splinter Review
I have written a patch to allow CERT_PKIXVerifyCert to verify
an end-entity certificate that is explicitly trusted.  We need
to decide what should be considered the trust anchor in this
case.  There are two options.

1) Return no trust anchor because by definition a trust anchor
is a CA, but the trust on an explicitly trusted EE cert is not
derived from a CA.

The attached patch implements this option.

This option will break code that assumes the trust anchor cert
(cert_po_trustAnchor) returned by CERT_PKIXVerifyCert is not
NULL.

2) Consider the explicitly trusted EE cert as the trust anchor.

This option uses a broader interpretation of "trust anchor".
"Trust anchor" means the source of trust, which is not necessarily
the CA that issues the first cert of the certification path as
specified in RFC 5280 (search for
      (b)  certificate 1 is issued by the trust anchor;
in that RFC).

This option will break code that assumes the cert chain
(cert_po_certList) and trust anchor cert (cert_po_trustAnchor)
returned by CERT_PKIXVerifyCert are disjoint.

Bob, what do you think we should do?  I think Option 1 is more
logical, but it may cause some users of CERT_PKIXVerifyCert to
crash.
Attachment #596149 - Flags: review?(rrelyea)
Target Milestone: 3.13.3 → 3.13.4
Comment on attachment 596149
Allow a NULL trust anchor

r+. I think dealing with a NULL trust anchor is better than trying to understand what could go wrong with an overlap structure.
Attachment #596149 - Flags: review?(rrelyea) → review+
(I made some whitespace fixes.)

Patch checked in on the NSS trunk (NSS 3.13.4).

Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v  <--  certvfypkix.c
new revision: 1.52; previous revision: 1.51
done
Checking in lib/libpkix/pkix/results/pkix_valresult.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/results/pkix_valresult.c,v  <--  pkix_valresult.c
new revision: 1.7; previous revision: 1.6
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h,v  <--  pkix_pl_cert.h
new revision: 1.6; previous revision: 1.5
done
Attachment #596149 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Blocks: 647364
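
A caller-side model of the two options discussed in this bug, added here as an example (not code from NSS or from the attached patch). The `Cert` and `VerifyOut` types and the functions `sample()`, `trust_source()` and `full_path()` are simplified, hypothetical stand-ins for the cert_po_certList and cert_po_trustAnchor outputs, and the code assumes the chain still contains the EE cert when the trust anchor is NULL.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins for this example only; these are not NSS types. */
typedef struct { const char *subject; } Cert;
typedef struct {
    const Cert *chain[4]; /* models cert_po_certList, EE cert first */
    size_t chain_len;
    const Cert *anchor;   /* models cert_po_trustAnchor, may be NULL */
} VerifyOut;

/* Constructed samples: 0 = CA-anchored, 1 = Option 1, 2 = Option 2. */
VerifyOut sample(int kind)
{
    static const Cert ee = { "CN=server.example" }, ca = { "CN=Example Root CA" };
    VerifyOut out = { { &ee }, 1, &ca };
    if (kind == 1) out.anchor = NULL; /* no trust anchor returned */
    if (kind == 2) out.anchor = &ee;  /* EE cert doubles as the anchor */
    return out;
}

/* Subject of the cert the trust rests on; with a NULL anchor, chain[0]. */
const char *trust_source(const VerifyOut *out)
{
    if (out->anchor != NULL) return out->anchor->subject;
    return out->chain_len > 0 ? out->chain[0]->subject : NULL;
}

/* Copy chain plus anchor into path without assuming the anchor is non-NULL
 * or disjoint from the chain (pointer equality models a cert comparison). */
size_t full_path(const VerifyOut *out, const Cert **path, size_t cap)
{
    size_t n = 0;
    int seen = 0;
    for (size_t i = 0; i < out->chain_len && n < cap; i++) {
        if (out->chain[i] == out->anchor) seen = 1;
        path[n++] = out->chain[i];
    }
    if (out->anchor != NULL && !seen && n < cap) path[n++] = out->anchor;
    return n;
}
int main(void)
{
    const Cert *path[5];
    for (int k = 0; k < 3; k++) {
        VerifyOut o = sample(k);
        printf("%d: %s, %zu certs\n", k, trust_source(&o), full_path(&o, path, 5));
    }
    return 0;
}
```

A caller that dereferences the anchor unconditionally fails on sample 1, and one that appends the anchor unconditionally lists the EE cert twice on sample 2.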