Closed Bug 808224 Opened 12 years ago Closed 6 months ago

Add a version of SEC_PKCS7VerifyDetachedSignature that allows certificates to be validated using all libpkix features

Categories

(NSS :: Libraries, enhancement, P5)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)

Details

SEC_PKCS7VerifyDetachedSignature is currently hard-coded to use the classic certificate validation logic. This limits the ability of the application to use it when it needs more control over the validation parameters, such as what trust anchors to use or what revocation features to enable.

Ideally, we would create a version of this function that abstracts out the certificate validation so that the application can plug in any validation it wants, and then provide a default libpkix plug in for it. Such an interface would also be useful for the SSL auth certificate callback and probably other functions that do certificate validation as part of some larger task.
PSM bug 834091 adds a new function, SEC_PKCS7VerifyDetachedSignatureAtTime, which is like SEC_PKCS7VerifyDetachedSignature except it allows the caller to set the time at which the certificate should be validated.

Instead of upstreaming that patch as-is to NSS CVS, I am going to modify it so that it allows an alternate certificate validation callback function to be passed in, to replace the hard-coded call to CERT_VerifyCert. This will allow PSM to use libpkix for these calls. It will also allow the packaged app signature verification code to use a better mechanism for setting the set of trust anchors to trust (currently, signed app verification cannot be used in non-B2G builds because it depends on an alternate interpretation of the the code signing trust bits.)

Also, at the same time, I would like the new function to avoid doing anything with S/MIME profiles like SEC_PKCS7VerifyDetachedSignature. An application that wants S/MIME profile stuff done could just call SEC_PKCS7VerifyDetachedSignatureAtTime itself after verifying the signature.
Assignee: nobody → bsmith
Priority: -- → P1
Target Milestone: --- → 3.14.3
(In reply to Brian Smith (:bsmith) from comment #1)
> Instead of upstreaming that patch as-is to NSS CVS, I am going to modify it
> so that it allows an alternate certificate validation callback function to
> be passed in, to replace the hard-coded call to CERT_VerifyCert.

This seems like a useful enhancement, but I would suggest to add variants of NSS_CMSSignedData_VerifySignerInfo/NSS_CMSSignerInfo_VerifyCertificate instead, and switch from using SEC_PKCS7VerifyDetachedSignature to "real" libsmime functions (i.e., replace it by NSS_CMSSignedData_GetSignerInfo/NSS_CMSSignedData_VerifySignerInfo, as shown in http://mxr.mozilla.org/mozilla/source/security/nss/cmd/smimetools/cmsutil.c#305). 

PKCS#7 functions have been deprecated long ago already, see e.g. http://article.gmane.org/gmane.comp.mozilla.crypto/6242.
Assignee: brian → nobody
Severity: normal → enhancement
Priority: P1 → --
Target Milestone: 3.14.3 → ---
Severity: normal → S3
Severity: S3 → N/A
Status: NEW → RESOLVED
Closed: 6 months ago
Priority: -- → P5
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.