Closed
Bug 81347
Opened 24 years ago
Closed 24 years ago
RFE: export CERT_GetCertChainFromCert or something like it
Categories
(NSS :: Libraries, enhancement, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
3.3
People
(Reporter: zhou.bin, Assigned: rrelyea)
Details
Comment 1•24 years ago
Assigned the bug to Nelson.
Assignee: wtc → nelsonb
Severity: normal → enhancement
Priority: -- → P3
Version: unspecified → 3.2.1
Comment 2•24 years ago
zhoubin wrote:
SSL of NSS should have the function to get the peer's certificate chain during SSL
communication.
(this functionality already exists. More info in the next message.)
Summary: SSL of NSS should has the function to get peer's certificate chain during ssl communication.. → RFE: get ssl peer cert chain
Comment 3•24 years ago
NSS already has CERT_CertChainFromCert(). This takes a pointer to
the leaf cert in the chain and returns a CERTCertificateList
(list of raw DER-encoded certs in the chain).
NSS's function SSL_PeerCertificate() returns the pointer to the
peer's cert, which is the leaf of the chain.
The peer's (leaf) cert and root CA cert are available all throughout
the SSL connection. But the SSL code does not hold onto copies of any
intermediate CA certs in the peer's chain after the peer's cert chain
is authenticated by the application's cert authentication function.
That is, the sequence of events is:
1. SSL receives cert chain from peer
2. SSL loads all certs in chain into temp cert DB, getting references
to the loaded certs.
3. SSL calls application's cert authentication function.
4. If the application's cert authentication function returns an error,
SSL calls the application's cert error handler function (if any).
5. SSL releases its references to the certs in the temp cert DB.
If no other references to those certs are being held, the certs
are freed at that point.
So, if the application wants to get access to the certs in the peer's
chain, it should either
a) extract all the needed info from the cert chain in the app's
cert authentication function, or
b) get new references to the certs in the chain in the authcert function.
So, I'd say this request is already completely satisfied, except for one
thing. CERT_CertChainFromCert() returns a list of raw DER certs. That
is useful when the application wishes to store the certs or wishes to
transmit them somewhere, but for immediate processing, a list of
references to the CERTCertificate structures in NSS's temp cert DB would
be much more useful. NSS has a function to do that, too, named
CERT_GetCertChainFromCert(), but that function is presently not exported
from NSS's DSO. It also has a few obvious bugs :-(
So, I'm changing this RFE to request that CERT_GetCertChainFromCert
(or a function like it that produces a list of references to cert
structs in the temp cert DB) be exported.
CERT_FindCertIssuer() is also not exported, so it's quite difficult
for an NSS app to chase the cert chain in the DB.
And, I'm reassigning this bug to Bob.
Assignee: nelsonb → relyea
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: RFE: get ssl peer cert chain → RFE: export CERT_GetCertChainFromCert or something like it
Comment 4•24 years ago
Yes, this function is safe enough to export. I'll add it for 3.3
bob
Updated•24 years ago
Priority: P3 → P1
Target Milestone: --- → 3.3
Comment 5•24 years ago
While we're at it, we should also fix the numerous bugs in
CERT_GetCertChainFromCert().
This function never checks return values for null or other failures.
So, if CERT_FindCertIssuer() ever returns null (for example), this
function will crash. We should fix that before making this function
public.
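The following is an added example, not code from NSS or from this bug: a self-contained model of the handshake sequence in comment 3 (SSL loads the chain into the temp DB, calls the application's auth-cert hook, then releases its references) and of the NULL-issuer case comment 5 says CERT_GetCertChainFromCert must handle before being exported. All names in it (model_cert, temp_db, ssl_model_handshake, chain_get_refs, the hook_* functions) are hypothetical stand-ins; the comments name the real NSS call each step models. Real NSS frees the CERTCertificate memory; here the temp DB slots are static so that a freed cert can still be inspected to show the dangling pointer.

```c
/* Added example: a model (not NSS code) of comment 3's handshake sequence and
 * comment 5's missing-issuer case. All names here are hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>

#define MAX_CERTS 8

/* Stands in for CERTCertificate: reference-counted, lives in the temp DB,
 * freed when the count drops to zero. */
typedef struct model_cert {
    const char *subject;
    const char *issuer;
    int refcnt;
    int freed;
} model_cert;

/* A cert as received on the wire: subject and issuer only. */
typedef struct wire_cert { const char *subject, *issuer; } wire_cert;

/* The temp cert DB (static slots so a freed cert can still be inspected). */
static model_cert temp_db[MAX_CERTS];
static int temp_db_count;

/* Like CERT_DupCertificate: take an additional reference. */
static model_cert *cert_dup(model_cert *c) { c->refcnt++; return c; }

/* Like CERT_DestroyCertificate: drop a reference, free at zero. */
static void cert_destroy(model_cert *c) { if (--c->refcnt == 0) c->freed = 1; }

/* Like CERT_FindCertIssuer: find the issuer in the temp DB, or NULL.
 * Comment 5's point: a chain walker must check for this NULL. */
static model_cert *find_issuer(const model_cert *c) {
    for (int i = 0; i < temp_db_count; i++)
        if (!temp_db[i].freed && strcmp(temp_db[i].subject, c->issuer) == 0)
            return &temp_db[i];
    return NULL;
}

/* What an exported CERT_GetCertChainFromCert should do: walk leaf -> root
 * taking a new reference to each cert, and stop cleanly at a self-signed
 * cert or at a missing issuer instead of dereferencing NULL. */
static int chain_get_refs(model_cert *leaf, model_cert **out, int max) {
    int n = 0;
    for (model_cert *c = leaf; c != NULL && n < max; c = find_issuer(c)) {
        out[n++] = cert_dup(c);
        if (strcmp(c->subject, c->issuer) == 0)
            break;                            /* self-signed root reached */
    }
    return n;
}

/* The application's cert authentication hook (SSL_AuthCertificateHook). */
typedef void (*auth_hook)(model_cert *leaf);

/* Steps 1-5 of comment 3. Returns the leaf pointer the hook was given. */
static model_cert *ssl_model_handshake(const wire_cert *wire, int n, auth_hook hook) {
    temp_db_count = 0;
    for (int i = 0; i < n && i < MAX_CERTS; i++) {        /* steps 1-2 */
        temp_db[i].subject = wire[i].subject;
        temp_db[i].issuer  = wire[i].issuer;
        temp_db[i].refcnt  = 1;                            /* SSL's own reference */
        temp_db[i].freed   = 0;
        temp_db_count++;
    }
    model_cert *leaf = &temp_db[0];                        /* SSL_PeerCertificate */
    hook(leaf);                                            /* step 3 */
    for (int i = 0; i < temp_db_count; i++)                /* step 5 */
        cert_destroy(&temp_db[i]);
    return leaf;
}

static model_cert *app_chain[MAX_CERTS];
static int app_chain_len;

/* Option (b) from comment 3: take references inside the hook. */
static void hook_keep_refs(model_cert *leaf) {
    app_chain_len = chain_get_refs(leaf, app_chain, MAX_CERTS);
}

/* The mistake: stash a raw pointer and use it after the handshake. */
static model_cert *stashed_leaf;
static void hook_raw_pointer(model_cert *leaf) { stashed_leaf = leaf; }

static void app_release_chain(void) {
    for (int i = 0; i < app_chain_len; i++) cert_destroy(app_chain[i]);
    app_chain_len = 0;
}

/* Returns 1 if the stashed pointer is dangling after step 5. */
static int scenario_raw_pointer(void) {
    const wire_cert wire[] = {{"leaf", "inter"}, {"inter", "root"}, {"root", "root"}};
    ssl_model_handshake(wire, 3, hook_raw_pointer);
    return stashed_leaf->freed;
}

/* Returns how many chain certs are still alive after step 5, then releases them. */
static int scenario_keep_refs(void) {
    const wire_cert wire[] = {{"leaf", "inter"}, {"inter", "root"}, {"root", "root"}};
    ssl_model_handshake(wire, 3, hook_keep_refs);
    int alive = 0;
    for (int i = 0; i < app_chain_len; i++) alive += !app_chain[i]->freed;
    app_release_chain();
    return alive;
}

/* Root never sent (constructed input): the walker stops at 2, no NULL deref. */
static int scenario_missing_issuer(void) {
    const wire_cert wire[] = {{"leaf", "inter"}, {"inter", "root"}};
    ssl_model_handshake(wire, 2, hook_keep_refs);
    int n = app_chain_len;
    app_release_chain();
    return n;
}

int main(void) {
    printf("raw pointer dangling after handshake: %d\n", scenario_raw_pointer());
    printf("certs alive via app references:       %d\n", scenario_keep_refs());
    printf("chain length with missing issuer:     %d\n", scenario_missing_issuer());
    return 0;
}
```

The first scenario is the failure mode comment 3 warns about: a pointer kept from the hook is dangling once SSL releases its references. The second is option (b): because the hook took its own references, the whole chain survives the handshake and the application frees it when done. The third is the comment 5 case: with the root absent from what the peer sent, find_issuer returns NULL and the walk ends with the two certs it found rather than crashing.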
Comment 6•24 years ago
Bob, are we exporting this function in NSS 3.3?
Comment 7•24 years ago
Yes, this should be fixed now.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8•24 years ago
Verified that CERT_CertChainFromCert is exported in nss.def.
Status: RESOLVED → VERIFIED