Closed Bug 81347 Opened 24 years ago Closed 24 years ago

RFE: export CERT_GetCertChainFromCert or something like it


(NSS :: Libraries, enhancement, P1)



(Not tracked)



(Reporter: zhou.bin, Assigned: rrelyea)


Assigned the bug to Nelson.
Assignee: wtc → nelsonb
Severity: normal → enhancement
Priority: -- → P3
Version: unspecified → 3.2.1
zhoubin wrote: SSL of NSS should have the function to get peer's certificate chain during ssl communication. (This functionality already exists. More info in the next message.)
Summary: SSL of NSS should has the function to get peer's certificate chain during ssl communication.. → RFE: get ssl peer cert chain
NSS already has CERT_CertChainFromCert(). This takes a pointer to the leaf cert in the chain and returns a CERTCertificateList (list of raw DER-encoded certs in the chain). NSS's function SSL_PeerCertificate() returns the pointer to the peer's cert, which is the leaf of the chain.

The peer's (leaf) cert and root CA cert are available all throughout the SSL connection. But the SSL code does not hold onto copies of any intermediate CA certs in the peer's chain after the peer's cert chain is authenticated by the application's cert authentication function. That is, the sequence of events is:

1. SSL receives cert chain from peer.
2. SSL loads all certs in chain into temp cert DB, getting references to the loaded certs.
3. SSL calls application's cert authentication function.
4. If the application's cert authentication function returns an error, SSL calls the application's cert error handler function (if any).
5. SSL releases its references to the certs in the temp cert DB. If no other references to those certs are being held, the certs are freed at that point.

So, if the application wants to get access to the certs in the peer's chain, it should either a) extract all the needed info from the cert chain in the app's cert authentication function, or b) get new references to the certs in the chain in the authcert function.

So, I'd say this request is already completely satisfied, except for one thing. CERT_CertChainFromCert() returns a list of raw DER certs. That is useful when the application wishes to store the certs or wishes to transmit them somewhere, but for immediate processing, a list of references to the CERTCertificate structures in NSS's temp cert DB would be much more useful. NSS has a function to do that, too, named CERT_GetCertChainFromCert(), but that function is presently not exported from NSS's DSO. It also has a few obvious bugs :-(

So, I'm changing this RFE to request that CERT_GetCertChainFromCert (or a function like it that produces a list of references to cert structs in the temp cert DB) be exported. CERT_FindCertIssuer() is also not exported, so it's quite difficult for an NSS app to chase the cert chain in the DB. And, I'm reassigning this bug to Bob.
Assignee: nelsonb → relyea
Ever confirmed: true
Summary: RFE: get ssl peer cert chain → RFE: export CERT_GetCertChainFromCert or something like it
Yes, this function is safe enough to export. I'll add it for 3.3.
bob
Priority: P3 → P1
Target Milestone: --- → 3.3
While we're at it, we should also fix the numerous bugs in CERT_GetCertChainFromCert(). This function never checks return values for null or other failures. So, if CERT_FindCertIssuer() ever returns null (for example), this function will crash. We should fix that before making this function public.
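The comment above describes the failure mode: CERT_GetCertChainFromCert() walks the chain by repeated issuer lookups and never checks for a NULL result, so a chain whose intermediate is absent from the temp DB crashes it. The following is an added example, not NSS code: a small C model of that chain walk over a constructed in-memory cert table, with every issuer lookup checked and a bounded walk length. The Cert struct, the table, and the function names are constructed stand-ins for the NSS types and APIs named in the bug.

```c
#include <stdio.h>
#include <string.h>

typedef struct { const char *subject; const char *issuer; } Cert; /* constructed: names only, no DER */

/* Constructed stand-in for the temp cert DB. "orphan.example" has no issuer
 * present: the case where an unchecked issuer lookup would dereference NULL. */
static const Cert g_db[] = {
    { "leaf.example",    "Intermediate CA" },
    { "Intermediate CA", "Root CA" },
    { "Root CA",         "Root CA" },   /* self-signed: the chain ends here */
    { "orphan.example",  "Missing CA" },
};
#define DB_LEN (sizeof g_db / sizeof g_db[0])

static const Cert *find_cert_by_subject(const char *subject) {
    for (size_t i = 0; i < DB_LEN; i++)
        if (strcmp(g_db[i].subject, subject) == 0) return &g_db[i];
    return NULL;
}

/* Model of CERT_FindCertIssuer(): returns NULL when the issuer is not in the DB. */
static const Cert *find_cert_issuer(const Cert *c) {
    return c ? find_cert_by_subject(c->issuer) : NULL;
}

/* Model of CERT_GetCertChainFromCert(): fills out[] leaf first and returns the
 * chain length, or -1 if the leaf is NULL, an issuer is missing, or the walk
 * exceeds max_len (guards against a DB with an issuer loop). Every lookup is checked. */
static int get_cert_chain(const Cert *leaf, const Cert **out, int max_len) {
    int n = 0;
    for (const Cert *cur = leaf; cur != NULL && n < max_len; cur = find_cert_issuer(cur)) {
        out[n++] = cur;
        if (strcmp(cur->subject, cur->issuer) == 0)
            return n;                  /* reached a self-signed root */
    }
    return -1;                         /* NULL issuer (incomplete chain) or too long */
}

/* Chain length for a subject name, -1 on any failure. */
int chain_len_for(const char *subject) {
    const Cert *out[8];
    return get_cert_chain(find_cert_by_subject(subject), out, 8);
}

int main(void) {
    printf("leaf.example   -> %d\n", chain_len_for("leaf.example"));   /* 3 */
    printf("orphan.example -> %d\n", chain_len_for("orphan.example")); /* -1 */
    return 0;
}
```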
Bob, are we exporting this function in NSS 3.3?
Yes, this should be fixed now.
Closed: 24 years ago
Resolution: --- → FIXED
Verified that CERT_CertChainFromCert is exported in nss.def.