816853 - CERT_PKIXVerifyCert should support trusting both trust anchors and the cert DB

Status: RESOLVED FIXED

Description

[Ryan Sleevi]

The CERTVALInParam of cert_pi_trustAnchors is mutually exclusive with using trust settings from the certificate DB, with one exception - distrusted certificates are always distrusted, even when explicitly supplied as trust anchors.

In order to allow certificate verifications that augment the set of trust anchors, but without requiring the caller to import the certificate into the DB or to modify the permanent trust flags (CERT_ChangeCertTrust), it should be possible to indicate to CERT_PKIXVerifyCert that verification should use the union of the trust anchors and the certificate DB.

Comment 1

[Ryan Sleevi]

Created attachment 691125 [details] [diff] [review]
Patch with test updates

I've updated the tests here to make sure there is test coverage. I'm not wedded to the use of T here as the flag, it's just that there weren't many free switches.

If you're wondering where the meat of the change is, see pkix_pl_nss/pki/pkix_pl_cert.c and pkix_build.c

This does *NOT* address the bug where non-certificate trust anchors (eg: SPKI+Subject) are not respected by the libpkix functions. It continues the current pattern of only respecting certificate-based trust anchors.

Comment 2

[Robert Relyea]

Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

r+ rrelyea

Comment 3

[Ryan Sleevi]

Checking in cmd/vfychain/vfychain.c;
/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v  <--  vfychain.c
new revision: 1.36; previous revision: 1.35
done
Checking in lib/certdb/certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.58; previous revision: 1.57
done
Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v  <--  certvfypkix.c
new revision: 1.56; previous revision: 1.55
done
Checking in lib/libpkix/include/pkix_params.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_params.h,v  <--  pkix_params.h
new revision: 1.10; previous revision: 1.9
done
Checking in lib/libpkix/pkix/params/pkix_procparams.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.c,v  <--  pkix_procparams.c
new revision: 1.14; previous revision: 1.13
done
Checking in lib/libpkix/pkix/params/pkix_procparams.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.h,v  <--  pkix_procparams.h
new revision: 1.9; previous revision: 1.8
done
Checking in lib/libpkix/pkix/top/pkix_build.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v  <--  pkix_build.c
new revision: 1.66; previous revision: 1.65
done
Checking in lib/libpkix/pkix/top/pkix_build.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h,v  <--  pkix_build.h
new revision: 1.12; previous revision: 1.11
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v  <--  pkix_pl_cert.c
new revision: 1.32; previous revision: 1.31
done
Checking in tests/chains/chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.39; previous revision: 1.38
done
Checking in tests/chains/scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v
done
Checking in tests/chains/scenarios/trustanchors.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v  <--  trustanchors.cfg
initial revision: 1.1
done

Comment 4

[Ryan Sleevi]

Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

Clearing the bsmith review bit. I've gone ahead and landed this. As mentioned, this only adds support for *certificate* trust anchors - arbitrary trust anchors (subject + public key) are not supported in the NSS<->libpkix bridge, so we don't need to worry about those.