
CERT_PKIXVerifyCert should support trusting both trust anchors and the cert DB

RESOLVED FIXED in 3.14.2

Status: RESOLVED FIXED
Product: NSS
Component: Libraries
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: Ryan Sleevi, Assigned: Ryan Sleevi)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
The CERTVALInParam of cert_pi_trustAnchors is mutually exclusive with using trust settings from the certificate DB, with one exception - distrusted certificates are always distrusted, even when explicitly supplied as trust anchors.

In order to allow certificate verifications that augment the set of trust anchors, but without requiring the caller to import the certificate into the DB or to modify the permanent trust flags (CERT_ChangeCertTrust), it should be possible to indicate to CERT_PKIXVerifyCert that verification should use the union of the trust anchors and the certificate DB.
Blocks: 816820
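The trust-resolution rule the description lays out, as an added model that is not NSS code (the cert identifiers, the tiny in-memory "DB" and the function names are constructed for the example): an issuer is acceptable if it is among the caller-supplied trust anchors, or, only in the union mode this bug adds, if the cert DB marks it trusted; in both modes a cert the DB distrusts is rejected even when the caller passed it as an anchor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added model of the trust-anchor rule from this bug; not NSS code. */

typedef enum { TRUST_NONE, TRUST_TRUSTED, TRUST_DISTRUSTED } db_trust_t;

typedef struct {
    const char *subject;  /* constructed identifier for a CA cert */
    db_trust_t  trust;    /* permanent trust flags in the cert DB */
} db_entry_t;

typedef enum {
    USE_ONLY_TRUST_ANCHORS, /* old behaviour: cert_pi_trustAnchors only */
    USE_ANCHORS_AND_DB      /* this bug: union of anchors and cert DB */
} anchor_mode_t;

/* Constructed certificate DB: one trusted root, one distrusted root. */
static const db_entry_t cert_db[] = {
    { "CN=DB Root CA",          TRUST_TRUSTED },
    { "CN=Compromised Root CA", TRUST_DISTRUSTED },
};

static db_trust_t db_lookup(const char *subject) {
    for (size_t i = 0; i < sizeof cert_db / sizeof cert_db[0]; i++)
        if (strcmp(cert_db[i].subject, subject) == 0)
            return cert_db[i].trust;
    return TRUST_NONE;
}

/* Is `issuer` an acceptable trust anchor for this verification?
 * anchors/n_anchors model the caller-supplied cert_pi_trustAnchors list. */
bool issuer_is_trusted(const char *issuer, const char *const anchors[],
                       size_t n_anchors, anchor_mode_t mode) {
    db_trust_t db = db_lookup(issuer);
    /* Shared by both modes: a cert the DB explicitly distrusts is never
     * a valid anchor, even if the caller supplied it. */
    if (db == TRUST_DISTRUSTED)
        return false;
    for (size_t i = 0; i < n_anchors; i++)
        if (strcmp(anchors[i], issuer) == 0)
            return true;
    /* Only the union mode consults the DB's positive trust flags. */
    return mode == USE_ANCHORS_AND_DB && db == TRUST_TRUSTED;
}
```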
(Assignee)

Comment 1

4 years ago
Created attachment 691125 [details] [diff] [review]
Patch with test updates

I've updated the tests here to make sure there is test coverage. I'm not wedded to the use of T here as the flag; it's just that there weren't many free switches.

If you're wondering where the meat of the change is, see pkix_pl_nss/pki/pkix_pl_cert.c and pkix_build.c

This does *NOT* address the bug where non-certificate trust anchors (e.g. SPKI+Subject) are not respected by the libpkix functions. It continues the current pattern of only respecting certificate-based trust anchors.
Attachment #691125 - Flags: review?(rrelyea)
Attachment #691125 - Flags: feedback?(bsmith)

Comment 2

4 years ago
Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

r+ rrelyea
Attachment #691125 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 3

4 years ago
Checking in cmd/vfychain/vfychain.c;
/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v  <--  vfychain.c
new revision: 1.36; previous revision: 1.35
done
Checking in lib/certdb/certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.58; previous revision: 1.57
done
Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v  <--  certvfypkix.c
new revision: 1.56; previous revision: 1.55
done
Checking in lib/libpkix/include/pkix_params.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_params.h,v  <--  pkix_params.h
new revision: 1.10; previous revision: 1.9
done
Checking in lib/libpkix/pkix/params/pkix_procparams.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.c,v  <--  pkix_procparams.c
new revision: 1.14; previous revision: 1.13
done
Checking in lib/libpkix/pkix/params/pkix_procparams.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.h,v  <--  pkix_procparams.h
new revision: 1.9; previous revision: 1.8
done
Checking in lib/libpkix/pkix/top/pkix_build.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v  <--  pkix_build.c
new revision: 1.66; previous revision: 1.65
done
Checking in lib/libpkix/pkix/top/pkix_build.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h,v  <--  pkix_build.h
new revision: 1.12; previous revision: 1.11
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v  <--  pkix_pl_cert.c
new revision: 1.32; previous revision: 1.31
done
Checking in tests/chains/chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.39; previous revision: 1.38
done
Checking in tests/chains/scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v
done
Checking in tests/chains/scenarios/trustanchors.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v  <--  trustanchors.cfg
initial revision: 1.1
done
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

4 years ago
Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

Clearing the bsmith review bit. I've gone ahead and landed this. As mentioned, this only adds support for *certificate* trust anchors - arbitrary trust anchors (subject + public key) are not supported in the NSS<->libpkix bridge, so we don't need to worry about those.
Attachment #691125 - Flags: feedback?(bsmith)