The CERTVALInParam of cert_pi_trustAnchors is mutually exclusive with using trust settings from the certificate DB, with one exception - distrusted certificates are always distrusted, even when explicitly supplied as trust anchors. In order to allow certificate verifications that augment the set of trust anchors, but without requiring the caller to import the certificate into the DB or to modify the permanent trust flags (CERT_ChangeCertTrust), it should be possible to indicate to CERT_PKIXVerifyCert that verification should use the union of the trust anchors and the certificate DB.
Created attachment 691125 [details] [diff] [review] Patch with test updates I've updated the tests here to make sure there is test coverage. I'm not wedded to the use of T here as the flag, it's just that there weren't many free switches. If you're wondering where the meat of the change is, see pkix_pl_nss/pki/pkix_pl_cert.c and pkix_build.c This does *NOT* address the bug where non-certificate trust anchors (eg: SPKI+Subject) are not respected by the libpkix functions. It continues the current pattern of only respecting certificate-based trust anchors.
Comment on attachment 691125 [details] [diff] [review] Patch with test updates r+ rrelyea
Checking in cmd/vfychain/vfychain.c; /cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v <-- vfychain.c new revision: 1.36; previous revision: 1.35 done Checking in lib/certdb/certt.h; /cvsroot/mozilla/security/nss/lib/certdb/certt.h,v <-- certt.h new revision: 1.58; previous revision: 1.57 done Checking in lib/certhigh/certvfypkix.c; /cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v <-- certvfypkix.c new revision: 1.56; previous revision: 1.55 done Checking in lib/libpkix/include/pkix_params.h; /cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_params.h,v <-- pkix_params.h new revision: 1.10; previous revision: 1.9 done Checking in lib/libpkix/pkix/params/pkix_procparams.c; /cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.c,v <-- pkix_procparams.c new revision: 1.14; previous revision: 1.13 done Checking in lib/libpkix/pkix/params/pkix_procparams.h; /cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.h,v <-- pkix_procparams.h new revision: 1.9; previous revision: 1.8 done Checking in lib/libpkix/pkix/top/pkix_build.c; /cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v <-- pkix_build.c new revision: 1.66; previous revision: 1.65 done Checking in lib/libpkix/pkix/top/pkix_build.h; /cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h,v <-- pkix_build.h new revision: 1.12; previous revision: 1.11 done Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c; /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v <-- pkix_pl_cert.c new revision: 1.32; previous revision: 1.31 done Checking in tests/chains/chains.sh; /cvsroot/mozilla/security/nss/tests/chains/chains.sh,v <-- chains.sh new revision: 1.39; previous revision: 1.38 done Checking in tests/chains/scenarios/scenarios; /cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v <-- scenarios new revision: 1.10; previous revision: 1.9 done RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v done Checking in tests/chains/scenarios/trustanchors.cfg; /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v <-- trustanchors.cfg initial revision: 1.1 done
Comment on attachment 691125 [details] [diff] [review] Patch with test updates Clearing the bsmith review bit. I've gone ahead and landed this. As mentioned, this only adds support for *certificate* trust anchors - arbitrary trust anchors (subject + public key) are not supported in the NSS<->libpkix bridge, so we don't need to worry about those.
or
