Bug 816853 - CERT_PKIXVerifyCert should support trusting both trust anchors and the cert DB
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: -- normal
Target Milestone: 3.14.2
Assigned To: Ryan Sleevi
Blocks: 816820
Reported: 2012-11-29 21:52 PST by Ryan Sleevi
Modified: 2013-01-16 11:18 PST

Attachments
Patch with test updates (20.05 KB, patch)
2012-12-11 16:17 PST, Ryan Sleevi
rrelyea: review+

Description Ryan Sleevi 2012-11-29 21:52:08 PST
The CERTVALInParam of cert_pi_trustAnchors is mutually exclusive with using trust settings from the certificate DB, with one exception - distrusted certificates are always distrusted, even when explicitly supplied as trust anchors.

In order to allow certificate verifications that augment the set of trust anchors, but without requiring the caller to import the certificate into the DB or to modify the permanent trust flags (CERT_ChangeCertTrust), it should be possible to indicate to CERT_PKIXVerifyCert that verification should use the union of the trust anchors and the certificate DB.
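The two trust modes the description contrasts, as an added illustrative model rather than NSS code: DbTrust, TrustModel and the simplified leaf-to-root chain walk are assumptions, and the model encodes the stated rule that a distrust record in the cert DB overrides an explicitly supplied trust anchor in either mode.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the trust resolution described in the bug; it is not
# NSS code. The names below and the chain walk are assumptions made here.


class DbTrust(Enum):
    NONE = "no trust record in the cert DB"
    TRUSTED = "trusted CA in the cert DB"
    DISTRUSTED = "explicitly distrusted in the cert DB"


@dataclass
class TrustModel:
    db: dict[str, DbTrust]                          # cert name -> DB trust flags
    anchors: set[str] = field(default_factory=set)  # caller-supplied trust anchors
    # True models the pre-patch behaviour: supplied anchors replace DB trust.
    # False models the union requested in this bug: anchors plus DB trust.
    use_only_trust_anchors: bool = True

    def is_trust_anchor(self, cert: str) -> bool:
        """May `cert` terminate a chain? Distrust in the DB always wins, even
        when the caller explicitly passed the cert as an anchor."""
        db_trust = self.db.get(cert, DbTrust.NONE)
        if db_trust is DbTrust.DISTRUSTED:
            return False
        if cert in self.anchors:
            return True
        if self.use_only_trust_anchors and self.anchors:
            return False  # anchors were supplied, so DB trust is ignored
        # No anchors supplied, or union mode: fall back to DB trust flags.
        return db_trust is DbTrust.TRUSTED

    def chain_reaches_anchor(self, chain: list[str]) -> bool:
        """Walk a leaf-to-root chain: accepted once a trust anchor is met,
        rejected outright if any cert on the chain is distrusted."""
        for cert in chain:
            if self.db.get(cert, DbTrust.NONE) is DbTrust.DISTRUSTED:
                return False
            if self.is_trust_anchor(cert):
                return True
        return False
```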
Comment 1 Ryan Sleevi 2012-12-11 16:17:13 PST
Created attachment 691125 [details] [diff] [review]
Patch with test updates

I've updated the tests here to make sure there is test coverage. I'm not wedded to the use of T here as the flag, it's just that there weren't many free switches.

If you're wondering where the meat of the change is, see pkix_pl_nss/pki/pkix_pl_cert.c and pkix_build.c

This does *NOT* address the bug where non-certificate trust anchors (e.g. SPKI+Subject) are not respected by the libpkix functions. It continues the current pattern of only respecting certificate-based trust anchors.
Comment 2 Robert Relyea 2013-01-03 16:42:13 PST
Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

r+ rrelyea
Comment 3 Ryan Sleevi 2013-01-06 19:56:39 PST
Checking in cmd/vfychain/vfychain.c;
/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v  <--  vfychain.c
new revision: 1.36; previous revision: 1.35
done
Checking in lib/certdb/certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.58; previous revision: 1.57
done
Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v  <--  certvfypkix.c
new revision: 1.56; previous revision: 1.55
done
Checking in lib/libpkix/include/pkix_params.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_params.h,v  <--  pkix_params.h
new revision: 1.10; previous revision: 1.9
done
Checking in lib/libpkix/pkix/params/pkix_procparams.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.c,v  <--  pkix_procparams.c
new revision: 1.14; previous revision: 1.13
done
Checking in lib/libpkix/pkix/params/pkix_procparams.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.h,v  <--  pkix_procparams.h
new revision: 1.9; previous revision: 1.8
done
Checking in lib/libpkix/pkix/top/pkix_build.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v  <--  pkix_build.c
new revision: 1.66; previous revision: 1.65
done
Checking in lib/libpkix/pkix/top/pkix_build.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h,v  <--  pkix_build.h
new revision: 1.12; previous revision: 1.11
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v  <--  pkix_pl_cert.c
new revision: 1.32; previous revision: 1.31
done
Checking in tests/chains/chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.39; previous revision: 1.38
done
Checking in tests/chains/scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v
done
Checking in tests/chains/scenarios/trustanchors.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v  <--  trustanchors.cfg
initial revision: 1.1
done
Comment 4 Ryan Sleevi 2013-01-16 11:18:14 PST
Comment on attachment 691125 [details] [diff] [review]
Patch with test updates

Clearing the bsmith review bit. I've gone ahead and landed this. As mentioned, this only adds support for *certificate* trust anchors - arbitrary trust anchors (subject + public key) are not supported in the NSS<->libpkix bridge, so we don't need to worry about those.