Closed Bug 816853 Opened 13 years ago Closed 13 years ago

CERT_PKIXVerifyCert should support trusting both trust anchors and the cert DB

Categories

(NSS :: Libraries, defect)


Tracking

(Not tracked)

RESOLVED FIXED
3.14.2

People

(Reporter: ryan.sleevi, Assigned: ryan.sleevi)

Attachments

(1 file)

The CERTVALInParam of cert_pi_trustAnchors is mutually exclusive with using trust settings from the certificate DB, with one exception - distrusted certificates are always distrusted, even when explicitly supplied as trust anchors. In order to allow certificate verifications that augment the set of trust anchors, but without requiring the caller to import the certificate into the DB or to modify the permanent trust flags (CERT_ChangeCertTrust), it should be possible to indicate to CERT_PKIXVerifyCert that verification should use the union of the trust anchors and the certificate DB.
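A simplified model of the trust decision described above, added here as an illustration; it is not NSS or libpkix code. All names (`cert`, `chain_is_trusted`, `union_with_db`) and the sample certificates are constructed. It assumes DB trust is consulted when no anchors are supplied, and it applies the distrust check to every certificate on the path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef enum { DB_UNKNOWN, DB_TRUSTED, DB_DISTRUSTED } db_trust;

typedef struct {
    const char *subject, *issuer; /* constructed sample names */
    db_trust db;                  /* trust recorded in the cert DB */
} cert;

/* Constructed sample data: three self-signed roots and one leaf under each. */
static const cert POOL[] = {
    {"RootA", "RootA", DB_TRUSTED},    /* trusted via the cert DB */
    {"RootB", "RootB", DB_UNKNOWN},    /* private root, not in the DB */
    {"RootC", "RootC", DB_DISTRUSTED}, /* explicitly distrusted in the DB */
    {"leafA", "RootA", DB_UNKNOWN},
    {"leafB", "RootB", DB_UNKNOWN},
    {"leafC", "RootC", DB_UNKNOWN},
};
static const size_t N_POOL = sizeof POOL / sizeof POOL[0];

static const cert *find_issuer(const cert *c) {
    for (size_t i = 0; i < N_POOL; i++)
        if (strcmp(POOL[i].subject, c->issuer) == 0) return &POOL[i];
    return NULL;
}

/* May the chain end at c? anchors are caller-supplied; union_with_db models
 * the behaviour requested in this bug (hypothetical parameter name). */
static bool is_trust_root(const cert *c, const cert *const *anchors,
                          size_t n_anchors, bool union_with_db) {
    for (size_t i = 0; i < n_anchors; i++)
        if (anchors[i] == c) return true;
    /* DB trust applies when no anchors were given, or in union mode. */
    return (n_anchors == 0 || union_with_db) && c->db == DB_TRUSTED;
}

/* Walk issuer links from leaf; true if the path reaches a trust root. */
bool chain_is_trusted(const cert *leaf, const cert *const *anchors,
                      size_t n_anchors, bool union_with_db) {
    const cert *cur = leaf;
    for (size_t depth = 0; cur && depth <= N_POOL; depth++) {
        if (cur->db == DB_DISTRUSTED) return false; /* distrust always wins */
        if (is_trust_root(cur, anchors, n_anchors, union_with_db)) return true;
        if (strcmp(cur->subject, cur->issuer) == 0) return false; /* untrusted root */
        cur = find_issuer(cur);
    }
    return false; /* issuer missing or loop guard hit */
}
```

With RootB supplied as the only anchor, leafA fails in anchors-only mode and passes in union mode; RootC fails in every mode, even when supplied as an anchor.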
I've updated the tests here to make sure there is test coverage. I'm not wedded to the use of T here as the flag, it's just that there weren't many free switches. If you're wondering where the meat of the change is, see pkix_pl_nss/pki/pkix_pl_cert.c and pkix_build.c. This does *NOT* address the bug where non-certificate trust anchors (e.g. SPKI+Subject) are not respected by the libpkix functions. It continues the current pattern of only respecting certificate-based trust anchors.
Attachment #691125 - Flags: review?(rrelyea)
Attachment #691125 - Flags: feedback?(bsmith)
Comment on attachment 691125: Patch with test updates
r+ rrelyea
Attachment #691125 - Flags: review?(rrelyea) → review+
Checking in cmd/vfychain/vfychain.c;
/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v <-- vfychain.c
new revision: 1.36; previous revision: 1.35
done
Checking in lib/certdb/certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v <-- certt.h
new revision: 1.58; previous revision: 1.57
done
Checking in lib/certhigh/certvfypkix.c;
/cvsroot/mozilla/security/nss/lib/certhigh/certvfypkix.c,v <-- certvfypkix.c
new revision: 1.56; previous revision: 1.55
done
Checking in lib/libpkix/include/pkix_params.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkix_params.h,v <-- pkix_params.h
new revision: 1.10; previous revision: 1.9
done
Checking in lib/libpkix/pkix/params/pkix_procparams.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.c,v <-- pkix_procparams.c
new revision: 1.14; previous revision: 1.13
done
Checking in lib/libpkix/pkix/params/pkix_procparams.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/pkix_procparams.h,v <-- pkix_procparams.h
new revision: 1.9; previous revision: 1.8
done
Checking in lib/libpkix/pkix/top/pkix_build.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c,v <-- pkix_build.c
new revision: 1.66; previous revision: 1.65
done
Checking in lib/libpkix/pkix/top/pkix_build.h;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h,v <-- pkix_build.h
new revision: 1.12; previous revision: 1.11
done
Checking in lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v <-- pkix_pl_cert.c
new revision: 1.32; previous revision: 1.31
done
Checking in tests/chains/chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v <-- chains.sh
new revision: 1.39; previous revision: 1.38
done
Checking in tests/chains/scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v <-- scenarios
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v
done
Checking in tests/chains/scenarios/trustanchors.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/trustanchors.cfg,v <-- trustanchors.cfg
initial revision: 1.1
done
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 691125: Patch with test updates
Clearing the bsmith review bit. I've gone ahead and landed this. As mentioned, this only adds support for *certificate* trust anchors - arbitrary trust anchors (subject + public key) are not supported in the NSS<->libpkix bridge, so we don't need to worry about those.
Attachment #691125 - Flags: feedback?(bsmith)