Closed Bug 978528 Opened 11 years ago Closed 11 years ago

The wrong error code is returned when no candidate issuers can be found when using insanity::pkix

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox29 --- wontfix
firefox30 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

Attachments

(1 file)

Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler
5.10 KB, patch
cviecco
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
AppTrustDomain::FindPotentialIssuers and NSSCertDBTrustDomain::FindPotentialIssuers both incorrectly assume that CERT_CreateSubjectCertList calls PR_SetError when it returns nullptr. However, it doesn't (always) do that, because nullptr is a valid success result meaning "no potential issuers found." This is the cause of bug 978117.
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler Review of attachment 8384341 [details] [diff] [review]: ----------------------------------------------------------------- r+ with check reloation or explanation. ::: security/insanity/lib/pkixbuild.cpp @@ +230,5 @@ > ScopedCERTCertList candidates; > if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time, > candidates) != SECSuccess) { > return MapSECStatus(SECFailure); > } move this assert after the check for !candidates. or make the !candidates condition check also check for !canidates.get()
Attachment #8384341 - Flags: review?(cviecco) → review+
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler Review of attachment 8384341 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/insanity/lib/pkixbuild.cpp @@ +230,5 @@ > ScopedCERTCertList candidates; > if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time, > candidates) != SECSuccess) { > return MapSECStatus(SECFailure); > } The overloaded operator!() on ScopedPtr makes (!candidates) equivalent to (!candidates.get()) already. Thanks for the review!
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 878932. User impact if declined: Confusing error messages. Less automated test coverage for certificate verification for TLS certificates and for packaged app signature verification. Testing completed (on m-c, etc.): This is covered by the automated tests in bug 978117. Risk to taking this patch (and alternatives if risky): Very low risk. This is a very simple change. String or IDL/UUID changes made by this patch: Never!
Attachment #8384341 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/d16477b89f70
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Wes, don't hesitate to update status-firefox30 when you merge the commit in m-c.
Attachment #8384341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Sylvestre Ledru [:sylvestre] from comment #7) > Wes, don't hesitate to update status-firefox30 when you merge the commit in > m-c. We use automated marking tools that currently only set it to fixed if it's tracking that release and don't give us the option otherwise. So easier said than done ;)
status-firefox30: affectedfixed
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler This didn't get uplifted in time. Requesting approval for beta. [Approval Request Comment] see comment 5
Attachment #8384341 - Flags: approval-mozilla-beta?
Attachment #8384341 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Backed out for Android xpcshell failures. https://hg.mozilla.org/releases/mozilla-beta/rev/e5d922ae5641 https://tbpl.mozilla.org/php/getParsedLog.php?id=36678630&tree=Mozilla-Beta I tried pinging you on IRC and couldn't get ahold of you. A reminder that the tree rules explicitly say that *you* are responsible for watching your pushes to the release branches. https://wiki.mozilla.org/Tree_Rules
status-firefox29: fixedaffected
Flags: needinfo?(dkeeler)
David, there are so many bugs in mozilla::pkix that won't get fixed in Firefox 29 that I don't think it is worth spending more time on this. I suggest we WONTFIX for Firefox 29.
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #11) > I tried pinging you on IRC and couldn't get ahold of you. A reminder that > the tree rules explicitly say that *you* are responsible for watching your > pushes to the release branches. > https://wiki.mozilla.org/Tree_Rules I'll keep a closer watch in the future. (In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #12) > David, there are so many bugs in mozilla::pkix that won't get fixed in > Firefox 29 that I don't think it is worth spending more time on this. I > suggest we WONTFIX for Firefox 29. I agree.
status-firefox29: affectedwontfix
Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: