Closed
Bug 978528
Opened 10 years ago
Closed 10 years ago
The wrong error code is returned when no candidate issuers can be found when using insanity::pkix
Categories
(Core :: Security: PSM, defect, P1)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: briansmith, Assigned: briansmith)
References
Details
Attachments
(1 file)
5.10 KB,
patch
|
cviecco
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
AppTrustDomain::FindPotentialIssuers and NSSCertDBTrustDomain::FindPotentialIssuers both incorrectly assume that CERT_CreateSubjectCertList calls PR_SetError when it returns nullptr. However, it doesn't (always) do that, because nullptr is a valid success result meaning "no potential issuers found." This is the cause of bug 978117.
Assignee | ||
Comment 1•10 years ago
|
||
Attachment #8384341 -
Flags: review?(cviecco)
Comment 2•10 years ago
|
||
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler Review of attachment 8384341 [details] [diff] [review]: ----------------------------------------------------------------- r+ with check reloation or explanation. ::: security/insanity/lib/pkixbuild.cpp @@ +230,5 @@ > ScopedCERTCertList candidates; > if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time, > candidates) != SECSuccess) { > return MapSECStatus(SECFailure); > } move this assert after the check for !candidates. or make the !candidates condition check also check for !canidates.get()
Attachment #8384341 -
Flags: review?(cviecco) → review+
Assignee | ||
Comment 3•10 years ago
|
||
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler Review of attachment 8384341 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/insanity/lib/pkixbuild.cpp @@ +230,5 @@ > ScopedCERTCertList candidates; > if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time, > candidates) != SECSuccess) { > return MapSECStatus(SECFailure); > } The overloaded operator!() on ScopedPtr makes (!candidates) equivalent to (!candidates.get()) already. Thanks for the review!
Assignee | ||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d16477b89f70
Assignee | ||
Comment 5•10 years ago
|
||
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 878932. User impact if declined: Confusing error messages. Less automated test coverage for certificate verification for TLS certificates and for packaged app signature verification. Testing completed (on m-c, etc.): This is covered by the automated tests in bug 978117. Risk to taking this patch (and alternatives if risky): Very low risk. This is a very simple change. String or IDL/UUID changes made by this patch: Never!
Attachment #8384341 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
status-firefox29:
--- → affected
status-firefox30:
--- → affected
https://hg.mozilla.org/mozilla-central/rev/d16477b89f70
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 7•10 years ago
|
||
Wes, don't hesitate to update status-firefox30 when you merge the commit in m-c.
Updated•10 years ago
|
Attachment #8384341 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8•10 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #7) > Wes, don't hesitate to update status-firefox30 when you merge the commit in > m-c. We use automated marking tools that currently only set it to fixed if it's tracking that release and don't give us the option otherwise. So easier said than done ;)
Comment on attachment 8384341 [details] [diff] [review] Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler This didn't get uplifted in time. Requesting approval for beta. [Approval Request Comment] see comment 5
Attachment #8384341 -
Flags: approval-mozilla-beta?
Updated•10 years ago
|
Attachment #8384341 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 11•10 years ago
|
||
Backed out for Android xpcshell failures. https://hg.mozilla.org/releases/mozilla-beta/rev/e5d922ae5641 https://tbpl.mozilla.org/php/getParsedLog.php?id=36678630&tree=Mozilla-Beta I tried pinging you on IRC and couldn't get ahold of you. A reminder that the tree rules explicitly say that *you* are responsible for watching your pushes to the release branches. https://wiki.mozilla.org/Tree_Rules
Flags: needinfo?(dkeeler)
Assignee | ||
Comment 12•10 years ago
|
||
David, there are so many bugs in mozilla::pkix that won't get fixed in Firefox 29 that I don't think it is worth spending more time on this. I suggest we WONTFIX for Firefox 29.
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #11) > I tried pinging you on IRC and couldn't get ahold of you. A reminder that > the tree rules explicitly say that *you* are responsible for watching your > pushes to the release branches. > https://wiki.mozilla.org/Tree_Rules I'll keep a closer watch in the future. (In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #12) > David, there are so many bugs in mozilla::pkix that won't get fixed in > Firefox 29 that I don't think it is worth spending more time on this. I > suggest we WONTFIX for Firefox 29. I agree.
Flags: needinfo?(dkeeler)
You need to log in
before you can comment on or make changes to this bug.
Description
•