Closed Bug 978528 Opened 6 years ago Closed 6 years ago

The wrong error code is returned when no candidate issuers can be found when using insanity::pkix

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla30
Tracking Status
firefox29 --- wontfix
firefox30 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

Attachments

(1 file)

AppTrustDomain::FindPotentialIssuers and NSSCertDBTrustDomain::FindPotentialIssuers both incorrectly assume that CERT_CreateSubjectCertList calls PR_SetError when it returns nullptr. However, it doesn't (always) do that, because nullptr is a valid success result meaning "no potential issuers found."

This is the cause of bug 978117.
Comment on attachment 8384341 [details] [diff] [review]
Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler

Review of attachment 8384341 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with check reloation or explanation.

::: security/insanity/lib/pkixbuild.cpp
@@ +230,5 @@
>    ScopedCERTCertList candidates;
>    if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time,
>                                         candidates) != SECSuccess) {
>      return MapSECStatus(SECFailure);
>    }

move this assert after the check for !candidates. or make the !candidates condition check also check for !canidates.get()
Attachment #8384341 - Flags: review?(cviecco) → review+
Comment on attachment 8384341 [details] [diff] [review]
Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler

Review of attachment 8384341 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/insanity/lib/pkixbuild.cpp
@@ +230,5 @@
>    ScopedCERTCertList candidates;
>    if (trustDomain.FindPotentialIssuers(&subject.GetNSSCert()->derIssuer, time,
>                                         candidates) != SECSuccess) {
>      return MapSECStatus(SECFailure);
>    }

The overloaded operator!() on ScopedPtr makes (!candidates) equivalent to (!candidates.get()) already.

Thanks for the review!
Comment on attachment 8384341 [details] [diff] [review]
Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 878932.
User impact if declined: Confusing error messages. Less automated test coverage for certificate verification for TLS certificates and for packaged app signature verification.
Testing completed (on m-c, etc.): This is covered by the automated tests in bug 978117.
Risk to taking this patch (and alternatives if risky): Very low risk. This is a very simple change.
String or IDL/UUID changes made by this patch: Never!
Attachment #8384341 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/d16477b89f70
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Wes, don't hesitate to update status-firefox30 when you merge the commit in m-c.
Attachment #8384341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Sylvestre Ledru [:sylvestre] from comment #7)
> Wes, don't hesitate to update status-firefox30 when you merge the commit in
> m-c.

We use automated marking tools that currently only set it to fixed if it's tracking that release and don't give us the option otherwise. So easier said than done ;)
Comment on attachment 8384341 [details] [diff] [review]
Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r?keeler

This didn't get uplifted in time. Requesting approval for beta.

[Approval Request Comment]
see comment 5
Attachment #8384341 - Flags: approval-mozilla-beta?
Attachment #8384341 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Backed out for Android xpcshell failures.
https://hg.mozilla.org/releases/mozilla-beta/rev/e5d922ae5641

https://tbpl.mozilla.org/php/getParsedLog.php?id=36678630&tree=Mozilla-Beta

I tried pinging you on IRC and couldn't get ahold of you. A reminder that the tree rules explicitly say that *you* are responsible for watching your pushes to the release branches.
https://wiki.mozilla.org/Tree_Rules
Flags: needinfo?(dkeeler)
David, there are so many bugs in mozilla::pkix that won't get fixed in Firefox 29 that I don't think it is worth spending more time on this. I suggest we WONTFIX for Firefox 29.
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #11)
> I tried pinging you on IRC and couldn't get ahold of you. A reminder that
> the tree rules explicitly say that *you* are responsible for watching your
> pushes to the release branches.
> https://wiki.mozilla.org/Tree_Rules

I'll keep a closer watch in the future.

(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #12)
> David, there are so many bugs in mozilla::pkix that won't get fixed in
> Firefox 29 that I don't think it is worth spending more time on this. I
> suggest we WONTFIX for Firefox 29.

I agree.
Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.