зеркало из https://github.com/mozilla/gecko-dev.git
bug 977870 - insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response r=briansmith
This commit is contained in:
Родитель
71abad65d5
Коммит
6426e9ea55
|
@ -163,6 +163,11 @@ public:
|
|||
return Success;
|
||||
}
|
||||
|
||||
void SkipToEnd()
|
||||
{
|
||||
input = end;
|
||||
}
|
||||
|
||||
bool AtEnd() const { return input == end; }
|
||||
|
||||
class Mark
|
||||
|
|
|
@ -603,6 +603,11 @@ SingleResponse(der::Input& input, Context& context)
|
|||
}
|
||||
|
||||
if (!match) {
|
||||
// This response does not reference the certificate we're interested in.
|
||||
// By consuming the rest of our input and returning successfully, we can
|
||||
// continue processing and examine another response that might have what
|
||||
// we want.
|
||||
input.SkipToEnd();
|
||||
return der::Success;
|
||||
}
|
||||
|
||||
|
@ -745,6 +750,10 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
|||
const CERTCertificate& issuerCert = context.issuerCert;
|
||||
|
||||
if (!SECITEM_ItemsAreEqual(&serialNumber, &cert.serialNumber)) {
|
||||
// This does not reference the certificate we're interested in.
|
||||
// Consume the rest of the input and return successfully to
|
||||
// potentially continue processing other responses.
|
||||
input.SkipToEnd();
|
||||
return der::Success;
|
||||
}
|
||||
|
||||
|
@ -752,6 +761,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
|||
|
||||
SECOidTag hashAlg = SECOID_GetAlgorithmTag(&hashAlgorithm);
|
||||
if (hashAlg != SEC_OID_SHA1) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return der::Success;
|
||||
}
|
||||
|
||||
|
@ -768,6 +779,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
|||
return der::Failure;
|
||||
}
|
||||
if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return der::Success;
|
||||
}
|
||||
|
||||
|
|
|
@ -95,11 +95,8 @@ function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
|
|||
true);
|
||||
add_ocsp_test("ocsp-stapling-unknown.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
||||
// TODO(bug 977870): this should not result in SEC_ERROR_BAD_DER
|
||||
add_ocsp_test("ocsp-stapling-good-other.example.com",
|
||||
getXPCOMStatusFromNSS(
|
||||
useInsanity ? SEC_ERROR_BAD_DER
|
||||
: SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
||||
// If the server doesn't staple an OCSP response, we continue as normal
|
||||
// (this means that even though stapling is enabled, we expect an OCSP
|
||||
// request).
|
||||
|
|
Загрузка…
Ссылка в новой задаче