Bug 978528: Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r=cviecco

--HG-- extra : rebase_source : 71f806312ad322bc2971e7efaea2da217b07efad
2014-03-01 20:55:51 -08:00 · 2014-03-01 20:55:51 -08:00 · dbb4eb51fe
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@ -98,15 +98,6 @@ AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName,

  results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                       encodedIssuerName, time, true);
-  if (!results) {
-    // NSS sometimes returns this unhelpful error code upon failing to find any
-    // candidate certificates.
-    if (PR_GetError() == SEC_ERROR_BAD_DATABASE) {
-      PR_SetError(SEC_ERROR_UNKNOWN_ISSUER, 0);
-    }
-    return SECFailure;
-  }
-
  return SECSuccess;
 }

--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -57,15 +57,6 @@ NSSCertDBTrustDomain::FindPotentialIssuers(
  // "there was an error trying to retrieve the potential issuers."
  results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                       encodedIssuerName, time, true);
-  if (!results) {
-    // NSS sometimes returns this unhelpful error code upon failing to find any
-    // candidate certificates.
-    if (PR_GetError() == SEC_ERROR_BAD_DATABASE) {
-      PR_SetError(SEC_ERROR_UNKNOWN_ISSUER, 0);
-    }
-    return SECFailure;
-  }
-
  return SECSuccess;
 }

--- a/security/insanity/include/insanity/pkixtypes.h
+++ b/security/insanity/include/insanity/pkixtypes.h
@ -73,8 +73,11 @@ public:
  // Find all certificates (intermediate and/or root) in the certificate
  // database that have a subject name matching |encodedIssuerName| at
  // the given time. Certificates where the given time is not within the
-  // certificate's validity period may be excluded. The results should be
-  // added to the |results| certificate list.
+  // certificate's validity period may be excluded. On input, |results|
+  // will be null on input. If no potential issuers are found, then this
+  // function should return SECSuccess with results being either null or
+  // an empty list. Otherwise, this function should construct a
+  // CERTCertList and return it in |results|, transfering ownership.
  virtual SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
                                         PRTime time,
                                 /*out*/ ScopedCERTCertList& results) = 0;
--- a/security/insanity/lib/pkixbuild.cpp
+++ b/security/insanity/lib/pkixbuild.cpp
@ -232,7 +232,6 @@ BuildForward(TrustDomain& trustDomain,
                                       candidates) != SECSuccess) {
    return MapSECStatus(SECFailure);
  }
-  PORT_Assert(candidates.get());
  if (!candidates) {
    return Fail(RecoverableError, SEC_ERROR_UNKNOWN_ISSUER);
  }