From dbb4eb51fe903547f9466bf1d454e780fcde5953 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Sat, 1 Mar 2014 20:55:51 -0800 Subject: [PATCH] Bug 978528: Return the correct error message when no potential issuers are found during path bulding in insanitY::pkix, r=cviecco --HG-- extra : rebase_source : 71f806312ad322bc2971e7efaea2da217b07efad --- security/apps/AppTrustDomain.cpp | 9 --------- security/certverifier/NSSCertDBTrustDomain.cpp | 9 --------- security/insanity/include/insanity/pkixtypes.h | 7 +++++-- security/insanity/lib/pkixbuild.cpp | 1 - 4 files changed, 5 insertions(+), 21 deletions(-) diff --git a/security/apps/AppTrustDomain.cpp b/security/apps/AppTrustDomain.cpp index 12b8c334927e..25b222727fb0 100644 --- a/security/apps/AppTrustDomain.cpp +++ b/security/apps/AppTrustDomain.cpp @@ -98,15 +98,6 @@ AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName, results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), encodedIssuerName, time, true); - if (!results) { - // NSS sometimes returns this unhelpful error code upon failing to find any - // candidate certificates. - if (PR_GetError() == SEC_ERROR_BAD_DATABASE) { - PR_SetError(SEC_ERROR_UNKNOWN_ISSUER, 0); - } - return SECFailure; - } - return SECSuccess; } diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 1769b3198f06..661699f610e7 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -57,15 +57,6 @@ NSSCertDBTrustDomain::FindPotentialIssuers( // "there was an error trying to retrieve the potential issuers." results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), encodedIssuerName, time, true); - if (!results) { - // NSS sometimes returns this unhelpful error code upon failing to find any - // candidate certificates. - if (PR_GetError() == SEC_ERROR_BAD_DATABASE) { - PR_SetError(SEC_ERROR_UNKNOWN_ISSUER, 0); - } - return SECFailure; - } - return SECSuccess; } diff --git a/security/insanity/include/insanity/pkixtypes.h b/security/insanity/include/insanity/pkixtypes.h index a3c849221ea9..23a43e8d8fa1 100644 --- a/security/insanity/include/insanity/pkixtypes.h +++ b/security/insanity/include/insanity/pkixtypes.h @@ -73,8 +73,11 @@ public: // Find all certificates (intermediate and/or root) in the certificate // database that have a subject name matching |encodedIssuerName| at // the given time. Certificates where the given time is not within the - // certificate's validity period may be excluded. The results should be - // added to the |results| certificate list. + // certificate's validity period may be excluded. On input, |results| + // will be null on input. If no potential issuers are found, then this + // function should return SECSuccess with results being either null or + // an empty list. Otherwise, this function should construct a + // CERTCertList and return it in |results|, transfering ownership. virtual SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName, PRTime time, /*out*/ ScopedCERTCertList& results) = 0; diff --git a/security/insanity/lib/pkixbuild.cpp b/security/insanity/lib/pkixbuild.cpp index bfc7e3337877..41fdb1b47ab9 100644 --- a/security/insanity/lib/pkixbuild.cpp +++ b/security/insanity/lib/pkixbuild.cpp @@ -232,7 +232,6 @@ BuildForward(TrustDomain& trustDomain, candidates) != SECSuccess) { return MapSECStatus(SECFailure); } - PORT_Assert(candidates.get()); if (!candidates) { return Fail(RecoverableError, SEC_ERROR_UNKNOWN_ISSUER); }