390502 - libpkix fails cert validation when no valid CRL (NIST validation policy is always enforced). r=nelson

security/nss/lib/certhigh/certvfypkix.c

@@ -560,14 +560,11 @@ cert_CreatePkixProcessingParams(
         PKIX_ProcessingParams_SetDate(procParams, date, plContext),
         PKIX_PROCESSINGPARAMSSETDATEFAILED);
     
-#ifdef PKIX_NOTDEF
-    /* Code will be enabled with integration of a patch for bug 390502 */
     PKIX_CHECK(
         PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(procParams,
                                                              PKIX_FALSE,
                                                              plContext),
         PKIX_PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED);
-#endif /* PKIX_NOTDEF */
 
     PKIX_CHECK(
         PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,

security/nss/lib/libpkix/include/pkix_crlsel.h

@@ -559,6 +559,69 @@ PKIX_ComCRLSelParams_SetDateAndTime(
         PKIX_PL_Date *date,
         void *plContext);
 
+/* 
+ * FUNCTION: PKIX_ComCRLSelParams_GetNISTPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Boolean representing the NIST CRL policy
+ *  activation flag that is set in the ComCRLSelParams pointed to by "params"
+ *  and stores it at "enabled". If enabled, a CRL must have nextUpdate field.
+ *
+ *  Default value for this flag is TRUE.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose NIST CRL policy criterion  is to
+ *      be stored. Must be non-NULL.
+ *  "pEnabled"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Sets the NIST crl policy criterion of the ComCRLSelParams pointed to by
+ *  "params" using a "enabled" flag. In order to match against this
+ *  criterion, a CRL's nextUpdate must be available and criterion's
+ *  dataAndTime must be within thisUpdate and nextUpdate time period.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose NIST CRL policy criterion
+ *      is to be set. Must be non-NULL.
+ *  "enabled"
+ *      Address of Bollean used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean enabled,
+        void *plContext);
+
 /*
  * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber
  * DESCRIPTION:

security/nss/lib/libpkix/include/pkix_errorstrings.h

@@ -901,7 +901,7 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED,PKIX_Processin
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETRESOURCELIMITSFAILED,PKIX_ProcessingParams_GetResourceLimits failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONCHECKERSFAILED,PKIX_ProcessingParams_GetRevocationCheckers failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_GetRevocationEnabled failed),
-PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVOCATIONPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_GetTargetCertConstraints failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETTRUSTANCHORSFAILED,PKIX_ProcessingParams_GetTrustAnchors failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED,PKIX_ProcessingParams_IsAnyPolicyInhibited failed),

security/nss/lib/libpkix/include/pkix_params.h

@@ -1072,6 +1072,68 @@ PKIX_ProcessingParams_SetRevocationEnabled(
         PKIX_Boolean enabled,
         void *plContext);
 
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  CRL revocation checking is enabled and revocation is done according to NIST
+ *  CRL policy which states that a valid CRL with nextUpdate field must be
+ *  available for certificate revocation checking.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not NIST CRL
+ *      revocation policy is enabled. Must be non-NULL.
+ *  "pEnabled"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether NIST CRL
+ *  revocation checking is enabled using the Boolean value of "enabled".
+ *  (See PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled function
+ *  description)
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "enabled"
+ *      Boolean value indicating whether nist CRL revocation checking is to
+ *      be enabled.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext);
+
 
 /* PKIX_ValidateParams
  *

security/nss/lib/libpkix/include/pkix_pl_pki.h

@@ -2027,7 +2027,7 @@ PKIX_PL_CRL_GetCRLNumber(
  *
  *  Checks whether the CRL pointed to by "crl" would be valid at the time
  *  represented by the Date pointed to by "date" and stores the Boolean result
- *  at "pResult".
+ *  at "pResult". This check is done only when NIST policy is enforced.
  *
  *  Time ::= CHOICE {
  *      utcTime         UTCTime,

security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.c

@@ -260,11 +260,20 @@ pkix_DefaultRevChecker_Check(
          * create one now.
          */
         if (defaultRevChecker->certChainChecker == NULL) {
+                PKIX_Boolean nistCRLPolicyEnabled = PR_TRUE;
+                if (procParams) {
+                    PKIX_CHECK(
+                        pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                        (procParams, &nistCRLPolicyEnabled, plContext),
+                        PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
+                }
+
                 PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
                         (defaultRevChecker->certStores,
                         defaultRevChecker->testDate,
                         defaultRevChecker->trustedPubKey,
                         defaultRevChecker->certsRemaining,
+                        nistCRLPolicyEnabled,
                         &crlChecker,
                         plContext),
                         PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);

security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c

@@ -487,6 +487,7 @@ PKIX_ComCRLSelParams_Create(
         params->issuerNames = NULL;
         params->cert = NULL;
         params->date = NULL;
+        params->nistPolicyEnabled = PKIX_TRUE;
         params->maxCRLNumber = NULL;
         params->minCRLNumber = NULL;
 
@@ -681,6 +682,47 @@ cleanup:
         PKIX_RETURN(COMCRLSELPARAMS);
 }
 
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetNISTPolicyEnabled");
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->nistPolicyEnabled;
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean enabled,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetNISTPolicyEnabled");
+        PKIX_NULLCHECK_ONE(params); /* allows date to be NULL from spec */
+
+        params->nistPolicyEnabled = enabled;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
 
 /*
  * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber

security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h

@@ -54,6 +54,7 @@ struct PKIX_ComCRLSelParamsStruct {
         PKIX_List *issuerNames; /* list of PKIX_PL_X500Name */
         PKIX_PL_Cert *cert; /* certificate being checked */
         PKIX_PL_Date *date;
+        PKIX_Boolean nistPolicyEnabled;
         PKIX_PL_BigInt *maxCRLNumber;
         PKIX_PL_BigInt *minCRLNumber;
 };

security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c

@@ -403,7 +403,7 @@ static PKIX_Error *
 pkix_CRLSelector_DefaultMatch(
         PKIX_CRLSelector *selector,
         PKIX_PL_CRL *crl,
-	PKIX_Boolean *pMatch,
+        PKIX_Boolean *pMatch,
         void *plContext)
 {
         PKIX_ComCRLSelParams *params = NULL;
@@ -417,6 +417,7 @@ pkix_CRLSelector_DefaultMatch(
         PKIX_PL_BigInt *minCRLNumber = NULL;
         PKIX_PL_BigInt *maxCRLNumber = NULL;
         PKIX_PL_BigInt *crlNumber = NULL;
+        PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;
 
         PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
         PKIX_NULLCHECK_TWO(selector, crl);
@@ -484,16 +485,22 @@ pkix_CRLSelector_DefaultMatch(
         /* Check for Date */
         if (selDate != NULL){
 
-                result = PKIX_FALSE;
+                PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
+                            (params, &nistPolicyEnabled, plContext),
+                           PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);
 
-                PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
-                            (crl, selDate, &result, plContext),
-                            PKIX_CRLVERIFYUPDATETIMEFAILED);
+                /* check crl dates only for if NIST policies enforced */
+                if (nistPolicyEnabled) {
+                        result = PKIX_FALSE;
                     
-                if (result == PKIX_FALSE) {
-                        PKIX_CRLSELECTOR_DEBUG("DateAndTime match Failed\n");
-                        *pMatch = PKIX_FALSE;
-                        goto cleanup;
+                        PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
+                                   (crl, selDate, &result, plContext),
+                                   PKIX_CRLVERIFYUPDATETIMEFAILED);
+                    
+                        if (result == PKIX_FALSE) {
+                                *pMatch = PKIX_FALSE;
+                                goto cleanup;
+                        }
                 }
 
         }

security/nss/lib/libpkix/pkix/params/pkix_procparams.c

@@ -123,6 +123,10 @@ pkix_ProcessingParams_Equals(
             secondProcParams->isCrlRevocationCheckingEnabled) {
                 goto cleanup;
         }
+        if (firstProcParams->isCrlRevocationCheckingEnabledWithNISTPolicy !=
+            secondProcParams->isCrlRevocationCheckingEnabledWithNISTPolicy) {
+                goto cleanup;
+        }
 
         /* trustAnchors can never be NULL */
 
@@ -265,7 +269,8 @@ pkix_ProcessingParams_Hashcode(
 
         hash += ((((certStoresHash + resourceLimitsHash) << 7) +
                 certChainCheckersHash + revCheckersHash +
-                procParams->isCrlRevocationCheckingEnabled) << 7);
+                procParams->isCrlRevocationCheckingEnabled +
+                procParams->isCrlRevocationCheckingEnabledWithNISTPolicy) << 7);
 
         *pHashcode = hash;
 
@@ -375,7 +380,8 @@ pkix_ProcessingParams_ToString(
                 qualsRejectedString,
                 certStoresString,
                 resourceLimitsString,
-                procParams->isCrlRevocationCheckingEnabled),
+                procParams->isCrlRevocationCheckingEnabled,
+                procParams->isCrlRevocationCheckingEnabledWithNISTPolicy),
                 PKIX_SPRINTFFAILED);
 
         *pString = procParamsString;
@@ -483,6 +489,9 @@ pkix_ProcessingParams_Duplicate(
         paramsDuplicate->isCrlRevocationCheckingEnabled =
                 params->isCrlRevocationCheckingEnabled;
 
+        paramsDuplicate->isCrlRevocationCheckingEnabledWithNISTPolicy =
+                params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
         *pNewObject = (PKIX_PL_Object *)paramsDuplicate;
 
 cleanup:
@@ -570,12 +579,10 @@ PKIX_ProcessingParams_Create(
         params->certStores = NULL;
         params->resourceLimits = NULL;
 
-        /*
-         * XXX CRL checking should be enabled as default, but before
-         * we encorporate CRL in all our tests, take it as disable for now
-         */
         params->isCrlRevocationCheckingEnabled = PKIX_TRUE;
 
+        params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
+
         *pParams = params;
 
 cleanup:
@@ -1189,7 +1196,7 @@ pkix_ProcessingParams_GetRevocationEnabled(
 {
 
         PKIX_ENTER(PROCESSINGPARAMS,
-                    "PKIX_ProcessingParams_GetRevocationEnabled");
+                    "pkix_ProcessingParams_GetRevocationEnabled");
 
         PKIX_NULLCHECK_TWO(params, pEnabled);
 
@@ -1198,6 +1205,94 @@ pkix_ProcessingParams_GetRevocationEnabled(
         PKIX_RETURN(PROCESSINGPARAMS);
 }
 
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled");
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->isCrlRevocationCheckingEnabledWithNISTPolicy = enabled;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+ *
+ * DESCRIPTION:
+ *  Retrieves the boolean value from the ProcessingParams pointed to by
+ *  "params", and stores the result at "pEnable". The value indicates
+ *  whether Revocation Checking should be performed according to nist
+ *  revocation policy.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose revocationEnabledWithNistPolicy
+ *      flag is to be retrieved. Must be non-NULL.
+ *  "pEnable"
+ *      Address where Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ProcessingParams_GetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "pkix_ProcessingParams_GetNISTRevocationPolicyEnabled");
+
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
 /*
  * FUNCTION: PKIX_ProcessingParams_SetResourceLimits
  * (see comments in pkix_params.h)

security/nss/lib/libpkix/pkix/params/pkix_procparams.h

@@ -53,7 +53,7 @@ extern "C" {
 
 struct PKIX_ProcessingParamsStruct {
         PKIX_List *trustAnchors;        /* Never NULL */
-	PKIX_List *hintCerts;	/* user-supplied partial chain, may be NULL */
+        PKIX_List *hintCerts;	/* user-supplied partial chain, may be NULL */
         PKIX_CertSelector *constraints;
         PKIX_PL_Date *date;
         PKIX_List *initialPolicies;     /* list of PKIX_PL_OID */
@@ -65,6 +65,7 @@ struct PKIX_ProcessingParamsStruct {
         PKIX_List *revCheckers;
         PKIX_List *certStores;
         PKIX_Boolean isCrlRevocationCheckingEnabled;
+        PKIX_Boolean isCrlRevocationCheckingEnabledWithNISTPolicy;
         PKIX_ResourceLimits *resourceLimits;
 };
 
@@ -78,6 +79,12 @@ pkix_ProcessingParams_GetRevocationEnabled(
         PKIX_Boolean *pEnabled,
         void *plContext);
 
+PKIX_Error *
+pkix_ProcessingParams_GetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
 #ifdef __cplusplus
 }
 #endif

security/nss/lib/libpkix/pkix/top/pkix_build.c

@@ -3601,6 +3601,7 @@ pkix_Build_InitiateBuildChain(
         PKIX_UInt32 i = 0;
         PKIX_Boolean dsaParamsNeeded = PKIX_FALSE;
         PKIX_Boolean isCrlEnabled = PKIX_FALSE;
+        PKIX_Boolean nistCRLPolicyEnabled = PKIX_TRUE;
         PKIX_Boolean cacheHit = PKIX_FALSE;
         PKIX_Boolean trusted = PKIX_FALSE;
         PKIX_Boolean isDuplicate = PKIX_FALSE;
@@ -3786,6 +3787,12 @@ pkix_Build_InitiateBuildChain(
                     (procParams, &isCrlEnabled, plContext),
                     PKIX_PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED);
     
+            PKIX_CHECK(
+                pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                (procParams, &nistCRLPolicyEnabled, plContext),
+                PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
+
+
             PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
                     (procParams, &certStores, plContext),
                     PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
@@ -3836,6 +3843,7 @@ pkix_Build_InitiateBuildChain(
                                     testDate,
                                     NULL,
                                     0,
+                                    nistCRLPolicyEnabled,
                                     &crlChecker,
                                     plContext),
                                     PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);

security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c

@@ -154,6 +154,8 @@ pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
  *      Must be non-NULL.
  *  "certsRemaining"
  *      Number of certificates remaining in the chain.
+ *  "nistCRLPolicyEnabled"
+ *      If enabled, enforce nist crl policy.
  *  "pCheckerState"
  *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
  *  "plContext"
@@ -174,6 +176,7 @@ pkix_DefaultCRLCheckerState_Create(
     PKIX_PL_Date *testDate,
     PKIX_PL_PublicKey *trustedPubKey,
     PKIX_UInt32 certsRemaining,
+    PKIX_Boolean nistCRLPolicyEnabled,
     pkix_DefaultCRLCheckerState **pCheckerState,
     void *plContext)
 {
@@ -202,6 +205,7 @@ pkix_DefaultCRLCheckerState_Create(
         state->prevPublicKey = trustedPubKey;
 
         state->certHasValidCrl = PKIX_FALSE;
+        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
         state->prevCertCrlSign = PKIX_TRUE;
         state->prevPublicKeyList = NULL;
         state->reasonCodeMask = 0;
@@ -565,6 +569,10 @@ pkix_DefaultCRLChecker_Check_SetSelector(
                 (comCrlSelParams, nowDate, plContext),
                 PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
 
+        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
+                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
+
         PKIX_CHECK(PKIX_CRLSelector_Create
                 (NULL,
                 NULL, /* never used? (PKIX_PL_Object *)checker, */
@@ -864,7 +872,7 @@ pkix_DefaultCRLChecker_Check_Helper(
         void *nbioContext = NULL;
         PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
         PKIX_CertStore *certStore = NULL;
-	PKIX_Error *storeError = NULL;
+        PKIX_Error *storeError = NULL;
 
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
         PKIX_NULLCHECK_THREE(checker, cert, state);
@@ -926,8 +934,9 @@ pkix_DefaultCRLChecker_Check_Helper(
                 state->crlStoreIndex++;
         } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
 
-        if (state->certHasValidCrl == PKIX_FALSE) {
-                PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
+        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
+            state->certHasValidCrl == PKIX_FALSE) {
+            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
         }
 
 cleanup:
@@ -1127,6 +1136,8 @@ cleanup:
  *      Address of Public Key of Trust Anchor. Must be non-NULL.
  *  "certsRemaining"
  *      Number of certificates remaining in the chain.
+ *  "nistPolicyEnabled"
+ *      Enable NIST crl policy.
  *  "pChecker"
  *      Address where object pointer will be stored. Must be non-NULL.
  *      Must be non-NULL.
@@ -1147,6 +1158,7 @@ pkix_DefaultCRLChecker_Initialize(
         PKIX_PL_Date *testDate,
         PKIX_PL_PublicKey *trustedPubKey,
         PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistPolicyEnabled,
         PKIX_CertChainChecker **pChecker,
         void *plContext)
 {
@@ -1160,6 +1172,7 @@ pkix_DefaultCRLChecker_Initialize(
                     testDate,
                     trustedPubKey,
                     certsRemaining,
+                    nistPolicyEnabled, 
                     &state,
                     plContext),
                     PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);

security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.h

@@ -56,6 +56,7 @@ struct pkix_DefaultCRLCheckerState {
         PKIX_List *certStores; /* list of CertStore */
         PKIX_PL_Date *testDate;
         PKIX_Boolean certHasValidCrl;
+        PKIX_Boolean nistCRLPolicyEnabled;
         PKIX_Boolean prevCertCrlSign;
         PKIX_PL_PublicKey *prevPublicKey; /* Subject PubKey of last cert */
         PKIX_List *prevPublicKeyList; /* of PKIX_PL_PublicKey */
@@ -76,6 +77,7 @@ pkix_DefaultCRLChecker_Initialize(
         PKIX_PL_Date *testDate,
         PKIX_PL_PublicKey *trustedPubKey,
         PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistCRLPolicyEnabled,
         PKIX_CertChainChecker **pChecker,
         void *plContext);
 

security/nss/lib/libpkix/pkix/top/pkix_validate.c

@@ -602,12 +602,19 @@ pkix_InitializeCheckers(
                     PKIX_LISTGETLENGTHFAILED);
 
                 if (numCertStores > 0) {
+                        PKIX_Boolean nistCRLPolicyEnabled = PR_TRUE;
+
+                        PKIX_CHECK(
+                        pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                        (procParams, &nistCRLPolicyEnabled, plContext),
+                        PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
 
                         PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
                             (certStores,
                             testDate,
                             trustedPubKey,
                             numCerts,
+                            nistCRLPolicyEnabled,
                             &defaultCrlChecker,
                             plContext),
                             PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);

security/nss/lib/libpkix/pkix/util/pkix_tools.c

@@ -1165,10 +1165,19 @@ pkix_CacheCert_Add(
         PKIX_Error *cachedCertError = NULL;
         PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
         PKIX_UInt32 cachePeriod = CACHE_ITEM_PERIOD_SECONDS;
+        PKIX_UInt32 numCerts = 0;
 
         PKIX_ENTER(BUILD, "pkix_CacheCert_Add");
         PKIX_NULLCHECK_THREE(store, certSelParams, certs);
 
+        PKIX_CHECK(PKIX_List_GetLength(certs, &numCerts,
+                                       plContext),
+                   PKIX_LISTGETLENGTHFAILED);
+        if (numCerts == 0) {
+            /* Don't want to add an empty list. */
+            goto cleanup;
+        }
+
         PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
                 PKIX_LISTCREATEFAILED);
 

security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c

@@ -712,6 +712,8 @@ PKIX_PL_CRL_VerifyUpdateTime(
         PRTime lastUpdate;
         SECStatus status;
         CERTCrl *nssCrl = NULL;
+        SECItem *nextUpdateDer = NULL;
+        PKIX_Boolean haveNextUpdate = PR_FALSE;
 
         PKIX_ENTER(CRL, "PKIX_PL_CRL_VerifyUpdateTime");
         PKIX_NULLCHECK_FOUR(crl, crl->nssSignedCrl, date, pResult);
@@ -724,19 +726,27 @@ PKIX_PL_CRL_VerifyUpdateTime(
                 PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
         }
 
-        PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on nextUpdate\n");
-        status = DER_DecodeTimeChoice(&nextUpdate, &(nssCrl->nextUpdate));
-        if (status != SECSuccess) {
-                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORNEXTUPDATEFAILED);
+        /* nextUpdate can be NULL. Checking before using it */
+        nextUpdateDer = &nssCrl->nextUpdate;
+        if (nextUpdateDer->data && nextUpdateDer->len) {
+                haveNextUpdate = PR_TRUE;
+                status = DER_DecodeTimeChoice(&nextUpdate, nextUpdateDer);
+                if (status != SECSuccess) {
+                        PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORNEXTUPDATEFAILED);
+                }
         }
 
-        PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on lastUpdate\n");
         status = DER_DecodeTimeChoice(&lastUpdate, &(nssCrl->lastUpdate));
         if (status != SECSuccess) {
                 PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORLASTUPDATEFAILED);
         }
 
-        if (lastUpdate <= timeToCheck && nextUpdate > timeToCheck) {
+        if (!haveNextUpdate || nextUpdate < timeToCheck) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        if (lastUpdate <= timeToCheck) {
                 *pResult = PKIX_TRUE;
         } else {
                 *pResult = PKIX_FALSE;