Bug 384459, ignore issuer and serial number components of authority key ID

extension when they don't match. Don't report them in certutil either. r=rrelyea, sr=wtc
2008-07-22 02:40:11 +00:00 · 2008-07-22 02:40:11 +00:00 · 5f6b469029
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@ -2042,14 +2042,6 @@ secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level)
 	int snPresent = (kid->authCertSerialNumber.data &&
 	                 kid->authCertSerialNumber.len);

-        if ((keyIDPresent && !issuerPresent && !snPresent) ||
-	    (!keyIDPresent && issuerPresent && snPresent)) {
-	    /* all is well */
-	} else {
-	    SECU_Indent(out, level);
-	    fprintf(out, 
-	    "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n");
-	}
 	if (keyIDPresent)
 	    SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
 	if (issuerPresent)
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@ -35,7 +35,7 @@
 * ***** END LICENSE BLOCK ***** */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.94 $ $Date: 2008-03-15 02:15:36 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.95 $ $Date: 2008-07-22 02:40:11 $";
 #endif /* DEBUG */

 /*
@ -319,19 +319,18 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
    nssCertIDMatch match = nssCertIDMatch_Unknown;

    /* keyIdentifier */
-    if (authKeyID->keyID.len > 0) {
-	if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
-	    PRBool skiEqual;
-	    skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
-	    PORT_Free(skid.data);
-	    if (skiEqual) {
-		/* change the state to positive match, but keep going */
-		match = nssCertIDMatch_Yes;
-	    } else {
-		/* exit immediately on failure */
-		return nssCertIDMatch_No;
-	    }
-	} /* else fall through */
+    if (authKeyID->keyID.len > 0 &&
+	CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+	PRBool skiEqual;
+	skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+	PORT_Free(skid.data);
+	if (skiEqual) {
+	    /* change the state to positive match, but keep going */
+	    match = nssCertIDMatch_Yes;
+	} else {
+	    /* exit immediately on failure */
+	    return nssCertIDMatch_No;
+	}
    }

    /* issuer/serial (treated as pair) */
@ -342,27 +341,15 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
 	caName = (SECItem *)CERT_GetGeneralNameByType(
 	                                        authKeyID->authCertIssuer,
 						certDirectoryName, PR_TRUE);
-	if (caName == NULL) {
-	    /* this is some kind of error, so treat it as unknown */
-	    return nssCertIDMatch_Unknown;
-	}
-	if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+	if (caName != NULL &&
+	    SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
 	    SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) 
 	{
-	    /* change the state to positive match, but keep going */
 	    match = nssCertIDMatch_Yes;
 	} else {
-	    /* exit immediately on failure */
-	    return nssCertIDMatch_No;
+	    match = nssCertIDMatch_Unknown;
 	}
    }
-
-    /* If the issued cert has a keyIdentifier field with a value, but
-     * this issuer cert does not have a subjectKeyID extension, and
-     * the issuer/serial number fields of the authKeyID extension
-     * are empty, the state will be Unknown.  Otherwise it should have
-     * been set to Yes.
-     */
    return match;
 }