Fix for bug 232392 . Fix erroneous root CA tests in NSS libraries . r=nelson

julien.pierre.boogz%sun.com 2008-02-01 22:09:09 +00:00
Родитель 2dcf8f2e54
Коммит 6dc8e0f5b8
4 изменённых файлов: 6 добавлений и 11 удалений


@ -1043,8 +1043,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
/* make sure that the issuer is not self signed. If it is, then /* make sure that the issuer is not self signed. If it is, then
* stop here to prevent looping. * stop here to prevent looping.
*/ */
rvCompare = SECITEM_CompareItem(&cert->derSubject, &cert->derIssuer); if (cert->isRoot) {
if (rvCompare == SECEqual) {
PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
LOG_ERROR(log, cert, 0, 0); LOG_ERROR(log, cert, 0, 0);
goto loser; goto loser;
@ -1973,8 +1972,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
return chain; return chain;
} }
if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject) if (cert->isRoot) {
== SECEqual) {
/* return complete chain */ /* return complete chain */
return chain; return chain;
} }
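Review bot: The loop guard in CERT_VerifyCACertForUsage is now `if (cert->isRoot)`, a flag computed outside this hunk, so the "stop here to prevent looping" comment no longer describes a check the reader can see. If isRoot can be false for a certificate whose subject and issuer names are equal (self-issued but not classified as a root), that certificate now passes this guard, and termination depends on whatever depth bound the surrounding loop has; that bound is not visible here and should be confirmed. The same applies to the `if (cert->isRoot)` exit in CERT_GetCertChainFromCert and to the self-signed test in seckey_UpdateCertPQGChain. I would extend the comment to something like `/* isRoot is set when the cert is decoded; it is not a signature check. Chain depth is bounded separately. */` once both facts are verified. Both functions begin and end outside their hunks.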


@ -502,9 +502,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
} }
/* check if the cert is self-signed */ /* check if the cert is self-signed */
rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject, if (subjectCert->isRoot) {
&subjectCert->derIssuer);
if (rvCompare == SECEqual) {
/* fail since cert is self-signed and has no pqg params. */ /* fail since cert is self-signed and has no pqg params. */
return SECFailure; return SECFailure;
} }
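Review bot: After this change nothing in the visible lines assigns `rvCompare`, so if its declaration (outside the hunk) has no other use it is now a dead local and should be removed; the same holds for `rvCompare` in CERT_VerifyCACertForUsage. The comment `/* check if the cert is self-signed */` also overstates the test: `subjectCert->isRoot` is a stored flag and nothing here verifies a signature, so wording such as `/* check if the cert is marked as a root (isRoot) */` would be more accurate. seckey_UpdateCertPQGChain starts and ends outside the hunk.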


@ -354,8 +354,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
* valid CA's which are self-signed here. They must have an object * valid CA's which are self-signed here. They must have an object
* ID of '0'. */ * ID of '0'. */
if (pk11_isID0(slot,certID) && if (pk11_isID0(slot,certID) &&
SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer) cert->isRoot) {
== SECEqual) {
trustflags |= CERTDB_TRUSTED_CA; trustflags |= CERTDB_TRUSTED_CA;
/* is the slot a fortezza card? allow the user or /* is the slot a fortezza card? allow the user or
* admin to turn on objectSigning, but don't turn * admin to turn on objectSigning, but don't turn
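Review bot: `trustflags |= CERTDB_TRUSTED_CA` is now gated on `cert->isRoot`, and the comment above still says "self-signed", although neither the removed name comparison nor the flag read here shows a signature being verified. Since this branch grants CA trust to a token object, the comment should say exactly what is required, for example `/* object ID 0 and cert->isRoot (name/key-id match, signature not verified here) */`, with the parenthetical confirmed against the code that sets isRoot. It is also worth stating in the comment that the trust decision rests on the token contents and the ID-0 convention, so a reader auditing trust sources can find it. PK11_MakeCertFromHandle continues beyond the hunk.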


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL. * the terms of any one of the MPL, the GPL or the LGPL.
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
/* $Id: cmpcert.c,v 1.5 2007-07-06 03:16:54 julien.pierre.bugs%sun.com Exp $ */ /* $Id: cmpcert.c,v 1.6 2008-02-01 22:09:09 julien.pierre.boogz%sun.com Exp $ */
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@ -79,7 +79,7 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
/* compute an alternate issuer name for compatibility with 2.0 /* compute an alternate issuer name for compatibility with 2.0
* enterprise server, which send the CA names without * enterprise server, which send the CA names without
* the outer layer of DER hearder * the outer layer of DER header
*/ */
rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen); rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
if ( rv == SECSuccess ) { if ( rv == SECSuccess ) {