399326 - libpkix is unable to validate cert for certUsageStatusResponder. r=nelson

alexei.volkov.bugs%sun.com 2007-12-05 19:28:11 +00:00
Родитель 0d434e89d6
Коммит fd811fe503
2 изменённых файлов: 70 добавлений и 32 удалений


@ -492,7 +492,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
int count;
int currentPathLen = 0;
int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
int flags;
unsigned int caCertType;
unsigned int requiredCAKeyUsage;
unsigned int requiredFlags;
@ -730,36 +729,49 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
* explicitly UNtrusted. We won't know until we examine the
* trust bits.
*/
if (certUsage == certUsageStatusResponder) {
/* XXX NSS has done this for years, but it seems incorrect. */
rv = rvFinal;
goto done;
}
unsigned int flags;
/*
* check the trust parms of the issuer
*/
if ( certUsage == certUsageVerifyCA ) {
if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
trustType = trustEmail;
} else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
trustType = trustSSL;
} else {
trustType = trustObjectSigning;
}
}
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
if (flags & CERTDB_VALID_CA) {
if ( ( flags & requiredFlags ) == requiredFlags) {
/* we found a trusted one, so return */
rv = rvFinal;
goto done;
}
validCAOverride = PR_TRUE;
}
}
if (certUsage != certUsageAnyCA &&
certUsage != certUsageStatusResponder) {
/*
* check the trust parms of the issuer
*/
if ( certUsage == certUsageVerifyCA ) {
if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
trustType = trustEmail;
} else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
trustType = trustSSL;
} else {
trustType = trustObjectSigning;
}
}
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
if (flags & CERTDB_VALID_CA) {
if ( ( flags & requiredFlags ) == requiredFlags) {
/* we found a trusted one, so return */
rv = rvFinal;
goto done;
}
validCAOverride = PR_TRUE;
}
} else {
/* Check if we have any valid trust when cheching for
* certUsageAnyCA or certUsageStatusResponder. */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
if ((flags & requiredFlags) == requiredFlags) {
rv = rvFinal;
goto done;
}
if (flags & CERTDB_VALID_CA)
validCAOverride = PR_TRUE;
}
}
}
if (!validCAOverride) {
/*
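Review bot: In the new `else` branch for certUsageAnyCA and certUsageStatusResponder, the loop returns `rvFinal` as soon as `(flags & requiredFlags) == requiredFlags`, without the `flags & CERTDB_VALID_CA` gate that the other branch keeps around the same comparison. `requiredFlags` is assigned outside this hunk, so it cannot be confirmed here that it always carries a trust bit for these two usages; if it could ever be 0, the first iteration would accept any issuer. Either mirror the other branch, `if ((flags & CERTDB_VALID_CA) && (flags & requiredFlags) == requiredFlags) {`, or extend the comment above the loop to say why the gate is unnecessary here. The loop added to pkix_pl_Pk11CertStore_CheckTrust in the second file depends on `requiredFlags` in the same way. cert_VerifyCertChainOld starts before the hunk and continues after it.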


@ -101,11 +101,37 @@ pkix_pl_Pk11CertStore_CheckTrust(
}
if (rv == SECSuccess) {
unsigned int certFlags;
unsigned int certFlags;
if (certUsage != certUsageAnyCA &&
certUsage != certUsageStatusResponder) {
CERTCertificate *nssCert = cert->nssCert;
if (certUsage == certUsageVerifyCA) {
if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
trustType = trustEmail;
} else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
trustType = trustSSL;
} else {
trustType = trustObjectSigning;
}
}
certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE;
trusted = PKIX_TRUE;
}
} else {
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
certFlags =
SEC_GET_TRUST_FLAGS((&trust), trustType);
if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE;
break;
}
}
}
}
*pTrusted = trusted;
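Review bot: The loop added for certUsageAnyCA and certUsageStatusResponder sets `trusted` when the certificate carries `requiredFlags` under any trust type, and nothing in the code records that this widening is intended. As written, an anchor trusted for a single purpose (the types named in this hunk are SSL, email and object signing) would qualify for status-responder validation. A comment above the `for` would make the decision reviewable, for example `/* AnyCA/StatusResponder: requiredFlags under any one trust type is sufficient. */`. The iteration also relies on `trustSSL` being the first enumerator and `trustTypeNone` the last, which is worth stating in the same comment so a later change to the enum does not silently alter which trust categories are consulted. pkix_pl_Pk11CertStore_CheckTrust begins before the hunk and continues after it.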