399326 - libpkix is unable to validate cert for certUsageStatusResponder. r=nelson

alexei.volkov.bugs%sun.com 2007-12-05 19:28:11 +00:00
Родитель 0d434e89d6
Коммит fd811fe503
2 изменённых файлов: 70 добавлений и 32 удалений


@ -492,7 +492,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
int count; int count;
int currentPathLen = 0; int currentPathLen = 0;
int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT; int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
int flags;
unsigned int caCertType; unsigned int caCertType;
unsigned int requiredCAKeyUsage; unsigned int requiredCAKeyUsage;
unsigned int requiredFlags; unsigned int requiredFlags;
@ -730,11 +729,10 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
* explicitly UNtrusted. We won't know until we examine the * explicitly UNtrusted. We won't know until we examine the
* trust bits. * trust bits.
*/ */
if (certUsage == certUsageStatusResponder) { unsigned int flags;
/* XXX NSS has done this for years, but it seems incorrect. */
rv = rvFinal; if (certUsage != certUsageAnyCA &&
goto done; certUsage != certUsageStatusResponder) {
}
/* /*
* check the trust parms of the issuer * check the trust parms of the issuer
@ -759,6 +757,20 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
} }
validCAOverride = PR_TRUE; validCAOverride = PR_TRUE;
} }
} else {
/* Check if we have any valid trust when cheching for
* certUsageAnyCA or certUsageStatusResponder. */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
if ((flags & requiredFlags) == requiredFlags) {
rv = rvFinal;
goto done;
}
if (flags & CERTDB_VALID_CA)
validCAOverride = PR_TRUE;
}
}
} }
if (!validCAOverride) { if (!validCAOverride) {
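Review bot: The new `else` branch for certUsageAnyCA and certUsageStatusResponder accepts the issuer as a trust anchor as soon as any one trust record (the loop runs from trustSSL up to trustTypeNone) carries requiredFlags, so a CA trusted for a single purpose can terminate an OCSP responder chain; the same any-type loop appears in the pkix_pl_Pk11CertStore_CheckTrust section of the second file. That widening is the security-relevant decision of this change and the comment should state it, e.g. `/* For certUsageAnyCA and certUsageStatusResponder, trust of ANY type (SSL, email, object signing) is sufficient to anchor the chain. */`, which would also replace the misspelt "cheching". The loop leaves trustType at trustTypeNone; if anything later in cert_VerifyCertChainOld reads it (the body continues outside the visible hunks), a separate loop variable would be safer.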


@ -102,10 +102,36 @@ pkix_pl_Pk11CertStore_CheckTrust(
if (rv == SECSuccess) { if (rv == SECSuccess) {
unsigned int certFlags; unsigned int certFlags;
if (certUsage != certUsageAnyCA &&
certUsage != certUsageStatusResponder) {
CERTCertificate *nssCert = cert->nssCert;
if (certUsage == certUsageVerifyCA) {
if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
trustType = trustEmail;
} else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
trustType = trustSSL;
} else {
trustType = trustObjectSigning;
}
}
certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType); certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
if ((certFlags & requiredFlags) == requiredFlags) { if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE; trusted = PKIX_TRUE;
} }
} else {
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
certFlags =
SEC_GET_TRUST_FLAGS((&trust), trustType);
if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE;
break;
}
}
}
} }
*pTrusted = trusted; *pTrusted = trusted;
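Review bot: In the certUsageVerifyCA branch the trust type is chosen by first match on nsCertType, so a CA certificate carrying both NS_CERT_TYPE_EMAIL_CA and NS_CERT_TYPE_SSL_CA is checked against its email trust only, and one carrying neither bit silently falls through to trustObjectSigning. If that precedence is intended (it may mirror the non-libpkix path, which is not visible here), it deserves a comment such as `/* nsCertType picks the trust record: email CA first, then SSL CA, otherwise object signing */`. If it is not intended, the final `else` could test `NS_CERT_TYPE_OBJECT_SIGNING_CA` explicitly and leave `trusted` false when no CA bit is set. The function starts and ends outside this section.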