зеркало из https://github.com/mozilla/pjs.git
399326 - libpkix is unable to validate cert for certUsageStatusResponder. r=nelson
This commit is contained in:
Родитель
0d434e89d6
Коммит
fd811fe503
|
@ -492,7 +492,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
|
||||||
int count;
|
int count;
|
||||||
int currentPathLen = 0;
|
int currentPathLen = 0;
|
||||||
int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
|
int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
|
||||||
int flags;
|
|
||||||
unsigned int caCertType;
|
unsigned int caCertType;
|
||||||
unsigned int requiredCAKeyUsage;
|
unsigned int requiredCAKeyUsage;
|
||||||
unsigned int requiredFlags;
|
unsigned int requiredFlags;
|
||||||
|
@ -730,11 +729,10 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
|
||||||
* explicitly UNtrusted. We won't know until we examine the
|
* explicitly UNtrusted. We won't know until we examine the
|
||||||
* trust bits.
|
* trust bits.
|
||||||
*/
|
*/
|
||||||
if (certUsage == certUsageStatusResponder) {
|
unsigned int flags;
|
||||||
/* XXX NSS has done this for years, but it seems incorrect. */
|
|
||||||
rv = rvFinal;
|
if (certUsage != certUsageAnyCA &&
|
||||||
goto done;
|
certUsage != certUsageStatusResponder) {
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* check the trust parms of the issuer
|
* check the trust parms of the issuer
|
||||||
|
@ -759,6 +757,20 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
|
||||||
}
|
}
|
||||||
validCAOverride = PR_TRUE;
|
validCAOverride = PR_TRUE;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
/* Check if we have any valid trust when cheching for
|
||||||
|
* certUsageAnyCA or certUsageStatusResponder. */
|
||||||
|
for (trustType = trustSSL; trustType < trustTypeNone;
|
||||||
|
trustType++) {
|
||||||
|
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
|
||||||
|
if ((flags & requiredFlags) == requiredFlags) {
|
||||||
|
rv = rvFinal;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
if (flags & CERTDB_VALID_CA)
|
||||||
|
validCAOverride = PR_TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!validCAOverride) {
|
if (!validCAOverride) {
|
||||||
|
|
|
@ -102,10 +102,36 @@ pkix_pl_Pk11CertStore_CheckTrust(
|
||||||
|
|
||||||
if (rv == SECSuccess) {
|
if (rv == SECSuccess) {
|
||||||
unsigned int certFlags;
|
unsigned int certFlags;
|
||||||
|
|
||||||
|
if (certUsage != certUsageAnyCA &&
|
||||||
|
certUsage != certUsageStatusResponder) {
|
||||||
|
CERTCertificate *nssCert = cert->nssCert;
|
||||||
|
|
||||||
|
if (certUsage == certUsageVerifyCA) {
|
||||||
|
if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
|
||||||
|
trustType = trustEmail;
|
||||||
|
} else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
|
||||||
|
trustType = trustSSL;
|
||||||
|
} else {
|
||||||
|
trustType = trustObjectSigning;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
|
certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
|
||||||
if ((certFlags & requiredFlags) == requiredFlags) {
|
if ((certFlags & requiredFlags) == requiredFlags) {
|
||||||
trusted = PKIX_TRUE;
|
trusted = PKIX_TRUE;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
for (trustType = trustSSL; trustType < trustTypeNone;
|
||||||
|
trustType++) {
|
||||||
|
certFlags =
|
||||||
|
SEC_GET_TRUST_FLAGS((&trust), trustType);
|
||||||
|
if ((certFlags & requiredFlags) == requiredFlags) {
|
||||||
|
trusted = PKIX_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
*pTrusted = trusted;
|
*pTrusted = trusted;
|
||||||
|
|
Загрузка…
Ссылка в новой задаче