399326 - libpkix is unable to validate cert for certUsageStatusResponder. r=nelson

2007-12-05 19:28:11 +00:00 · 2007-12-05 19:28:11 +00:00 · fd811fe503
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@ -492,7 +492,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
    int count;
    int currentPathLen = 0;
    int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
-    int flags;
    unsigned int caCertType;
    unsigned int requiredCAKeyUsage;
    unsigned int requiredFlags;
@ -730,11 +729,10 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 	     * explicitly UNtrusted.  We won't know until we examine the
 	     * trust bits.
 	     */
-	    if (certUsage == certUsageStatusResponder) {
-		/* XXX NSS has done this for years, but it seems incorrect. */
-		rv = rvFinal;
-		goto done;
-	    }
+	    unsigned int flags;
+
+	    if (certUsage != certUsageAnyCA &&
+	        certUsage != certUsageStatusResponder) {

 	        /*
 	         * check the trust parms of the issuer
@ -759,6 +757,20 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 	            }
 	            validCAOverride = PR_TRUE;
 	        }
+	    } else {
+                /* Check if we have any valid trust when cheching for
+                 * certUsageAnyCA or certUsageStatusResponder. */
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+                    if ((flags & requiredFlags) == requiredFlags) {
+	                rv = rvFinal; 
+	                goto done;
+                    }
+                    if (flags & CERTDB_VALID_CA)
+                        validCAOverride = PR_TRUE;
+                }
+            }
        }

 	if (!validCAOverride) {
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@ -102,10 +102,36 @@ pkix_pl_Pk11CertStore_CheckTrust(

        if (rv == SECSuccess) {
            unsigned int certFlags;
+
+            if (certUsage != certUsageAnyCA &&
+                certUsage != certUsageStatusResponder) {
+                CERTCertificate *nssCert = cert->nssCert;
+                
+                if (certUsage == certUsageVerifyCA) {
+                    if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
+                        trustType = trustEmail;
+                    } else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
+                        trustType = trustSSL;
+                    } else {
+                        trustType = trustObjectSigning;
+                    }
+                }
+                
                certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
                if ((certFlags & requiredFlags) == requiredFlags) {
                    trusted = PKIX_TRUE;
                }
+            } else {
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    certFlags =
+                        SEC_GET_TRUST_FLAGS((&trust), trustType);
+                    if ((certFlags & requiredFlags) == requiredFlags) {
+                        trusted = PKIX_TRUE;
+                        break;
+                    }
+                }
+            }
        }

        *pTrusted = trusted;