author | kaie%kuix.de <devnull@localhost> | 2007-08-31 12:04:49 +0000 |
---|---|---|
committer | kaie%kuix.de <devnull@localhost> | 2007-08-31 12:04:49 +0000 |
commit | 162474341145a97bb4b0b3e932f9ef918917dccc (patch) | |
tree | 6c7b4f5dcd380f7c91c75b42eb87a45d16633edc | |
parent | ca22358d05af8f10166ca7f0ce554fd08e8c6655 (diff) | |
Bug 391595, verify usages of NSS trust flags and overrides in libpkix
r=nelson
-rwxr-xr-x | security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c | 32 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c | 16 |
2 files changed, 29 insertions, 19 deletions
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
index 36eca04d4..4d1eb4dfd 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -75,23 +75,37 @@ pkix_pl_Pk11CertStore_CheckTrust(
 PKIX_Boolean *pTrusted,
 void *plContext)
 {
- CERTCertTrust nssTrusted;
 SECStatus rv = SECFailure;
 PKIX_Boolean trusted = PKIX_FALSE;
- PKIX_UInt32 trustedValues = 0;
+ SECCertUsage certUsage = 0;
+ SECCertificateUsage certificateUsage;
+ unsigned int requiredFlags;
+ SECTrustType trustType;
+ CERTCertTrust trust;
 
 PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CheckTrust");
 PKIX_NULLCHECK_THREE(store, cert, pTrusted);
 PKIX_NULLCHECK_ONE(cert->nssCert);
 
- trustedValues = CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+ certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
 
- PKIX_CERT_DEBUG("\t\tCalling CERT_GetCertTrust).\n");
- rv = CERT_GetCertTrust(cert->nssCert, &nssTrusted);
- if (SECSuccess == rv) {
- if (nssTrusted.sslFlags & trustedValues ||
- nssTrusted.emailFlags & trustedValues ||
- nssTrusted.objectSigningFlags & trustedValues) {
+ /* ensure we obtained a single usage bit only */
+ PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
+ /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
+ while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
+
+ rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
+ if (rv != SECSuccess) {
+ requiredFlags = 0;
+ trustType = trustSSL;
+ }
+
+ rv = CERT_GetCertTrust(cert->nssCert, &trust);
+ if (rv == SECSuccess) {
+ unsigned int certFlags;
+ certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
+ if ((certFlags & requiredFlags) == requiredFlags) {
 trusted = PKIX_TRUE;
 }
 }
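Review bot: The fallback taken when CERT_TrustFlagsForCACertUsage fails, `requiredFlags = 0; trustType = trustSSL;`, makes the later test `(certFlags & requiredFlags) == requiredFlags` true for every certificate whose trust record CERT_GetCertTrust can read, so a usage the lookup rejects turns into "trusted" instead of "not trusted". Leaving trusted at its PKIX_FALSE initial value on that path is the safer default: gate the second call on the first, `if (rv == SECSuccess) { rv = CERT_GetCertTrust(cert->nssCert, &trust); }`, and the two fallback assignments can stay so the variables remain defined. The same fallback already exists as pre-existing context in pkix_pl_cert.c below, so both sites should be changed together. The new line reading `((PKIX_PL_NssContext*)plContext)->certificateUsage` dereferences plContext, which the PKIX_NULLCHECK_THREE above does not cover; if a NULL context can reach this function, `PKIX_NULLCHECK_ONE(plContext);` before that line matches the file's existing checks. pkix_pl_Pk11CertStore_CheckTrust starts before the hunk and continues after it.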
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index acec9acb7..3044b3892 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3201,7 +3201,6 @@ PKIX_PL_Cert_IsCertTrusted(
 PKIX_Boolean trusted = PKIX_FALSE;
 SECStatus rv = SECFailure;
 unsigned int requiredFlags;
- unsigned int certFlags;
 SECTrustType trustType;
 CERTCertTrust trust;
 CERTCertificate *nssCert = NULL;
@@ -3235,15 +3234,13 @@ PKIX_PL_Cert_IsCertTrusted(
 
 certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
 
+ /* ensure we obtained a single usage bit only */
+ PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
 /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
 while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
 
- PKIX_PL_NSSCALLRV
- (CERT,
- rv,
- CERT_TrustFlagsForCACertUsage,
- (certUsage, &requiredFlags, &trustType));
-
+ rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
 if (rv != SECSuccess) {
 requiredFlags = 0;
 trustType = trustSSL;
@@ -3251,10 +3248,9 @@ PKIX_PL_Cert_IsCertTrusted(
 
 nssCert = cert->nssCert;
 
- PKIX_PL_NSSCALLRV(CERT, rv, CERT_GetCertTrust, (nssCert, &trust));
-
+ rv = CERT_GetCertTrust(nssCert, &trust);
 if (rv == SECSuccess) {
-
+ unsigned int certFlags;
 certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
 if ((certFlags & requiredFlags) == requiredFlags) {
 trusted = PKIX_TRUE;
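Review bot: The new `PORT_Assert(!(certificateUsage & (certificateUsage - 1)))` in the second hunk only fires in debug builds, so in a release build a certificateUsage with several bits set passes silently and the shift loop below maps it to the enum value of its highest set bit; the comment "ensure we obtained a single usage bit only" overstates what is actually enforced. If callers are required to pass exactly one bit, say so where the check is, e.g. `/* callers must set exactly one usage bit; only checked in debug builds */`, or reject multi-bit input at runtime before the conversion. The same two lines are added in pkix_pl_pk11certstore.c above. Replacing the PKIX_PL_NSSCALLRV wrapper with direct calls in the second and third hunks presumably drops whatever tracing the macro provided, so if that is intentional a one-line comment at the first direct call would help the next reader. PKIX_PL_Cert_IsCertTrusted begins before the first hunk and continues after the third.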