authorkaie%kuix.de <devnull@localhost>2007-08-31 12:04:49 +0000
committerkaie%kuix.de <devnull@localhost>2007-08-31 12:04:49 +0000
commit162474341145a97bb4b0b3e932f9ef918917dccc (patch)
tree6c7b4f5dcd380f7c91c75b42eb87a45d16633edc
parentca22358d05af8f10166ca7f0ce554fd08e8c6655 (diff)
Bug 391595, verify usages of NSS trust flags and overrides in libpkix
r=nelson
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c32
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c16
2 files changed, 29 insertions, 19 deletions
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
index 36eca04d4..4d1eb4dfd 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -75,23 +75,37 @@ pkix_pl_Pk11CertStore_CheckTrust(
PKIX_Boolean *pTrusted,
void *plContext)
{
- CERTCertTrust nssTrusted;
SECStatus rv = SECFailure;
PKIX_Boolean trusted = PKIX_FALSE;
- PKIX_UInt32 trustedValues = 0;
+ SECCertUsage certUsage = 0;
+ SECCertificateUsage certificateUsage;
+ unsigned int requiredFlags;
+ SECTrustType trustType;
+ CERTCertTrust trust;
PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CheckTrust");
PKIX_NULLCHECK_THREE(store, cert, pTrusted);
PKIX_NULLCHECK_ONE(cert->nssCert);
- trustedValues = CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+ certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
- PKIX_CERT_DEBUG("\t\tCalling CERT_GetCertTrust).\n");
- rv = CERT_GetCertTrust(cert->nssCert, &nssTrusted);
- if (SECSuccess == rv) {
- if (nssTrusted.sslFlags & trustedValues ||
- nssTrusted.emailFlags & trustedValues ||
- nssTrusted.objectSigningFlags & trustedValues) {
+ /* ensure we obtained a single usage bit only */
+ PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
+ /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
+ while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
+
+ rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
+ if (rv != SECSuccess) {
+ requiredFlags = 0;
+ trustType = trustSSL;
+ }
+
+ rv = CERT_GetCertTrust(cert->nssCert, &trust);
+ if (rv == SECSuccess) {
+ unsigned int certFlags;
+ certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
+ if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE;
}
}
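Review bot: The fallback `if (rv != SECSuccess) { requiredFlags = 0; trustType = trustSSL; }` makes this trust check fail open. With `requiredFlags` at zero, `(certFlags & requiredFlags) == requiredFlags` holds for every certificate on which `CERT_GetCertTrust` succeeds, so a usage that `CERT_TrustFlagsForCACertUsage` rejects ends with `trusted = PKIX_TRUE` whatever the stored flags are. Leaving `trusted` at `PKIX_FALSE` on that failure is the safer default: drop the fallback and guard the lookup with `if (rv == SECSuccess) rv = CERT_GetCertTrust(cert->nssCert, &trust);`. The same fallback and comparison appear in `PKIX_PL_Cert_IsCertTrusted` in pkix_pl_cert.c (the `@@ -3235` and `@@ -3251` hunks). The tail of the function, where the result is presumably stored through `pTrusted`, lies outside this hunk.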
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index acec9acb7..3044b3892 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3201,7 +3201,6 @@ PKIX_PL_Cert_IsCertTrusted(
PKIX_Boolean trusted = PKIX_FALSE;
SECStatus rv = SECFailure;
unsigned int requiredFlags;
- unsigned int certFlags;
SECTrustType trustType;
CERTCertTrust trust;
CERTCertificate *nssCert = NULL;
@@ -3235,15 +3234,13 @@ PKIX_PL_Cert_IsCertTrusted(
certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
+ /* ensure we obtained a single usage bit only */
+ PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
/* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
- PKIX_PL_NSSCALLRV
- (CERT,
- rv,
- CERT_TrustFlagsForCACertUsage,
- (certUsage, &requiredFlags, &trustType));
-
+ rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
if (rv != SECSuccess) {
requiredFlags = 0;
trustType = trustSSL;
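Review bot: `PORT_Assert(!(certificateUsage & (certificateUsage - 1)))` does not enforce the single-bit precondition at run time, because PORT_Assert is compiled out of non-debug builds and the expression also accepts zero. In a release build the shift loop silently maps a multi-bit mask to the index of its highest set bit. A zero mask leaves `certUsage` unchanged, which (assuming it starts at 0 as in pkix_pl_pk11certstore.c) is the same value a mask of 1 produces, so trust could be evaluated for a usage the caller never requested. A run-time guard before the loop, `if (certificateUsage == 0 || (certificateUsage & (certificateUsage - 1)))` taking the function's error path, would close this. The same assert is added in `pkix_pl_Pk11CertStore_CheckTrust`. `plContext` is also cast and dereferenced on the first line of the hunk without a NULL check, which is worth confirming against the callers; the function body starts and ends outside this hunk.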
@@ -3251,10 +3248,9 @@ PKIX_PL_Cert_IsCertTrusted(
nssCert = cert->nssCert;
- PKIX_PL_NSSCALLRV(CERT, rv, CERT_GetCertTrust, (nssCert, &trust));
-
+ rv = CERT_GetCertTrust(nssCert, &trust);
if (rv == SECSuccess) {
-
+ unsigned int certFlags;
certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
if ((certFlags & requiredFlags) == requiredFlags) {
trusted = PKIX_TRUE;