diff options
author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-08-12 00:46:47 +0000 |
---|---|---|
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-08-12 00:46:47 +0000 |
commit | e8b78180dfc8ad1ee498bfe324443ce2a3e51112 (patch) | |
tree | 23ec7b003847211fd480e715ad0a3544415cc951 | |
parent | 2abbe0032c5ee36e7b10ce813777e5499782dbf5 (diff) | |
download | nss-hg-e8b78180dfc8ad1ee498bfe324443ce2a3e51112.tar.gz |
448324 - ocsp checker returns incorrect error code on request with invalid signing cert. r=nelson
-rw-r--r-- | security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c | 44 |
1 files changed, 24 insertions, 20 deletions
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index f543efab2..5f178ce1b 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c @@ -721,7 +721,7 @@ pkix_pl_OcspResponse_CallCertVerify( void **pNBIOContext, void *plContext) { - SECStatus rv = SECSuccess; + SECStatus rv = SECFailure; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_CallCertVerify"); @@ -740,6 +740,7 @@ pkix_pl_OcspResponse_CallCertVerify( state, buildResult, NULL, lplContext), PKIX_CERTVERIFYKEYUSAGEFAILED); + rv = SECSuccess; } else { rv = CERT_VerifyCert(response->handle, response->signerCert, PKIX_TRUE, certUsage, response->producedAt, NULL, NULL); @@ -749,6 +750,9 @@ pkix_pl_OcspResponse_CallCertVerify( } cleanup: + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); + } PKIX_RETURN(OCSPRESPONSE); } @@ -913,18 +917,16 @@ pkix_pl_OcspResponse_VerifySignature( } else { certUsage = certUsageStatusResponder; } - /* Set negative result before call. If fail to verify, will jump - * into cleanup with rv = SECFailure. Restore rv after the call. */ - rv = SECFailure; - PKIX_CHECK( + PKIX_CHECK_ONLY_FATAL( pkix_pl_OcspResponse_CallCertVerify(response, procParams, certUsage, &state, &buildResult, &nbio, plContext), PKIX_CERTVERIFYKEYUSAGEFAILED); - - rv = SECSuccess; - + if (pkixTempErrorReceived) { + rv = SECFailure; + goto cleanup; + } if (nbio != NULL) { *pNBIOContext = nbio; goto cleanup; @@ -941,19 +943,21 @@ cleanup: *pPassed = PKIX_FALSE; } - if (signature->wasChecked) { - signature->status = rv; - } - - if (rv != SECSuccess) { - signature->failureReason = PORT_GetError(); - if (response->signerCert != NULL) { - CERT_DestroyCertificate(response->signerCert); - response->signerCert = NULL; + if (signature) { + if (signature->wasChecked) { + signature->status = rv; + } + + if (rv != SECSuccess) { + signature->failureReason = PORT_GetError(); + if (response->signerCert != NULL) { + CERT_DestroyCertificate(response->signerCert); + response->signerCert = NULL; + } + } else { + /* Save signer's certificate in signature. */ + signature->cert = CERT_DupCertificate(response->signerCert); } - } else { - /* Save signer's certificate in signature. */ - signature->cert = CERT_DupCertificate(response->signerCert); } if (issuerCert) |