author | nelson%bolyard.com <devnull@localhost> | 2008-07-22 02:40:11 +0000 |
committer | nelson%bolyard.com <devnull@localhost> | 2008-07-22 02:40:11 +0000 |
commit | 9e90d808e6952645c2271162f8ea8d52dca7f00c (patch) | |
tree | 8eb8e0f91609154016fe720d235de40a432b8220 | |
parent | a434258e91f9de4294355506b4c4cee3ac4de449 (diff) | |
Bug 384459, ignore issuer and serial number components of authority key ID
extension when they don't match. Don't report them in certutil either.
r=rrelyea, sr=wtc
-rw-r--r-- | security/nss/cmd/lib/secutil.c | 8 | ||||
-rw-r--r-- | security/nss/lib/pki/pki3hack.c | 43 |
2 files changed, 15 insertions, 36 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index f31b35605..8755bbe1f 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -2042,14 +2042,6 @@ secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level)
 int snPresent = (kid->authCertSerialNumber.data && kid->authCertSerialNumber.len);
- if ((keyIDPresent && !issuerPresent && !snPresent) ||
- (!keyIDPresent && issuerPresent && snPresent)) {
- /* all is well */
- } else {
- SECU_Indent(out, level);
- fprintf(out,
- "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n");
- }
 if (keyIDPresent)
 SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
 if (issuerPresent)
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 33eb61684..5e42bc157 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -319,19 +319,18 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
 nssCertIDMatch match = nssCertIDMatch_Unknown;
 /* keyIdentifier */
- if (authKeyID->keyID.len > 0) {
- if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
- PRBool skiEqual;
- skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
- PORT_Free(skid.data);
- if (skiEqual) {
- /* change the state to positive match, but keep going */
- match = nssCertIDMatch_Yes;
- } else {
- /* exit immediately on failure */
- return nssCertIDMatch_No;
- }
- } /* else fall through */
+ if (authKeyID->keyID.len > 0 &&
+ CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+ PRBool skiEqual;
+ skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+ PORT_Free(skid.data);
+ if (skiEqual) {
+ /* change the state to positive match, but keep going */
+ match = nssCertIDMatch_Yes;
+ } else {
+ /* exit immediately on failure */
+ return nssCertIDMatch_No;
+ }
 }
 /* issuer/serial (treated as pair) */
@@ -342,27 +341,15 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
 caName = (SECItem *)CERT_GetGeneralNameByType( authKeyID->authCertIssuer, certDirectoryName, PR_TRUE);
- if (caName == NULL) {
- /* this is some kind of error, so treat it as unknown */
- return nssCertIDMatch_Unknown;
- }
- if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+ if (caName != NULL &&
+ SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
 SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) {
- /* change the state to positive match, but keep going */
 match = nssCertIDMatch_Yes;
 } else {
- /* exit immediately on failure */
- return nssCertIDMatch_No;
+ match = nssCertIDMatch_Unknown;
 }
 }
-
- /* If the issued cert has a keyIdentifier field with a value, but
- * this issuer cert does not have a subjectKeyID extension, and
- * the issuer/serial number fields of the authKeyID extension
- * are empty, the state will be Unknown. Otherwise it should have
- * been set to Yes.
- */
 return match;
 }
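Review bot: The new `else` branch, `match = nssCertIDMatch_Unknown;`, can only ever lower the result: `match` starts as Unknown in this file's first hunk, which either sets it to Yes or returns No, so unless the few lines between the two hunks assign it, the branch's sole effect is to retract a positive key-identifier match whenever the candidate has no directoryName issuer or the issuer/serial pair disagrees. If that retraction is intended, it deserves a comment, e.g. `/* issuer/serial disagreement is not fatal (bug 384459), but it does withdraw a keyID-only Yes */`; if the pair is genuinely to be ignored when it does not match, as the commit message says, the `else` branch can be deleted outright, since `match` is already Unknown in every case that reaches it. The six-line comment this hunk removes was the only description of what Unknown and Yes mean on return; a one-line replacement above `return match;` stating when each value is returned would preserve that. nss3certificate_matchIdentifier starts before the first hunk of this file, and the lines between the two hunks are not shown.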