authorkaie%netscape.com <devnull@localhost>2002-11-13 22:25:07 +0000
committerkaie%netscape.com <devnull@localhost>2002-11-13 22:25:07 +0000
commit02efc9561c5f26917122a8b644cb4c0f68df4696 (patch)
treeb70481a80ca0d558928cd27abf06e72eee884393
parent7371aa17e4ed41ab23d3faf2fa67c5b16487b3ec (diff)
b=175115 Setting member CERTCertificate.timeOK no longer causes cert to verify MOZILLA_1_2_RELEASE MOZILLA_1_2_1_RELEASE
r=relyea a=asa
-rw-r--r--security/nss/lib/certdb/crl.c79
1 files changed, 36 insertions, 43 deletions
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index a64c96373..3cfaa6281 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -1162,7 +1162,7 @@ PRBool CRLStillExists(CERTSignedCrl* crl)
}
SECStatus DPCache_Refresh(CRLDPCache* cache, CERTSignedCrl* crlobject,
- int64 t, void* wincx)
+ void* wincx)
{
SECStatus rv = SECSuccess;
/* Check if it is an invalid CRL
@@ -1184,17 +1184,20 @@ SECStatus DPCache_Refresh(CRLDPCache* cache, CERTSignedCrl* crlobject,
} else {
SECStatus signstatus = SECFailure;
if (cache->issuer) {
- signstatus = CERT_VerifySignedData(&crlobject->signatureWrap,
- cache->issuer, t, wincx);
+ int64 issuingDate = 0;
+ signstatus = DER_UTCTimeToTime(&issuingDate, &crlobject->crl.lastUpdate);
+ if (SECSuccess == signstatus) {
+ signstatus = CERT_VerifySignedData(&crlobject->signatureWrap,
+ cache->issuer, issuingDate, wincx);
+ }
}
if (SECSuccess != signstatus) {
- if (0 == t) {
- /* we tried to verify with a time of t=0 . Most likely this is
- because this CRL came through a call to SEC_FindCrlByName,
- not because the signature fails to verify.
+ if (!cache->issuer) {
+ /* we tried to verify without an issuer cert . This is
+ because this CRL came through a call to SEC_FindCrlByName.
So we don't cache this verification failure. We'll try
to verify the CRL again when a certificate from that issuer
- gets verified */
+ becomes available */
GetOpaqueCRLFields(crlobject)->unverified = PR_TRUE;
} else {
GetOpaqueCRLFields(crlobject)->unverified = PR_FALSE;
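Review bot: A `lastUpdate` that fails to decode in `DER_UTCTimeToTime` is stored in `signstatus`, so with `cache->issuer` set the CRL takes the `else` branch and is recorded with `unverified = PR_FALSE`, exactly as if its signature had been checked and rejected. Keeping the decode result in its own variable (`SECStatus timestatus = DER_UTCTimeToTime(&issuingDate, &crlobject->crl.lastUpdate);`) would let the code tell a malformed or unsupported time apart from a bad signature. The decoder name suggests it accepts UTCTime only, so a `lastUpdate` encoded as GeneralizedTime would presumably land on this path too; a time-choice decoder (later NSS has `DER_DecodeTimeChoice`, to be confirmed for this tree) would be safer. The block also deserves a comment such as `/* issuingDate comes from the CRL being verified, so the issuer cert is checked at a time chosen by the CRL signer, not at the caller's time */`, because no caller-supplied time reaches this verification any more. DPCache_Refresh starts before this hunk and continues past it.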
@@ -1290,7 +1293,7 @@ void DPCache_Empty(CRLDPCache* cache)
}
}
-SECStatus DPCache_Fetch(CRLDPCache* cache, int64 t, void* wincx)
+SECStatus DPCache_Fetch(CRLDPCache* cache, void* wincx)
{
SECStatus rv = SECSuccess;
CERTSignedCrl* crlobject = NULL;
@@ -1350,7 +1353,7 @@ SECStatus DPCache_Fetch(CRLDPCache* cache, int64 t, void* wincx)
/* update the cache with this new CRL */
if (SECSuccess == rv) {
- rv = DPCache_Refresh(cache, crlobject, t, wincx);
+ rv = DPCache_Refresh(cache, crlobject, wincx);
}
return rv;
}
@@ -1413,7 +1416,7 @@ SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, CERTCrlEntry** returned
#endif
-SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
+SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer,
void* wincx, PRBool readlocked)
{
/* Update the CRLDPCache now. We don't cache token CRL lookup misses
@@ -1428,10 +1431,10 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
}
/* verify CRLs that couldn't be checked when inserted into the cache
- because issuer and time was unavailable. These are CRLs that were
- inserted through SEC_FindCrlByName, rather than through a certificate
- verification */
- if (t && issuer) {
+ because the issuer cert was unavailable. These are CRLs that were
+ inserted into the cache through SEC_FindCrlByName, rather than
+ through a certificate verification (CERT_CheckCRL) */
+ if (issuer) {
/* if we didn't have a valid issuer cert yet, but we do now. add it */
if (NULL == cache->issuer) {
/* save the issuer cert */
@@ -1439,23 +1442,25 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
}
/* re-process all unverified CRLs */
- for (i = 0; i < cache->ncrls ; i++) {
- CERTSignedCrl* acrl = cache->crls[i];
- if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
- DPCache_LockWrite();
- /* check that we are the first thread to update */
+ if (cache->issuer) {
+ for (i = 0; i < cache->ncrls ; i++) {
+ CERTSignedCrl* acrl = cache->crls[i];
if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
- DPCache_Refresh(cache, acrl, t, wincx);
- /* also check all the other CRLs */
- for (i = i+1 ; i < cache->ncrls ; i++) {
- acrl = cache->crls[i];
- if (acrl && (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified)) {
- DPCache_Refresh(cache, acrl, t, wincx);
+ DPCache_LockWrite();
+ /* check that we are the first thread to update */
+ if (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified) {
+ DPCache_Refresh(cache, acrl, wincx);
+ /* also check all the other CRLs */
+ for (i = i+1 ; i < cache->ncrls ; i++) {
+ acrl = cache->crls[i];
+ if (acrl && (PR_TRUE == GetOpaqueCRLFields(acrl)->unverified)) {
+ DPCache_Refresh(cache, acrl, wincx);
+ }
}
}
+ DPCache_UnlockWrite();
+ break;
}
- DPCache_UnlockWrite();
- break;
}
}
}
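Review bot: The outer loop dereferences `acrl` in `GetOpaqueCRLFields(acrl)->unverified` with no NULL check, both before and after taking the write lock, while the inner loop over the remaining entries guards with `acrl &&`. If `cache->crls` can hold empty slots, both outer tests should read `if (acrl && PR_TRUE == GetOpaqueCRLFields(acrl)->unverified)`. The return value of both `DPCache_Refresh` calls is discarded, so a CRL that fails re-verification is visible only through whatever flags Refresh sets on it; a one-line comment saying this is intentional would help the next reader. The first `unverified` test runs before `DPCache_LockWrite()`, and whether a read lock is held at that point depends on the `readlocked` argument, which this hunk does not show. The hunk begins and ends inside DPCache_Update.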
@@ -1485,7 +1490,7 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
}
}
/* and try to fetch a new one */
- rv = DPCache_Fetch(cache, t, wincx);
+ rv = DPCache_Fetch(cache, wincx);
updated = PR_TRUE;
if (SECSuccess == rv) {
rv = DPCache_Cleanup(cache); /* clean up deleted CRLs
@@ -1502,7 +1507,7 @@ SECStatus DPCache_Update(CRLDPCache* cache, CERTCertificate* issuer, int64 t,
if (0 == cache->ncrls)
{
/* we are the first */
- rv = DPCache_Fetch(cache, t, wincx);
+ rv = DPCache_Fetch(cache, wincx);
}
DPCache_UnlockWrite();
}
@@ -1786,7 +1791,7 @@ SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject, SECItem* dp,
if (*dpcache)
{
/* make sure the DP cache is up to date before using it */
- rv = DPCache_Update(*dpcache, issuer, t, wincx, PR_FALSE == *writeLocked);
+ rv = DPCache_Update(*dpcache, issuer, wincx, PR_FALSE == *writeLocked);
}
else
{
@@ -1827,18 +1832,6 @@ CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
if (!cert || !issuer) {
return SECFailure;
}
- /* we must check the cert issuer (or more appropriately, the CRL
- signer)'s validity time first. If it's expired, then don't go to the
- cache.
- If we do and the cache is empty, a CRL will be fetched, but it won't
- verify because of the expired issuer, causing us to put the cache in
- the invalid state.
- If we do and the cache is already populated, we will lookup the cert
- in the CRL for no good reason. */
- validity = CERT_CheckCertValidTimes(issuer, t, PR_FALSE);
- if ( validity != secCertTimeValid ) {
- return SECFailure;
- }
rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache, &lockedwrite);