author | nelsonb%netscape.com <devnull@localhost> | 2004-01-22 02:36:53 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2004-01-22 02:36:53 +0000 |
commit | c1bfe9dc22e6325bb2537def583651c89b068882 (patch) | |
tree | bfb06a710aa7fac5af21d665693ffdf69f9a2785 | |
parent | ecfa3ca73480eb45999f93a7a6cca891093f3045 (diff) | |
Detect duplicate issuer name and serial number between two temp certs.
Bug 230996. r=ian, relyea.
-rw-r--r-- | security/nss/lib/certdb/stanpcertdb.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 7d607e255..a908c0f6d 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -236,19 +236,21 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
 /* Then, see if it is already a perm cert */
 c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
 &encoding);
+ }
+ if (c) {
 /* actually, that search ends up going by issuer/serial,
 * so it is still possible to return a cert with the same
 * issuer/serial but a different encoding, and we're
 * going to reject that
 */
- if (c && !nssItem_Equal(&c->encoding, &encoding, NULL)) {
+ if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
 nssCertificate_Destroy(c);
 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
- return NULL;
+ cc = NULL;
+ } else {
+ cc = STAN_GetCERTCertificate(c);
 }
- }
- if (c) {
- return STAN_GetCERTCertificate(c);
+ return cc;
 }
 }
 pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC); |
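Review bot: In the new `else` branch the result of `STAN_GetCERTCertificate(c)` is returned unchecked, so if that conversion can fail (its body is not in this hunk) the reference on `c` obtained from the lookup is never released, unlike the mismatch branch, which calls `nssCertificate_Destroy(c)`. Assuming a failed conversion does not already consume the reference, add `if (!cc) nssCertificate_Destroy(c);` after the assignment. The comment's "that search" is also stale: the encoding check moved out of the `if (!c)` block, so it now guards the temp-cert lookup as well as the perm-cert one. Rewording it to `/* both lookups go by issuer/serial, so a cert with the same issuer/serial but a different encoding can come back; reject it */` would keep the duplicate-detection intent clear. The function starts and ends outside the hunk, and the declaration of `cc` is not visible here.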