authoralexei.volkov.bugs%sun.com <devnull@localhost>2008-03-27 21:19:16 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2008-03-27 21:19:16 +0000
commitad1864497a47cd243e4b4cf3677ea8a452e8a9c2 (patch)
treeeacc0b7586a9e4553111731ef5be42caa04f8768
parentfdb4d0c501d48f0475d62a9133f8da9c9b58ea42 (diff)
downloadnss-hg-ad1864497a47cd243e4b4cf3677ea8a452e8a9c2.tar.gz
422859 - libPKIX builds & validates chain to root not in the caller-provided anchor list. r=nelson
-rw-r--r--security/nss/lib/certhigh/certvfypkix.c7
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_build.c10
2 files changed, 11 insertions, 6 deletions
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
index 44adef837..705d9ef25 100644
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -679,6 +679,7 @@ cert_PkixToNssCertsChain(
}
PR_INIT_CLIST(&validChain->list);
validChain->arena = arena;
+ arena = NULL;
PKIX_CHECK(
PKIX_List_GetLength(pkixCertChain, &length, plContext),
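Review bot: The added `arena = NULL;` reads like a dead store because nothing explains that it is an ownership hand-off, so a later clean-up edit could remove it. A comment on that line would prevent this, for example `/* validChain owns the arena from here; clear the local so cleanup does not release it again */`. The code under `cleanup:` that releases `arena` is outside this hunk, so the wording should be checked against it. It is also worth confirming that a failure after this point, such as the `PKIX_List_GetLength` check just below, still releases `validChain` and its arena by some other path rather than leaking them or handing back a partly built chain.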
@@ -706,7 +707,6 @@ cert_PkixToNssCertsChain(
PR_INSERT_BEFORE(&node->links, &validChain->list);
node->cert = nssCert;
-
nssCert = NULL;
PKIX_DECREF(certItem);
@@ -725,8 +725,8 @@ cleanup:
CERT_DestroyCertificate(nssCert);
}
}
-
PKIX_DECREF(certItem);
+
PKIX_RETURN(CERTVFYPKIX);
}
@@ -2142,8 +2142,9 @@ do {
cleanup:
if (verifyNode) {
+ /* Return validation log only upon error. */
oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
- if (oparam != NULL) {
+ if (r && oparam != NULL) {
PKIX_Error *tmpError =
cert_GetLogFromVerifyNode(oparam->value.pointer.log,
verifyNode, plContext);
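Review bot: The guard `if (r && oparam != NULL)` depends on the success status being zero, and `r` is declared outside this hunk. If `r` is the function's SECStatus result, `if (r != SECSuccess && oparam != NULL)` states the intent without that assumption. After this change a caller that passed `cert_po_errorLog` has nothing written to its log on success, so the comment should say that as well, e.g. `/* Return validation log only upon error; on success the caller's log is left unmodified. */`. Callers then know to initialise the log before reading it.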
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index ad11aec72..7f6446b78 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -1124,9 +1124,13 @@ pkix_Build_VerifyCertificate(
PKIX_INCREF(state->candidateCert);
candidateCert = state->candidateCert;
- PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
- (candidateCert, &trusted, plContext),
- PKIX_CERTISCERTTRUSTEDFAILED);
+ /* If user defined trust anchor list is not empty, do not
+ * trust any certs except to the ones that are in the list */
+ if (!state->buildConstants.numAnchors) {
+ PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
+ (candidateCert, &trusted, plContext),
+ PKIX_CERTISCERTTRUSTEDFAILED);
+ }
*pTrusted = trusted;
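Review bot: When `state->buildConstants.numAnchors` is non-zero the `PKIX_PL_Cert_IsCertTrusted` call is skipped, so `*pTrusted = trusted;` copies whatever `trusted` already held. Its declaration is outside this hunk and must be initialised to `PKIX_FALSE` for the skipped path to fail closed. The test is on the anchor count, so a caller that supplies an empty anchor list appears to be treated like one that supplied none and still reaches the `PKIX_PL_Cert_IsCertTrusted` check. If an empty list is meant to trust nothing, the condition needs a separate signal that anchors were supplied. The comment would also read more clearly as `/* If the caller supplied a non-empty trust anchor list, trust only the certificates in that list. */`.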