author | wtc%google.com <devnull@localhost> | 2012-02-28 00:29:10 +0000 |
---|---|---|
committer | wtc%google.com <devnull@localhost> | 2012-02-28 00:29:10 +0000 |
commit | af379732f8f2eed281acb9b133338a597edc7f3e (patch) | |
tree | 81e8605363569f1a5782e2a4960950237e736780 | |
parent | 0a52a28f077ff472ca6510e59e96660b0b6333e1 (diff) | |
Bug 647364: support explicitly trusted leaf certificate. Report a null
trust anchor in this case. Also fix comment typos, remove the unused
matchingAnchor variable, and fix reference count bugs. r=rrelyea.
-rwxr-xr-x | security/nss/lib/libpkix/pkix/top/pkix_build.c | 49 |
1 files changed, 37 insertions, 12 deletions
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index 650226554..14f5eef1c 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -175,7 +175,7 @@ cleanup:
 * "trustChain"
 * Address of List of certificates traversed. Must be non-NULL.
 * "parentState"
- * Address of previous ForwardBuilder state
+ * Address of previous ForwardBuilderState
 * "pState"
 * Address where ForwardBuilderState will be stored. Must be non-NULL.
 * "plContext"
@@ -3156,7 +3156,7 @@ fatal:
 *
 * This function initiates the search for a BuildChain, using the parameters
 * provided in "procParams" and, if continuing a search that was suspended
- * for I/O, using the ForwardBuilderState pointed to by "state".
+ * for I/O, using the ForwardBuilderState pointed to by "pState".
 *
 * If a successful chain is built, this function stores the BuildResult at
 * "pBuildResult". Alternatively, if an operation using non-blocking I/O
@@ -3231,7 +3231,6 @@ pkix_Build_InitiateBuildChain(
 PKIX_ValidateResult *valResult = NULL;
 PKIX_BuildResult *buildResult = NULL;
 PKIX_List *certList = NULL;
- PKIX_TrustAnchor *matchingAnchor = NULL;
 PKIX_ForwardBuilderState *state = NULL;
 PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
 PKIX_CertSelector_MatchCallback selectorCallback = NULL;
@@ -3333,6 +3332,7 @@ pkix_Build_InitiateBuildChain(
 PKIX_LISTGETITEMFAILED);
 }
 PKIX_DECREF(firstHintCert);
+ firstHintCert = NULL;
 }
 }
@@ -3346,9 +3346,6 @@ pkix_Build_InitiateBuildChain(
 &trusted, plContext), PKIX_CERTISCERTTRUSTEDFAILED);
- /* future: look at the |trusted| flag and force success. We only
- * want to do this if we aren't validating against a policy (like
- * EV). */
 PKIX_CHECK(PKIX_PL_Cert_GetAllSubjectNames (targetCert,
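Review bot: The `firstHintCert = NULL;` added after `PKIX_DECREF(firstHintCert);` in the @@ -3333 hunk has no comment naming the later release it guards against, and the same uncommented pattern is added for `certStore` in the @@ -3443 hunk. The commit message calls these reference count fixes, so presumably a second release of the same pointer is reachable elsewhere in pkix_Build_InitiateBuildChain, whose body extends outside both hunks. A one-line comment such as `/* cleared so a later PKIX_DECREF cannot release this reference again */` would stop the assignment from being removed as dead code. If PKIX_DECREF already clears its argument, the assignment is redundant and the real fix would lie elsewhere, which is worth confirming.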
@@ -3406,6 +3403,36 @@ pkix_Build_InitiateBuildChain(
 goto cleanup;
 }
 }
+
+ /* If the EE cert is trusted, force success. We only want to do
+ * this if we aren't validating against a policy (like EV). */
+ if (trusted && procParams->initialPolicies == NULL) {
+ if (pVerifyNode != NULL) {
+ PKIX_Error *tempResult =
+ pkix_VerifyNode_Create(targetCert, 0, NULL,
+ pVerifyNode,
+ plContext);
+ if (tempResult) {
+ pkixErrorResult = tempResult;
+ pkixErrorCode = PKIX_VERIFYNODECREATEFAILED;
+ pkixErrorClass = PKIX_FATAL_ERROR;
+ goto cleanup;
+ }
+ }
+ PKIX_CHECK(pkix_ValidateResult_Create
+ (targetPubKey, NULL /* anchor */,
+ NULL /* policyTree */, &valResult, plContext),
+ PKIX_VALIDATERESULTCREATEFAILED);
+ PKIX_CHECK(
+ pkix_BuildResult_Create(valResult, tentativeChain,
+ &buildResult, plContext),
+ PKIX_BUILDRESULTCREATEFAILED);
+ *pBuildResult = buildResult;
+ /* Note that *pState is NULL. The only side effect is that
+ * the cert chain won't be cached in PKIX_BuildChain, which
+ * is fine. */
+ goto cleanup;
+ }
 PKIX_CHECK(PKIX_ProcessingParams_GetCertStores (procParams, &certStores, plContext),
@@ -3443,6 +3470,7 @@ pkix_Build_InitiateBuildChain(
 }
 PKIX_DECREF(certStore);
+ certStore = NULL;
 }
 }
@@ -3579,11 +3607,9 @@ pkix_Build_InitiateBuildChain(
 state->status = BUILD_INITIAL;
- if (!matchingAnchor) {
- pkixErrorResult =
- pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
- &valResult, plContext);
- }
+ pkixErrorResult =
+ pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
+ &valResult, plContext);
 /* non-null nbioContext means the build would block */
 if (pkixErrorResult == NULL && nbioContext != NULL) {
@@ -3628,7 +3654,6 @@ cleanup:
 PKIX_DECREF(tentativeChain);
 PKIX_DECREF(valResult);
 PKIX_DECREF(certList);
- PKIX_DECREF(matchingAnchor);
 PKIX_DECREF(trustedCert);
 PKIX_DECREF(state);
 PKIX_DECREF(aiaMgr); |
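Review bot: In the @@ -3406 hunk, the new branch `if (trusted && procParams->initialPolicies == NULL)` jumps to cleanup before the cert stores are fetched and before pkix_BuildForwardDepthFirstSearch runs, so any check that only the forward builder performs is skipped for an explicitly trusted leaf, while the comment names policy validation as the only exception. If revocation and similar checks are meant to be bypassed as well, the comment should say so, for example `/* Explicit leaf trust bypasses chain building and the checks done there; only a policy-constrained validation disables this shortcut. */`. The result is also created with `NULL /* anchor */`, so the function's header comment (outside this hunk) should state that a build result can now carry a null trust anchor and that callers must test it before use. Whether targetCert's validity period and the cert selector have been checked before this point cannot be seen from the hunk and is worth confirming.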