Bug 946984: Callers of pkix_CheckChain should check reasonCode only if

pkix_CheckChain fails. r=ryan.sleevi.
author: Wan-Teh Chang <wtc@google.com> 2014-01-03 14:30:52 -0800
committer: Wan-Teh Chang <wtc@google.com> 2014-01-03 14:30:52 -0800
commit: 175bf9d1e646fb0e156df8e153f78ecf19e99607 (patch)
tree: d7928805529a8156d64213b0c5a5c3230245ca44
parent: e94e2447f11c37dd4d72a4f9e07d64079cda67f1 (diff)
download: nss-hg-175bf9d1e646fb0e156df8e153f78ecf19e99607.tar.gz
3 files changed, 12 insertions, 6 deletions
diff --git a/lib/libpkix/include/pkix_errorstrings.h b/lib/libpkix/include/pkix_errorstrings.h
index 2416195fe..dedf98c5b 100755
--- a/lib/libpkix/include/pkix_errorstrings.h
+++ b/lib/libpkix/include/pkix_errorstrings.h
@@ -238,7 +238,6 @@ PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
 PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0),
 PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
-PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
 PKIX_ERRORENTRY(CHAINVERIFYCALLBACKFAILED,Chain rejected by Application Callback,SEC_ERROR_APPLICATION_CALLBACK_ERROR),
 PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
 PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
index c35163a48..c50b4c2fa 100755
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1348,9 +1348,8 @@ pkix_Build_ValidateEntireChain(
 
         ERROR_CHECK(PKIX_CHECKCHAINFAILED);
 
-        if (state->reasonCode != 0) {
-                PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
-        }
+        /* XXX Remove this assertion after 2014-12-31. See bug 946984. */
+        PORT_Assert(state->reasonCode == 0);
 
         PKIX_CHECK(pkix_ValidateResult_Create
                 (subjPubKey, anchor, policyTree, &valResult, plContext),
diff --git a/lib/libpkix/pkix/top/pkix_validate.c b/lib/libpkix/pkix/top/pkix_validate.c
index edee9f32e..1e5dec795 100755
--- a/lib/libpkix/pkix/top/pkix_validate.c
+++ b/lib/libpkix/pkix/top/pkix_validate.c
@@ -1113,7 +1113,7 @@ PKIX_ValidateChain(
                         pVerifyTree,
                         plContext);
 
-                if (chainFailed || (reasonCode != 0)) {
+                if (chainFailed) {
 
                         /* cert chain failed to validate */
 
@@ -1129,6 +1129,10 @@ PKIX_ValidateChain(
 
                 } else {
 
+                        /* XXX Remove this assertion after 2014-12-31.
+                         * See bug 946984. */
+                        PORT_Assert(reasonCode == 0);
+
                         /* cert chain successfully validated! */
                         PKIX_CHECK(pkix_ValidateResult_Create
                                 (finalPubKey,
@@ -1393,7 +1397,7 @@ PKIX_ValidateChain_NB(
                         goto cleanup;
                 }
 
-                if (chainFailed || (reasonCode != 0)) {
+                if (chainFailed) {
 
                         /* cert chain failed to validate */
 
@@ -1409,6 +1413,10 @@ PKIX_ValidateChain_NB(
 
                 } else {
 
+                        /* XXX Remove this assertion after 2014-12-31.
+                         * See bug 946984. */
+                        PORT_Assert(reasonCode == 0);
+
                         /* cert chain successfully validated! */
                         PKIX_CHECK(pkix_ValidateResult_Create
                                 (finalPubKey,
author	Wan-Teh Chang <wtc@google.com>	2014-01-03 14:30:52 -0800
committer	Wan-Teh Chang <wtc@google.com>	2014-01-03 14:30:52 -0800
commit	175bf9d1e646fb0e156df8e153f78ecf19e99607 (patch)
tree	d7928805529a8156d64213b0c5a5c3230245ca44
parent	e94e2447f11c37dd4d72a4f9e07d64079cda67f1 (diff)
download	nss-hg-175bf9d1e646fb0e156df8e153f78ecf19e99607.tar.gz