author | Wan-Teh Chang <wtc@google.com> | 2014-01-03 14:30:52 -0800 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2014-01-03 14:30:52 -0800 |
commit | 175bf9d1e646fb0e156df8e153f78ecf19e99607 (patch) | |
tree | d7928805529a8156d64213b0c5a5c3230245ca44 | |
parent | e94e2447f11c37dd4d72a4f9e07d64079cda67f1 (diff) | |
download | nss-hg-175bf9d1e646fb0e156df8e153f78ecf19e99607.tar.gz |
Bug 946984: Callers of pkix_CheckChain should check reasonCode only if
pkix_CheckChain fails. r=ryan.sleevi.
-rwxr-xr-x | lib/libpkix/include/pkix_errorstrings.h | 1 | ||||
-rwxr-xr-x | lib/libpkix/pkix/top/pkix_build.c | 5 | ||||
-rwxr-xr-x | lib/libpkix/pkix/top/pkix_validate.c | 12 |
3 files changed, 12 insertions, 6 deletions
diff --git a/lib/libpkix/include/pkix_errorstrings.h b/lib/libpkix/include/pkix_errorstrings.h
index 2416195fe..dedf98c5b 100755
--- a/lib/libpkix/include/pkix_errorstrings.h
+++ b/lib/libpkix/include/pkix_errorstrings.h
@@ -238,7 +238,6 @@ PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
 PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0),
 PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
-PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
 PKIX_ERRORENTRY(CHAINVERIFYCALLBACKFAILED,Chain rejected by Application Callback,SEC_ERROR_APPLICATION_CALLBACK_ERROR),
 PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
 PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
index c35163a48..c50b4c2fa 100755
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1348,9 +1348,8 @@ pkix_Build_ValidateEntireChain(
 ERROR_CHECK(PKIX_CHECKCHAINFAILED);
- if (state->reasonCode != 0) {
- PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
- }
+ /* XXX Remove this assertion after 2014-12-31. See bug 946984. */
+ PORT_Assert(state->reasonCode == 0);
 PKIX_CHECK(pkix_ValidateResult_Create (subjPubKey, anchor, policyTree, &valResult, plContext),
diff --git a/lib/libpkix/pkix/top/pkix_validate.c b/lib/libpkix/pkix/top/pkix_validate.c
index edee9f32e..1e5dec795 100755
--- a/lib/libpkix/pkix/top/pkix_validate.c
+++ b/lib/libpkix/pkix/top/pkix_validate.c
@@ -1113,7 +1113,7 @@ PKIX_ValidateChain(
 pVerifyTree, plContext);
- if (chainFailed || (reasonCode != 0)) {
+ if (chainFailed) {
 /* cert chain failed to validate */
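Review bot: In pkix_Build_ValidateEntireChain (pkix_build.c) the runtime rejection on a non-zero `state->reasonCode` becomes a `PORT_Assert`, which NSS compiles out of non-debug builds, so release builds no longer fail closed if pkix_CheckChain reports a reason code without returning an error. The same trade is made in pkix_validate.c, where `if (chainFailed)` replaces `if (chainFailed || (reasonCode != 0))` in PKIX_ValidateChain and PKIX_ValidateChain_NB. pkix_CheckChain itself is outside these hunks, so whether it always pairs a non-zero reason code with an error cannot be confirmed from this page. If that invariant is not yet proven, keeping a release-build guard next to the assertion would preserve the old behaviour, e.g. `if (state->reasonCode != 0) { PORT_Assert(0); PKIX_ERROR(PKIX_CHECKCHAINFAILED); }`. All three functions begin and end outside the hunks shown.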
@@ -1129,6 +1129,10 @@ PKIX_ValidateChain(
 } else {
+ /* XXX Remove this assertion after 2014-12-31.
+ * See bug 946984. */
+ PORT_Assert(reasonCode == 0);
+ /* cert chain successfully validated! */
 PKIX_CHECK(pkix_ValidateResult_Create (finalPubKey,
@@ -1393,7 +1397,7 @@ PKIX_ValidateChain_NB(
 goto cleanup;
 }
- if (chainFailed || (reasonCode != 0)) {
+ if (chainFailed) {
 /* cert chain failed to validate */
@@ -1409,6 +1413,10 @@ PKIX_ValidateChain_NB(
 } else {
+ /* XXX Remove this assertion after 2014-12-31.
+ * See bug 946984. */
+ PORT_Assert(reasonCode == 0);
+ /* cert chain successfully validated! */
 PKIX_CHECK(pkix_ValidateResult_Create (finalPubKey, |
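Review bot: The comment added above `PORT_Assert(reasonCode == 0)` in the `else` branches of PKIX_ValidateChain and PKIX_ValidateChain_NB gives a removal date but not the invariant being asserted, so a later reader cannot tell what a firing assertion means. A wording such as `/* pkix_CheckChain is expected to leave reasonCode at 0 when the chain validates; assert it until 2014-12-31 (bug 946984). */` would record that. The declaration and initial value of `reasonCode` are outside these hunks, so it is worth confirming it is set to 0 before pkix_CheckChain runs (including when the non-blocking variant resumes), otherwise the assertion could fire spuriously in debug builds.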