author | nelson%bolyard.com <devnull@localhost> | 2008-07-22 02:40:11 +0000 |
---|---|---|
committer | nelson%bolyard.com <devnull@localhost> | 2008-07-22 02:40:11 +0000 |
commit | 9e90d808e6952645c2271162f8ea8d52dca7f00c (patch) | |
tree | 8eb8e0f91609154016fe720d235de40a432b8220 /security/nss/lib/pki/pki3hack.c | |
parent | a434258e91f9de4294355506b4c4cee3ac4de449 (diff) | |
download | nss-hg-9e90d808e6952645c2271162f8ea8d52dca7f00c.tar.gz |
Bug 384459, ignore issuer and serial number components of authority key ID
extension when they don't match. Don't report them in certutil either.
r=rrelyea, sr=wtc
Diffstat (limited to 'security/nss/lib/pki/pki3hack.c')
-rw-r--r-- | security/nss/lib/pki/pki3hack.c | 43 |
1 files changed, 15 insertions, 28 deletions
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 33eb61684..5e42bc157 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -319,19 +319,18 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
     nssCertIDMatch match = nssCertIDMatch_Unknown;
     /* keyIdentifier */
-    if (authKeyID->keyID.len > 0) {
-        if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
-            PRBool skiEqual;
-            skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
-            PORT_Free(skid.data);
-            if (skiEqual) {
-                /* change the state to positive match, but keep going */
-                match = nssCertIDMatch_Yes;
-            } else {
-                /* exit immediately on failure */
-                return nssCertIDMatch_No;
-            }
-        } /* else fall through */
+    if (authKeyID->keyID.len > 0 &&
+        CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+        PRBool skiEqual;
+        skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+        PORT_Free(skid.data);
+        if (skiEqual) {
+            /* change the state to positive match, but keep going */
+            match = nssCertIDMatch_Yes;
+        } else {
+            /* exit immediately on failure */
+            return nssCertIDMatch_No;
+        }
     }
     /* issuer/serial (treated as pair) */
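Review bot: The merged condition silently leaves `match` at Unknown when the AKID carries a keyID but `CERT_FindSubjectKeyIDExtension` does not return SECSuccess for the candidate issuer, and the `/* else fall through */` marker that used to flag that path is gone, so nothing in the hunk now says that an absent SKID is deliberately not treated as a mismatch. I would put that back on the new `if`, e.g. `/* No usable SKID on the candidate is not a mismatch: leave match Unknown and let the issuer/serial pair below decide. */`. Note that the same path is taken whenever the lookup fails for any reason (presumably including a malformed SKID, not just a missing one), so a damaged extension is indistinguishable from none; whether that matters depends on how callers treat Unknown, which is outside this hunk. The start of nss3certificate_matchIdentifier and the rest of the issuer/serial handling lie outside this hunk.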
@@ -342,27 +341,15 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
         caName = (SECItem *)CERT_GetGeneralNameByType( authKeyID->authCertIssuer, certDirectoryName, PR_TRUE);
-        if (caName == NULL) {
-            /* this is some kind of error, so treat it as unknown */
-            return nssCertIDMatch_Unknown;
-        }
-        if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+        if (caName != NULL &&
+            SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
             SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) {
-            /* change the state to positive match, but keep going */
             match = nssCertIDMatch_Yes;
         } else {
-            /* exit immediately on failure */
-            return nssCertIDMatch_No;
+            match = nssCertIDMatch_Unknown;
         }
     }
-
-    /* If the issued cert has a keyIdentifier field with a value, but
-     * this issuer cert does not have a subjectKeyID extension, and
-     * the issuer/serial number fields of the authKeyID extension
-     * are empty, the state will be Unknown. Otherwise it should have
-     * been set to Yes.
-     */
     return match;
 }
|
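Review bot: The new `else` branch, `match = nssCertIDMatch_Unknown;`, overwrites a positive result: when the keyID comparison earlier in the function has already set `match = nssCertIDMatch_Yes`, an issuer/serial pair that does not match (or a `caName` that comes back NULL) now downgrades that to Unknown instead of being ignored as the commit message says. If the intent is to ignore the issuer/serial components on mismatch, drop the else branch, or reduce it to a comment such as `/* issuer/serial mismatch is ignored (bug 384459): keep whatever the keyID check decided */`, so a keyID match survives; if the downgrade is intended, the commit message and a comment should say so, because callers that distinguish Yes from Unknown will see different results. The deleted block comment was the only description of the function's result states and has no replacement; a short comment before `return match;` stating the new contract — Yes on a keyID or issuer/serial match, No only on a keyID mismatch, Unknown otherwise — would help the next reader. The start of nss3certificate_matchIdentifier is outside this hunk.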