diff options
-rw-r--r-- | security/nss/lib/certhigh/certvfypkix.c | 7 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/pkix/top/pkix_build.c | 10 |
2 files changed, 11 insertions, 6 deletions
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 44adef837..705d9ef25 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -679,6 +679,7 @@ cert_PkixToNssCertsChain( } PR_INIT_CLIST(&validChain->list); validChain->arena = arena; + arena = NULL; PKIX_CHECK( PKIX_List_GetLength(pkixCertChain, &length, plContext), @@ -706,7 +707,6 @@ cert_PkixToNssCertsChain( PR_INSERT_BEFORE(&node->links, &validChain->list); node->cert = nssCert; - nssCert = NULL; PKIX_DECREF(certItem); @@ -725,8 +725,8 @@ cleanup: CERT_DestroyCertificate(nssCert); } } - PKIX_DECREF(certItem); + PKIX_RETURN(CERTVFYPKIX); } @@ -2142,8 +2142,9 @@ do { cleanup: if (verifyNode) { + /* Return validation log only upon error. */ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); - if (oparam != NULL) { + if (r && oparam != NULL) { PKIX_Error *tmpError = cert_GetLogFromVerifyNode(oparam->value.pointer.log, verifyNode, plContext); diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index ad11aec72..7f6446b78 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -1124,9 +1124,13 @@ pkix_Build_VerifyCertificate( PKIX_INCREF(state->candidateCert); candidateCert = state->candidateCert; - PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted - (candidateCert, &trusted, plContext), - PKIX_CERTISCERTTRUSTEDFAILED); + /* If user defined trust anchor list is not empty, do not + * trust any certs except to the ones that are in the list */ + if (!state->buildConstants.numAnchors) { + PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted + (candidateCert, &trusted, plContext), + PKIX_CERTISCERTTRUSTEDFAILED); + } *pTrusted = trusted; |