From 2046160fdc4b8b79b769e7516f1a141dc7f0dc55 Mon Sep 17 00:00:00 2001 From: "julien.pierre.boogz%sun.com" Date: Fri, 1 Feb 2008 22:09:09 +0000 Subject: [PATCH] Fix for bug 232392 . Fix erroneous root CA tests in NSS libraries . r=nelson git-svn-id: svn://10.0.0.236/trunk@244749 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/security/nss/lib/certhigh/certvfy.c | 6 ++---- mozilla/security/nss/lib/cryptohi/seckey.c | 4 +--- mozilla/security/nss/lib/pk11wrap/pk11cert.c | 3 +-- mozilla/security/nss/lib/ssl/cmpcert.c | 4 ++-- 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/mozilla/security/nss/lib/certhigh/certvfy.c b/mozilla/security/nss/lib/certhigh/certvfy.c index fbdecce19bb..d6a44ed2c5f 100644 --- a/mozilla/security/nss/lib/certhigh/certvfy.c +++ b/mozilla/security/nss/lib/certhigh/certvfy.c @@ -1043,8 +1043,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, /* make sure that the issuer is not self signed. If it is, then * stop here to prevent looping. */ - rvCompare = SECITEM_CompareItem(&cert->derSubject, &cert->derIssuer); - if (rvCompare == SECEqual) { + if (cert->isRoot) { PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); LOG_ERROR(log, cert, 0, 0); goto loser; @@ -1973,8 +1972,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage) return chain; } - if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject) - == SECEqual) { + if (cert->isRoot) { /* return complete chain */ return chain; } diff --git a/mozilla/security/nss/lib/cryptohi/seckey.c b/mozilla/security/nss/lib/cryptohi/seckey.c index a184f68cbd2..d1e345c1ee3 100644 --- a/mozilla/security/nss/lib/cryptohi/seckey.c +++ b/mozilla/security/nss/lib/cryptohi/seckey.c 
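Review bot: The comment above the new `if (cert->isRoot)` in CERT_VerifyCACertForUsage still says the test catches a "self signed" issuer and exists "to prevent looping", but `isRoot` is a flag computed elsewhere when the certificate was decoded, and this hunk gives no reason to assume it is true for every certificate whose subject equals its issuer (the commit title calls the old name comparison erroneous, so the two presumably differ, e.g. for a self-issued key-rollover certificate). Such a certificate now falls through to whatever issuer lookup follows, so the loop protection the comment promises has to come from code outside this hunk. I would reword the comment to `/* Stop at a cert NSS decoded as a root (cert->isRoot). A self-issued cert that is not a root continues to its issuer, so this check alone no longer prevents looping. */`, and if `rvCompare` had no other use in this function, drop its now-dead declaration to keep the build warning-free. CERT_VerifyCACertForUsage begins and ends outside the hunk.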
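Review bot: In CERT_GetCertChainFromCert the early return is now taken only for `cert->isRoot`, so a certificate whose issuer name equals its own subject but which was not decoded as a root keeps walking, and the next issuer lookup (outside the hunk) is by that same name; if that lookup can return the very same certificate, termination rests entirely on whatever length limit the loop has elsewhere. I would add an explicit guard after the issuer lookup that compares the freshly found issuer with the current certificate (pointer equality or CERT_CompareCerts) and returns the partial chain with SEC_ERROR_UNKNOWN_ISSUER, and change the comment to `/* cert->isRoot: chain ends at a decoded root; a merely self-issued cert keeps walking */`. The enclosing function starts and continues outside this hunk, so the exact lookup code is not visible here.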
@@ -502,9 +502,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) } /* check if the cert is self-signed */ - rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject, - &subjectCert->derIssuer); - if (rvCompare == SECEqual) { + if (subjectCert->isRoot) { /* fail since cert is self-signed and has no pqg params. */ return SECFailure; } diff --git a/mozilla/security/nss/lib/pk11wrap/pk11cert.c b/mozilla/security/nss/lib/pk11wrap/pk11cert.c index 3c7030ef0ef..4a76afb61b3 100644 --- a/mozilla/security/nss/lib/pk11wrap/pk11cert.c +++ b/mozilla/security/nss/lib/pk11wrap/pk11cert.c @@ -354,8 +354,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID, * valid CA's which are self-signed here. They must have an object * ID of '0'. */ if (pk11_isID0(slot,certID) && - SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer) - == SECEqual) { + cert->isRoot) { trustflags |= CERTDB_TRUSTED_CA; /* is the slot a fortezza card? allow the user or * admin to turn on objectSigning, but don't turn diff --git a/mozilla/security/nss/lib/ssl/cmpcert.c b/mozilla/security/nss/lib/ssl/cmpcert.c index 7d278d28c3e..269a429fb31 100644 --- a/mozilla/security/nss/lib/ssl/cmpcert.c +++ b/mozilla/security/nss/lib/ssl/cmpcert.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: cmpcert.c,v 1.5 2007-07-06 03:16:54 julien.pierre.bugs%sun.com Exp $ */ +/* $Id: cmpcert.c,v 1.6 2008-02-01 22:09:09 julien.pierre.boogz%sun.com Exp $ */ #include #include @@ -79,7 +79,7 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames) /* compute an alternate issuer name for compatibility with 2.0 * enterprise server, which send the CA names without - * the outer layer of DER hearder + * the outer layer of DER header */ rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen); if ( rv == SECSuccess ) {
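Review bot: The comment `/* check if the cert is self-signed */` and the failure comment in seckey_UpdateCertPQGChain no longer describe the test: `subjectCert->isRoot` is a flag set when the certificate was decoded, and a self-issued certificate that is not a root now continues to its issuer instead of failing, so the recursion is bounded only by the `count` argument visible in the hunk header, whose limit is outside this hunk. I would reword to `/* a root (as decoded) has no issuer to inherit PQG params from */` and `/* fail: root cert with no pqg params */`, and if `rvCompare` has no remaining use in this function, remove its declaration along with the SECStatus cast that went with it. The function begins and ends outside the hunk.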
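Review bot: In PK11_MakeCertFromHandle, `CERTDB_TRUSTED_CA` is still granted purely from token state — `pk11_isID0(slot,certID)` plus `cert->isRoot` — and nothing in this condition verifies the certificate's self-signature, so the comment above should say what is actually checked rather than "self-signed": `/* Treat an ID-0 object that NSS decoded as a root (cert->isRoot) as a trusted CA; the self-signature is not verified by this test. */`. The change does narrow the grant compared with the bare subject/issuer comparison, which is an improvement; whether isRoot also consults key identifiers is decided in the decoder, outside this hunk. The enclosing function continues beyond the hunk.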