summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/certverifier/CertVerifier.cpp3
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js28
-rw-r--r--security/nss/lib/softoken/sftkpwd.c4
4 files changed, 33 insertions, 8 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 61d8fcdb8..2957a269f 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -224,8 +224,7 @@ CertVerifier::VerifySignedCertificateTimestamps(
CERTCertListNode* issuerNode = CERT_LIST_NEXT(endEntityNode);
if (!issuerNode || CERT_LIST_END(issuerNode, builtChain)) {
// Issuer certificate is required for SCT verification.
- // TODO(bug 1294580): change this to Result::FATAL_ERROR_INVALID_ARGS
- return Success;
+ return Result::FATAL_ERROR_INVALID_ARGS;
}
CERTCertificate* endEntity = endEntityNode->cert;
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 1fe27b760..b4e12fe9c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -245,7 +245,11 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't
// needed to consider end-entity certs to be their own trust anchors since
// Goanna implemented nsICertOverrideService.
- if (flags & CERTDB_TRUSTED_CA) {
+ // Of course, for this to work as expected, we need to make sure we're
+ // inquiring about the trust of a CA and not an end-entity. If an end-entity
+ // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a
+ // trust anchor; it must inherit its trust.
+ if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) {
if (policy.IsAnyPolicy()) {
trustLevel = TrustLevel::TrustAnchor;
return Success;
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
index 622678c7a..bf081f1bd 100644
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -208,9 +208,31 @@ function run_test() {
setCertTrust(ca_cert, ",,");
setCertTrust(int_cert, ",,");
- // It turns out that if an end-entity certificate is manually trusted, it can
- // be the root of its own verified chain. This will be removed in bug 1294580.
- setCertTrust(ee_cert, "C,,");
+ // If an end-entity certificate is manually trusted, it may not be the root of
+ // its own verified chain. In general this will cause "unknown issuer" errors
+ // unless a CA trust anchor can be found.
+ setCertTrust(ee_cert, "CTu,CTu,CTu");
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageObjectSigner);
+
+ // Now make a CA trust anchor available.
+ setCertTrust(ca_cert, "CTu,CTu,CTu");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
}
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index e0d2df9ab..07b6922dc 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -273,7 +273,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt,
- 1);
+ 30000);
if (param == NULL) {
rv = SECFailure;
goto loser;
@@ -444,7 +444,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, prfLength);
/* initialize our pkcs5 parameter */
- param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1);
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 30000);
if (param == NULL) {
rv = SECFailure;
goto loser;