Bug 946984: Callers of pkix_CheckChain should check reasonCode only if
pkix_CheckChain fails. r=ryan.sleevi.
--- a/lib/libpkix/include/pkix_errorstrings.h
+++ b/lib/libpkix/include/pkix_errorstrings.h
@@ -233,17 +233,16 @@ PKIX_ERRORENTRY(CERTSTOREGETCRLCALLBACKF
PKIX_ERRORENTRY(CERTSTOREGETLOCALFLAGFAILED,PKIX_CertStore_GetLocalFlag failed,0),
PKIX_ERRORENTRY(CERTSTOREGETTRUSTCALLBACKFAILED,PKIX_CertStore_GetTrustCallback failed,0),
PKIX_ERRORENTRY(CERTSTOREHASHCODEFAILED,pkix_CertStore_Hashcode failed,0),
PKIX_ERRORENTRY(CERTTOSTRINGFAILED,PKIX_PL_Cert_ToString failed,0),
PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0),
PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
-PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
PKIX_ERRORENTRY(CHAINVERIFYCALLBACKFAILED,Chain rejected by Application Callback,SEC_ERROR_APPLICATION_CALLBACK_ERROR),
PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
PKIX_ERRORENTRY(CHECKCHAINFAILED,pkix_CheckChain failed,0),
PKIX_ERRORENTRY(CHECKTRUSTCALLBACKFAILED,CheckTrustCallback failed,0),
PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0),
PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECRLFAILED,pkix_pl_CollectionCertStoreContext_PopulateCrl failed,0),
PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECERTFAILED,pkix_pl_CollectionCertStoreContext_CreateCert failed,0),
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1343,19 +1343,18 @@ pkix_Build_ValidateEntireChain(
if (nbioContext != NULL) {
*pNBIOContext = nbioContext;
goto cleanup;
}
ERROR_CHECK(PKIX_CHECKCHAINFAILED);
- if (state->reasonCode != 0) {
- PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
- }
+ /* XXX Remove this assertion after 2014-12-31. See bug 946984. */
+ PORT_Assert(state->reasonCode == 0);
PKIX_CHECK(pkix_ValidateResult_Create
(subjPubKey, anchor, policyTree, &valResult, plContext),
PKIX_VALIDATERESULTCREATEFAILED);
*pValResult = valResult;
valResult = NULL;
--- a/lib/libpkix/pkix/top/pkix_validate.c
+++ b/lib/libpkix/pkix/top/pkix_validate.c
@@ -1108,32 +1108,36 @@ PKIX_ValidateChain(
&revChecking,
&reasonCode,
&nbioContext,
&finalPubKey,
&validPolicyTree,
pVerifyTree,
plContext);
- if (chainFailed || (reasonCode != 0)) {
+ if (chainFailed) {
/* cert chain failed to validate */
PKIX_DECREF(chainFailed);
PKIX_DECREF(anchor);
PKIX_DECREF(checkers);
PKIX_DECREF(validPolicyTree);
/* if last anchor, we fail; else, we try next anchor */
if (i == (numAnchors - 1)) { /* last anchor */
PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
}
} else {
+ /* XXX Remove this assertion after 2014-12-31.
+ * See bug 946984. */
+ PORT_Assert(reasonCode == 0);
+
/* cert chain successfully validated! */
PKIX_CHECK(pkix_ValidateResult_Create
(finalPubKey,
anchor,
validPolicyTree,
&valResult,
plContext),
PKIX_VALIDATERESULTCREATEFAILED);
@@ -1388,32 +1392,36 @@ PKIX_ValidateChain_NB(
*pCheckerIndex = checkerIndex;
*pRevChecking = revChecking;
PKIX_INCREF(checkers);
*pCheckers = checkers;
*pNBIOContext = nbioContext;
goto cleanup;
}
- if (chainFailed || (reasonCode != 0)) {
+ if (chainFailed) {
/* cert chain failed to validate */
PKIX_DECREF(chainFailed);
PKIX_DECREF(anchor);
PKIX_DECREF(checkers);
PKIX_DECREF(validPolicyTree);
/* if last anchor, we fail; else, we try next anchor */
if (i == (numAnchors - 1)) { /* last anchor */
PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
}
} else {
+ /* XXX Remove this assertion after 2014-12-31.
+ * See bug 946984. */
+ PORT_Assert(reasonCode == 0);
+
/* cert chain successfully validated! */
PKIX_CHECK(pkix_ValidateResult_Create
(finalPubKey,
anchor,
validPolicyTree,
&valResult,
plContext),
PKIX_VALIDATERESULTCREATEFAILED);