Bug 946984: Callers of pkix_CheckChain should check reasonCode only if
authorWan-Teh Chang <wtc@google.com>
Fri, 03 Jan 2014 14:30:52 -0800
changeset 10990 0e4e58e97971ae9b5221e6e409f056e91d06e116
parent 10989 4c81bf12335f9c1af8fb5d8f7aef847018fa6189
child 10991 1b97dd5ae003e33fd18b50ee14b0aee3aeeac403
push id264
push userwtc@google.com
push dateFri, 03 Jan 2014 22:30:58 +0000
bugs946984
Bug 946984: Callers of pkix_CheckChain should check reasonCode only if pkix_CheckChain fails. r=ryan.sleevi.
lib/libpkix/include/pkix_errorstrings.h
lib/libpkix/pkix/top/pkix_build.c
lib/libpkix/pkix/top/pkix_validate.c
--- a/lib/libpkix/include/pkix_errorstrings.h
+++ b/lib/libpkix/include/pkix_errorstrings.h
@@ -233,17 +233,16 @@ PKIX_ERRORENTRY(CERTSTOREGETCRLCALLBACKF
 PKIX_ERRORENTRY(CERTSTOREGETLOCALFLAGFAILED,PKIX_CertStore_GetLocalFlag failed,0),
 PKIX_ERRORENTRY(CERTSTOREGETTRUSTCALLBACKFAILED,PKIX_CertStore_GetTrustCallback failed,0),
 PKIX_ERRORENTRY(CERTSTOREHASHCODEFAILED,pkix_CertStore_Hashcode failed,0),
 PKIX_ERRORENTRY(CERTTOSTRINGFAILED,PKIX_PL_Cert_ToString failed,0),
 PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
 PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0),
 PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
-PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
 PKIX_ERRORENTRY(CHAINVERIFYCALLBACKFAILED,Chain rejected by Application Callback,SEC_ERROR_APPLICATION_CALLBACK_ERROR),
 PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
 PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
 PKIX_ERRORENTRY(CHECKCHAINFAILED,pkix_CheckChain failed,0),
 PKIX_ERRORENTRY(CHECKTRUSTCALLBACKFAILED,CheckTrustCallback failed,0),
 PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0),
 PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECRLFAILED,pkix_pl_CollectionCertStoreContext_PopulateCrl failed,0),
 PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECERTFAILED,pkix_pl_CollectionCertStoreContext_CreateCert failed,0),
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1343,19 +1343,18 @@ pkix_Build_ValidateEntireChain(
 
         if (nbioContext != NULL) {
                 *pNBIOContext = nbioContext;
                 goto cleanup;
         }
 
         ERROR_CHECK(PKIX_CHECKCHAINFAILED);
 
-        if (state->reasonCode != 0) {
-                PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
-        }
+        /* XXX Remove this assertion after 2014-12-31. See bug 946984. */
+        PORT_Assert(state->reasonCode == 0);
 
         PKIX_CHECK(pkix_ValidateResult_Create
                 (subjPubKey, anchor, policyTree, &valResult, plContext),
                 PKIX_VALIDATERESULTCREATEFAILED);
 
         *pValResult = valResult;
         valResult = NULL;
 
--- a/lib/libpkix/pkix/top/pkix_validate.c
+++ b/lib/libpkix/pkix/top/pkix_validate.c
@@ -1108,32 +1108,36 @@ PKIX_ValidateChain(
                         &revChecking,
                         &reasonCode,
                         &nbioContext,
                         &finalPubKey,
                         &validPolicyTree,
                         pVerifyTree,
                         plContext);
 
-                if (chainFailed || (reasonCode != 0)) {
+                if (chainFailed) {
 
                         /* cert chain failed to validate */
 
                         PKIX_DECREF(chainFailed);
                         PKIX_DECREF(anchor);
                         PKIX_DECREF(checkers);
                         PKIX_DECREF(validPolicyTree);
 
                         /* if last anchor, we fail; else, we try next anchor */
                         if (i == (numAnchors - 1)) { /* last anchor */
                                 PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
                         }
 
                 } else {
 
+                        /* XXX Remove this assertion after 2014-12-31.
+                         * See bug 946984. */
+                        PORT_Assert(reasonCode == 0);
+
                         /* cert chain successfully validated! */
                         PKIX_CHECK(pkix_ValidateResult_Create
                                 (finalPubKey,
                                 anchor,
                                 validPolicyTree,
                                 &valResult,
                                 plContext),
                                 PKIX_VALIDATERESULTCREATEFAILED);
@@ -1388,32 +1392,36 @@ PKIX_ValidateChain_NB(
                         *pCheckerIndex = checkerIndex;
                         *pRevChecking = revChecking;
                         PKIX_INCREF(checkers);
                         *pCheckers = checkers;
                         *pNBIOContext = nbioContext;
                         goto cleanup;
                 }
 
-                if (chainFailed || (reasonCode != 0)) {
+                if (chainFailed) {
 
                         /* cert chain failed to validate */
 
                         PKIX_DECREF(chainFailed);
                         PKIX_DECREF(anchor);
                         PKIX_DECREF(checkers);
                         PKIX_DECREF(validPolicyTree);
 
                         /* if last anchor, we fail; else, we try next anchor */
                         if (i == (numAnchors - 1)) { /* last anchor */
                                 PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
                         }
 
                 } else {
 
+                        /* XXX Remove this assertion after 2014-12-31.
+                         * See bug 946984. */
+                        PORT_Assert(reasonCode == 0);
+
                         /* cert chain successfully validated! */
                         PKIX_CHECK(pkix_ValidateResult_Create
                                 (finalPubKey,
                                 anchor,
                                 validPolicyTree,
                                 &valResult,
                                 plContext),
                                 PKIX_VALIDATERESULTCREATEFAILED);