Bug 1047792: Rely on mozilla::pkix to filter out expired certs instead of CERT_CreateSubjectCertList, r=keeler
authorBrian Smith <brian@briansmith.org>
Fri, 01 Aug 2014 23:16:21 -0700
changeset 14641 34706feaf2be580dc3ccdc51872932b6fcc7aa56
parent 14640 7981db8aab34f4acb07a27ab629cc952dad6a47e
child 14642 d641b9be5414ca0cd4387bc516b8f0cfd848e336
push id3202
push userfranziskuskiefer@gmail.com
push dateMon, 01 Oct 2018 08:30:12 +0000
reviewerskeeler
bugs1047792
Bug 1047792: Rely on mozilla::pkix to filter out expired certs instead of CERT_CreateSubjectCertList, r=keeler
lib/mozpkix/include/pkix/Result.h
lib/mozpkix/lib/pkixbuild.cpp
lib/mozpkix/lib/pkixnss.cpp
--- a/lib/mozpkix/include/pkix/Result.h
+++ b/lib/mozpkix/include/pkix/Result.h
@@ -67,19 +67,19 @@ MOZILLA_PKIX_ENUM_CLASS Result
   ERROR_OCSP_SERVER_ERROR = 29,
   ERROR_OCSP_TRY_SERVER_LATER = 30,
   ERROR_OCSP_UNAUTHORIZED_REQUEST = 31,
   ERROR_OCSP_UNKNOWN_RESPONSE_STATUS = 32,
   ERROR_OCSP_UNKNOWN_CERT = 33,
   ERROR_OCSP_FUTURE_RESPONSE = 34,
 
   ERROR_UNKNOWN_ERROR = 35,
-
   ERROR_INVALID_KEY = 36,
   ERROR_UNSUPPORTED_KEYALG = 37,
+  ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
 
   // Keep this in sync with MAP_LIST in pkixnss.cpp
 
   FATAL_ERROR_INVALID_ARGS = FATAL_ERROR_FLAG | 1,
   FATAL_ERROR_INVALID_STATE = FATAL_ERROR_FLAG | 2,
   FATAL_ERROR_LIBRARY_FAILURE = FATAL_ERROR_FLAG | 3,
   FATAL_ERROR_NO_MEMORY = FATAL_ERROR_FLAG | 4,
 
--- a/lib/mozpkix/lib/pkixbuild.cpp
+++ b/lib/mozpkix/lib/pkixbuild.cpp
@@ -88,16 +88,18 @@ private:
   void operator=(const PathBuildingStep&) /*= delete*/;
 };
 
 Result
 PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
 {
   if (newResult == Result::ERROR_UNTRUSTED_CERT) {
     newResult = Result::ERROR_UNTRUSTED_ISSUER;
+  } else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
+    newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
   }
 
   if (resultWasSet) {
     if (result == Success) {
       PR_NOT_REACHED("RecordResult called after finding a chain");
       return Result::FATAL_ERROR_INVALID_STATE;
     }
     // If every potential issuer has the same problem (e.g. expired) and/or if
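Review bot: The added else-if at lines 50-51 renames the result with no comment on why, and the only hint is the parallel ERROR_UNTRUSTED_CERT branch above it; I would add `// Errors found on a candidate issuer are reported as issuer errors so the caller can tell them apart from problems with the end-entity cert.` above the chain. It is also worth confirming whether any not-yet-valid result that the validity check may return (not visible in this hunk) should be remapped the same way, since as written it would still surface as an end-entity-style error. The body of RecordResult, including the merging logic that starts at line 54, continues outside the hunk.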
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -227,16 +227,17 @@ DigestBuf(Input item, /*out*/ uint8_t* d
     MAP(Result::ERROR_OCSP_SERVER_ERROR, SEC_ERROR_OCSP_SERVER_ERROR) \
     MAP(Result::ERROR_OCSP_TRY_SERVER_LATER, SEC_ERROR_OCSP_TRY_SERVER_LATER) \
     MAP(Result::ERROR_OCSP_UNAUTHORIZED_REQUEST, SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) \
     MAP(Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) \
     MAP(Result::ERROR_OCSP_UNKNOWN_CERT, SEC_ERROR_OCSP_UNKNOWN_CERT) \
     MAP(Result::ERROR_OCSP_FUTURE_RESPONSE, SEC_ERROR_OCSP_FUTURE_RESPONSE) \
     MAP(Result::ERROR_INVALID_KEY, SEC_ERROR_INVALID_KEY) \
     MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
+    MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
     MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
     MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
     MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
     MAP(Result::FATAL_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY) \
     /* nothing here */
 
 Result
 MapPRErrorCodeToResult(PRErrorCode error)