436599 - PKIX: AIA extension is not used in some Bridge CA / known certs configuration. r=nelson
authoralexei.volkov.bugs%sun.com
Wed, 09 Jul 2008 00:02:50 +0000
changeset 8663 53e2ff6da3ca2d08d8c945e8ee9393d6750c15d2
parent 8662 0a98c641b697d9cc3b47af1b8b85bbd2863d21ce
child 8664 c5112c5703c95a5ea366fc2e26b79b626a9c7699
push idunknown
push userunknown
push dateunknown
reviewersnelson
bugs436599
436599 - PKIX: AIA extension is not used in some Bridge CA / known certs configuration. r=nelson
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -568,17 +568,17 @@ PKIX_ERRORENTRY(HTTPDEFAULTCLIENTSENDFAI
 PKIX_ERRORENTRY(HTTPSERVERERROR,HTTP Server Error,0),
 PKIX_ERRORENTRY(ILLEGALCHARACTERINESCAPEDASCII,Illegal character in Escaped ASCII String,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(ILLEGALCHARACTERINOID,Illegal character in OID,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(ILLEGALDOTINOID,Illegal period in OID,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(ILLEGALSURROGATEPAIR,Illegal surrogate pair in EscapedASCII,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(ILLEGALUNICODECHARACTER,Illegal Unicode character in EscapedASCII,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(ILLEGALUSEOFAMP,Illegal use of ampersand character,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(IMPOSSIBLECRITERIONFORCRLQUERY,Impossible criterion for Crl Query,SEC_ERROR_INVALID_ARGS),
-PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,0),
+PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,SEC_ERROR_LIBPKIX_INTERNAL),
 PKIX_ERRORENTRY(INESCAPEDASCII,in EscapedASCII,0),
 PKIX_ERRORENTRY(INFOACCESSCREATEFAILED,pkix_pl_InfoAccess_Create failed,0),
 PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0),
 PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,0),
 PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,0),
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -2464,16 +2464,17 @@ pkix_BuildForwardDepthFirstSearch(
                         /* Are we still within range of the partial chain? */
                         if (certsSoFar >= state->buildConstants.numHintCerts) {
                                 state->status = BUILD_TRYAIA;
                         } else {
                                 /*
                                  * If we already have n certs, we want the n+1th
                                  * (i.e., index = n) from the list of hints.
                                  */
+                                PKIX_DECREF(state->candidateCert);
                                 PKIX_CHECK(PKIX_List_GetItem
                                     (state->buildConstants.hintCerts,
                                     certsSoFar,
                                     (PKIX_PL_Object **)&state->candidateCert,
                                     plContext),
                                     PKIX_LISTGETITEMFAILED);
 
                                 PKIX_CHECK(PKIX_List_AppendItem
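Review bot: The added `PKIX_DECREF(state->candidateCert);` ahead of `PKIX_List_GetItem` carries no comment, and the surrounding lines do not show why a candidate could still be held when this branch is reached. A short why-comment would stop a later cleanup from removing it as redundant, for example `/* Release any candidate left from an earlier pass; GetItem overwrites the pointer. */`. This assumes GetItem stores a fresh reference into `state->candidateCert`, which is not visible here and should be confirmed. The `PKIX_List_AppendItem` call that follows continues outside the hunk.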
@@ -2584,18 +2585,18 @@ pkix_BuildForwardDepthFirstSearch(
                         PKIX_DEBUG_ARG("filteredCerts = %s\n", unAscii);
                         PKIX_DECREF(unString);
                         PKIX_FREE(unAscii);
                 }
 #endif
 
                         PKIX_DECREF(state->candidateCerts);
                         state->candidateCerts = filteredCerts;
+                        state->certIndex = 0;
                         filteredCerts = NULL;
-
                 }
 
                 /* Are there any Certs to try? */
                 if (state->numCerts > 0) {
                         state->status = BUILD_CERTVALIDATING;
                 } else {
                         state->status = BUILD_COLLECTINGCERTS;
                 }
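Review bot: `state->certIndex = 0;` restarts iteration over the swapped-in `filteredCerts`, but nothing in the visible lines refreshes `state->numCerts`, which the check just below still reads. If the count is not taken from `filteredCerts` above this hunk, a later `certIndex < numCerts` test could index past the shorter filtered list. That would surface as the `INDEXOUTOFBOUNDS` error which this same commit remaps in pkix_errorstrings.h. Please confirm the length is updated, and consider documenting the invariant next to the reset: `/* new candidate list: restart at 0; numCerts must describe filteredCerts */`. The enclosing block starts outside the hunk.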
@@ -3303,16 +3304,24 @@ pkix_BuildForwardDepthFirstSearch(
                         canBeCached = state->canBeCached;
 
                         /* Are there any more Certs to try? */
                         if (++(state->certIndex) < (state->numCerts)) {
                                 state->status = BUILD_CERTVALIDATING;
                                 PKIX_DECREF(state->candidateCert);
                                 break;
                         }
+                        if (state->useOnlyLocal == PKIX_TRUE) {
+                            /* Clean up and go for AIA round. */
+                            state->useOnlyLocal = PKIX_FALSE;
+                            state->certStoreIndex = 0;
+                            state->numFanout = state->buildConstants.maxFanout;
+                            state->status = BUILD_TRYAIA;
+                            break;
+                        }
                 }
                 PKIX_DECREF(state->candidateCert);
             } while (outOfOptions == PKIX_FALSE);
 
         } /* while (outOfOptions == PKIX_FALSE) */
 
 cleanup:
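Review bot: The new `useOnlyLocal` branch leaves through `break;` without `PKIX_DECREF(state->candidateCert);`, whereas the `certIndex` branch directly above releases the candidate before its own `break`. Both breaks appear to skip the DECREF that follows the closing brace. If the BUILD_TRYAIA path, which is outside this hunk, stores into `state->candidateCert` without releasing it first, the old reference leaks; adding `PKIX_DECREF(state->candidateCert);` before the new `break;` would make the two exits symmetric. Since clearing `useOnlyLocal` presumably allows non-local (AIA) retrieval driven by data in the certificate being validated, the comment should say so, e.g. `/* Local stores exhausted: permit AIA lookups and restart from the first cert store. */`. It is also worth confirming that a caller who asked for local-only building is still honoured on the TRYAIA path. The new block is indented by 4 where the surrounding code uses 8.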