Bug 384459, ignore issuer and serial number components of authority key ID NSS_3_11_BRANCH
authornelson%bolyard.com
Tue, 29 Jul 2008 03:45:05 +0000
branchNSS_3_11_BRANCH
changeset 8682 c34e5c3b276045d266c3af5c43ea8cbae2e3ccc0
parent 8661 7eee8c409b69a4c5dd790eb98809380304b84588
child 8683 fd30ef8b106fd2ce5296075fb68c94345968937d
push idunknown
push userunknown
push dateunknown
bugs384459
Bug 384459, ignore issuer and serial number components of authority key ID extension when they don't match. Don't report them in certutil either. r=rrelyea, sr=wtc
security/nss/cmd/lib/secutil.c
security/nss/lib/pki/pki3hack.c
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -1805,24 +1805,16 @@ secu_PrintAuthKeyIDExtension(FILE *out, 
 	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
 	SECU_PrintAny(out, value, "Data", level);
     } else {
 	int keyIDPresent  = (kid->keyID.data && kid->keyID.len);
 	int issuerPresent = kid->authCertIssuer != NULL;
 	int snPresent = (kid->authCertSerialNumber.data &&
 	                 kid->authCertSerialNumber.len);
 
-        if ((keyIDPresent && !issuerPresent && !snPresent) ||
-	    (!keyIDPresent && issuerPresent && snPresent)) {
-	    /* all is well */
-	} else {
-	    SECU_Indent(out, level);
-	    fprintf(out, 
-	    "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n");
-	}
 	if (keyIDPresent)
 	    SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
 	if (issuerPresent)
 	    secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level);
 	if (snPresent)
 	    SECU_PrintInteger(out, &kid->authCertSerialNumber, 
 	                    "Serial Number", level);
     }
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -313,60 +313,47 @@ static nssCertIDMatch
 nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
 {
     CERTCertificate *c = (CERTCertificate *)dc->data;
     CERTAuthKeyID *authKeyID = (CERTAuthKeyID *)id;
     SECItem skid;
     nssCertIDMatch match = nssCertIDMatch_Unknown;
 
     /* keyIdentifier */
-    if (authKeyID->keyID.len > 0) {
-	if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
-	    PRBool skiEqual;
-	    skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
-	    PORT_Free(skid.data);
-	    if (skiEqual) {
-		/* change the state to positive match, but keep going */
-		match = nssCertIDMatch_Yes;
-	    } else {
-		/* exit immediately on failure */
-		return nssCertIDMatch_No;
-	    }
-	} /* else fall through */
+    if (authKeyID->keyID.len > 0 &&
+	CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+	PRBool skiEqual;
+	skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+	PORT_Free(skid.data);
+	if (skiEqual) {
+	    /* change the state to positive match, but keep going */
+	    match = nssCertIDMatch_Yes;
+	} else {
+	    /* exit immediately on failure */
+	    return nssCertIDMatch_No;
+	}
     }
 
     /* issuer/serial (treated as pair) */
     if (authKeyID->authCertIssuer) {
 	SECItem *caName = NULL;
 	SECItem *caSN = &authKeyID->authCertSerialNumber;
 
 	caName = (SECItem *)CERT_GetGeneralNameByType(
 	                                        authKeyID->authCertIssuer,
 						certDirectoryName, PR_TRUE);
-	if (caName == NULL) {
-	    /* this is some kind of error, so treat it as unknown */
-	    return nssCertIDMatch_Unknown;
-	}
-	if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+	if (caName != NULL &&
+	    SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
 	    SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) 
 	{
-	    /* change the state to positive match, but keep going */
 	    match = nssCertIDMatch_Yes;
 	} else {
-	    /* exit immediately on failure */
-	    return nssCertIDMatch_No;
+	    match = nssCertIDMatch_Unknown;
 	}
     }
-
-    /* If the issued cert has a keyIdentifier field with a value, but
-     * this issuer cert does not have a subjectKeyID extension, and
-     * the issuer/serial number fields of the authKeyID extension
-     * are empty, the state will be Unknown.  Otherwise it should have
-     * been set to Yes.
-     */
     return match;
 }
 
 static PRBool
 nss3certificate_isValidIssuer(nssDecodedCert *dc)
 {
     CERTCertificate *c = (CERTCertificate *)dc->data;
     unsigned int ignore;
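Review bot: The else branch `match = nssCertIDMatch_Unknown;` in the issuer/serial block discards a positive key-identifier match made earlier in the same function: when the subjectKeyID compared equal but the issuer/serial pair does not, the result drops from Yes to Unknown instead of the pair being ignored as the commit message describes. If the keyIdentifier is meant to stay authoritative, the assignment can simply be removed, since `match` is still Unknown whenever no key-ID match occurred; if the downgrade is deliberate because a contradicting issuer/serial casts doubt on the key-ID match, a one-line comment there would say so, as the deleted comment block that explained the possible end states has no replacement. Presumably callers treat Unknown as "decide by other means" so this only changes which candidate issuer is tried, but that cannot be confirmed from this hunk. The hunk also ends inside `nss3certificate_isValidIssuer`, whose body continues past it.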