Closed Bug 1063276 Opened 10 years ago Closed 5 years ago

Pass entire cert chain to CertVerifier::VerifySSLServerCert

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: briansmith, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file, 1 obsolete file)

bug 1063276 - include the peer cert chain from the TLS handshake when verifying server certificates r?kjacobs
(deleted), text/x-phabricator-request
Details
Attached patch pass-cert-chain-to-VerifySSLServerCert.patch (obsolete) (deleted) — Splinter Review
I wrote this patch as part of some work I'm probably not going to finish. However, I think it is still useful, because it is progress towards removing some of the implicit state assumed by CertVerifier and NSSCertDBTrustDomain, and I don't want it to bitrot (again), so here it is.
Attachment #8484678 - Flags: review?(dkeeler)
Comment on attachment 8484678 [details] [diff] [review] pass-cert-chain-to-VerifySSLServerCert.patch Review of attachment 8484678 [details] [diff] [review]: ----------------------------------------------------------------- This looks good. r=me with comments and TODOs addressed. ::: security/certverifier/CertVerifier.cpp @@ +194,5 @@ > + ScopedCERTCertList certChain(CERT_NewCertList()); > + if (!certChain) { > + return SECFailure; > + } > + ScopedCERTCertificate certCopy(CERT_DupCertificate(cert)); Looks like if CERT_DupCertificate is passed a null pointer, it'll return NULL without setting an error code. We should either do that ourselves (and set some invalid args error code) or PR_ASSERT(cert) like we used to. ::: security/certverifier/CertVerifier.h @@ +25,5 @@ > static const Flags FLAG_MUST_BE_EV; > > // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV > // Only one usage per verification is supported. > + SECStatus VerifyCert(const CERTCertList& certChain, It would be good to document that the head of the list is the peer cert. ::: security/manager/ssl/src/SSLServerCertVerification.cpp @@ +550,5 @@ > MOZ_ASSERT(infoObject); > + > + nsCOMPtr<nsIX509CertList> certChain; > + if (NS_FAILED(infoObject->GetFailedCertChain(getter_AddRefs(certChain)))) { > + // TODO: set error code So, when are these todos going to happen? @@ +965,5 @@ > AccumulateSubjectCommonNameTelemetry(commonName.get(), > commonNameInSubjectAltNames); > } > > +// Ownership of peerCertChain may be transfered from peerCertChain Looks like it's called certList, below. ::: security/manager/ssl/src/nsNSSIOLayer.cpp @@ +383,5 @@ > const nsACString& hostname, > int32_t port, > bool* _retval) > { > + // TODO: assert that we're on the socket transport service thread. I'm pretty sure there's pre-existing code to do this in SSLServerCertVerification.cpp.
Attachment #8484678 - Flags: review?(dkeeler) → review+
Assignee: brian → nobody
Keywords: helpwanted
Status: ASSIGNED → NEW
Keywords: helpwanted
Whiteboard: [psm-backlog]
Priority: -- → P3
Assignee: nobody → dkeeler
Priority: P3 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
Target Milestone: mozilla35 → ---
Attachment #8484678 - Attachment is obsolete: true
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/63f999fa8c19 include the peer cert chain from the TLS handshake when verifying server certificates r=kjacobs

https://hg.mozilla.org/mozilla-central/rev/63f999fa8c19

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: