Open Bug 695268 Opened 13 years ago Updated 2 years ago

Allow callers of CERT_PKIXVerifyCert to control which cert signature algorithms, key sizes, and ECC curves are acceptable

Categories

(NSS :: Libraries, enhancement)

enhancement

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

References

Details

We can use NSS_SetAlgorithmPolicy to disable specific algorithms but it can't control key sizes or ECC curves, and it has blacklist semantics (algorithms are enabled by default). It would be better if we could implement whitelist semantics and control which key sizes and/or ECC curves are acceptable. This will be needed to implement some Mozilla policies regarding key sizes and algorithms and to properly implement ECC Suite B, AFAICT. It would be possible to enforce these constraints post-validation by walking the generated cert chain and checking each cert manually; however, this would not work perfectly if two certs had the same subject DN but one of them had a non-conformant signature curve/key-size.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.