Open
Bug 695268
Opened 13 years ago
Updated 2 years ago
Allow callers of CERT_PKIXVerifyCert to control which cert signature algorithms, key sizes, and ECC curves are acceptable
Categories
(NSS :: Libraries, enhancement)
Tracking
(Not tracked)
NEW
People
(Reporter: briansmith, Unassigned)
We can use NSS_SetAlgorithmPolicy to disable specific algorithms but it can't control key sizes or ECC curves, and it has blacklist semantics (algorithms are enabled by default). It would be better if we could implement whitelist semantics and control which key sizes and/or ECC curves are acceptable. This will be needed to implement some Mozilla policies regarding key sizes and algorithms and to properly implement ECC Suite B, AFAICT.
It would be possible to enforce these constraints post-validation by walking the generated cert chain and checking each cert manually; however, this would not work perfectly if two certs had the same subject DN but one of them had a non-conformant signature curve/key-size.
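The post-validation walk described above, and the case where it falls short, as an added example that is not part of the bug report and does not call the NSS API. It runs an allow-list policy over a constructed chain; the `Cert` model, the function names, the policy values and the first-match toy path builder are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: only the fields the policy inspects. curve == NULL means an RSA key. */
typedef struct { const char *subject, *issuer, *sig_alg, *curve; int key_bits; } Cert;

/* Allow-list policy (values are assumptions): anything not listed is rejected. */
static const char *const OK_SIG[] = { "rsa-sha256", "ecdsa-sha256", "ecdsa-sha384", NULL };
static const char *const OK_CURVE[] = { "P-256", "P-384", NULL };
enum { MIN_RSA_BITS = 2048 };

static int listed(const char *const *list, const char *s) {
    for (; *list; list++) if (strcmp(*list, s) == 0) return 1;
    return 0;
}
int cert_ok(const Cert *c) {
    if (!listed(OK_SIG, c->sig_alg)) return 0;
    return c->curve ? listed(OK_CURVE, c->curve) : c->key_bits >= MIN_RSA_BITS;
}

/* Toy builder: follow issuer names from leaf to a self-signed cert, taking the first
 * match in pool; filter != 0 applies the policy while choosing. Returns length or 0. */
size_t build(const Cert *pool, size_t n, const Cert *leaf, int filter, const Cert **out, size_t max) {
    const Cert *cur = leaf;
    size_t len = 0;
    if (max == 0 || (filter && !cert_ok(leaf))) return 0;
    out[len++] = cur;
    while (strcmp(cur->subject, cur->issuer) != 0) {
        const Cert *next = NULL;
        for (size_t i = 0; i < n && !next; i++)
            if (!strcmp(pool[i].subject, cur->issuer) && (!filter || cert_ok(&pool[i])))
                next = &pool[i];
        if (!next || len == max) return 0;
        out[len++] = cur = next;
    }
    return len;
}

/* Post-validation walk: every cert in the finished chain must pass the policy. */
int chain_ok(const Cert **chain, size_t len) {
    for (size_t i = 0; i < len; i++) if (!cert_ok(chain[i])) return 0;
    return len > 0;
}

/* Constructed pool: two "CN=Int CA" certs for the same key, differing in signature. */
const Cert POOL[] = {
    { "CN=Int CA", "CN=Root", "rsa-sha1",   NULL, 2048 },
    { "CN=Int CA", "CN=Root", "rsa-sha256", NULL, 2048 },
    { "CN=Root",   "CN=Root", "rsa-sha256", NULL, 4096 },
};
const Cert LEAF = { "CN=host.example", "CN=Int CA", "rsa-sha256", "P-256", 0 };
```

With `filter` set to 0 the builder takes the SHA-1-signed intermediate and `chain_ok` rejects a chain for which a conformant alternative existed; with `filter` set to 1 the same pool yields a chain that passes.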
Updated 2 years ago
Severity: normal → S3