On 09/06/12 06:03, Wan-Teh Chang wrote:
Rob,
Please fix the bug in the "old" certificate verification library. Thanks.
Are you going to use the approach outlined by Nelson in bug 479508 and
bug 482153?
>
> Wan-Teh
Hi Wan-Teh.
I'm afraid I have nowhere near enough knowledge of NSS internals to turn
Nelson's "disgusting hack" [1] into something that the NSS team would,
under normal circumstances, "contemplate committing" [2].
I've just tested Nelson's 2 patches ([1] and [3]) against
mozilla-inbound, and they appear to fix the problem. IMHO, a
"disgusting hack" fix is much better than a non-disgusting,
significantly delayed fix.
So, how would Mozilla and the NSS Team feel about committing Nelson's 2
patches?
[1] https://bugzilla.mozilla.org/attachment.cgi?id=366236
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=482153#c1
[3] https://bugzilla.mozilla.org/attachment.cgi?id=366225
P.S. An alternative idea, for which I am willing to write a patch (if
you think this would be preferable to Nelson's "disgusting hack"):
- Define a certHashesToAvoidUsing[] array in
nssCertificateArray_FindBestCertificate(). Populate this array with the
hashes of all of the UTN->AddTrust and AddTrust->UTN cross-certificates.
Make the code consult this list: if a match is found, do not consider
this cert to be the best match.
P.P.S. 2 other ideas which didn't appear to work...
1. I tried adding the affected UTN<-->AddTrust cross-certificates as
distrusted built-ins, but this didn't help. Presumably "distrust" is
only evaluated after the "best" certificate chain has been chosen,
rather than during the process of chain selection.
2. I tried removing one of the affected UTN root-certificates and then
adding the relevant AddTrust->UTN cross-certificate as a built-in. This
didn't work either, presumably because the UTN root-certificate was for
some reason still listed as a Software Security Device.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto