On 04/26/2014 01:44 AM, Erwann Abalea wrote:
> Took a quick look at the code, it looks like KU/EKU checks are ok, 
> BasicConstraints checks are weirdly done, NameConstraints checks are hard to 
> follow, CertificatePolicies checks are a joke. I now notice that I didn't see 
> date checks (I may have missed it). Init part of the validation code follows 
> RFC5280 algorithm, but that's all.
> Revocation checking is done by OCSP only.
> And there's a LOT of magic values everywhere; I noticed them first for OID 
> comparisons, but there's little to no use of an ASN.1/DER parser (IIRC, 
> there's already 2 implementations in NSS).

Erwann,

It would be a great help if you could either expand on the issues you
found here or file bugs in bugzilla. The sooner we catch and deal with
issues the better.

Date checks are done here:
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixcheck.cpp#29
There's a minimal DER decoder here:
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixder.h
that implements what is needed for this library and nothing more (for
example,
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixocsp.cpp
makes heavy use of it).

Thank you,
David
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto