David Stutzman wrote:
> PK11_ImportCert has the following signature:
>
>   SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
>                             CK_OBJECT_HANDLE key, char *nickname,
>                             PRBool includeTrust)
>
> Looking at the implementation in
> nss-3.11.2/mozilla/security/nss/lib/pk11wrap/pk11cert.c, line 790, I
> don't see "includeTrust" being used anywhere in the function. At line
> 855 when the function nssToken_ImportCertificate is called, no trust
> information is passed. Is this a bug?

Ignoring the "includeTrust" argument is a bug. I don't
know why it's ignored. NSS itself always passes includeTrust=PR_FALSE
to PK11_ImportCert, except in this call sequence:

  nss/lib/pkcs12/p12d.c: sec_pkcs12_add_cert
    calls PK11_ImportCertForKeyToSlot with addCertUsage=PR_TRUE
  nss/lib/pk11wrap/pk11cert.c: PK11_ImportCertForKeyToSlot
    calls PK11_ImportCert with includeTrust=addCertUsage

This bug seems to have been introduced in NSS 3.4. (The core of
the NSS certificate handling code was rewritten in NSS 3.4.) In
NSS 3.3.2, PK11_ImportCert has the following code:

    if(includeTrust && PK11_IsInternal(slot)) {
        attrs++;
        certUsage = (SECCertUsage*)PORT_Alloc(sizeof(SECCertUsage));
        if(!certUsage) {
            SECITEM_FreeItem(keyID,PR_TRUE);
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            return rv;
        }
        *certUsage = certUsageUserCertImport;
        PK11_SETATTRS(attrs,CKA_NETSCAPE_TRUST, certUsage,
                      sizeof(SECCertUsage));
    } else {

> What's the general procedure in cases like this? Should I just file the
> bug and let you guys close it if it's not an issue or post here first
> and ask like I just did?

It's better to file a bug report so that we only need to
write once.
Wan-Teh