Paul Hoffman wrote: > Ah! We are in agreement. If a cert says "I expire on this date in the > past", we both would prefer that NSS would use the information and > not use it as a trust anchor. > > I still cannot find the code that would or would not implement this, however.
It's in cert_VerifyCertChain(), I would say, cf. http://lxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#755 and http://lxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#820 In the first case, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE is set when checking the signature of a cert and the issuer cert is expired (calls CERT_VerifySignedData(), which in turn has a check based on CERT_CheckCertValidTimes()): > 745 /* verify the signature on the cert */ > 746 if ( checkSig ) { > 747 rv = CERT_VerifySignedData(&subjectCert->signatureWrap, > 748 issuerCert, t, wincx); > 749 > 750 if ( rv != SECSuccess ) { > 751 if (sigerror) { > 752 *sigerror = PR_TRUE; > 753 } > 754 if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) { > 755 PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE); > 756 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); > 757 } else { > 758 PORT_SetError(SEC_ERROR_BAD_SIGNATURE); > 759 LOG_ERROR_OR_EXIT(log,subjectCert,count,0); > 760 } > 761 } > 762 } If this test is skipped (because the caller explicitly choose not to check signatures by setting checkSig to false), then there's still the CRL check where an expired trust anchor would be rejected, IINM: > 819 /* check revoked list (issuer) */ > 820 rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx); This will call CERT_CheckCRL() in turn, which again has a check for the validity of the issuing cert by calling CERT_CheckCertValidTimes() - cf. http://lxr.mozilla.org/security/source/security/nss/lib/certdb/crl.c#2570. Kaspar _______________________________________________ dev-tech-crypto mailing list [EMAIL PROTECTED] https://lists.mozilla.org/listinfo/dev-tech-crypto
