From df14c5d1d101b52d412067bbe9df11394ff11bf5 Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Fri, 6 Dec 2013 13:42:44 -0800 Subject: [PATCH] Bug 945349 - CertVerifier should check early for bad usages. r=briansmith --- security/manager/ssl/src/CertVerifier.cpp | 15 +++++++++++++++ security/manager/ssl/src/CertVerifier.h | 1 + 2 files changed, 16 insertions(+) diff --git a/security/manager/ssl/src/CertVerifier.cpp b/security/manager/ssl/src/CertVerifier.cpp index 5d35d9b2491..39b54c403a7 100644 --- a/security/manager/ssl/src/CertVerifier.cpp +++ b/security/manager/ssl/src/CertVerifier.cpp @@ -138,6 +138,21 @@ CertVerifier::VerifyCert(CERTCertificate * cert, *evOidPolicy = SEC_OID_UNKNOWN; } + switch(usage){ + case certificateUsageSSLClient: + case certificateUsageSSLServer: + case certificateUsageSSLCA: + case certificateUsageEmailSigner: + case certificateUsageEmailRecipient: + case certificateUsageObjectSigner: + case certificateUsageStatusResponder: + break; + default: + NS_WARNING("Calling VerifyCert with invalid usage"); + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + ScopedCERTCertList trustAnchors; SECStatus rv; SECOidTag evPolicy = SEC_OID_UNKNOWN; diff --git a/security/manager/ssl/src/CertVerifier.h b/security/manager/ssl/src/CertVerifier.h index 470cdde977e..4eb267f0fce 100644 --- a/security/manager/ssl/src/CertVerifier.h +++ b/security/manager/ssl/src/CertVerifier.h @@ -25,6 +25,7 @@ public: // XXX: The localonly flag is ignored in the classic verification case // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV + // Only one usage per verification is supported. SECStatus VerifyCert(CERTCertificate * cert, const SECCertificateUsage usage, const PRTime time,