Bug 445050 - All subsystems should use libPKIX path discovery and validation in NSS
Status: NEW
Product: Dogtag Certificate System
Classification: Community
Component: CA
1.0
All Linux
low Severity low
Assigned To: Christina Fu
Ben Levenson
Blocks: 530474
Reported: 2008-05-02 19:02 EDT by Bob Lord
Modified: 2015-01-04 19:08 EST
Doc Type: Bug Fix
Description Bob Lord 2008-05-02 19:02:39 EDT
Description of problem:
Recent builds of NSS contain sophisticated cert path discovery and validation
routines.  That feature is currently not on by default, but it should be.
Comment 1 Chandrasekar Kannan 2008-08-28 14:13:05 EDT
per bug council on 08/27/2008 - removing from CS8.0 list
Comment 2 Chandrasekar Kannan 2008-08-28 14:32:40 EDT
per bug council on 08/27/2008 - removing from CS8.0 list
Comment 3 Chandrasekar Kannan 2008-08-28 14:49:28 EDT
Adding to tracking Bug CS8.1
Comment 4 Christina Fu 2010-01-15 19:41:04 EST
On 01/15/2010 11:45 AM, Christina Fu wrote:
> > Bob,
> >
> > Do you know what these "sophisticated cert path discovery and
> > validation routines" are called in the following bug filed by Bob Lord?
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=445050
> >
> > He said in the bug that it is not called by default.
> >
> > But I want to check in JSS to see if we maybe automatically picked
> > that up for RHCS 8.x.

There are 2 ways to get the new validation routines:

1) call the new pkix API. This is the only way to use advanced features
of lib pkix (including setting the PKIX policy oid, defining the
revocation semantics, etc).
    This function is: CERT_PKIXVerifyCert and is documented in the
nss cert.h and certt.h header files.

2) Use the existing API, but ask for the pkix engine. This is
accomplished in either of the following ways:
     2a) call CERT_SetUsePKIXForValidation(PR_TRUE);
     2b) set the NSS_ENABLE_PKIX_VERIFY environment variable to 1 (well,
any non-empty value).

bob
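
Option 2b in the reply above can be checked from outside a running process. The script below is an added example, not code from this bug report, NSS or Dogtag; the helper names `pkix_env_state` and `pkix_audit` are hypothetical, a Linux `/proc` is assumed, and the sample environment blocks are constructed. It cannot detect option 2a, which is an in-process API call.

```shell
#!/bin/sh
# Added example: was a process started with NSS_ENABLE_PKIX_VERIFY (option 2b)?

# pkix_env_state FILE  (hypothetical helper name)
# FILE is a NUL-separated environment block, the /proc/<pid>/environ format.
# Prints enabled (present, non-empty), empty (present, no value) or unset.
# First match wins, as with getenv; values containing newlines are not handled.
pkix_env_state() {
    entry=$(tr '\000' '\n' < "$1" | grep '^NSS_ENABLE_PKIX_VERIFY=' | head -n 1 || true)
    case "$entry" in
        '')                        echo unset ;;
        'NSS_ENABLE_PKIX_VERIFY=') echo empty ;;
        *)                         echo enabled ;;
    esac
}

# pkix_audit PID...  (hypothetical helper name)
# Prints "PID<TAB>state" per process and returns non-zero unless all are enabled.
# Needs read access to /proc/<pid>/environ, which holds the environment as it
# was at exec time, so a later in-process setenv() is not visible here.
pkix_audit() {
    rc=0
    for pid in "$@"; do
        f="/proc/$pid/environ"
        if [ -r "$f" ]; then state=$(pkix_env_state "$f"); else state=unreadable; fi
        printf '%s\t%s\n' "$pid" "$state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Constructed sample blocks (not real process data).
tmp=$(mktemp -d)
printf '%s\0' 'PATH=/usr/bin' 'NSS_ENABLE_PKIX_VERIFY=0' > "$tmp/zero"   # "0" is non-empty
printf '%s\0' 'PATH=/usr/bin' 'NSS_ENABLE_PKIX_VERIFY='  > "$tmp/blank"
printf '%s\0' 'PATH=/usr/bin'                            > "$tmp/absent"
for s in zero blank absent; do
    printf '%s: %s\n' "$s" "$(pkix_env_state "$tmp/$s")"
done
rm -rf "$tmp"
```

Because the reply says any non-empty value selects the pkix engine, a value of `0` is reported as enabled, while an empty assignment is not.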
