Red Hat Bugzilla – Bug 445050
All subsystems should use libPKIX path discovery and validation in NSS
Last modified: 2015-01-04 19:08:13 EST
Description of problem:
Recent builds of NSS contain sophisticated cert path discovery and validation
routines. That feature is currently not on by default, but it should be.
per bug council on 08/27/2008 - removing from CS8.0 list
Adding to tracking Bug CS8.1
On 01/15/2010 11:45 AM, Christina Fu wrote:
> > Bob,
> > Do you know what these "sophisticated cert path discovery and
> > validation routines" are called in the following bug filed by Bob Lord?
> > https://bugzilla.redhat.com/show_bug.cgi?id=445050
> > He said in the bug that it is not called by default.
> > But I want to check in JSS to see if we maybe automatically picked
> > that up for RHCS 8.x.
There are 2 ways to get the new validation routines:
1) call the new pkix API. This is the only way to use advanced features
of lib pkix (including setting the PKIX policy oid, defining the
revocation semantics, etc).
This function is: CERT_PKIXVerifyCert and is documented in the
nss cert.h and certt.h header files.
2) Use the existing API, but ask for the pkix engine. This is
accomplished in either of the following ways:
2a) call CERT_SetUsePKIXForValidation(PR_TRUE);
2b) set the NSS_ENABLE_PKIX_VERIFY environment variable to 1 (well,
any non-empty value).