Closed Bug 101566 Opened 24 years ago Closed 22 years ago

BasicConstraints (pathLenConstraint) not checked

Categories

(NSS :: Libraries, defect, P2)

x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 221644
Future

People

(Reporter: cfu, Assigned: wtc)

Details

N6 2001092403

To emulate a rogue CA, I built a chain of CAs, where the CAs 2nd level down the chain have pathLenConstraint set to 0, which effectively makes the CA after the 1st CA with plc==0 a rogue CA. When checking validity or building up the chain, the browser is supposed to notice such a discrepancy. The steps to create this environment are in my test plan. For the time being, you can do the following:

1. Go to http://cfu2000:1028, [Retrieval], [Import CA Cert Chain], and import it into your browser.
2. Go to "Manage Certificates" and you can see the bad chain in your "Authority".
3. Visit https://cfu2000:1029.

Expected to see some kind of warning, but no.

The environment is best done with a web server rather than a CMS.
Priority: -- → P2
Target Milestone: --- → Future
--> NSS
Assignee: ssaux → wchang0222
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: junruh → bishakhabanerjee
Version: 2.1 → unspecified
We know that basic constraints path length IS checked. Recently a competing product had a big security vulnerability publicly reported because it did not check, and at that time, the reporters confirmed that Mozilla did this correctly. I suppose it is possible that we have an off-by-one error in this code. Christina, there are no certs attached to this bug with which to reproduce it. Can you reproduce this now? Can you attach the relevant certs to this bug?
There is another bug about path length constraint problems, and I am going to dup this one onto that one. If you can find the certs for this case involving CMS, please attach them to this bug anyway.

*** This bug has been marked as a duplicate of 221644 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
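
The check the report expected, as an added example that is not NSS code and not part of the original bug: a simplified model of the RFC 5280 path-length rule, run over constructed chains shaped like the reporter's. `cert_t`, `check_path_len` and the chain contents are hypothetical, and applying the trust anchor's own constraint is an assumption of this sketch.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified certificate: only the fields this check reads (constructed model). */
typedef struct {
    const char *subject;
    int is_ca;        /* basicConstraints cA flag */
    int path_len;     /* pathLenConstraint, -1 when absent */
    int self_issued;  /* self-issued certs do not count toward the limit */
} cert_t;

/* chain[0] is the trust anchor, chain[n-1] the end-entity certificate.
 * Returns -1 if acceptable, else the index of the first offending cert. */
int check_path_len(const cert_t *chain, size_t n)
{
    int budget = -1;  /* CA certs still permitted below; -1 = no limit */
    for (size_t i = 0; i + 1 < n; i++) {      /* every issuer, not the leaf */
        const cert_t *c = &chain[i];
        if (!c->is_ca)
            return (int)i;                    /* non-CA acting as issuer */
        if (i > 0 && !c->self_issued) {
            if (budget == 0)
                return (int)i;                /* an ancestor's limit is used up */
            if (budget > 0)
                budget--;
        }
        if (c->path_len >= 0 && (budget < 0 || c->path_len < budget))
            budget = c->path_len;             /* tighten, never loosen */
    }
    return -1;
}

/* Constructed chains mirroring the report: the second-level CA has plc == 0. */
const cert_t good_chain[] = {
    {"Root", 1, -1, 1}, {"CA1", 1, -1, 0}, {"CA2", 1, 0, 0}, {"leaf", 0, -1, 0}};
const cert_t rogue_chain[] = {
    {"Root", 1, -1, 1}, {"CA1", 1, -1, 0}, {"CA2", 1, 0, 0},
    {"CA3", 1, -1, 0}, {"leaf", 0, -1, 0}};

int main(void)
{
    printf("good chain:  %d\n", check_path_len(good_chain, 4));
    printf("rogue chain: %d (%s)\n", check_path_len(rogue_chain, 5),
           rogue_chain[3].subject);
    return 0;
}
```

The boundary matters for the off-by-one concern raised in the thread: a certificate issued directly by the plc==0 CA is acceptable as the last element of the path, and only becomes a violation once it is used to issue something further.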