CERT_VerifyCert returns failure when verifying encryption cert.

RESOLVED FIXED in 3.4

Status

Product: NSS
Component: Libraries
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 16 years ago
Modified: 16 years ago

People

(Reporter: David P. Drinan, Assigned: Ian McGreer)

Tracking

Platform: x86
OS: Windows NT

Details

(Whiteboard: add new test)

(Reporter)

Description

16 years ago
I call CERT_VerifyCert to verify my encryption cert (issued by internal AOL CA). 
The function returns failure. I traced the problem into CERT_VerifyCertChain. 
The first call to CERT_FindCertIssuer works i.e. it returns cert with 
CN=Intranet Certificate Authority. However the second call to 
CERT_FindCertIssuer to get the root cert (CN=GTE CyberTrust Root) returns NULL. 
Since it cannot find the root cert, the function returns failure. I checked 
the built in roots for my profile and the GTE CyberTrust Root is there and is 
trusted.

Maybe I'm initializing NSS incorrectly? Here is how I do that:

  /* Headers the fragment needs (NSPR and NSS); added so the snippet is
     complete. */
  #include <prlink.h>
  #include <nss.h>
  #include <ssl.h>
  #include <pk11func.h>
  #include <secmod.h>

  /* Password callback defined elsewhere in the application; declared here
     with the signature PK11_SetPasswordFunc expects. */
  extern char *PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void *arg);

  /* Function name chosen here; the original fragment did not show one. */
  int InitNSS(void)
  {
    int hasRoot = 0;
    PK11SlotListElement *listElement;
    PK11SlotList *slotList;
    PK11SlotInfo *slot;

    /* Name the internal token and slots before NSS is initialized. */
    PK11_ConfigurePKCS11("Netscape", "Internal Crypto Services",
                         "Generic Crypto Services",
                         "Software Security Device",
                         "PSM Internal Cryptographic Services",
                         "PSM Private Keys",
                         "PSM Internal FIPS-140-1 Cryptographic Services",
                         "PSM FIPS-140-1 User Private Key Services", 0, 0);

    /* Open the cert/key databases in the current directory read-write. */
    if (NSS_InitReadWrite(".") != SECSuccess)
      return 0;
    NSS_Init(".");          /* redundant after NSS_InitReadWrite (see comment 1) */
    NSS_SetDomesticPolicy();

    /* Initialize NSS callbacks */
    PK11_SetPasswordFunc(PK11PasswordPrompt);

    /* Look for a token that already carries the built-in root certs. */
    slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL);
    if (slotList) {
      for (listElement = slotList->head; listElement != NULL;
           listElement = listElement->next) {
        if (PK11_HasRootCerts(listElement->slot)) {
          hasRoot = 1;
          break;
        }
      }
      PK11_FreeSlotList(slotList);
    }

    /* Otherwise (re)load the nssckbi builtin-roots module from ".". */
    if (!hasRoot) {
      int modType;
      char *fullModuleName = PR_GetLibraryName(".", "nssckbi");
      SECMOD_DeleteModule("Build in Roots", &modType);
      SECMOD_AddNewModule("Build in Roots", fullModuleName, 0, 0);
      /* PR_GetLibraryName allocates with NSPR, so release the string with
         PR_FreeLibraryName rather than free(). */
      PR_FreeLibraryName(fullModuleName);
    }

    /* Set an initial (empty) PIN on the internal key slot if it has
       not been initialized yet. */
    slot = PK11_GetInternalKeySlot();
    if (slot && PK11_NeedUserInit(slot)) {
      PK11_InitPin(slot, 0, 0);
    }
    if (slot)
      PK11_FreeSlot(slot);

    return 1;
  }
(Assignee)

Comment 1

16 years ago
You only need to call NSS_InitReadWrite (not NSS_Init).

But that's not the problem.  The problem is that some internal module stuff is
not being updated (the Stan module list, specifically).  I'm working on that now.

Comment 2

16 years ago
I checked in some changes where modules loaded after update were not getting
reflected in the trust domain correctly (they were added to the list, but the
iterator used for the list wasn't being updated). This caused new tokens not to
get searched. Make sure your tree is up-to-date as of Monday.

bob
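The failure mode described in comment 2 (a token added after initialization is on the module list, but the iterator the trust domain searches with was captured earlier and never refreshed) can be reproduced in miniature. The following is an added, self-contained C model written for this page; it is not NSS code, and every type and function in it (TrustDomain, Token, find_issuer, verify_chain, verify_after_late_module_load) is hypothetical. The certificate subjects are constructed placeholders that reuse the CA names from the report; the certificates themselves are not real.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a trust domain searching loaded tokens for an
 * issuer certificate. Not NSS code; it only mimics the stale-iterator
 * behaviour described in comment 2. */

typedef struct {
    const char *subject;
    const char *issuer;
    int is_root;            /* self-signed trust anchor */
} Cert;

#define MAX_CERTS  4
#define MAX_TOKENS 8

typedef struct {
    const char *name;
    Cert certs[MAX_CERTS];
    int ncerts;
} Token;

/* The live token list plus a cached iteration snapshot taken at init
 * time; the snapshot plays the role of the iterator that was not updated. */
typedef struct {
    Token *tokens[MAX_TOKENS];
    int ntokens;
    Token *snapshot[MAX_TOKENS];
    int nsnapshot;
} TrustDomain;

static void domain_add_token(TrustDomain *d, Token *t) {
    /* Modelled bug: the live list grows, the snapshot does not. */
    if (d->ntokens < MAX_TOKENS)
        d->tokens[d->ntokens++] = t;
}

static void domain_refresh_iterator(TrustDomain *d) {
    memcpy(d->snapshot, d->tokens, sizeof(d->tokens));
    d->nsnapshot = d->ntokens;
}

/* Find the issuer of `cert` by subject name, either through the cached
 * snapshot (use_snapshot != 0) or by walking the live token list. */
static const Cert *find_issuer(const TrustDomain *d, const Cert *cert, int use_snapshot) {
    Token *const *list = use_snapshot ? d->snapshot : d->tokens;
    int n = use_snapshot ? d->nsnapshot : d->ntokens;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < list[i]->ncerts; j++)
            if (strcmp(list[i]->certs[j].subject, cert->issuer) == 0)
                return &list[i]->certs[j];
    return NULL;
}

/* Walk issuer links from the leaf until a trusted root is reached.
 * Returns 1 on success, 0 if any issuer cannot be found. */
static int verify_chain(const TrustDomain *d, const Cert *leaf, int use_snapshot) {
    const Cert *c = leaf;
    for (int depth = 0; depth < MAX_TOKENS * MAX_CERTS; depth++) {
        if (c->is_root)
            return 1;
        c = find_issuer(d, c, use_snapshot);
        if (c == NULL)
            return 0;           /* the point where the report saw NULL */
    }
    return 0;                   /* cycle without reaching a root */
}

/* Scenario from the report, with constructed certificates: a user cert DB
 * token holds the leaf and the intermediate; the builtin-roots token is
 * loaded after the iterator snapshot was taken. */
int verify_after_late_module_load(int use_stale_iterator) {
    Token userdb = { "user cert db", {
        { "CN=reporter encryption cert",       "CN=Intranet Certificate Authority", 0 },
        { "CN=Intranet Certificate Authority", "CN=GTE CyberTrust Root",            0 } }, 2 };
    Token builtins = { "Builtin Roots", {
        { "CN=GTE CyberTrust Root", "CN=GTE CyberTrust Root", 1 } }, 1 };
    TrustDomain d = { {0}, 0, {0}, 0 };

    domain_add_token(&d, &userdb);
    domain_refresh_iterator(&d);        /* init-time snapshot */
    domain_add_token(&d, &builtins);    /* loaded later, as SECMOD_AddNewModule would */

    return verify_chain(&d, &userdb.certs[0], use_stale_iterator);
}

int main(void) {
    printf("stale iterator: chain %s\n", verify_after_late_module_load(1) ? "verified" : "FAILED");
    printf("live list:      chain %s\n", verify_after_late_module_load(0) ? "verified" : "FAILED");
    return 0;
}
```

With the stale snapshot the first issuer lookup still succeeds (the intermediate lives in the token that was present at init), and only the second lookup, for the root, returns NULL, which matches the trace in the description. Walking the live list finds the root in the later-loaded token.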
(Reporter)

Comment 3

16 years ago
I just updated my NSS tree and the problem still exists.
(Assignee)

Comment 4

16 years ago
I made checkins at 10:08am PST and 12:22pm PST that might have affected this,
but I don't know.  Sounds like you pulled after that.  Unfortunately, I can't
test this directly since I don't have an AOL cert :)  Bob, can you try it?

Updated

16 years ago
Priority: -- → P1
Target Milestone: --- → 3.4

Comment 5

16 years ago
Should this block bug 116334 ?
(Reporter)

Comment 6

16 years ago
Adding Kai to cc-list.

Is this happening in PSM when doing S/MIME? When signing a message, the 
encryption cert is also included in the CMS message and is verified before it's 
added. If this is not happening in PSM, then there may be something wrong with 
my cert db.

Comment 7

16 years ago
I traced this: when I try to send a signed mail (from the same CA) using an NSS
3.4 build, CERT_VerifyCert is reached (called from
NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs) but succeeds. It arrives in the chain
verification code, which works.
(Assignee)

Comment 8

16 years ago
Bob,

did the checkin to cmssiginfo.c you made yesterday relate to this?  Is this fixed?

Comment 9

16 years ago
David, can you verify this is fixed yet? Thanks,

bob

Comment 10

16 years ago
David, can you verify this is fixed yet? Thanks,

bob
Whiteboard: add new test
(Reporter)

Comment 11

16 years ago
This is fixed.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED