CA certs loaded but not shown in cert manager.

RESOLVED FIXED in 3.4

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
16 years ago
11 years ago

People

(Reporter: Stephane Saux, Assigned: Robert Relyea)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
This is the NSS bug for PSM bug 121487
(Reporter)

Comment 1

16 years ago
blocks 121487
Blocks: 121487
Priority: -- → P1
Target Milestone: --- → 3.4
(Reporter)

Updated

16 years ago
No longer blocks: 121487

Comment 2

16 years ago
Bob, could you take a look at this bug?
Assignee: wtc → relyea
(Assignee)

Comment 3

16 years ago
Created attachment 68210 [details] [diff] [review]
Don't use the trust bits if none are sset.

This single patch may fix the whole problem. I have an additional suggested
patch for PSM as well.

Comment 4

16 years ago
Comment on attachment 68210 [details] [diff] [review]
Don't use the trust bits if none are sset.

>-    if ( cert->trust ) {
>+    if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags|
>+				cert->trust->objectSigningFlags)) {

Just curious, why are you using | as opposed to || here?
(Assignee)

Comment 5

16 years ago
Because they're bit fields, not Booleans. The test is 'if all the bits in all
the trust flags are '0' then treat the trust field and non-existant and use the
extensions in the cert to determine if this is a CA cert or not'

More accurately ((sslflags|emailflags|objectSigningFlags) == 0).

It's also slightly more efficent code (the C compilier doesn't have to to the
implicit cast to bool for each single element, just the final cast of the whole
thing).

Comment 6

16 years ago
So it is just a terse way of saying
sslflags == 0 && emailflags == 0 && objectSigningFlags == 0 ?

(Assignee)

Comment 7

16 years ago
Yes

Comment 8

16 years ago
Adding "blocks 121487" (see comment 1).
Blocks: 121487

Comment 9

16 years ago
Bob had checked this patch in to the tip of NSS (1.24), but is not yet used by
Mozilla (client tag currently on 1.23). I'm testing whether this fixes bug 121487.

Updated

16 years ago
No longer blocks: 121487

Comment 10

16 years ago
(Re adding "blocks 121487". Is that a bugzilla bug or what?).
Blocks: 121487
(Assignee)

Comment 11

16 years ago
This is now on the client tag.

I was unable to reproduce 121487 with the cert in question, however I have found
another bug 125557. The problem occurs if you have at least 16 certs in your
database, some (random) certs would not show up in your listing. Which certs and
how many depends on your dbsize mod 16. Fix for this second problem should be in
NSS by this evening, and in PSM by Monday.

bob
(Assignee)

Comment 12

16 years ago
BTW resolving this problem fixed (since the tag has moved).
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Revision 1.23 of certdb/certdb.c claims that it was committed to fix this bug 
and bug 121487.  See 
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/security/nss/lib/certdb&command=DIFF_FRAMESET&file=certdb.c&rev2=1.23&rev1=1.22

That change had the effect that any certs imported by CERT_ImportCerts have
the VALID_PEER or VALID_CA trust flags set.  

Those trust flags are OVERRIDES.  They cause a lot of cert validity checking 
to be skipped during cert verification.  One consequence of setting the 
VALID_CA trust bit is that it turns any intermediate CA into a valid object 
signing CA, completely defeating the logic that checks for an EKU extension 
to enable object signing.

These OVERRIDE trust bits should NEVER be set routinely.  They should ONLY 
be set when necessary to make a badly constructed cert work. 

So, this "fix" actually introduced a serious bug into NSS, turning all
imported CA certs into object signing CA certs.  

The original problem of PSM not displaying some CA certs should have been
fixed without necessitating that the VALID_CA override be set in all CA
certs.  Perhaps PSM remains dependent on this incorrect behavior.

This NSS flaw needs to be fixed.  I will file a new bug about this.
QA Contact: sonja.mirtitsch → libraries
Blocks: 376737
You need to log in before you can comment on or make changes to this bug.