NSS accepts an invalid version 1 certificate with subject UID

Status: UNCONFIRMED (Unassigned)
Product / Component: NSS / Tools
Reported 11 months ago; last updated 11 months ago

People

(Reporter: chenchu, Unassigned)

Tracking

Version: 3.27
Hardware: x86_64
OS: Linux

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Created attachment 8836548 [details]
The attached RAR file contains basicCA.pem and 5.pem.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

VERSIONS:
    NSS Version: [3.27]
    Operating System: [Ubuntu v1604-LTS x64]

REPRODUCTION STEPS:
  1. Open the terminal of Ubuntu and create a certificate database:
     certutil -N -d ./
     (Note: press Enter to skip inputting a password)
  2. Add a CA certificate to the new certificate database:
     certutil -A -i basicCA.pem -n ca -t "CT,C,C" -d ./
     (Note: basicCA.pem is one of the attachments)
  3. Add an end entity certificate (EEC) to the new certificate database:
     certutil -A -i 5.pem -n 1 -t ",," -d ./
     (Note: 5.pem is the other attachment)
  4. Verify the EEC:
     certutil -V -n 5 -d ./ -u S


Actual results:

certutil: certificate is valid


Expected results:

As for the certificate "5.pem", it has the field "subject unique identifier". Therefore, its version should be v2 or v3 but its version is v1. Hence, it should be rejected.
(Reporter)

Updated

11 months ago
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
(Reporter)

Comment 1

11 months ago
The third step to reproduce should be: certutil -A -i 5.pem -n 5 -t ",," -d ./
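The consistency check the reporter expects (RFC 5280 sections 4.1.2.8 and 4.1.2.9: issuerUniqueID and subjectUniqueID must not appear in a v1 certificate, and extensions only in v3), as an added example written for this page rather than NSS or certutil code. It walks the DER structure with a small hand-written TLV parser and runs on a constructed, unsigned placeholder certificate instead of the attached 5.pem.

```python
# Added example: RFC 5280 version/field consistency check on a DER certificate.
# Hand-written minimal DER walker, not NSS code. The sample certificate is constructed.

def _tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):
    """Split the payload of a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def check_version_fields(cert_der):
    """Return (version, problems) for a DER Certificate; version is 1, 2 or 3."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE { ... }
    fields = _children(tbs)
    tags = {t for t, _ in fields}
    version = 1                             # [0] EXPLICIT Version DEFAULT v1 (absent = v1)
    if fields[0][0] == 0xA0:
        version = _children(fields[0][1])[0][1][0] + 1   # INTEGER 0/1/2 -> v1/v2/v3
    problems = []
    if version < 2 and (0x81 in tags or 0x82 in tags):   # [1]/[2] IMPLICIT UniqueIdentifier
        problems.append("uniqueID present in v%d certificate" % version)
    if version < 3 and 0xA3 in tags:                     # [3] EXPLICIT Extensions
        problems.append("extensions present in v%d certificate" % version)
    return version, problems

def _enc(tag, payload):
    """Short-form DER encoder (payload < 128 bytes), used only to build sample input."""
    return bytes([tag, len(payload)]) + payload

def sample_cert(version_int=None, subject_uid=False):
    """Constructed, unsigned, structurally minimal Certificate with placeholder fields."""
    tbs = b"" if version_int is None else _enc(0xA0, _enc(0x02, bytes([version_int])))
    tbs += _enc(0x02, b"\x05")              # serialNumber
    tbs += _enc(0x30, b"") * 5              # signature, issuer, validity, subject, SPKI
    if subject_uid:
        tbs += _enc(0x82, b"\x00\xAB")      # [2] IMPLICIT subjectUniqueID (BIT STRING)
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    print(check_version_fields(sample_cert(None, True)))   # v1 with subject UID -> reject
```

A verifier that implements this check would reject the reporter's 5.pem (v1 with a subject unique identifier) before any signature or trust evaluation.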