NSS accepts a version 2 certificate with issuer UID and extensions

RESOLVED INACTIVE

Status

Product: NSS
Component: Tools
Status: RESOLVED INACTIVE
Opened: a year ago
Updated: 3 days ago

People

Reporter: chenchu
Assignee: Unassigned

Tracking

Version: 3.27
Hardware: x86_64
OS: Linux

Firefox Tracking Flags: Not tracked

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8836549
The attached RAR file contains basicCA.pem and 7.pem.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

	VERSIONS:
		NSS Version: [3.27]
		Operating System: [Ubuntu v1604-LTS x64]

	REPRODUCTION STEPS:
	  1. Open the terminal of Ubuntu and create a certificate database:
		 certutil -N -d ./
		 (Note: press Enter to skip inputting a password)
	  2. Add a CA certificate to the new certificate database:
		 certutil -A -i basicCA.pem -n ca -t "CT,C,C" -d ./
		 (Note: basicCA.pem is one of the attachments)
	  3. Add an end-entity certificate (EEC) to the new certificate database:
		 certutil -A -i 7.pem -n 7 -t ",," -d ./
		 (Note: 7.pem is another one of the attachments)
	  4. Verify the EEC:
		 certutil -V -n 7 -d ./ -u S


Actual results:

certutil: certificate is valid


Expected results:

As for the certificate "7.pem", it has the field "issuer unique identifier" and extensions. Therefore, its version should be v3 but its version is v2. Hence, it should be rejected.
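
The rule behind the expected result (RFC 5280: extensions may only appear in v3, unique identifiers only in v2 or v3) can be checked structurally, without building a chain. The following is an added example, not NSS code and not part of the report; `sample_cert` builds a constructed DER skeleton for illustration and is not the attached 7.pem.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def version_violations(cert_der):
    """List version/field mismatches in the TBSCertificate of a DER certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    outer = children(cert) if tag == 0x30 else []
    if not outer or outer[0][0] != 0x30:
        raise ValueError("not a DER certificate")
    fields = children(outer[0][1])           # TBSCertificate members
    version = 1                              # DEFAULT v1 when the [0] field is absent
    if fields and fields[0][0] == 0xA0:      # [0] EXPLICIT INTEGER: 0=v1, 1=v2, 2=v3
        version = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big") + 1
    tags = {t for t, _ in fields}
    problems = []
    if tags & {0x81, 0x82} and version < 2:  # [1] issuerUniqueID, [2] subjectUniqueID
        problems.append("unique identifier present but version is v%d" % version)
    if 0xA3 in tags and version != 3:        # [3] EXPLICIT extensions
        problems.append("extensions present but version is v%d" % version)
    return problems

def tlv(tag, value=b""):
    """Encoder for the constructed sample below (short-form lengths only)."""
    return bytes([tag, len(value)]) + value

def sample_cert(version_value, uid=True, ext=True):
    """Constructed skeleton with the TBSCertificate field layout; not a real certificate."""
    tbs = tlv(0xA0, tlv(0x02, bytes([version_value]))) + tlv(0x02, b"\x01") + tlv(0x30) * 5
    tbs += (tlv(0x81, b"\x00\xAA") if uid else b"") + (tlv(0xA3, tlv(0x30)) if ext else b"")
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))
```

For a PEM file, convert to DER first with the standard library's `ssl.PEM_cert_to_DER_cert` and pass the result to `version_violations`.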
(Reporter)

Updated

a year ago
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
(Reporter)

Updated

a year ago
Summary: NSS accepts a version 2 certificate with subject UID and extensions → NSS accepts a version 2 certificate with issuer UID and extensions

Comment 1

3 days ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 days ago
Resolution: --- → INACTIVE