Closed Bug 1687632 Opened 4 years ago Closed 4 years ago

NameConstraints.ocsp1.cert: Peer's Certificate has expired.

Categories

(NSS :: Test, defect)

3.60
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1686134

People

(Reporter: yi.zhao, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

Run test scripts:
$ cd nss/tests/
$ HOST=localhost DOMSUF=localdomain ./all.sh

Actual results:

Error log:
chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /opt/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1057: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED

chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /opt/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1896: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED

Expected results:

Expected results:

chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /opt/wr-test/testcases/userspace/nss/regression_test/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is good!
Root Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:d1:8b:53:69:d4:7b:9f:8e
Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
Issuer: "CN=Test CA,O=Red Hat,L=Brisbane,ST=Queensland,C=AU"
Validity:
Not Before: Mon Jan 21 06:03:26 2019
Not After : Thu Jan 18 06:03:26 2029
Subject: "CN=Certificate Authority,O=IPA.LOCAL 201901211552"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c2:8d:ec:9a:83:bf:44:d6:80:fe:be:5b:47:5c:ab:b7:
87:a4:7d:04:37:de:8a:eb:39:3d:50:99:e8:47:c3:55:
b9:38:ca:9f:a4:9a:fc:9d:0f:b6:dc:c0:d2:02:da:1c:
39:c1:57:eb:5c:0d:4c:74:90:8d:c3:79:43:7a:60:24:
e8:df:f0:3b:b1:44:82:3d:c7:a6:b4:8f:be:48:63:2e:
fe:dd:af:1e:6e:ec:f7:bb:b3:3d:ff:e6:93:f1:e7:e0:
9c:d8:5b:6b:9e:89:ae:6e:da:23:e3:4f:db:64:1c:31:
5e:41:d3:07:9f:10:e1:9a:86:0b:6a:60:33:c4:d6:ea:
cb:22:fa:61:ba:85:ad:4a:d0:73:72:05:c8:5a:05:a6:
f2:d0:54:70:65:19:82:e9:dc:c9:b6:c5:45:30:ed:ef:
bc:d9:80:3b:bb:c1:d9:4c:92:b9:f2:52:86:11:7f:8c:
3d:c7:96:74:ff:03:ac:2d:15:ee:a2:2c:64:95:ca:dc:
ca:6a:0f:15:9b:b1:dc:18:d4:3a:fa:ef:82:f3:b8:4f:
aa:f7:0f:04:21:cd:05:50:36:bb:45:a2:93:3c:d4:82:
07:2a:a1:75:de:cf:f9:59:37:18:36:3e:14:57:a4:5a:
c6:4e:fb:92:73:07:ca:94:82:9d:e9:92:5d:48:13:cd
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

        Name: Certificate Subject Key ID
        Data:
            6f:58:66:af:0b:a3:a1:20:90:2e:c8:b8:97:d5:0f:fb:
            28:ed:42:b8

        Name: Certificate Authority Key Identifier
        Key ID:
            48:5b:7b:d3:ed:03:b0:38:58:aa:73:ef:0f:57:6e:d7:
            23:1c:05:2d

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Certificate Signing
                CRL Signing

        Name: Certificate Name Constraints
        Permitted Subtree:
            DNS name: "ipa.local"
            DNS name: ".ipa.local"
            Directory Name: "O=IPA.LOCAL 201901211552"

Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
Signature:
    4a:e5:27:bb:70:f4:56:01:ca:29:59:70:6f:77:58:29:
    cf:ea:84:4f:9e:0d:dc:17:60:0c:5e:be:0a:7b:eb:5e:
    be:0d:08:34:55:09:d3:51:23:77:42:03:7f:96:29:bc:
    57:70:79:f1:f8:5c:e5:2f:5e:2a:0d:91:67:09:a6:7a:
    b6:5d:04:e1:5a:3b:30:00:6f:b5:b2:74:7f:6e:3e:92:
    2c:a9:40:fe:70:c8:f9:f9:67:2c:1c:1d:4a:2c:ad:e3:
    16:01:63:90:42:8c:b2:8b:fa:19:72:84:0a:ca:d9:d2:
    0a:36:44:07:9f:bc:c9:bb:2e:0d:a0:13:db:35:8f:c9:
    75:71:d6:3f:ee:5f:a0:8e:04:4f:67:95:b7:ef:04:34:
    34:86:bb:b8:91:cf:04:79:bb:45:45:ef:47:e4:ef:22:
    da:88:d3:21:2a:7b:eb:7d:a7:77:c6:4e:b9:43:b0:3d:
    eb:49:6a:1e:29:66:14:c1:03:b3:bb:47:8a:35:fe:7c:
    d2:96:f0:43:29:ab:b5:45:ef:6b:3d:22:2e:1a:22:e3:
    bb:5e:84:de:2f:0b:18:e8:cf:e9:bc:cb:44:c5:9d:65:
    2f:fb:ad:7c:91:32:a6:f6:99:fd:ca:ab:70:21:82:53:
    b8:d5:fa:ce:5e:6d:0a:38:00:b1:82:37:11:1a:34:15
Fingerprint (SHA-256):
    48:E6:BD:34:BB:C2:AA:1A:35:FB:24:85:22:89:96:B5:10:70:E4:1D:EF:F0:9A:DD:E6:33:2F:2E:B1:1D:26:0E
Fingerprint (SHA1):
    D2:85:FF:A1:92:67:76:4F:CE:66:6D:45:43:38:0E:84:A2:B0:33:EE

Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        Trusted Client CA
    Email Flags:
        Valid CA
        Trusted CA
    Object Signing Flags:
        Valid CA
        Trusted CA

Certificate 1 Subject: "CN=OCSP Subsystem,O=IPA.LOCAL 201901211552"
Returned value is 0, expected result is pass
chains.sh: #1057: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - PASSED

chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /opt/wr-test/testcases/userspace/nss/regression_test/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is good!
Root Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:d1:8b:53:69:d4:7b:9f:8e
Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
Issuer: "CN=Test CA,O=Red Hat,L=Brisbane,ST=Queensland,C=AU"
Validity:
Not Before: Mon Jan 21 06:03:26 2019
Not After : Thu Jan 18 06:03:26 2029
Subject: "CN=Certificate Authority,O=IPA.LOCAL 201901211552"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c2:8d:ec:9a:83:bf:44:d6:80:fe:be:5b:47:5c:ab:b7:
87:a4:7d:04:37:de:8a:eb:39:3d:50:99:e8:47:c3:55:
b9:38:ca:9f:a4:9a:fc:9d:0f:b6:dc:c0:d2:02:da:1c:
39:c1:57:eb:5c:0d:4c:74:90:8d:c3:79:43:7a:60:24:
e8:df:f0:3b:b1:44:82:3d:c7:a6:b4:8f:be:48:63:2e:
fe:dd:af:1e:6e:ec:f7:bb:b3:3d:ff:e6:93:f1:e7:e0:
9c:d8:5b:6b:9e:89:ae:6e:da:23:e3:4f:db:64:1c:31:
5e:41:d3:07:9f:10:e1:9a:86:0b:6a:60:33:c4:d6:ea:
cb:22:fa:61:ba:85:ad:4a:d0:73:72:05:c8:5a:05:a6:
f2:d0:54:70:65:19:82:e9:dc:c9:b6:c5:45:30:ed:ef:
bc:d9:80:3b:bb:c1:d9:4c:92:b9:f2:52:86:11:7f:8c:
3d:c7:96:74:ff:03:ac:2d:15:ee:a2:2c:64:95:ca:dc:
ca:6a:0f:15:9b:b1:dc:18:d4:3a:fa:ef:82:f3:b8:4f:
aa:f7:0f:04:21:cd:05:50:36:bb:45:a2:93:3c:d4:82:
07:2a:a1:75:de:cf:f9:59:37:18:36:3e:14:57:a4:5a:
c6:4e:fb:92:73:07:ca:94:82:9d:e9:92:5d:48:13:cd
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

        Name: Certificate Subject Key ID
        Data:
            6f:58:66:af:0b:a3:a1:20:90:2e:c8:b8:97:d5:0f:fb:
            28:ed:42:b8

        Name: Certificate Authority Key Identifier
        Key ID:
            48:5b:7b:d3:ed:03:b0:38:58:aa:73:ef:0f:57:6e:d7:
            23:1c:05:2d

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Certificate Signing
                CRL Signing

        Name: Certificate Name Constraints
        Permitted Subtree:
            DNS name: "ipa.local"
            DNS name: ".ipa.local"
            Directory Name: "O=IPA.LOCAL 201901211552"

Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
Signature:
    4a:e5:27:bb:70:f4:56:01:ca:29:59:70:6f:77:58:29:
    cf:ea:84:4f:9e:0d:dc:17:60:0c:5e:be:0a:7b:eb:5e:
    be:0d:08:34:55:09:d3:51:23:77:42:03:7f:96:29:bc:
    57:70:79:f1:f8:5c:e5:2f:5e:2a:0d:91:67:09:a6:7a:
    b6:5d:04:e1:5a:3b:30:00:6f:b5:b2:74:7f:6e:3e:92:
    2c:a9:40:fe:70:c8:f9:f9:67:2c:1c:1d:4a:2c:ad:e3:
    16:01:63:90:42:8c:b2:8b:fa:19:72:84:0a:ca:d9:d2:
    0a:36:44:07:9f:bc:c9:bb:2e:0d:a0:13:db:35:8f:c9:
    75:71:d6:3f:ee:5f:a0:8e:04:4f:67:95:b7:ef:04:34:
    34:86:bb:b8:91:cf:04:79:bb:45:45:ef:47:e4:ef:22:
    da:88:d3:21:2a:7b:eb:7d:a7:77:c6:4e:b9:43:b0:3d:
    eb:49:6a:1e:29:66:14:c1:03:b3:bb:47:8a:35:fe:7c:
    d2:96:f0:43:29:ab:b5:45:ef:6b:3d:22:2e:1a:22:e3:
    bb:5e:84:de:2f:0b:18:e8:cf:e9:bc:cb:44:c5:9d:65:
    2f:fb:ad:7c:91:32:a6:f6:99:fd:ca:ab:70:21:82:53:
    b8:d5:fa:ce:5e:6d:0a:38:00:b1:82:37:11:1a:34:15
Fingerprint (SHA-256):
    48:E6:BD:34:BB:C2:AA:1A:35:FB:24:85:22:89:96:B5:10:70:E4:1D:EF:F0:9A:DD:E6:33:2F:2E:B1:1D:26:0E
Fingerprint (SHA1):
    D2:85:FF:A1:92:67:76:4F:CE:66:6D:45:43:38:0E:84:A2:B0:33:EE

Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        Trusted Client CA
    Email Flags:
        Valid CA
        Trusted CA
    Object Signing Flags:
        Valid CA
        Trusted CA

Certificate 1 Subject: "CN=OCSP Subsystem,O=IPA.LOCAL 201901211552"
Returned value is 0, expected result is pass
chains.sh: #1896: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - PASSED

Thanks for the report, this has been fixed.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.62
You need to log in before you can comment on or make changes to this bug.