Closed Bug 1688825 Opened 5 years ago Closed 5 years ago

Only NSS rejects a cert while OpenSSL, GnuTLS, mbedTLS, and wolfSSL accept it.

Categories

(NSS :: Tools, defect)

3.49
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: goodpwdcetcsz, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

Steps to reproduce:

1. certutil -N -d ./ --empty-password 
2. certutil -A -i ca.pem -n 0 -t "C,C,C" -d ./
3. certutil -A -i seed-4s18-12s35-36s19-158s25-252s37.pem -n 1 -t ",," -d ./
4. certutil -V -e -n 1 -d ./ -u C

Actual results:

certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Expected results:

Consistent verification results among the TLS implementations.

I get a different result:

 ../dist/Debug/bin/certutil -V -e -n 1 -d db -u C
certutil: certificate is invalid: Certificate key usage inadequate for attempted operation.

You're trying to verify this as a client cert (-u C), which is incompatible with the KeyUsage field, which allows certificate signing. For CA usage:

../dist/Debug/bin/certutil -V -e -n 1 -d db -u A
certutil: certificate is valid
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
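
The mismatch described in the comment above, as an added Python illustration that is not part of the bug thread or of NSS: it decodes a DER KeyUsage BIT STRING and reports which bits a requested usage would still need. The REQUIRED_BITS mapping for the -u letters is a simplified assumption, and both sample values are constructed; the attached certificate's actual KeyUsage bytes are not shown on this page.

```python
# Added illustration, not NSS code. Bit names follow RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

# Assumption: simplified bit requirement per certutil -u letter from the thread
# (C = client cert, A = CA usage). NSS's real checks are more detailed.
REQUIRED_BITS = {"C": {"digitalSignature"}, "A": {"keyCertSign"}}


def decode_key_usage(der):
    """Return the set of usages asserted in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    asserted = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit_mask = index // 8, 0x80 >> (index % 8)
        if byte_index < len(payload) and payload[byte_index] & bit_mask:
            asserted.add(name)
    return asserted


def missing_for_usage(key_usage_der, usage_letter):
    """Return the required bits the certificate lacks (empty set = adequate)."""
    if key_usage_der is None:
        return set()  # no KeyUsage extension: no restriction from this field
    return REQUIRED_BITS[usage_letter] - decode_key_usage(key_usage_der)


# Constructed sample: KeyUsage asserting only keyCertSign (bit 5).
CA_ONLY = bytes([0x03, 0x02, 0x02, 0x04])
# Constructed sample: digitalSignature + keyEncipherment (bits 0 and 2).
TLS_LEAF = bytes([0x03, 0x02, 0x05, 0xA0])

if __name__ == "__main__":
    for label, der in (("CA_ONLY", CA_ONLY), ("TLS_LEAF", TLS_LEAF)):
        for letter in ("C", "A"):
            print(label, "-u", letter, "missing:", sorted(missing_for_usage(der, letter)))
```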
