Closed Bug 1689508 Opened 3 years ago Closed 3 years ago

NSS 3.61: chain.sh test failure

Categories

(NSS :: Test, defect)

3.61
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1686134

People

(Reporter: congdanhqx, Unassigned)

Attachments

(1 file)

1.12 MB, application/octet-stream
Attached file nss__do_check.log.zst

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

  • Build nss 3.61 with system nspr 4.29 on Linux 5.10
  • run tests/all.sh or tests/chains/chain.sh
  • gcc 10.2.1 with patches to fix memcpy issues

export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSPR_LIB_DIR=/usr/lib
export XCFLAGS="${CFLAGS}"
export USE_64=1
export HOST=localhost
export DOMSUF=localdomain
export NATIVE_CC="cc"
export NATIVE_FLAGS="$CFLAGS"
export NS_USE_GCC=1
export LIBRUNPATH=
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ENABLE_WERROR=0
export NSS_ENABLE_ECC=1
export FREEBL_NO_DEPEND=1
export CFLAGS="-02 -g -pipe -fstack-clash-protection -D_FORTIFY_SOURCE=2 -mtune=generic -fno-common"
export CXXFLAGS="$CFLAGS"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro -Wl,--as-needed"
export XCFLAGS="$CFLAGS"

make USE_64=1 all

Actual results:

chain.sh test failure on #1057 and #1896

chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /builddir/nss-3.61/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1057: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED

chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /builddir/nss-3.61/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1896: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED

There's another problem with ZFS (since I can't reproduce this on our CI), it seems:

dbdir selected is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir

ERROR: Directory "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir" is not writeable.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/secmod.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/secmod.db" does not exist.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/cert8.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/cert8.db" does not exist.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/key3.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/key3.db" does not exist.
dbtests.sh: #10: Dbtest r/w succeeded in a readonly directory 0 - FAILED

Expected results:

All tests should pass

Anyway, I carry a patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1688374 with this build

$ openssl x509 -inform der -noout -enddate <NameConstraints.ocsp1.cert
notAfter=Jan 11 11:02:40 2021 GMT

I guess the cert is expired.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
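
A triage sketch for the failures quoted above, added here as an example (not part of the bug report or of NSS): it parses chains.sh output and marks a FAILED test as a fixture-expiry failure when every error in its block is -8181, which separates expired test certificates from real validation regressions. The #1058 and #1059 blocks in the sample are constructed, and the regexes assume the line layout shown in this report.

```python
import re

# -8181 is the code the log above prints next to "Peer's Certificate has expired."
EXPIRED = -8181
RESULT = re.compile(r"^chains\.sh: #(\d+): (.*) - (PASSED|FAILED)$")
ERROR = re.compile(r"^\s*ERROR (-\d+): (.*)$")
CERT = re.compile(r"^CERT \d+\. (.*?) ?:$")

# Sample input: the #1057 block is from the report; #1058 and #1059 are constructed.
SAMPLE_LOG = """\
chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1057: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED
CERT 0. CN=Constructed EE,O=Example :
  ERROR -8179: Peer's Certificate issuer is not recognized.
chains.sh: #1058: Constructed: Verifying certificate(s) Constructed.cert with flags -d trustanchorsDB -pp - FAILED
Chain is good!
chains.sh: #1059: Constructed: Verifying certificate(s) Good.cert with flags -d trustanchorsDB -pp - PASSED
"""

def triage(log):
    """Map each FAILED test number to its errors and whether expiry alone explains it."""
    failures, errors, subject = {}, [], None
    for line in log.splitlines():
        if m := CERT.match(line):
            subject = m.group(1)           # certificate the following ERROR lines refer to
        elif m := ERROR.match(line):
            errors.append((int(m.group(1)), subject))
        elif m := RESULT.match(line):      # result line closes the current test block
            if m.group(3) == "FAILED":
                failures[int(m.group(1))] = {
                    "errors": errors,
                    # True only if there is at least one error and all are expiry errors
                    "fixture_expired": bool(errors) and all(c == EXPIRED for c, _ in errors),
                }
            errors, subject = [], None
    return failures

if __name__ == "__main__":
    for number, info in sorted(triage(SAMPLE_LOG).items()):
        kind = "expired fixture" if info["fixture_expired"] else "needs investigation"
        print(f"#{number}: {kind}: {info['errors']}")
```
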