NSS 3.61: chain.sh test failure
Categories
(NSS :: Test, defect)
Tracking
(Not tracked)
People
(Reporter: congdanhqx, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
- Build nss 3.61 with system nspr 4.29 on Linux 5.10
- run tests/all.sh or tests/chains/chain.sh
- gcc 10.2.1 with patches to fix memcpy issues
export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSPR_LIB_DIR=/usr/lib
export XCFLAGS="${CFLAGS}"
export USE_64=1
export HOST=localhost
export DOMSUF=localdomain
export NATIVE_CC="cc"
export NATIVE_FLAGS="$CFLAGS"
export NS_USE_GCC=1
export LIBRUNPATH=
export BUILD_OPT=1
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ENABLE_WERROR=0
export NSS_ENABLE_ECC=1
export FREEBL_NO_DEPEND=1
export CFLAGS="-02 -g -pipe -fstack-clash-protection -D_FORTIFY_SOURCE=2 -mtune=generic -fno-common"
export CXXFLAGS="$CFLAGS"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro -Wl,--as-needed"
export XCFLAGS="$CFLAGS"
make USE_64=1 all
Actual results:
chain.sh test failure on #1057 and #1896
chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /builddir/nss-3.61/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1057: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED
chains.sh: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10
vfychain -d trustanchorsDB -pp -vv -u 10 /builddir/nss-3.61/nss/tests/libpkix/certs/NameConstraints.ocsp1.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=OCSP Subsystem,O=IPA.LOCAL 201901211552 :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1896: TrustAnchors: Verifying certificate(s) NameConstraints.ocsp1.cert with flags -d trustanchorsDB -pp -u 10 - FAILED
There's another problem with ZFS (since I can't reproduce this on our CI), it seems:
dbdir selected is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir
ERROR: Directory "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir" is not writeable.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/secmod.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/secmod.db" does not exist.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/cert8.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/cert8.db" does not exist.
database checked is /builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/key3.db
ERROR: File "/builddir/nss-3.61/tests_results/security/localhost.2/ronlydir/key3.db" does not exist.
dbtests.sh: #10: Dbtest r/w succeeded in a readonly directory 0 - FAILED
Expected results:
All tests should pass
Anyway, I carry a patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1688374 with this build.
$ openssl x509 -inform der -noout -enddate <NameConstraints.ocsp1.cert
notAfter=Jan 11 11:02:40 2021 GMT
I guess the cert is expired.
Comment 3•3 years ago
This is fixed by https://hg.mozilla.org/projects/nss/rev/3ddcd845704cd1e382eba63ac4487f038cc46ca0, which will be in 3.62.
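Added example, not part of the bug thread or of NSS: the openssl -enddate check from the comment above, generalized into a pure-Python scan that reads notAfter straight from DER and lists fixtures that have expired or will expire within a margin. The helper names and the sample certificates are constructed for illustration; only the 2021 notAfter value comes from this page.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime, two-digit year: 50-99 is 19xx, 00-49 is 20xx (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # otherwise it must be GeneralizedTime
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(der):
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter (UTC)."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0  # skip the optional [0] version field
    for _ in range(3):  # serialNumber, signature algorithm, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    _, _, end_pos = read_tlv(validity, 0)  # step over notBefore
    return parse_time(*read_tlv(validity, end_pos)[:2])

def stale_fixtures(certs, now, margin_days=0):
    """Names of certs whose notAfter is before now + margin_days, soonest first."""
    limit = now + timedelta(days=margin_days)
    ends = sorted((not_after(der), name) for name, der in certs.items())
    return [name for end, name in ends if end < limit]

def tlv(tag, body=b""):  # short-form DER encoder, for the constructed samples only
    return bytes([tag, len(body)]) + body

def skeleton_cert(end):  # constructed, unsigned skeleton: only the validity is real
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, end))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) + tlv(0x30) + validity
    return tlv(0x30, tlv(0x30, tbs))

SAMPLES = {  # constructed inputs; the first carries the notAfter quoted above
    "NameConstraints.ocsp1.cert": skeleton_cert(b"210111110240Z"),
    "long-lived.cert": skeleton_cert(b"491231235959Z"),  # hypothetical fixture
}

print(stale_fixtures(SAMPLES, datetime.now(timezone.utc), margin_days=90))
```

To scan a real tree, build the certs mapping from the raw bytes of the DER files, such as those under tests/libpkix/certs; PEM files would need base64 decoding first.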