Closed Bug 180688 Opened 22 years ago Closed 22 years ago

p7sign reports problem signing data : Peer's Certificate Issuer is not recognised

Categories

(NSS :: Libraries, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 174634

People

(Reporter: jan.noppen, Assigned: wtc)

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.0.3705) Build Identifier: Certificate chain of the signing certificate is not traversed correctly when signing when signing with a certificate issued by a MS CA, subordinate of another CA. There are three Certificates in my Security Database. TheRoot : The root CA BankB : The subordinate CA of TheRoot testnss1 : a user certificate issued by BankB The details of the three certificates can be found in Additional Information. This is the relevant call stack until the Issuer is found to be not trusted: nss3certificate_matchIdentifier(nssDecodedCertStr * 0x00a59068, void * 0x010065f0) line 266 filter_subject_certs_for_id(NSSCertificateStr * * 0x010010c8, void * 0x010065f0) line 300 + 14 bytes find_cert_issuer(NSSCertificateStr * 0x01004600, NSSTimeStr * 0x00a58e68, NSSUsageStr * 0x0012e5c4, NSSPoliciesStr * 0x00000000) line 402 + 13 bytes nssCertificate_BuildChain(NSSCertificateStr * 0x01004600, NSSTimeStr * 0x00a58e68, NSSUsageStr * 0x0012e630, NSSPoliciesStr * 0x00000000, NSSCertificateStr * * 0x0012e63c, unsigned int 2, NSSArenaStr * 0x00000000, int * 0x0012e62c) line 473 + 21 bytes NSSCertificate_BuildChain(NSSCertificateStr * 0x01004600, NSSTimeStr * 0x00a58e68, NSSUsageStr * 0x0012e630, NSSPoliciesStr * 0x00000000, NSSCertificateStr * * 0x0012e63c, unsigned int 2, NSSArenaStr * 0x00000000, int * 0x0012e62c) line 510 + 37 bytes CERT_FindCertIssuer(CERTCertificateStr * 0x01005e68, __int64 1037616458212000, int 4) line 379 + 31 bytes cert_VerifyCertChain(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr * 0x01005e68, int 1, int * 0x00000000, int 4, __int64 1037616458212000, void * 0x00000000, CERTVerifyLogStr * 0x00000000, int 1, int * 0x00000000) line 734 + 21 bytes CERT_VerifyCertChain(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr * 0x01005e68, int 1, int 4, __int64 1037616458212000, void * 0x00000000, CERTVerifyLogStr * 0x00000000) line 965 + 43 bytes CERT_VerifyCert(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr * 0x01005e68, int 1, int 4, __int64 1037616458212000, void * 0x00000000, CERTVerifyLogStr * 0x00000000) line 1574 + 37 bytes sec_pkcs7_add_signer(SEC_PKCS7ContentInfoStr * 0x01002b48, CERTCertificateStr * 0x01005e68, int 4, NSSTrustDomainStr * 0x00a3c698, int 4, SECItemStr * 0x0012e86c) line 230 + 36 bytes SEC_PKCS7CreateSignedData(CERTCertificateStr * 0x01005e68, int 4, NSSTrustDomainStr * 0x00a3c698, int 4, SECItemStr * 0x0012e86c, void * (void *, void *)* 0x00000000, void * 0x00000000) line 424 + 29 bytes In nss3certificate_matchIdentifier a call to CERT_GetGeneralNameByType returns the CAName of "TheRoot" which is then compared on line 277 of pki3hack.c to the c->derSubject of "BankB". This test obviously fails, which causes the Unknown Issuer error to be returned. If I add the "Trusted Peer" value to the TrustFlags of the testnss1 certificate, the signing is successful since the certificate chain is not checked anymore. However I think there probably is an error in the checking of the chain that might need correction. If you want I can send you the Security Database Files. Please provide me with an email address I can send them to. Reproducible: Always Steps to Reproduce: 1. 2. 3. Here are the details of all three certificates. Certificate: Data: Version: 3 (0x2) Serial Number: 980160044 (0x3a6c0e2c) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: O=Bolero International Ltd., C=GB Validity: Not Before: Mon Jan 22 10:10:45 2001 Not After: Fri Jan 22 10:40:45 2021 Subject: O=Bolero International Ltd., C=GB Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: 00:cf:2e:f6:f8:eb:7f:7f:58:f8:86:56:18:30:cd: 42:e2:58:6d:b1:ba:d2:22:b0:e6:ce:9f:fe:d7:04: 23:87:de:56:5a:6d:90:04:cc:e7:7d:01:f4:c1:51: b2:30:9c:a1:00:5c:16:f1:43:f7:05:ef:73:bd:c4: e2:31:ad:9e:c8:e3:9b:a4:dc:1f:28:20:4f:2d:82: 46:2e:d8:df:ac:11:5f:9a:d7:f1:7c:9f:05:44:f8: a7:be:31:1c:ab:12:93:59:d5:7e:d0:6e:e6:07:33: bc:46:ea:ac:61:7f:5d:1d:aa:3d:e4:32:b3:d1:d8: ea:75:4d:75:34:89:e4:ec:0d Exponent: 3 (0x3) Signed Extensions: Name: Certificate Type Data: <SSL CA,S/MIME CA,ObjectSigning CA> Name: CRL Distribution Points Data: Sequence { Sequence { Option 0 a0:44:a4:42:30:40:31:0b:30:09:06:03:55:04: 06:13:02:47:42:31:22:30:20:06:03:55:04:0a: 13:19:42:6f:6c:65:72:6f:20:49:6e:74:65:72: 6e:61:74:69:6f:6e:61:6c:20:4c:74:64:2e:31: 0d:30:0b:06:03:55:04:03:13:04:43:52:4c:31 } } Name: Certificate Private Key Usage Period Data: Sequence { Option 0 32:30:30:31:30:31:32:32:31:30:31:30:34:35:5a 20010122101045Z Option 1 32:30:32:31:30:31:32:32:31:30:31:30:34:35:5a 20210122101045Z } Name: Certificate Key Usage Data: 03:02:01:06 Name: Certificate Authority Key Identifier Data: Sequence { Option 0 96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:0f: 0f:83:0a:ed:4e } Name: Certificate Subject Key ID Data: 04:14:96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7: 0f:0f:83:0a:ed:4e Name: Certificate Basic Constraints Data: Is a CA with a maximum path length of -2. Name: 2a:86:48:86:f6:7d:07:41:00 Data: Sequence { 1b:04:56:34:2e:30 03:02:04:90 } Fingerprint (MD5): D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E Fingerprint (SHA1): DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: c1:71:7f:0e:f3:28:e7:d7:d9:6f:3e:00:2e:41:53:7b:2d:a1: 7c:ff:42:c7:af:be:95:0e:0c:0d:63:84:45:a6:07:c3:38:d2: da:28:f2:f5:af:47:e0:ad:04:4f:71:7c:a5:20:f9:69:08:36: 67:43:37:bd:78:b2:cc:3d:fd:74:72:db:e8:23:2e:5e:8a:7e: 61:5d:4b:eb:b9:39:1d:6b:b8:99:e4:a3:85:94:6a:8d:5c:76: d4:ae:43:4e:29:ef:55:c1:18:29:1d:5c:b3:cd:e8:15:84:eb: d5:89:0e:60:91:5c:8c:fc:9f:80:e7:71:6e:bb:ee:e7:9d:ca: 8a:25 Certificate Trust Flags: SSL Flags: Valid CA Trusted CA Trusted Client CA Email Flags: Valid CA Trusted CA Object Signing Flags: Valid CA Trusted CA Certificate: Data: Version: 3 (0x2) Serial Number: 980160044 (0x3a6c0e2c) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: O=Bolero International Ltd., C=GB Validity: Not Before: Mon Jan 22 10:10:45 2001 Not After: Fri Jan 22 10:40:45 2021 Subject: O=Bolero International Ltd., C=GB Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: 00:cf:2e:f6:f8:eb:7f:7f:58:f8:86:56:18:30:cd: 42:e2:58:6d:b1:ba:d2:22:b0:e6:ce:9f:fe:d7:04: 23:87:de:56:5a:6d:90:04:cc:e7:7d:01:f4:c1:51: b2:30:9c:a1:00:5c:16:f1:43:f7:05:ef:73:bd:c4: e2:31:ad:9e:c8:e3:9b:a4:dc:1f:28:20:4f:2d:82: 46:2e:d8:df:ac:11:5f:9a:d7:f1:7c:9f:05:44:f8: a7:be:31:1c:ab:12:93:59:d5:7e:d0:6e:e6:07:33: bc:46:ea:ac:61:7f:5d:1d:aa:3d:e4:32:b3:d1:d8: ea:75:4d:75:34:89:e4:ec:0d Exponent: 3 (0x3) Signed Extensions: Name: Certificate Type Data: <SSL CA,S/MIME CA,ObjectSigning CA> Name: CRL Distribution Points Data: Sequence { Sequence { Option 0 a0:44:a4:42:30:40:31:0b:30:09:06:03:55:04: 06:13:02:47:42:31:22:30:20:06:03:55:04:0a: 13:19:42:6f:6c:65:72:6f:20:49:6e:74:65:72: 6e:61:74:69:6f:6e:61:6c:20:4c:74:64:2e:31: 0d:30:0b:06:03:55:04:03:13:04:43:52:4c:31 } } Name: Certificate Private Key Usage Period Data: Sequence { Option 0 32:30:30:31:30:31:32:32:31:30:31:30:34:35:5a 20010122101045Z Option 1 32:30:32:31:30:31:32:32:31:30:31:30:34:35:5a 20210122101045Z } Name: Certificate Key Usage Data: 03:02:01:06 Name: Certificate Authority Key Identifier Data: Sequence { Option 0 96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:0f: 0f:83:0a:ed:4e } Name: Certificate Subject Key ID Data: 04:14:96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7: 0f:0f:83:0a:ed:4e Name: Certificate Basic Constraints Data: Is a CA with a maximum path length of -2. Name: 2a:86:48:86:f6:7d:07:41:00 Data: Sequence { 1b:04:56:34:2e:30 03:02:04:90 } Fingerprint (MD5): D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E Fingerprint (SHA1): DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: c1:71:7f:0e:f3:28:e7:d7:d9:6f:3e:00:2e:41:53:7b:2d:a1: 7c:ff:42:c7:af:be:95:0e:0c:0d:63:84:45:a6:07:c3:38:d2: da:28:f2:f5:af:47:e0:ad:04:4f:71:7c:a5:20:f9:69:08:36: 67:43:37:bd:78:b2:cc:3d:fd:74:72:db:e8:23:2e:5e:8a:7e: 61:5d:4b:eb:b9:39:1d:6b:b8:99:e4:a3:85:94:6a:8d:5c:76: d4:ae:43:4e:29:ef:55:c1:18:29:1d:5c:b3:cd:e8:15:84:eb: d5:89:0e:60:91:5c:8c:fc:9f:80:e7:71:6e:bb:ee:e7:9d:ca: 8a:25 Certificate Trust Flags: SSL Flags: Valid CA Trusted CA Trusted Client CA Email Flags: Valid CA Trusted CA Object Signing Flags: Valid CA Trusted CA Certificate: Data: Version: 3 (0x2) Serial Number: 1e:d7:c5:90:00:00:00:00:00:e1 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: CN=Bank B, OU=TrustAct dev, O=SWIFT, C=BE Validity: Not Before: Mon Nov 18 09:57:32 2002 Not After: Tue Nov 18 10:07:32 2003 Subject: CN=testnss1, O=TrustAct, C=BE Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: 00:ad:4b:d4:b9:54:4d:9a:14:29:13:53:dd:fb:a0: de:f3:af:78:67:d6:56:d8:13:45:40:36:a4:34:9a: cd:5a:65:e2:55:c6:fd:d3:4b:70:b6:69:6a:46:39: 93:b4:5b:50:c7:3d:97:5e:97:fb:19:9f:82:5e:ad: 63:40:3a:d6:e6:01:ae:4f:b2:83:43:8b:4e:5b:15: f4:62:16:c7:3b:75:cc:36:a4:91:c6:a8:bc:fe:a4: 83:e1:8c:08:53:3c:f3:5a:41:57:d2:86:9a:8a:a7: a8:b7:82:4f:83:60:d4:89:0d:e8:18:ec:00:49:d3: 58:43:3b:71:98:a1:32:87:d1 Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Subject Key ID Data: 04:14:5a:6a:62:a5:c8:22:d5:cc:e7:ae:73:75:7f:22: 62:13:78:3a:44:0d Name: Certificate Authority Key Identifier Data: Sequence { Option 0 82:a2:fd:19:8e:4d:54:5a:30:96:b2:99:2b:cf:a4: 77:8a:b8:6e:4c Option 1 a4:33:30:31:31:0b:30:09:06:03:55:04:06:13:02: 47:42:31:22:30:20:06:03:55:04:0a:13:19:42:6f: 6c:65:72:6f:20:49:6e:74:65:72:6e:61:74:69:6f: 6e:61:6c:20:4c:74:64:2e Option 2 3a:6c:11:26 } Name: CRL Distribution Points Data: Sequence { Sequence { Option 0 a0:33:86:31:68:74:74:70:3a:2f:2f:62:6f:6c: 64:65:76:39:32:2e:73:77:69:66:74:2e:63:6f: 6d:2f:43:65:72:74:45:6e:72:6f:6c:6c:2f:42: 61:6e:6b:25:32:30:42:2e:63:72:6c } Sequence { Option 0 a0:35:86:33:66:69:6c:65:3a:2f:2f:5c:5c:62: 6f:6c:64:65:76:39:32:2e:73:77:69:66:74:2e: 63:6f:6d:5c:43:65:72:74:45:6e:72:6f:6c:6c: 5c:42:61:6e:6b:25:32:30:42:2e:63:72:6c } } Name: Authority Information Access Data: Sequence { Sequence { 06:08:2b:06:01:05:05:07:30:02 Option 6 68:74:74:70:3a:2f:2f:62:6f:6c:64:65:76:39: 32:2e:73:77:69:66:74:2e:63:6f:6d:2f:43:65: 72:74:45:6e:72:6f:6c:6c:2f:62:6f:6c:64:65: 76:39:32:2e:73:77:69:66:74:2e:63:6f:6d:5f: 42:61:6e:6b:25:32:30:42:2e:63:72:74 http://boldev92.swift.com/CertEnroll/boldev92.swift.c om_Bank%20B.crt } Sequence { 06:08:2b:06:01:05:05:07:30:02 Option 6 66:69:6c:65:3a:2f:2f:5c:5c:62:6f:6c:64:65: 76:39:32:2e:73:77:69:66:74:2e:63:6f:6d:5c: 43:65:72:74:45:6e:72:6f:6c:6c:5c:62:6f:6c: 64:65:76:39:32:2e:73:77:69:66:74:2e:63:6f: 6d:5f:42:61:6e:6b:25:32:30:42:2e:63:72:74 file://\\boldev92.swift.com\CertEnroll\boldev92.swift .com_Bank%20B.crt } } Fingerprint (MD5): D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E Fingerprint (SHA1): DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: 49:42:8d:f7:33:37:ec:cd:40:bb:e2:51:83:58:c7:33:39:06: 6f:8f:a6:c9:7e:04:7b:0f:fa:17:90:d6:62:c6:49:a3:bb:07: 8b:69:19:6c:a7:3f:7e:8a:59:14:e2:e1:24:29:88:4e:fe:f6: 34:a7:7a:9c:0c:b8:64:d5:e4:e4:30:b7:25:82:2a:5f:ae:f6: 20:ed:4b:94:23:9b:91:56:57:0a:a2:6a:20:2b:dc:45:b5:99: 5f:db:0e:84:2a:a2:e6:3a:1b:00:dd:b0:f9:5b:51:6f:75:f1: cd:90:93:46:f3:6b:de:6c:d2:e5:42:28:7e:d5:74:96:4a:e9: 78:6d Certificate Trust Flags: SSL Flags: User Email Flags: User Object Signing Flags: User
Version: unspecified → 3.6
*** This bug has been marked as a duplicate of 174634 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.