Closed
Bug 180688
Opened 22 years ago
Closed 22 years ago
p7sign reports problem signing data : Peer's Certificate Issuer is not recognised
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 174634
People
(Reporter: jan.noppen, Assigned: wtc)
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.0.3705)
Build Identifier:
Certificate chain of the signing certificate is not traversed correctly when
signing when signing with a certificate issued by a MS CA, subordinate of
another CA.
There are three Certificates in my Security Database.
TheRoot : The root CA
BankB : The subordinate CA of TheRoot
testnss1 : a user certificate issued by BankB
The details of the three certificates can be found in Additional Information.
This is the relevant call stack until the Issuer is found to be not trusted:
nss3certificate_matchIdentifier(nssDecodedCertStr * 0x00a59068, void *
0x010065f0) line 266
filter_subject_certs_for_id(NSSCertificateStr * * 0x010010c8, void *
0x010065f0) line 300 + 14 bytes
find_cert_issuer(NSSCertificateStr * 0x01004600, NSSTimeStr * 0x00a58e68,
NSSUsageStr * 0x0012e5c4, NSSPoliciesStr * 0x00000000) line 402 + 13 bytes
nssCertificate_BuildChain(NSSCertificateStr * 0x01004600, NSSTimeStr *
0x00a58e68, NSSUsageStr * 0x0012e630, NSSPoliciesStr * 0x00000000,
NSSCertificateStr * * 0x0012e63c, unsigned int 2, NSSArenaStr * 0x00000000, int
* 0x0012e62c) line 473 + 21 bytes
NSSCertificate_BuildChain(NSSCertificateStr * 0x01004600, NSSTimeStr *
0x00a58e68, NSSUsageStr * 0x0012e630, NSSPoliciesStr * 0x00000000,
NSSCertificateStr * * 0x0012e63c, unsigned int 2, NSSArenaStr * 0x00000000, int
* 0x0012e62c) line 510 + 37 bytes
CERT_FindCertIssuer(CERTCertificateStr * 0x01005e68, __int64 1037616458212000,
int 4) line 379 + 31 bytes
cert_VerifyCertChain(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr *
0x01005e68, int 1, int * 0x00000000, int 4, __int64 1037616458212000, void *
0x00000000, CERTVerifyLogStr * 0x00000000, int 1, int * 0x00000000) line 734 +
21 bytes
CERT_VerifyCertChain(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr *
0x01005e68, int 1, int 4, __int64 1037616458212000, void * 0x00000000,
CERTVerifyLogStr * 0x00000000) line 965 + 43 bytes
CERT_VerifyCert(NSSTrustDomainStr * 0x00a3c698, CERTCertificateStr *
0x01005e68, int 1, int 4, __int64 1037616458212000, void * 0x00000000,
CERTVerifyLogStr * 0x00000000) line 1574 + 37 bytes
sec_pkcs7_add_signer(SEC_PKCS7ContentInfoStr * 0x01002b48, CERTCertificateStr *
0x01005e68, int 4, NSSTrustDomainStr * 0x00a3c698, int 4, SECItemStr *
0x0012e86c) line 230 + 36 bytes
SEC_PKCS7CreateSignedData(CERTCertificateStr * 0x01005e68, int 4,
NSSTrustDomainStr * 0x00a3c698, int 4, SECItemStr * 0x0012e86c, void * (void *,
void *)* 0x00000000, void * 0x00000000) line 424 + 29 bytes
In nss3certificate_matchIdentifier a call to CERT_GetGeneralNameByType returns
the CAName of "TheRoot" which is then compared on line 277 of pki3hack.c to the
c->derSubject
of "BankB". This test obviously fails, which causes the Unknown Issuer error to
be returned.
If I add the "Trusted Peer" value to the TrustFlags of the testnss1
certificate, the signing is successful since the certificate chain is not
checked anymore.
However I think there probably is an error in the checking of the chain that
might need correction.
If you want I can send you the Security Database Files. Please provide me with
an email address I can send them to.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Here are the details of all three certificates.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 980160044 (0x3a6c0e2c)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: O=Bolero International Ltd., C=GB
Validity:
Not Before: Mon Jan 22 10:10:45 2001
Not After: Fri Jan 22 10:40:45 2021
Subject: O=Bolero International Ltd., C=GB
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:cf:2e:f6:f8:eb:7f:7f:58:f8:86:56:18:30:cd:
42:e2:58:6d:b1:ba:d2:22:b0:e6:ce:9f:fe:d7:04:
23:87:de:56:5a:6d:90:04:cc:e7:7d:01:f4:c1:51:
b2:30:9c:a1:00:5c:16:f1:43:f7:05:ef:73:bd:c4:
e2:31:ad:9e:c8:e3:9b:a4:dc:1f:28:20:4f:2d:82:
46:2e:d8:df:ac:11:5f:9a:d7:f1:7c:9f:05:44:f8:
a7:be:31:1c:ab:12:93:59:d5:7e:d0:6e:e6:07:33:
bc:46:ea:ac:61:7f:5d:1d:aa:3d:e4:32:b3:d1:d8:
ea:75:4d:75:34:89:e4:ec:0d
Exponent: 3 (0x3)
Signed Extensions:
Name:
Certificate Type
Data: <SSL CA,S/MIME CA,ObjectSigning CA>
Name:
CRL Distribution Points
Data: Sequence {
Sequence {
Option 0
a0:44:a4:42:30:40:31:0b:30:09:06:03:55:04:
06:13:02:47:42:31:22:30:20:06:03:55:04:0a:
13:19:42:6f:6c:65:72:6f:20:49:6e:74:65:72:
6e:61:74:69:6f:6e:61:6c:20:4c:74:64:2e:31:
0d:30:0b:06:03:55:04:03:13:04:43:52:4c:31
}
}
Name:
Certificate Private Key Usage Period
Data: Sequence {
Option 0
32:30:30:31:30:31:32:32:31:30:31:30:34:35:5a
20010122101045Z
Option 1
32:30:32:31:30:31:32:32:31:30:31:30:34:35:5a
20210122101045Z
}
Name:
Certificate Key Usage
Data:
03:02:01:06
Name:
Certificate Authority Key Identifier
Data: Sequence {
Option 0
96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:0f:
0f:83:0a:ed:4e
}
Name:
Certificate Subject Key ID
Data:
04:14:96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:
0f:0f:83:0a:ed:4e
Name:
Certificate Basic Constraints
Data: Is a CA with a maximum path length of -2.
Name:
2a:86:48:86:f6:7d:07:41:00
Data: Sequence {
1b:04:56:34:2e:30
03:02:04:90
}
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
c1:71:7f:0e:f3:28:e7:d7:d9:6f:3e:00:2e:41:53:7b:2d:a1:
7c:ff:42:c7:af:be:95:0e:0c:0d:63:84:45:a6:07:c3:38:d2:
da:28:f2:f5:af:47:e0:ad:04:4f:71:7c:a5:20:f9:69:08:36:
67:43:37:bd:78:b2:cc:3d:fd:74:72:db:e8:23:2e:5e:8a:7e:
61:5d:4b:eb:b9:39:1d:6b:b8:99:e4:a3:85:94:6a:8d:5c:76:
d4:ae:43:4e:29:ef:55:c1:18:29:1d:5c:b3:cd:e8:15:84:eb:
d5:89:0e:60:91:5c:8c:fc:9f:80:e7:71:6e:bb:ee:e7:9d:ca:
8a:25
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
Object Signing Flags:
Valid CA
Trusted CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 980160044 (0x3a6c0e2c)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: O=Bolero International Ltd., C=GB
Validity:
Not Before: Mon Jan 22 10:10:45 2001
Not After: Fri Jan 22 10:40:45 2021
Subject: O=Bolero International Ltd., C=GB
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:cf:2e:f6:f8:eb:7f:7f:58:f8:86:56:18:30:cd:
42:e2:58:6d:b1:ba:d2:22:b0:e6:ce:9f:fe:d7:04:
23:87:de:56:5a:6d:90:04:cc:e7:7d:01:f4:c1:51:
b2:30:9c:a1:00:5c:16:f1:43:f7:05:ef:73:bd:c4:
e2:31:ad:9e:c8:e3:9b:a4:dc:1f:28:20:4f:2d:82:
46:2e:d8:df:ac:11:5f:9a:d7:f1:7c:9f:05:44:f8:
a7:be:31:1c:ab:12:93:59:d5:7e:d0:6e:e6:07:33:
bc:46:ea:ac:61:7f:5d:1d:aa:3d:e4:32:b3:d1:d8:
ea:75:4d:75:34:89:e4:ec:0d
Exponent: 3 (0x3)
Signed Extensions:
Name:
Certificate Type
Data: <SSL CA,S/MIME CA,ObjectSigning CA>
Name:
CRL Distribution Points
Data: Sequence {
Sequence {
Option 0
a0:44:a4:42:30:40:31:0b:30:09:06:03:55:04:
06:13:02:47:42:31:22:30:20:06:03:55:04:0a:
13:19:42:6f:6c:65:72:6f:20:49:6e:74:65:72:
6e:61:74:69:6f:6e:61:6c:20:4c:74:64:2e:31:
0d:30:0b:06:03:55:04:03:13:04:43:52:4c:31
}
}
Name:
Certificate Private Key Usage Period
Data: Sequence {
Option 0
32:30:30:31:30:31:32:32:31:30:31:30:34:35:5a
20010122101045Z
Option 1
32:30:32:31:30:31:32:32:31:30:31:30:34:35:5a
20210122101045Z
}
Name:
Certificate Key Usage
Data:
03:02:01:06
Name:
Certificate Authority Key Identifier
Data: Sequence {
Option 0
96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:0f:
0f:83:0a:ed:4e
}
Name:
Certificate Subject Key ID
Data:
04:14:96:c5:3f:7e:bb:24:b9:8b:05:5e:15:09:0f:c7:
0f:0f:83:0a:ed:4e
Name:
Certificate Basic Constraints
Data: Is a CA with a maximum path length of -2.
Name:
2a:86:48:86:f6:7d:07:41:00
Data: Sequence {
1b:04:56:34:2e:30
03:02:04:90
}
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
c1:71:7f:0e:f3:28:e7:d7:d9:6f:3e:00:2e:41:53:7b:2d:a1:
7c:ff:42:c7:af:be:95:0e:0c:0d:63:84:45:a6:07:c3:38:d2:
da:28:f2:f5:af:47:e0:ad:04:4f:71:7c:a5:20:f9:69:08:36:
67:43:37:bd:78:b2:cc:3d:fd:74:72:db:e8:23:2e:5e:8a:7e:
61:5d:4b:eb:b9:39:1d:6b:b8:99:e4:a3:85:94:6a:8d:5c:76:
d4:ae:43:4e:29:ef:55:c1:18:29:1d:5c:b3:cd:e8:15:84:eb:
d5:89:0e:60:91:5c:8c:fc:9f:80:e7:71:6e:bb:ee:e7:9d:ca:
8a:25
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
Object Signing Flags:
Valid CA
Trusted CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:d7:c5:90:00:00:00:00:00:e1
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: CN=Bank B, OU=TrustAct dev, O=SWIFT, C=BE
Validity:
Not Before: Mon Nov 18 09:57:32 2002
Not After: Tue Nov 18 10:07:32 2003
Subject: CN=testnss1, O=TrustAct, C=BE
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:ad:4b:d4:b9:54:4d:9a:14:29:13:53:dd:fb:a0:
de:f3:af:78:67:d6:56:d8:13:45:40:36:a4:34:9a:
cd:5a:65:e2:55:c6:fd:d3:4b:70:b6:69:6a:46:39:
93:b4:5b:50:c7:3d:97:5e:97:fb:19:9f:82:5e:ad:
63:40:3a:d6:e6:01:ae:4f:b2:83:43:8b:4e:5b:15:
f4:62:16:c7:3b:75:cc:36:a4:91:c6:a8:bc:fe:a4:
83:e1:8c:08:53:3c:f3:5a:41:57:d2:86:9a:8a:a7:
a8:b7:82:4f:83:60:d4:89:0d:e8:18:ec:00:49:d3:
58:43:3b:71:98:a1:32:87:d1
Exponent: 65537 (0x10001)
Signed Extensions:
Name:
Certificate Subject Key ID
Data:
04:14:5a:6a:62:a5:c8:22:d5:cc:e7:ae:73:75:7f:22:
62:13:78:3a:44:0d
Name:
Certificate Authority Key Identifier
Data: Sequence {
Option 0
82:a2:fd:19:8e:4d:54:5a:30:96:b2:99:2b:cf:a4:
77:8a:b8:6e:4c
Option 1
a4:33:30:31:31:0b:30:09:06:03:55:04:06:13:02:
47:42:31:22:30:20:06:03:55:04:0a:13:19:42:6f:
6c:65:72:6f:20:49:6e:74:65:72:6e:61:74:69:6f:
6e:61:6c:20:4c:74:64:2e
Option 2
3a:6c:11:26
}
Name:
CRL Distribution Points
Data: Sequence {
Sequence {
Option 0
a0:33:86:31:68:74:74:70:3a:2f:2f:62:6f:6c:
64:65:76:39:32:2e:73:77:69:66:74:2e:63:6f:
6d:2f:43:65:72:74:45:6e:72:6f:6c:6c:2f:42:
61:6e:6b:25:32:30:42:2e:63:72:6c
}
Sequence {
Option 0
a0:35:86:33:66:69:6c:65:3a:2f:2f:5c:5c:62:
6f:6c:64:65:76:39:32:2e:73:77:69:66:74:2e:
63:6f:6d:5c:43:65:72:74:45:6e:72:6f:6c:6c:
5c:42:61:6e:6b:25:32:30:42:2e:63:72:6c
}
}
Name:
Authority Information Access
Data: Sequence {
Sequence {
06:08:2b:06:01:05:05:07:30:02
Option 6
68:74:74:70:3a:2f:2f:62:6f:6c:64:65:76:39:
32:2e:73:77:69:66:74:2e:63:6f:6d:2f:43:65:
72:74:45:6e:72:6f:6c:6c:2f:62:6f:6c:64:65:
76:39:32:2e:73:77:69:66:74:2e:63:6f:6d:5f:
42:61:6e:6b:25:32:30:42:2e:63:72:74
http://boldev92.swift.com/CertEnroll/boldev92.swift.c
om_Bank%20B.crt
}
Sequence {
06:08:2b:06:01:05:05:07:30:02
Option 6
66:69:6c:65:3a:2f:2f:5c:5c:62:6f:6c:64:65:
76:39:32:2e:73:77:69:66:74:2e:63:6f:6d:5c:
43:65:72:74:45:6e:72:6f:6c:6c:5c:62:6f:6c:
64:65:76:39:32:2e:73:77:69:66:74:2e:63:6f:
6d:5f:42:61:6e:6b:25:32:30:42:2e:63:72:74
file://\\boldev92.swift.com\CertEnroll\boldev92.swift
.com_Bank%20B.crt
}
}
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
49:42:8d:f7:33:37:ec:cd:40:bb:e2:51:83:58:c7:33:39:06:
6f:8f:a6:c9:7e:04:7b:0f:fa:17:90:d6:62:c6:49:a3:bb:07:
8b:69:19:6c:a7:3f:7e:8a:59:14:e2:e1:24:29:88:4e:fe:f6:
34:a7:7a:9c:0c:b8:64:d5:e4:e4:30:b7:25:82:2a:5f:ae:f6:
20:ed:4b:94:23:9b:91:56:57:0a:a2:6a:20:2b:dc:45:b5:99:
5f:db:0e:84:2a:a2:e6:3a:1b:00:dd:b0:f9:5b:51:6f:75:f1:
cd:90:93:46:f3:6b:de:6c:d2:e5:42:28:7e:d5:74:96:4a:e9:
78:6d
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Reporter | ||
Updated•22 years ago
|
Version: unspecified → 3.6
Reporter | ||
Comment 1•22 years ago
|
||
*** This bug has been marked as a duplicate of 174634 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•