Open Bug 1940379 Opened 1 month ago Updated 1 month ago

If a non-self-signed certificate to be verified appears in the trust store, NSS does not trust this certificate.

Categories

(NSS :: Libraries, enhancement)

3.97
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: tengyajun, Unassigned)

Details

Attachments

(1 file)

Attached file NSS.zip (45.50 KB, application/zip)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0

Steps to reproduce:

Run our testing client with "./a.out -c cert.pem -u certs.pem -t trust_list.pem"; the program reads the certificates in these files and validates the certificate in "cert.pem".

Testing input:
  To-be-validated certificate (3/cert.pem): subject CN=1, issuer CN=2.
  Certificate list (3/certs.pem): empty.
  Trust store (3/trust_list.pem): one certificate, subject CN=1, issuer CN=2.

Actual results:

The validator returns "reject" with error -8179, which means "Peer's Certificate issuer is not recognized", for the first certificate of the chain.

Expected results:

The validator should accept the certificate with a chain consisting of the single certificate (1, 2).

Based on extensive testing, we believe that NSS does not need to build a complete certificate chain; that is, the last certificate in the chain does not have to be a self-signed certificate. Furthermore, we find that when the input consists only of a self-signed certificate and it is in the trust store, NSS will also accept this certificate. Naturally, NSS should also accept this case.
This case has practical significance. For instance, a client that fully trusts the website might directly add the certificate to the trust list if it fails to find the issuer's certificate.

Summary: chain building → If a non-self-signed certificate to be verified appears in the trust store, NSS does not trust this certificate.

The testing interface is:

    SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert,
                                  SECCertificateUsage usages,
                                  CERTValInParam *paramsIn,
                                  CERTValOutParam *paramsOut, void *wincx);

According to the informational RFC 4158, robust certificate chain construction should be not only efficient but also suitable for the most complex scenarios, such as a mesh structure formed by cross-signed certificates.
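Added example (this is neither NSS code nor the reporter's test client): a small Python model of the path-building decision at issue, with certificates reduced to (subject, issuer) name pairs and no signature checking. The "observed" policy is an assumption modelled from the behaviour the report describes, not read from NSS source; the inputs are constructed to mirror the report's case.

```python
# Added example, not NSS code: a minimal model of certificate path building that
# contrasts two trust-anchor policies on the inputs from this report. Certificates
# are modelled as (subject, issuer) name pairs only; no signatures are checked.
from typing import List, NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def build_chain(leaf: Cert, intermediates: List[Cert], trust_store: List[Cert],
                trusted_leaf_ends_chain: bool) -> Optional[List[Cert]]:
    """Walk from the leaf towards the trust store, one issuer at a time.

    Returns the chain on success, or None (the modelled counterpart of the
    report's error -8179, issuer not recognized). trusted_leaf_ends_chain=False
    models the behaviour the report describes: a trust-store entry ends the
    chain when it is self-signed or was reached as an issuer, but a
    non-self-signed *leaf* in the trust store still needs an issuer.
    True models the expected result. No backtracking, so cross-signed meshes
    are out of scope for this model.
    """
    chain = [leaf]
    while True:
        current = chain[-1]
        if current in trust_store and (
            current.self_signed or len(chain) > 1 or trusted_leaf_ends_chain
        ):
            return chain
        if current.self_signed:
            return None  # untrusted root: nothing further to walk
        candidates = [c for c in intermediates + trust_store
                      if c.subject == current.issuer and c not in chain]
        if not candidates:
            return None  # issuer not available anywhere (the report's case)
        chain.append(candidates[0])

# Constructed inputs mirroring the report: leaf CN=1 issued by CN=2, no
# intermediates, and the leaf itself as the only trust-store entry.
LEAF = Cert("CN=1", "CN=2")
TRUST_STORE = [Cert("CN=1", "CN=2")]

def observed() -> Optional[List[Cert]]:
    return build_chain(LEAF, [], TRUST_STORE, trusted_leaf_ends_chain=False)

def expected() -> Optional[List[Cert]]:
    return build_chain(LEAF, [], TRUST_STORE, trusted_leaf_ends_chain=True)
```

Under the observed policy the report's input yields None (rejected); under the expected policy it yields the single-certificate chain, while self-signed trusted leaves and chains ending at a trusted intermediate are accepted by both.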

