NSS fails NIST path length constraint tests

VERIFIED FIXED in 3.9.1

Status

NSS
Libraries
P2
major
VERIFIED FIXED
14 years ago
13 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

PKITS tests, section 4.3

    NSS fails 4 test cases:  13, 14, 15, 17
    NSS reports "Cert path length constraint is invalid" for all.
    NIST says all 4 tests are valid chains.

This is a crucial aspect of chain validation
(Assignee)

Updated

14 years ago
Assignee: wchang0222 → MisterSSL
Priority: -- → P2
Target Milestone: --- → 3.9.1
(Assignee)

Comment 1

14 years ago
Bishakha,  Please confirm that these are the proper commands for test cases
13 and 14, and please add a comment here with the proper commands for test
cases 15 and 17.  Thanks.

vfychain -d d:/tmp/pkits ValidpathLenConstraintTest13EE.crt \
  pathLenConstraint6subsubsubCA41XCert.crt \
  pathLenConstraint6subsubCA41Cert.crt \
  pathLenConstraint6subCA4Cert.crt \
  pathLenConstraint6CACert.crt \
  TrustAnchorRootCertificate.crt

vfychain -d d:/tmp/pkits ValidpathLenConstraintTest14EE.crt \
  pathLenConstraint6subsubsubCA41XCert.crt \
  pathLenConstraint6subsubCA41Cert.crt \
  pathLenConstraint6subCA4Cert.crt \
  pathLenConstraint6CACert.crt \
  TrustAnchorRootCertificate.crt
(Assignee)

Updated

14 years ago
Depends on: 231025
(Assignee)

Comment 2

14 years ago
Created attachment 139170 [details] [diff] [review]
patch v1

With thit patch, the test commands given above for test cases 13 and 14 pass.

This patch accomplshes the following:
1. detects and rejects negative path lengths in basic constraints extensions.
2. corrects the path length processing (except that there are still issues
with self-issued intermediate CA certs, which is the subject of another bug).
(Assignee)

Comment 3

14 years ago
Adding potential reviewers to cc list.  
I will wait and ask for review after this patch has been tested against 
test cases 15 and 17.  
This bug is waiting for the instructions for those test cases to be added as
comments.
(Assignee)

Comment 4

14 years ago
*** Bug 101566 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

14 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 5

14 years ago
The command for case 15 is apparently

vfychain -d d:/tmp/pkits -u 4 \
  ValidSelfIssuedpathLenConstraintTest15EE.crt \
  pathLenConstraint0SelfIssuedCACert.crt \
  pathLenConstraint0CACert.crt \
  TrustAnchorRootCertificate.crt

The command for case 17 is apparently 

vfychain -v -d d:/tmp/pkits -u 4  \
  ValidSelfIssuedpathLenConstraintTest17EE.crt \
  pathLenConstraint1SelfIssuedsubCACert.crt \
  pathLenConstraint1subCACert.crt \
  pathLenConstraint1SelfIssuedCACert.crt \
  pathLenConstraint1CACert.crt \
  TrustAnchorRootCertificate.crt

These tests involve self-issued subordinate CA certs, and NSS fails them.
However, the failure is not unrecognized issuer or untrusted issuer, 
but rather is invalid path length, so I will research this some more.
(Assignee)

Comment 6

14 years ago
Created attachment 139175 [details] [diff] [review]
patch v2

With this patch all the above test cases pass, including the ones containing
self-issued intermediate CA certs!
Attachment #139170 - Attachment is obsolete: true
(Assignee)

Comment 7

14 years ago
Comment on attachment 139175 [details] [diff] [review]
patch v2

Julien, please review. Thanks.
Attachment #139175 - Flags: review?(jpierre)

Comment 8

14 years ago
Comment on attachment 139175 [details] [diff] [review]
patch v2

Nelson,

The patch looks good. Based on our discussion of this problem, there may be
some other serious test failures that we should have seen and that the patch
fixes.
Attachment #139175 - Flags: review?(jpierre) → review+

Comment 9

14 years ago
Nelson, I did not use the -u option while doing the tests, used vfychain -d <DB>
cert1.crt cert2.crt cert3.crt..
Results were as notified to you.
(Assignee)

Comment 10

14 years ago
Bishakha,

The vfychain command defaults to SSL Client usage.  But many of the PKITS
test certs are explicitly not approved for that usage, and so they will
experience errors.  Please use -u 4 in all the PKITS tests.  Thanks.
BTW, -u 4 means usage of "email signature" (really digital signature of 
any kind).
(Assignee)

Comment 11

14 years ago
Checked in this part of the fix.  

/cvsroot/mozilla/security/nss/lib/certdb/xbsconst.c,v  <--  xbsconst.c
new revision: 1.4; previous revision: 1.3
(Assignee)

Comment 12

14 years ago
Checked in the rest of the fix.

/cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v  <--  certvfy.c
new revision: 1.38; previous revision: 1.37
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Updated

13 years ago
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.