Bug 221644 - NSS fails NIST path length constraint tests
Status: VERIFIED FIXED
Product: NSS
Classification: Components
Component: Libraries
: 3.8
: All All
: P2 major
: 3.9.1
Assigned To: Nelson Bolyard (seldom reads bugmail)
: Bishakha Banerjee
Mentors:
: 101566
Depends on: 231025
Blocks:
Reported: 2003-10-08 19:09 PDT by Nelson Bolyard (seldom reads bugmail)
Modified: 2004-07-15 15:24 PDT

Attachments
patch v1 (4.74 KB, patch)
2004-01-15 18:32 PST, Nelson Bolyard (seldom reads bugmail)
no flags
patch v2 (3.66 KB, patch)
2004-01-15 20:13 PST, Nelson Bolyard (seldom reads bugmail)
julien.pierre: review+

Description Nelson Bolyard (seldom reads bugmail) 2003-10-08 19:09:27 PDT
PKITS tests, section 4.3

    NSS fails 4 test cases:  13, 14, 15, 17
    NSS reports "Cert path length constraint is invalid" for all.
    NIST says all 4 tests are valid chains.

This is a crucial aspect of chain validation

Comment 1 Nelson Bolyard (seldom reads bugmail) 2004-01-15 17:23:44 PST
Bishakha,  Please confirm that these are the proper commands for test cases
13 and 14, and please add a comment here with the proper commands for test
cases 15 and 17.  Thanks.

vfychain -d d:/tmp/pkits ValidpathLenConstraintTest13EE.crt \
  pathLenConstraint6subsubsubCA41XCert.crt \
  pathLenConstraint6subsubCA41Cert.crt \
  pathLenConstraint6subCA4Cert.crt \
  pathLenConstraint6CACert.crt \
  TrustAnchorRootCertificate.crt

vfychain -d d:/tmp/pkits ValidpathLenConstraintTest14EE.crt \
  pathLenConstraint6subsubsubCA41XCert.crt \
  pathLenConstraint6subsubCA41Cert.crt \
  pathLenConstraint6subCA4Cert.crt \
  pathLenConstraint6CACert.crt \
  TrustAnchorRootCertificate.crt

Comment 2 Nelson Bolyard (seldom reads bugmail) 2004-01-15 18:32:15 PST
Created attachment 139170
patch v1

With this patch, the test commands given above for test cases 13 and 14 pass.

This patch accomplishes the following:
1. detects and rejects negative path lengths in basic constraints extensions.
2. corrects the path length processing (except that there are still issues
with self-issued intermediate CA certs, which is the subject of another bug).

Comment 3 Nelson Bolyard (seldom reads bugmail) 2004-01-15 18:34:49 PST
Adding potential reviewers to cc list.  
I will wait and ask for review after this patch has been tested against 
test cases 15 and 17.  
This bug is waiting for the instructions for those test cases to be added as
comments.

Comment 4 Nelson Bolyard (seldom reads bugmail) 2004-01-15 18:37:58 PST
*** Bug 101566 has been marked as a duplicate of this bug. ***

Comment 5 Nelson Bolyard (seldom reads bugmail) 2004-01-15 19:54:08 PST
The command for case 15 is apparently

vfychain -d d:/tmp/pkits -u 4 \
  ValidSelfIssuedpathLenConstraintTest15EE.crt \
  pathLenConstraint0SelfIssuedCACert.crt \
  pathLenConstraint0CACert.crt \
  TrustAnchorRootCertificate.crt

The command for case 17 is apparently 

vfychain -v -d d:/tmp/pkits -u 4  \
  ValidSelfIssuedpathLenConstraintTest17EE.crt \
  pathLenConstraint1SelfIssuedsubCACert.crt \
  pathLenConstraint1subCACert.crt \
  pathLenConstraint1SelfIssuedCACert.crt \
  pathLenConstraint1CACert.crt \
  TrustAnchorRootCertificate.crt

These tests involve self-issued subordinate CA certs, and NSS fails them.
However, the failure is not unrecognized issuer or untrusted issuer, 
but rather is invalid path length, so I will research this some more.

Comment 6 Nelson Bolyard (seldom reads bugmail) 2004-01-15 20:13:23 PST
Created attachment 139175
patch v2

With this patch all the above test cases pass, including the ones containing
self-issued intermediate CA certs!

Comment 7 Nelson Bolyard (seldom reads bugmail) 2004-01-15 20:14:24 PST
Comment on attachment 139175
patch v2

Julien, please review. Thanks.

Comment 8 Julien Pierre 2004-01-15 21:26:22 PST
Comment on attachment 139175
patch v2

Nelson,

The patch looks good. Based on our discussion of this problem, there may be
some other serious test failures that we should have seen and that the patch
fixes.

Comment 9 Bishakha Banerjee 2004-01-16 00:20:09 PST
Nelson, I did not use the -u option while doing the tests, used vfychain -d <DB>
cert1.crt cert2.crt cert3.crt..
Results were as notified to you.

Comment 10 Nelson Bolyard (seldom reads bugmail) 2004-01-16 13:10:19 PST
Bishakha,

The vfychain command defaults to SSL Client usage.  But many of the PKITS
test certs are explicitly not approved for that usage, and so they will
experience errors.  Please use -u 4 in all the PKITS tests.  Thanks.
BTW, -u 4 means usage of "email signature" (really digital signature of 
any kind).

Comment 11 Nelson Bolyard (seldom reads bugmail) 2004-01-16 13:33:44 PST
Checked in this part of the fix.  

/cvsroot/mozilla/security/nss/lib/certdb/xbsconst.c,v  <--  xbsconst.c
new revision: 1.4; previous revision: 1.3

Comment 12 Nelson Bolyard (seldom reads bugmail) 2004-01-20 21:33:04 PST
Checked in the rest of the fix.

/cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v  <--  certvfy.c
new revision: 1.38; previous revision: 1.37
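
The path length rule discussed in comments 2, 5 and 6, as an added example that is not NSS code and not taken from the patches attached to this bug: a chain walk that rejects negative pathLenConstraint values and does not count self-issued CA certs against the limit (RFC 5280 section 6.1.4). The Cert struct, the result codes and the sample chains are hypothetical; the pathLen values are assumed from the PKITS file names quoted above.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical model of a cert's basicConstraints; these are not NSS types. */
typedef struct {
    int  is_ca;        /* cA flag */
    int  has_path_len; /* pathLenConstraint present? */
    long path_len;     /* decoded INTEGER, meaningful only if has_path_len */
    int  self_issued;  /* issuer name equals subject name */
} Cert;
enum { PL_OK = 0, PL_NOT_CA, PL_NEGATIVE, PL_EXCEEDED };

/* chain[0] is issued by the trust anchor; chain[n-1] is the target cert.
 * Follows RFC 5280 section 6.1.4 steps (k)-(m). Passing exempt_self_issued=0
 * shows the result when self-issued CA certs are (wrongly) counted. */
int check_path_len(const Cert *chain, size_t n, int exempt_self_issued)
{
    long max_path = (long)n;              /* initial max_path_length */
    for (size_t i = 0; i + 1 < n; i++) {  /* the target cert is not counted */
        const Cert *c = &chain[i];
        if (!c->is_ca)
            return PL_NOT_CA;
        if (c->has_path_len && c->path_len < 0)
            return PL_NEGATIVE;           /* malformed extension: reject */
        if (!(exempt_self_issued && c->self_issued)) {
            if (max_path <= 0)
                return PL_EXCEEDED;
            max_path--;
        }
        if (c->has_path_len && c->path_len < max_path)
            max_path = c->path_len;       /* tighten to the cert's own limit */
    }
    return PL_OK;
}

/* Constructed chains; pathLen values are assumed from the PKITS file names. */
const Cert CASE15[] = {   /* pathLen 0 CA, self-issued CA, EE */
    {1, 1, 0, 0}, {1, 1, 0, 1}, {0, 0, 0, 0} };
const Cert CASE17[] = {   /* pathLen 1 CA, self-issued, subCA, self-issued, EE */
    {1, 1, 1, 0}, {1, 1, 1, 1}, {1, 1, 0, 0}, {1, 1, 0, 1}, {0, 0, 0, 0} };
const Cert TOO_DEEP[] = { /* pathLen 0 CA, ordinary sub-CA, EE */
    {1, 1, 0, 0}, {1, 0, 0, 0}, {0, 0, 0, 0} };
const Cert NEGATIVE[] = { {1, 1, -1, 0}, {0, 0, 0, 0} }; /* pathLen of -1 */

int main(void)
{
    printf("%d %d %d %d\n", check_path_len(CASE15, 3, 1), check_path_len(CASE17, 5, 1),
           check_path_len(TOO_DEEP, 3, 1), check_path_len(NEGATIVE, 2, 1));
    return 0;
}
```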
