Bug 232478: NIST PKITS test 4.7.4 and 4.7.5: Key Usage
Status: RESOLVED FIXED (Closed)
Opened 21 years ago; closed 21 years ago
Product/Component: NSS :: Test (defect, P2)
Target Milestone: 3.10
Reporter: bishakhabanerjee; Assigned: bishakhabanerjee
From the new batch of NIST tests: section 4.7 (Key Usage), the following
negative (Invalid) tests fail:
VFY_ACTION="Invalid keyUsage Critical cRLSign False Test4"
certImport -n keyUsageCriticalcRLSignFalseCACert -i \
$certs/keyUsageCriticalcRLSignFalseCACert.crt
crlImport $crls/keyUsageCriticalcRLSignFalseCACRL.crl
pkitsn $certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt \
$certs/keyUsageCriticalcRLSignFalseCACert.crt
VFY_ACTION="Invalid keyUsage Not Critical cRLSign False Test5"
certImport -n keyUsageNotCriticalcRLSignFalseCACert -i \
$certs/keyUsageNotCriticalcRLSignFalseCACert.crt
crlImport $crls/keyUsageNotCriticalcRLSignFalseCACRL.crl
pkitsn $certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt \
$certs/keyUsageNotCriticalcRLSignFalseCACert.crt
The output log states:
./pkits.sh: certutil -d PKITSdb -A -n keyUsageCriticalcRLSignFalseCACert -i
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/keyUsageCriticalcRLSignFalseCACert.crt
./pkits.sh: crlutil -d PKITSdb -I -i
/share/builds/sbstools/nsstools/tmp/PKITS_data/crls/keyUsageCriticalcRLSignFalseCACRL.crl
./pkits.sh: Invalid keyUsage Critical cRLSign False Test4 --------------------------
vfychain -d PKITSdb -u 4
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/keyUsageCriticalcRLSignFalseCACert.crt
Chain is good!
./pkits.sh ERROR: Invalid keyUsage Critical cRLSign False Test4 failed 0
ERROR: Invalid keyUsage Critical cRLSign False Test4 failed 0
./pkits.sh: certutil -d PKITSdb -A -n keyUsageNotCriticalcRLSignFalseCACert -i
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/keyUsageNotCriticalcRLSignFalseCACert.crt
./pkits.sh: crlutil -d PKITSdb -I -i
/share/builds/sbstools/nsstools/tmp/PKITS_data/crls/keyUsageNotCriticalcRLSignFalseCACRL.crl
./pkits.sh: Invalid keyUsage Not Critical cRLSign False Test5 --------------------------
vfychain -d PKITSdb -u 4
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
/share/builds/sbstools/nsstools/tmp/PKITS_data/certs/keyUsageNotCriticalcRLSignFalseCACert.crt
Chain is good!
./pkits.sh ERROR: Invalid keyUsage Not Critical cRLSign False Test5 failed 0
ERROR: Invalid keyUsage Not Critical cRLSign False Test5 failed 0
Comment 1•21 years ago
Bishakha,
The first certutil command shown in the above output log excerpt fails.
certutil outputs the message
certutil -A: trust is required for this command (-t).
But that message does not show up in your output log, and the failure of
certutil is apparently ignored by the script.
I gather that you have a new script function named cert_Import.
Please change it so that it takes a single argument that serves as the
nickname, and from which the file name can be derived. e.g.
Instead of
certImport -n keyUsageCriticalcRLSignFalseCACert -i \
$certs/keyUsageCriticalcRLSignFalseCACert.crt
You would have simply
certImport keyUsageCriticalcRLSignFalseCACert
Also, please change that function so that the output of the certutil
command appears in the output log, and so that any failure of the
certutil command is noted in the log.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Comment 2•21 years ago
I observe that the script runs certutil to import certs with the following
code:
certImport()
{
echo "$SCRIPTNAME: certutil -d PKITSdb -A $*"
certutil -d $PKITSdb -A -t ",," $* > ${PKITSDIR}/cmdout.txt 2>&1
}
There are several problems there.
1) the command echoed does not match the command that is run.
2) the output is written to a file where it is never examined, and from
which it is never copied back into the main log output.
3) the return value of the certutil command is ignored.
I'm going to reopen this, and reassign it to Bishakha to fix those issues.
Then, if this problem remains unresolved, I can look at it again.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Updated•21 years ago
Assignee: MisterSSL → bishakhabanerjee
Status: REOPENED → NEW
Comment 3•21 years ago
Bishakha, please attach the script that produces the output cited above
to this bug with all due haste.
Comment 4•21 years ago
Bishakha,
I have modified pkits.sh to not ignore and discard the output of
certutil and crlutil. Then I added the snippets of test script
shown above to my own pkits.sh (since the script from which they
come is not available to me), and reran the test.
crlutil output the following error message that was being IGNORED by pkits.sh
when you reported this bug:
crlutil: unable to import CRL: Certificate usages field is invalid.
This is the heart of the matter, and pkits.sh was IGNORING IT!!
In truth, the outcome you see there is the DESIRED OUTCOME.
It is correct. It passes the test.
The test is a negative test, to see if the code rejects the CRL because
the CA cert lacks the key usage to sign CRLs.
The error message shown above demonstrates that the code DID detect the
problem with the usage, and rejected the CRL because of it.
So, this is a case where a negative result from crlutil is precisely the
desired outcome. This is why I suggested that you need two script
functions, crlImport and crlImportn (n for negative), just as you now
have pkits and pkitsn. This is a case where crlImportn is the function
that is needed.
This is a script error, not a library error. When the script is right,
the result will be correct.
Component: Libraries → Test
Priority: -- → P2
Target Milestone: --- → 3.9.1
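The logging and exit-status handling that Comment 2 and Comment 4 ask for, as an added example that is not part of this bug or of NSS's pkits.sh: a run_expect wrapper that writes the exact command line to the main log, appends the tool's stdout and stderr to that same log instead of a side file, and checks the exit status against a positive ("pass") or negative ("fail") expectation, with certImport, crlImport and crlImportn built on it (one nickname argument from which the file name is derived, as Comment 1 suggests). The variable names, log path, wrapper names and the demo's stand-in commands are this example's own assumptions; the demo runs sh -c stand-ins in place of certutil, crlutil and vfychain so it works without an NSS database or the PKITS data.

```shell
#!/bin/sh
# Added example, not NSS's pkits.sh. It addresses the three problems listed in
# Comment 2 (echoed command differs from the command run, output written to a
# file nobody reads, exit status ignored) and provides the positive/negative
# pair crlImport / crlImportn that Comment 4 asks for. LOGFILE, run_expect,
# PKITSdb, certs and crls are assumptions of this example.

SCRIPTNAME=${SCRIPTNAME:-pkits.sh}
LOGFILE=${LOGFILE:-./pkits-example.log}
PKITSdb=${PKITSdb:-PKITSdb}
certs=${certs:-PKITS_data/certs}
crls=${crls:-PKITS_data/crls}
FAILED=0
: > "$LOGFILE"

# run_expect pass|fail NAME CMD...
#   Logs the exact command line, appends the command's stdout and stderr to the
#   same log, then compares the exit status with what the test expects.
#   Returns 0 when the outcome matches; otherwise logs an ERROR line, counts the
#   failure in FAILED and returns 1, so the caller can keep going like pkits.sh.
run_expect() {
    expect=$1; name=$2; shift 2
    printf '%s: %s\n' "$SCRIPTNAME" "$*" >> "$LOGFILE"
    # Capture output and status together; nothing is discarded to /dev/null.
    out=$("$@" 2>&1) && rc=0 || rc=$?
    [ -n "$out" ] && printf '%s\n' "$out" >> "$LOGFILE"
    ok=1
    case $expect in
        pass) [ "$rc" -eq 0 ] || ok=0 ;;
        fail) [ "$rc" -ne 0 ] || ok=0 ;;
        *)    printf '%s: bad expectation "%s"\n' "$SCRIPTNAME" "$expect" >&2; return 2 ;;
    esac
    if [ "$ok" -eq 1 ]; then
        printf '%s: %s passed (exit %s, expected %s)\n' \
            "$SCRIPTNAME" "$name" "$rc" "$expect" >> "$LOGFILE"
        return 0
    fi
    FAILED=$((FAILED + 1))
    printf '%s ERROR: %s failed (exit %s, expected %s)\n' \
        "$SCRIPTNAME" "$name" "$rc" "$expect" | tee -a "$LOGFILE" >&2
    return 1
}

# One argument, the nickname; the file name is derived from it (Comment 1).
# A cert import must succeed; a CRL import is positive or negative per test.
certImport() { run_expect pass "import cert $1" certutil -d "$PKITSdb" -A -t ",," -n "$1" -i "$certs/$1.crt"; }
crlImport()  { run_expect pass "import CRL $1"  crlutil -d "$PKITSdb" -I -i "$crls/$1.crl"; }
crlImportn() { run_expect fail "reject CRL $1"  crlutil -d "$PKITSdb" -I -i "$crls/$1.crl"; }

# Demo with sh -c stand-ins so it runs without the NSS tools or PKITS data.
# The first message is the crlutil error quoted in Comment 4; the rest is
# constructed output for illustration.
demo() {
    # Negative test: the CA cert lacks cRLSign, so the CRL import must fail.
    run_expect fail "Invalid keyUsage Critical cRLSign False Test4 (CRL)" \
        sh -c 'echo "crlutil: unable to import CRL: Certificate usages field is invalid."; exit 1'
    # Positive import that succeeds silently.
    run_expect pass "import cert keyUsageCriticalcRLSignFalseCACert" sh -c 'exit 0'
    # Mismatch, recorded rather than hidden: a "Chain is good!" result where
    # the test expected rejection shows up as an ERROR line in the log.
    run_expect fail "Invalid keyUsage Critical cRLSign False Test4 (chain)" \
        sh -c 'echo "Chain is good!"; exit 0'
    printf '%s: %s failure(s)\n' "$SCRIPTNAME" "$FAILED" >> "$LOGFILE"
    cat "$LOGFILE"
}

# Failures are counted and logged; the demo itself does not abort on them.
demo || :
```

The log now carries, for every tool invocation, the command as actually run, whatever the tool printed, and a pass/ERROR line judged against the expectation the test case declares, so a silently rejected CRL cannot masquerade as a chain-validation failure.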
Comment 5•21 years ago
I am opening another separate bug about test case 4.7.5.
When that bug is fixed, it will still appear in the test results to have
failed, because of this bug, bug 232478. They are separate bugs.
Comment 6•21 years ago
a crlImportn function has been created to fix the problems described here.
Marking this bug FIXED.
Status: NEW → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
Updated•21 years ago
Target Milestone: 3.9.1 → 3.10