255136 - mm.jpmorgan.com's certificate is not authorized for serving web sites

Status: RESOLVED WORKSFORME

(Tech Evangelism Graveyard :: English US, defect)

Description

[timeless]

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

SEC_ERROR_INADEQUATE_CERT_TYPE

	-8101 	Certificate type not approved for application.

	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
	requiredKeyUsage	0x00004000	unsigned int
	requiredCertType	0x00000040	unsigned int

-	cert	0x02bd41c0 {arena=0x02bdbf20 {first={next=0x02bd41b0 {next=0x02bd49f8
base=0x02bd41c0 limit=0x02bd49c7 ...} base=0x02bdbf30 limit=0x02bdbf30 ...}
current=0x02bd49f8 {next=0x00000000 {next=??? base=??? limit=??? ...}
base=0x02bd4a08 limit=0x02bd520f ...} arenasize=0x00000800 ...}
subjectName=0x02bd4a08 "CN=mm.jpmorgan.com,OU=ETS,O=JPMorgan Chase,L=New
York,ST=New York,C=US" issuerName=0x02bd4a50 "OU=www.verisign.com/CPS Incorp.by
Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class
3,OU="VeriSign, Inc.",O=VeriSign Trust Network" ...}	CERTCertificateStr *
+	arena	0x02bdbf20 {first={next=0x02bd41b0 {next=0x02bd49f8 {next=0x00000000
base=0x02bd4a08 limit=0x02bd520f ...} base=0x02bd41c0 limit=0x02bd49c7 ...}
base=0x02bdbf30 limit=0x02bdbf30 ...} current=0x02bd49f8 {next=0x00000000
{next=??? base=??? limit=??? ...} base=0x02bd4a08 limit=0x02bd520f ...}
arenasize=0x00000800 ...}	PLArenaPool *
+	subjectName	0x02bd4a08 "CN=mm.jpmorgan.com,OU=ETS,O=JPMorgan Chase,L=New
York,ST=New York,C=US"	char *
+	issuerName	0x02bd4a50 "OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU="VeriSign,
Inc.",O=VeriSign Trust Network"	char *
+	signatureWrap	{data={type=siBuffer data=0x02bd434c "0‚“ dôÎ;ô‘Óÿâ"
len=0x00000297 } signatureAlgorithm={algorithm={type=siBuffer data=0x02bd45e7 "*†H†÷
" len=0x00000009 } parameters={type=siBuffer data=0x02bd45f0 ""
len=0x00000002 } }
signature={type=siBuffer data=0x02bd45f6
",ÑÊ?1ÝsR€|O‘[TE½
06(‹¾J,„¸#™Rœ8Á´EÅ™©¸ý%F)ËoÓÕz~÷ŽÇ¨ªˆŠÈ’Õ¬C†|^<ç`·<<Ëýf„I퀪ÚÊ]{ÑRŽïNu0Ii¹èùº!ašh¦\h§f2ÈŽó0|ÊÕE#ŸÚÚŒF½F½”F½˜F½"
len=0x00000400 } }	CERTSignedDataStr
+	derCert	{type=siBuffer data=0x02bd4348 "0‚*0‚“ dôÎ;ô‘Óÿâ"
len=0x0000032e }	SECItemStr
+	derIssuer	{type=siBuffer data=0x02bd4376 "0º10U
VeriSign Trust Network10UVeriSign, Inc.1301U*VeriSign
International Server CA - Class 31I0GU@www.verisign.com/CPS Incorp.by Ref.
LIABILITY LTD.(c)97 VeriSign0
040512000000Z
050512235959Z0t10	UUS10UNew York10UNew York10U
JPMorgan Chase10
UETS10Umm.jpmorgan.com0Ÿ0
	*†H†÷
" len=0x000000bd }	SECItemStr
+	derSubject	{type=siBuffer
data=0x02bd4453 "0t10	UUS10UNew York10UNew York10U
JPMorgan Chase10
UETS10Umm.jpmorgan.com0Ÿ0
	*†H†÷
" len=0x00000076 }	SECItemStr
+	derPublicKey	{type=siBuffer data=0x02bd44c9 "0Ÿ0
	*†H†÷
" len=0x000000a2 }	SECItemStr
+	certKey	{type=siBuffer data=0x02bd48c0 "dôÎ;ô‘Óÿâ" len=0x000000cd }	SECItemStr
+	version	{type=siBuffer data=0x02bd4354 "dôÎ;ô‘Óÿâ" len=0x00000001 }
SECItemStr
+	serialNumber	{type=siBuffer data=0x02bd4357 "dôÎ;ô‘Óÿâ" len=0x00000010 }
SECItemStr
+	signature	{algorithm={type=siBuffer data=0x02bd436b "*†H†÷
" len=0x00000009 } parameters={type=siBuffer data=0x02bd4374 ""
len=0x00000002 } }	SECAlgorithmIDStr
+	issuer	{arena=0x00000000 {first={next=??? base=??? limit=??? ...} current=???
arenasize=??? ...} rdns=0x02bd4678 }	CERTNameStr
+	validity	{arena=0x00000000 {first={next=??? base=??? limit=??? ...}
current=??? arenasize=??? ...} notBefore={type=siUTCTime data=0x02bd4437
"040512000000Z
050512235959Z0t10	UUS10UNew York10UNew York10U
JPMorgan Chase10
UETS10Umm.jpmorgan.com0Ÿ0
	*†H†÷
" len=0x0000000d } notAfter={type=siUTCTime
data=0x02bd4446
"050512235959Z0t10	UUS10UNew York10UNew York10U
JPMorgan Chase10
UETS10Umm.jpmorgan.com0Ÿ0
	*†H†÷
" len=0x0000000d } }	CERTValidityStr
+	subject	{arena=0x00000000 {first={next=??? base=??? limit=??? ...} current=???
arenasize=??? ...} rdns=0x02bd4720 }	CERTNameStr
+	subjectPublicKeyInfo	{arena=0x00000000 {first={next=??? base=??? limit=???
...} current=??? arenasize=??? ...} algorithm={algorithm={type=siBuffer
data=0x02bd44d0 "*†H†÷
" len=0x00000009 } parameters={type=siBuffer data=0x02bd44d9 ""
len=0x00000002 } } subjectPublicKey={type=siBuffer data=0x02bd44df "0‰"
len=0x00000460 } }	CERTSubjectPublicKeyInfoStr
+	issuerID	{type=siBuffer data=0x00000000 <Bad Ptr> len=0x00000000 }	SECItemStr
+	subjectID	{type=siBuffer data=0x00000000 <Bad Ptr> len=0x00000000 }	SECItemStr
+	extensions	0x02bd4818	CERTCertExtensionStr * *
+	emailAddr	0x00000000 <Bad Ptr>	char *
+	dbhandle	0x02b8aa88 {refCount=0x00000001 arena=0x02b97f48
{pool={first={next=0x02b8aa70 base=0x02b97f58 limit=0x02b97f58 ...}
current=0x02b8aa70 {next=0x00000000 base=0x02b8aa80 limit=0x02b8b287 ...}
arenasize=0x00000800 ...} lock=0x02b97fb0 marking_thread=0x00000000 ...}
defaultCallback=0x00000000 {getInitPW=??? getNewPW=??? getPW=??? ...} ...}
NSSTrustDomainStr *
+	subjectKeyID	{type=siBuffer data=0x02bd4990
"q=]¥’¬ÏyhšÉJy6hÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚÚýýýýÝÝÝÝÝ		
" len=0x00000014 }	SECItemStr
	keyIDGenerated	0x00000000	int
	keyUsage	0x000080a0	unsigned int
	rawKeyUsage	0x000080a0	unsigned int
	keyUsagePresent	0x00000001	int
	nsCertType	0x00000000	unsigned int
	keepSession	0x00000000	int
	timeOK	0x00000000	int
+	domainOK	0x00000000 {next=??? name=0x00000004 <Bad Ptr> }	CERTOKDomainNameStr *
	isperm	0x00000000	int
	istemp	0x00000001	int
+	nickname	0x00000000 <Bad Ptr>	char *
+	dbnickname	0x00000000 <Bad Ptr>	char *
+	nssCertificate	0x02bdc5d8 {object={arena=0x02bdbd58 {pool={first={...}
current=0x02bdc598 arenasize=0x00000800 ...} lock=0x02bdbdc0
marking_thread=0x00000000 ...} refCount=0x00000001 lock=0x02bdbe70 ...}
type=NSSCertificateType_Unknown id={data=0x00000000 size=0x00000000 } ...}
NSSCertificateStr *
+	trust	0x00000000 {sslFlags=??? emailFlags=??? objectSigningFlags=??? }
CERTCertTrustStr *
	referenceCount	0x00000001	int
+	subjectList	0x00000000 {arena=??? ncerts=??? emailAddr=??? ...}
CERTSubjectListStr *
+	authKeyID	0x00000000 {keyID={type=??? data=??? len=??? } authCertIssuer=???
authCertSerialNumber={type=??? data=??? len=??? } ...}	CERTAuthKeyIDStr *
	isRoot	0x00000000	int
	authsocketlist	0x00000000	SECSocketNode *
	series	0x00000000	int
+	slot	0x00000000 {functionList=??? module=??? needTest=??? ...}	PK11SlotInfoStr *
	pkcs11ID	0x00000000	unsigned long
	ownSlot	0x00000000	int


>	nss3.dll!CERT_KeyUsageAndTypeForCertUsage(SECCertUsageEnum
usage=certUsageSSLServer, int ca=0x00000000, unsigned int *
retKeyUsage=0x0140fb14, unsigned int * retCertType=0x0140fb2c)  Line 1163	C
 	nss3.dll!CERT_VerifyCert(NSSTrustDomainStr * handle=0x02b8aa88,
CERTCertificateStr * cert=0x02bd41c0, int checkSig=0x00000001, SECCertUsageEnum
certUsage=certUsageSSLServer, __int64 t=0x0003e15989b4a7b3, void *
wincx=0x02d0b868, CERTVerifyLogStr * log=0x00000000)  Line 1513 + 0x13	C
 	nss3.dll!CERT_VerifyCertNow(NSSTrustDomainStr * handle=0x02b8aa88,
CERTCertificateStr * cert=0x02bd41c0, int checkSig=0x00000001, SECCertUsageEnum
certUsage=certUsageSSLServer, void * wincx=0x02d0b868)  Line 1671 + 0x23	C
 	ssl3.dll!SSL_AuthCertificate(void * arg=0x02b8aa88, PRFileDesc *
fd=0x02ce1b80, int checkSig=0x00000001, int isServer=0x00000000)  Line 251 + 0x22	C
 	pipnss.dll!AuthCertificateCallback(void * client_data=0x00000000, PRFileDesc *
fd=0x02ce1b80, int checksig=0x00000001, int isServer=0x00000000)  Line 301 +
0x15	C++

Comment 1

[Christian :Biesinger (don't email me, ping me on IRC)]

this might be bug 231775

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

This is an evanglism bug.  
(We don't usually have stack dumps in evangelism bugs.)

It's an evangelism bug because a certain CA occasionally issues certs
that have an extension that causes this problem.  AFAIK, most of their
certs do not have this problem, but a few do.  I think this bug wishes
that we "evangelize" them into ensuring that none of their certs have
this problem.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

The cert in question was apparently replaced on or before 2004-05-11.
New cert looks and works jut fine.