Closed Bug 384719 Opened 17 years ago Closed 17 years ago

PSM's OCSP checks fail (NSS's work OK) with Startcom CA

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: KaiE)

References

(
URL
)

Details

Attachments

(5 files, 1 obsolete file)

signed SMIME email message demonstrates behavior
13.50 KB, text/plain
Details
Wrong message
43.48 KB, image/png
Details
Wrong message
26.53 KB, image/png
Details
Patch v1
603 bytes, patch
Details | Diff | Splinter Review
OCSP Class 3 Email Responder Certificate
7.08 KB, text/plain
Details 
This affects trunk builds dated 20070515 through today.
I received a signed email from Eddy Nigg of Startcom (the CA). 
If I view it with OCSP disabled, it appears to have a valid signature.

If I view it with OCSP enabled, but with the (new) preference that says 
"When an OCSP server connection fails, treat the certificate as invalid"
unchecked (the default condition), the signature appears valid.  

But If I view it with OCSP enabled, but with the (new) preference that says 
"When an OCSP server connection fails, treat the certificate as invalid"
checked, or if I view it in the slightly older SM 2.0a1 builds that didn't
have this new option, and always behaved as if it was checked, the signature
appears INVALID.  

Clicking on the broken pen icon brings up a dialog that says:
   Digital Signature Is Not Valid
   This message includes a digital signature, but the signature is invalid.
   The certificate used to sign the message was issued by a certificate 
   authority that you do not trust for issuing this kind of certificate.

That is utterly WRONG.  The problem is OCSP verification failure.

I wasted HOURS and HOURS trying to figure out why this CA was considered
untrusted before I realized that the error text was lying to me.  

So, then I tested the signature cert chain with NSS'c ocspclnt program.
The command I used was:
    ocspclnt -S eddy_nigg@startcom.org -u E
It reported:
   Check of certificate "eddy_nigg@startcom.org" succeeded.

So, this tells me that NSS's built-in OCSP client works OK with startcom's
OCSP server, but apparently PSM's OCSP client does not.  Therefore, I believe
this is a bug in PSM's OCSP client.

While trying to get to the bottom of the untrusted CA issue, I found another
problem that is a consequence of these OCSP failures.  When viewing Eddy's
cert in cert manager, or viewing the intermediate CA cert that issued Eddy's
cert in cert manager, cert manager told me, consistently, this:
  Could not verify this certificate for unknown reasons.

Unknown reasons?  I think not.  
I thought those "unknown reason" messages had been eliminated. 
Apparently not.
Flags: blocking1.9?
Attached image Wrong message 
I found more inconsistent/wrong messages in current Thunderbird. This is an expired certificate, but the message is the same message that Nelson reported for OCSP failure. Obviously the CA is "trusted", only the certificate expired.
Attached image Wrong message 

    
    

    
  
Mr. OCSP, would you be willing to help diagnose this failure?

    
    

    
  
Nelson,

It would seem that the problem is in PSM, given that things work OK with ocspclnt. So Kai is the right person to look at this first. I will help if any NSS issues come up.


    
    

    
  
comment 3 sounds like an entirely different bug.

Comment 1 is close to derailing this bug into "fix PSM error messages" when the real problem at hand is getting OCSP to work right.

bug morph is evil, it'll result in partial fixes

    
    

    
  
Categorizing this bug as "major".  Turning on OCSP by default with PSM has
made all certs issued by this CA stop working.  

Except for the fact that NSS's own OCSP test client program reports 
successful OCSP results, we might think this is merely a problem with 
the OCSP responder.  But since this seems to be a difference between 
the two separate OCSP clients (actually the two separate http front ends
for the one OCSP client), it's looking like a PSM bug.

OTOH, if NSS's ocspclnt test client program is lying to us, and the NSS
test requests are not having success, then ...
Severity: normal → major

    
    

    
  
Just a by-note, but current releases of both FF and TB _work_ with OCSP turned _on_. I understand that this covers both NSS and PSM. Using S/Mime and SSL for signature, encryption, IMAPS and POP3S.

    
    

    
  
Yeah, this problem is on trunk builds.  (Note the bug version: trunk)

    
    

    
  
Nelson,

the problem you report in comment 0 is related to a bad error message.

You say, you assume that we fixed all error messages in PSM.

Unfortunately that is not true.

As of today, we only fixed the error messages "during SSL connections" to be more descriptive.

Because of separate bug 353535, I believe this bug is a request to improve the error message to indicate the real reason for saying "invalid signature" is because "cert is revoked".


    
    

    
  
> Therefore, I believe
> this is a bug in PSM's OCSP client.

PSM does not have an internal OCSP client.
IINM PSM only does OCSP implicitly by calling NSS' cert verification functions.

    
    

    
  
I was able to reproduce the bug.

NSS 3.11.7 fails in CERT_VerifyOCSPResponseSignature and sets SEC_ERROR_OCSP_INVALID_SIGNING_CERT

Being more specific, it fails while calling CERT_VerifyCACertForUsage, in the following code block:

1077        if (!validCAOverride) {
1078            /*
1079             * Make sure that if this is an intermediate CA in the chain that
1080             * it was given permission by its signer to be a CA.
1081             */
1082            /*
1083             * if basicConstraints says it is a ca, then we check the
1084             * nsCertType.  If the nsCertType has any CA bits set, then
(gdb)
1085             * it must have the right one.
1086             */
1087            if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
1088                isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
1089            }


The failure is in line 1088. isca is PR_FALSE

(gdb) print cert->nsCertType
$66 = 16384
(gdb) print caCertType
$67 = 7


The certificate which signed the OCSP response has the subject:
"E=admin@startcom.org,CN=StartCom Class3 Email Revocation Authority,O=StartCom Ltd.,C=IL"


Eddy, could you easily attach a dump of that cert?


    
    

    
  
Sigh. Looks like we unnecessarily wasted a lot of time on this bug...

Mozilla trunk was still using NSS_3_11_7_BETA1.

The same issue got fixed in bug 381317...

I updated my tree to pull NSS_3_11_7_RTM and it works fine now :-/ :-/


    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1Splinter Review
      

    


  
While we haven't landed 3.12 yet, let's land latest 3.11.7 in the meantime, which will fix this bug...

    
    

    
  

      
      
      
      

        Attached file
          
        S/MIME cert (obsolete)
        — 
      

    


  
As requested.

    
    

    
  


  
The OCSP responder cert which was requested originally. Attaching for completeness of this bug.

        Attachment #269214 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 269213 [details] [diff] [review]
Patch v1

I approve of this patch, whole heartedly!

    
    

    
  
Patch checked into trunk, marking fixed.

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: