Closed
Bug 399152
Opened 17 years ago
Closed 8 years ago
cross certificate issue where one CA has expired
Categories
(Core :: Security: PSM, defect, P2)
Core
Security: PSM
Tracking
()
RESOLVED
INVALID
People
(Reporter: Lindemann, Unassigned)
Details
(Whiteboard: PKIX)
Attachments
(6 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7 Build Identifier: 2.0.0.6 Using the following certificate chain leads to "certificate invalid" after expiration of Root I. Root I (not valid after 2011) --> L1CA (not valid after 2025) --> EE (not valid after 2015) Root II (not valid after 2025) --> Cross2 (not valid after 2025) --> L1CA The EE certificate can be verified using EE --> L1CA --> Root I and EE --> L1CA --> Cross2 --> Root II Reproducible: Always Steps to Reproduce: 1. Import Root I 2. Import L1CA 3. verify EE certificate (at time < 2011) --> success with chain EE --> L1CA --> Root I 4. Import Root II 5. verify EE certificate (at time < 2011) --> success with chain EE --> L1CA --> Root I 6. Import cross2 7. verify EE certificate (at time < 2011) --> success with chain EE --> L1CA --> Root I 8. set time to 2012 9. verify EE certificate (at time > 2011) --> expected success EE --> L1CA --> Cross2 --> Root II but get failure Actual Results: at Step 9: Thunderbird shows a valid signed (incoming) email, but when showing the details it says: "Dieses Zertifikat konnte aus unbekannten Gründen nicht verifiziert werden". (could not verify certificate for unknown reasons) Expected Results: Thunderbird should show a valid signed email and in the details view the valid chain to Root I: EE --> L1CA --> Cross2 --> Root II After expiration of Root I the existing chain to the Root II should be used (EE --> L1CA --> Cross2 --> Root II).
Reporter | ||
Comment 1•17 years ago
|
||
Reporter | ||
Comment 2•17 years ago
|
||
Reporter | ||
Comment 3•17 years ago
|
||
Reporter | ||
Comment 4•17 years ago
|
||
Reporter | ||
Comment 5•17 years ago
|
||
Reporter | ||
Comment 6•17 years ago
|
||
After Removing Root I from the store (which is impossible for builtin roots) the EE certiifcate is correctly being verified (EE --> L1CA --> Cross2 --> Root II).
Updated•17 years ago
|
Whiteboard: PKIX
Comment 7•16 years ago
|
||
This looks like a good test case for our NSS 3.12 release.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → 3.12
Version: unspecified → 3.11
Updated•16 years ago
|
Assignee: nobody → julien.pierre.boogz
Status: ASSIGNED → NEW
Comment 8•16 years ago
|
||
Comment 9•16 years ago
|
||
Rolf, I could not reproduce your failure at step 9 using our NSS command-line tools certutil and vfychain rather than Thunderbird. When you imported root 2, did you trust it or not ? The problems you may run into are related to the cross-certificate, Cross2. It has the same subject as Root1. Currently, in NSS 3.11, NSS will choose the newest cert when constructing paths. Cross2 is newer than Root1, so it will be chosen if present. So, if you import Cross2 untrusted, and don't import Root2, or don't trust Root2, your chains will stop verifying. As long as you import and trust both Root1 and Root2, NSS will verify your chains with either path. The certs you attached still provide a good basis for test cases - just not the exact failure case you provided.
Updated•16 years ago
|
Assignee: julien.pierre.boogz → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Target Milestone: 3.12 → ---
Version: 3.11 → unspecified
Comment 10•16 years ago
|
||
This bug says that when the MUA system clock is set ahead, Tbird says the signature is valid, but the cert is not valid "for unknown reasons". The "unknown reasons" problem is a PSM problem. Kai, if you determine that there is an NSS bug here, let us know.
Reporter | ||
Comment 11•16 years ago
|
||
We could reproduce the issue a few days ago. In our tests we didn't explicitly import the Cross2 certificate. The implicit "import" was done by viewing an appropriately signed email (containing the Cross2 certificate as part of the PKCS#7 object).
Looks like this isn't a valid bug. In any case, Firefox/Thunderbird uses mozilla::pkix now, so if this is a problem with NSS' certificate verification, this should move to that component instead of PSM.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•