399152 - cross certificate issue where one CA has expired

Status: RESOLVED INVALID

(Core :: Security: PSM, defect, P2)

Description

[Rolf Lindemann]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Build Identifier: 2.0.0.6

Using the following certificate chain leads to "certificate invalid" after expiration of Root I.


Root I (not valid after 2011)  --> L1CA (not valid after 2025) --> EE (not valid after 2015)

Root II (not valid after 2025) --> Cross2 (not valid after 2025) --> L1CA

The EE certificate can be verified using 
EE --> L1CA --> Root I
and
EE --> L1CA --> Cross2 --> Root II



Reproducible: Always

Steps to Reproduce:
1. Import Root I
2. Import L1CA
3. verify EE certificate (at time < 2011)  
--> success with chain  EE --> L1CA --> Root I
4. Import Root II
5. verify EE certificate (at time < 2011)  
--> success with chain  EE --> L1CA --> Root I
6. Import cross2
7. verify EE certificate (at time < 2011)  
--> success with chain  EE --> L1CA --> Root I      
8. set time to 2012
9. verify EE certificate (at time > 2011)  
--> expected success EE --> L1CA --> Cross2 --> Root II
    but get failure
    
Actual Results:  
at Step 9: 
Thunderbird shows a valid signed (incoming) email, but when showing the details it says: "Dieses Zertifikat konnte aus unbekannten Gründen nicht verifiziert werden".
(could not verify certificate for unknown reasons)

Expected Results:  
Thunderbird should show a valid signed email
and in the details view the valid chain to Root I:
     EE --> L1CA --> Cross2 --> Root II

After expiration of Root I the existing chain to the Root II should be used
(EE --> L1CA --> Cross2 --> Root II).

Comment 1

[Rolf Lindemann]

Attachment: Root I

Comment 2

[Rolf Lindemann]

Attachment: Root II

Comment 3

[Rolf Lindemann]

Attachment: L1CA

Comment 4

[Rolf Lindemann]

Attachment: Cross2

Comment 5

[Rolf Lindemann]

Attachment: EE certificate

Comment 6

[Rolf Lindemann]

After Removing Root I from the store (which is impossible for builtin roots) the EE certiifcate is correctly being verified (EE --> L1CA --> Cross2 --> Root II).

Comment 7

[Julien Pierre]

This looks like a good test case for our NSS 3.12 release.

Comment 8

[Julien Pierre]

Attachment: ZIP of binary DER files

Comment 9

[Julien Pierre]

Rolf,

I could not reproduce your failure at step 9 using our NSS command-line tools certutil and vfychain rather than Thunderbird. When you imported root 2, did you trust it or not ?

The problems you may run into are related to the cross-certificate, Cross2. It has the same subject as Root1. Currently, in NSS 3.11, NSS will choose the newest cert when constructing paths. Cross2 is newer than Root1, so it will be chosen if present. So, if you import Cross2 untrusted, and don't import Root2, or don't trust Root2, your chains will stop verifying. As long as you import and trust both Root1 and Root2, NSS will verify your chains with either path.

The certs you attached still provide a good basis for test cases - just not the exact failure case you provided.

Comment 10

[Nelson Bolyard (seldom reads bugmail)]

This bug says that when the MUA system clock is set ahead, Tbird says the 
signature is valid, but the cert is not valid "for unknown reasons".  
The "unknown reasons" problem is a PSM problem.  

Kai, if you determine that there is an NSS bug here, let us know.

Comment 11

[Rolf Lindemann]

We could reproduce the issue a few days ago. In our tests we didn't explicitly import the Cross2 certificate. The implicit "import" was done by viewing an appropriately signed email (containing the Cross2 certificate as part of the PKCS#7 object).

Comment 12

[Kai Engert (:KaiE:)]

reassign bug owner.
mass-update-kaie-20120918

Comment 13

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Looks like this isn't a valid bug. In any case, Firefox/Thunderbird uses mozilla::pkix now, so if this is a problem with NSS' certificate verification, this should move to that component instead of PSM.