Closed
Bug 399326
Opened 17 years ago
Closed 15 years ago
libpkix is unable to validate cert for certUsageStatusResponder
Categories
(NSS :: Libraries, defect, P1)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.10
People
(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)
Details
(Whiteboard: PKIX NSS312B2)
Attachments
(2 files, 1 obsolete file)
6.45 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
3.16 KB,
patch
|
julien.pierre
:
review+
nelson
:
superreview+
|
Details | Diff | Splinter Review |
old nss validation code deals with verifying certUsageStatusResponder as with exceptional case: function returns a success if detected that a cert has some trust. Here is the code: 815 if ( issuerCert->trust ) { ... 821 if (certUsage == certUsageStatusResponder) { 822 /* XXX NSS has done this for years, but it seems incorrect. */ 823 rv = rvFinal; 824 goto done; 825 } 826 IMO, it is incorrect, since it allow cert to be chained to an untrusted cert. Never the less, libpkix trust verification function does not address the problem of validating cert for certUsageStatusResponder, certUsageVerifyCA nor certUsageAnyCA usages at all. The bug is the reason why ocsp designated responder and ocsp designated responder CA tests failed and were commented out from nightly and tinderbox run until a resolution to this bug is found.
Assignee | ||
Updated•17 years ago
|
Whiteboard: PKIX
Comment 1•17 years ago
|
||
P1, Beta1, if this means that OCSP checks won't work with libpKIX. If OCSP generally works with libPKIX, then this is P2 or less, and not a NSS 3.12 Beta1 blocker
Priority: -- → P1
Whiteboard: PKIX → PKIX NSS312B1
Updated•17 years ago
|
Whiteboard: PKIX NSS312B1 → PKIX NSS312B2
Updated•17 years ago
|
Version: 3.12 → trunk
Assignee | ||
Comment 2•17 years ago
|
||
Check if a cert is a valid/trusted CA of any type when checking cert for AnyCA and StatusResponder usages.
Attachment #290772 -
Flags: review?(nelson)
Comment 3•17 years ago
|
||
Comment on attachment 290772 [details] [diff] [review] Patch v1 I htink there are two problems. >Index: lib/certhigh/certvfy.c >+ } else { >+ /* Check if we have any valid trust when cheching for certUsageAnyCA or >+ * certUsageStatusResponder. */ >+ for (trustType = trustSSL; trustType < trustTypeNone; >+ trustType++) { >+ flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType); >+ if ((flags & requiredFlags) == requiredFlags) { >+ rv = rvFinal; >+ goto done; >+ } >+ } >+ validCAOverride = PR_TRUE; I believe this code should not set validCAOverride unless (flags & CERTDB_VALID_CA) is true. I suggest this change: >+ flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType); >+ if ((flags & requiredFlags) == requiredFlags) { >+ rv = rvFinal; >+ goto done; >+ } >+ if (flags & CERTDB_VALID_CA) >+ validCAOverride = PR_TRUE; >+ } >Index: lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c > rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType); > if (rv == SECSuccess) { > rv = CERT_GetCertTrust(cert->nssCert, &trust); > } > >+ if (rv == SECSuccess && >+ certUsage != certUsageAnyCA && >+ certUsage != certUsageStatusResponder) { >+ unsigned int certFlags; >+ CERTCertificate *nssCert = cert->nssCert; >+ >+ if (certUsage == certUsageVerifyCA) { >+ if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) { >+ trustType = trustEmail; >+ } else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) { >+ trustType = trustSSL; >+ } else { >+ trustType = trustObjectSigning; >+ } >+ } >+ >+ certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType); >+ if ((certFlags & requiredFlags) == requiredFlags) { >+ trusted = PKIX_TRUE; >+ } >+ } else { If rv != SECSuccess, this else case will be executed. I think that's wrong. I think you want the if (rv == SECSuccess) to be a separate test which, if true, executes a block of code that includes the if (certUsage != certUsageAnyCA ... and this else case. >+ for (trustType = trustSSL; trustType < trustTypeNone; >+ trustType++) { >+ unsigned int certFlags = >+ SEC_GET_TRUST_FLAGS((&trust), trustType); > if ((certFlags & requiredFlags) == requiredFlags) { >+ trusted = PKIX_TRUE; >+ break; > } >+ } > } > > *pTrusted = trusted; > > PKIX_RETURN(CERTSTORE); > }
Attachment #290772 -
Flags: review?(nelson) → review-
Assignee | ||
Comment 4•17 years ago
|
||
Implementing suggested changes.
Attachment #290772 -
Attachment is obsolete: true
Attachment #291696 -
Flags: review?(nelson)
Assignee | ||
Updated•17 years ago
|
Attachment #291696 -
Attachment mime type: application/octet-stream → text/plain
Assignee | ||
Updated•17 years ago
|
Attachment #291696 -
Attachment is patch: true
Comment 5•17 years ago
|
||
Comment on attachment 291696 [details] [diff] [review] Patch v2 (checked in on trunk) r=nelson Thanks
Attachment #291696 -
Flags: review?(nelson) → review+
Assignee | ||
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•16 years ago
|
||
Attachment #351209 -
Flags: review?
Assignee | ||
Updated•16 years ago
|
Attachment #351209 -
Flags: superreview?(nelson)
Attachment #351209 -
Flags: review?(julien.pierre.boogz)
Attachment #351209 -
Flags: review?
Assignee | ||
Comment 8•16 years ago
|
||
Comment on attachment 351209 [details] [diff] [review] Port the bug fix to the branch Identity Mgr customer reported an issuer related to the bug. Need to port the fix. Requesting two reviews for it.
Updated•16 years ago
|
Attachment #351209 -
Flags: review?(julien.pierre.boogz) → review+
Updated•16 years ago
|
Attachment #291696 -
Attachment description: Patch v2. → Patch v2 (checked in on trunk)
Updated•16 years ago
|
Attachment #351209 -
Flags: superreview?(nelson) → superreview+
Comment 9•16 years ago
|
||
Comment on attachment 351209 [details] [diff] [review] Port the bug fix to the branch r=nelson, but let's discuss this before you check it in.
Updated•16 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12 → 3.11.10
Assignee | ||
Comment 10•15 years ago
|
||
Comment on attachment 351209 [details] [diff] [review] Port the bug fix to the branch This patch is not needed. Closing the bug.
Assignee | ||
Updated•15 years ago
|
Status: REOPENED → RESOLVED
Closed: 17 years ago → 15 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•