The default bug view has changed. See this FAQ.

pkix: need a way to enable/disable AIA cert fetching

RESOLVED FIXED in 3.12.1

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
10 years ago
8 years ago

People

(Reporter: Alexei Volkov, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

Attachments

(2 attachments)

(Assignee)

Description

10 years ago
User may not want to use AIA cert extension to fetch issuer certs from the net and thus rely only on the set of certs in the local database.

New libpkix API (tracking bug 294531) should support transferring this additional argument into libpkix.
Whiteboard: PKIX
Version: 3.12 → trunk
(Assignee)

Updated

9 years ago
Priority: -- → P2
(Assignee)

Comment 1

9 years ago
Created attachment 314708 [details] [diff] [review]
Patch v1

The patch sets AIA cert fetching off by default. Also it makes modification to the library to switch it on by user request. The patch also changes vfychain code to support new feature.
Attachment #314708 - Flags: review?(nelson)
Comment on attachment 314708 [details] [diff] [review]
Patch v1

r=Nelson, with one change shown below.
I'm not sure if this can be checked in now, or if we consider the tree 
to be "frozen" at this time.  

>+        case cert_pi_useAIACertFetch:
>+            if (param->value.scalar.b) {
>+                error =
>+                    PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                                                                   PKIX_TRUE,
>+                                                                   plContext);
>+            }
>+            break;

This lets the caller enable it, but not disable it.  I suggest instead this:

>+        case cert_pi_useAIACertFetch:
>+            error = PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                             (PRBool)(param->value.scalar.b != 0), plContext);
>+            break;
Attachment #314708 - Flags: review?(nelson) → review+
Summary: pkix: need to have a way to flip on/off switch for AIA cert fetching. → pkix: need a way to enable/disable AIA cert fetching
The trunk is now unfrozen for 3.12.1 checkins.  
The patch reviewed above can be checked in with the one change I suggested
in comment 2.

I did a test today, to see if AIA cert fetching works in libPKIX.
I ran the vfyserv program twice, testing the cert of a server that is 
presently misconfigured (not sending out its intermediate CA certs).
I ran it once with the old cert lib, and once with libPKIX.  
The old cert lib reported unknown issuer.
With libPKIX, vfyserv reported the server is correctly configured.
The commands I used were:

vfyserv webmail.unicas.it
NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it

The output was:

+ vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 0. mario.diture@unicas.it :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

+ NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 E=mario.diture@unicas.it,CN=webmail.unicas.it,OU=UNICAS,O=GARR,C=IT
   issuer  DN:
 CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 472 bytes total.
Whiteboard: PKIX → PKIX awaiting checkin by NSS team member
Target Milestone: 3.12 → 3.12.1
Alexei, please check in this reviewed patch on the trunk ASAP,
and remove the term "awaiting checkin" from the status whiteboard.
(Assignee)

Comment 5

9 years ago
The patch was checked in on 04/21/08. Closing the bug...
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Whiteboard: PKIX awaiting checkin by NSS team member → PKIX

Comment 6

8 years ago
Created attachment 378747 [details] [diff] [review]
Document when cert_pi_useAIACertFetch was added

This info is useful to people who develop NSS-based
apps on Ubuntu 8.04, a long-term support release,
because it's still using NSS 3.12.0.3, which doesn't
have the cert_pi_useAIACertFetch flag.
Attachment #378747 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Updated

8 years ago
Attachment #378747 - Flags: review?(alexei.volkov.bugs) → review+

Comment 7

8 years ago
Comment on attachment 378747 [details] [diff] [review]
Document when cert_pi_useAIACertFetch was added

I checked in this comment patch on the NSS trunk (NSS 3.12.4).

Checking in certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.51; previous revision: 1.50
done
You need to log in before you can comment on or make changes to this bug.