Bug 403543 - pkix: need a way to enable/disable AIA cert fetching
Status: RESOLVED FIXED
Whiteboard: PKIX
Product: NSS
Component: Libraries
Version: trunk
Platform: All All
Importance: P2 normal
Target Milestone: 3.12.1
Assigned To: Alexei Volkov
Reported: 2007-11-12 15:03 PST by Alexei Volkov
Modified: 2009-05-21 21:32 PDT

Attachments
Patch v1 (11.66 KB, patch)
2008-04-09 15:23 PDT, Alexei Volkov
nelson: review+
Document when cert_pi_useAIACertFetch was added (1.31 KB, patch)
2009-05-20 17:47 PDT, Wan-Teh Chang
alvolkov.bgs: review+

Description Alexei Volkov 2007-11-12 15:03:35 PST
User may not want to use AIA cert extension to fetch issuer certs from the net and thus rely only on the set of certs in the local database.

New libpkix API (tracking bug 294531) should support transferring this additional argument into libpkix.
Comment 1 Alexei Volkov 2008-04-09 15:23:19 PDT
Created attachment 314708 [details] [diff] [review]
Patch v1

The patch sets AIA cert fetching off by default. It also makes modifications to the library to switch it on at the user's request. The patch also changes the vfychain code to support the new feature.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2008-04-10 15:33:31 PDT
Comment on attachment 314708 [details] [diff] [review]
Patch v1

r=Nelson, with one change shown below.
I'm not sure if this can be checked in now, or if we consider the tree
to be "frozen" at this time.

>+        case cert_pi_useAIACertFetch:
>+            if (param->value.scalar.b) {
>+                error =
>+                    PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                                                                   PKIX_TRUE,
>+                                                                   plContext);
>+            }
>+            break;

This lets the caller enable it, but not disable it.  I suggest instead this:

>+        case cert_pi_useAIACertFetch:
>+            error = PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                             (PRBool)(param->value.scalar.b != 0), plContext);
>+            break;
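Review bot: in the suggested replacement, `error` is assigned from `PKIX_ProcessingParams_SetUseAIAForCertFetching` but neither quoted fragment shows it being tested after the `break`; confirm that the enclosing parameter loop checks `error` before moving to the next `CERTValInParam`, since a silently dropped failure here would leave AIA fetching at its default (off, per comment 1) while the caller believes it requested it. The `(PRBool)(param->value.scalar.b != 0)` normalization is the right way to map the scalar to PKIX_TRUE/PKIX_FALSE and, unlike the original `if`, lets a caller pass 0 to turn fetching off explicitly.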
Comment 3 Nelson Bolyard (seldom reads bugmail) 2008-04-18 12:32:21 PDT
The trunk is now unfrozen for 3.12.1 checkins.
The patch reviewed above can be checked in with the one change I suggested
in comment 2.

I did a test today, to see if AIA cert fetching works in libPKIX.
I ran the vfyserv program twice, testing the cert of a server that is
presently misconfigured (not sending out its intermediate CA certs).
I ran it once with the old cert lib, and once with libPKIX.
The old cert lib reported unknown issuer.
With libPKIX, vfyserv reported the server is correctly configured.
The commands I used were:

vfyserv webmail.unicas.it
NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it

The output was:

+ vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 0. mario.diture@unicas.it :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

+ NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 E=mario.diture@unicas.it,CN=webmail.unicas.it,OU=UNICAS,O=GARR,C=IT
   issuer  DN:
 CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 472 bytes total.
Comment 4 Nelson Bolyard (seldom reads bugmail) 2008-06-11 12:09:26 PDT
Alexei, please check in this reviewed patch on the trunk ASAP,
and remove the term "awaiting checkin" from the status whiteboard.
Comment 5 Alexei Volkov 2008-06-12 14:21:03 PDT
The patch was checked in on 04/21/08. Closing the bug...
Comment 6 Wan-Teh Chang 2009-05-20 17:47:46 PDT
Created attachment 378747 [details] [diff] [review]
Document when cert_pi_useAIACertFetch was added

This info is useful to people who develop NSS-based
apps on Ubuntu 8.04, a long-term support release,
because it's still using NSS 3.12.0.3, which doesn't
have the cert_pi_useAIACertFetch flag.
Comment 7 Wan-Teh Chang 2009-05-21 21:32:16 PDT
Comment on attachment 378747 [details] [diff] [review]
Document when cert_pi_useAIACertFetch was added

I checked in this comment patch on the NSS trunk (NSS 3.12.4).

Checking in certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.51; previous revision: 1.50
done
