Closed Bug 403543 Opened 16 years ago Closed 15 years ago

pkix: need a way to enable/disable AIA cert fetching

Categories: NSS :: Libraries, defect, P2

Tracking: Not tracked

Status: RESOLVED FIXED
Target Milestone: 3.12.1

People: Reporter: alvolkov.bgs, Assigned: alvolkov.bgs

Whiteboard: PKIX

Attachments: 2 files

A user may not want to use the AIA cert extension to fetch issuer certs from the net, and thus rely only on the set of certs in the local database.

The new libpkix API (tracking bug 294531) should support passing this additional argument into libpkix.
Whiteboard: PKIX
Version: 3.12 → trunk
Priority: -- → P2
Attached patch: Patch v1
The patch sets AIA cert fetching off by default. It also modifies the library so that fetching can be switched on at the user's request. The patch also changes the vfychain code to support the new feature.
Attachment #314708 - Flags: review?(nelson)
Comment on attachment 314708
Patch v1

r=Nelson, with one change shown below.
I'm not sure if this can be checked in now, or if we consider the tree 
to be "frozen" at this time.  

>+        case cert_pi_useAIACertFetch:
>+            if (param->value.scalar.b) {
>+                error =
>+                    PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                                                                   PKIX_TRUE,
>+                                                                   plContext);
>+            }
>+            break;
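Review bot: the `if (param->value.scalar.b)` guard in this case makes a zero value a silent no-op, so a caller can switch AIA fetching on but never back off through the same parameter list, and `error` is only ever assigned on the true branch. Call the setter unconditionally and derive the PKIX_TRUE/PKIX_FALSE argument from `param->value.scalar.b` so that both directions are honoured.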

This lets the caller enable it, but not disable it.  I suggest instead this:

>+        case cert_pi_useAIACertFetch:
>+            error = PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
>+                             (PRBool)(param->value.scalar.b != 0), plContext);
>+            break;
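Review bot: the `(PRBool)(param->value.scalar.b != 0)` expression is doing two things at once, unconditionally applying the caller's choice and canonicalizing any nonzero scalar to exactly PKIX_TRUE before it reaches the setter; a one-line comment above the call saying so would keep a later cleanup from "simplifying" it back to passing `param->value.scalar.b` directly.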
Attachment #314708 - Flags: review?(nelson) → review+
Summary: pkix: need to have a way to flip on/off switch for AIA cert fetching. → pkix: need a way to enable/disable AIA cert fetching
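The difference between the two `case cert_pi_useAIACertFetch:` bodies quoted in the review above, shown as an added, self-contained C example that is not code from this bug or from NSS. The types and the setter are stand-ins constructed for this example (they mirror the names used in the review but are not NSS's own declarations); the two apply functions reproduce the patch v1 logic and the reviewed logic verbatim, and the helpers report the resulting state of the AIA switch.

```c
#include <stdio.h>

/* Stand-in types mirroring the names used in the review; constructed for this
 * example, not NSS's own declarations. */
typedef int PRBool;
#define PR_FALSE 0
#define PR_TRUE  1
typedef PRBool PKIX_Boolean;
#define PKIX_FALSE PR_FALSE
#define PKIX_TRUE  PR_TRUE

typedef enum {
    cert_pi_end = 0,             /* terminates a parameter list */
    cert_pi_useAIACertFetch = 1  /* value.scalar.b: nonzero = fetch issuers via AIA */
} CERTValParamInType;

typedef struct {
    CERTValParamInType type;
    union {
        struct { PRBool b; } scalar;
    } value;
} CERTValInParam;

/* Minimal processing-params object holding only the AIA switch (stand-in). */
typedef struct {
    PKIX_Boolean useAIAForCertFetching;
} PKIX_ProcessingParams;

static void
PKIX_ProcessingParams_SetUseAIAForCertFetching(PKIX_ProcessingParams *procParams,
                                               PKIX_Boolean useAIA, void *plContext)
{
    (void)plContext;
    procParams->useAIAForCertFetching = useAIA;
}

/* Patch v1 logic: the setter is reached only when the flag is nonzero. */
static void
applyParams_v1(PKIX_ProcessingParams *procParams, const CERTValInParam *params)
{
    for (const CERTValInParam *param = params; param->type != cert_pi_end; param++) {
        switch (param->type) {
        case cert_pi_useAIACertFetch:
            if (param->value.scalar.b) {
                PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
                                                               PKIX_TRUE, NULL);
            }
            break;
        default:
            break;
        }
    }
}

/* Reviewed logic: the setter is always called with the normalized value. */
static void
applyParams_reviewed(PKIX_ProcessingParams *procParams, const CERTValInParam *params)
{
    for (const CERTValInParam *param = params; param->type != cert_pi_end; param++) {
        switch (param->type) {
        case cert_pi_useAIACertFetch:
            PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
                    (PRBool)(param->value.scalar.b != 0), NULL);
            break;
        default:
            break;
        }
    }
}

/* Start with AIA fetching enabled (as if set by an earlier call), then ask for
 * it to be turned off with b = 0.  Returns the final value of the switch. */
PKIX_Boolean
state_after_disable(int use_reviewed_version)
{
    PKIX_ProcessingParams procParams = { PKIX_TRUE };
    const CERTValInParam params[] = {
        { cert_pi_useAIACertFetch, { { PR_FALSE } } },
        { cert_pi_end,             { { 0 } } },
    };
    if (use_reviewed_version)
        applyParams_reviewed(&procParams, params);
    else
        applyParams_v1(&procParams, params);
    return procParams.useAIAForCertFetching;
}

/* The reviewed form also canonicalizes any nonzero scalar to exactly PKIX_TRUE. */
PKIX_Boolean
state_after_enable_with(int raw_value)
{
    PKIX_ProcessingParams procParams = { PKIX_FALSE };
    const CERTValInParam params[] = {
        { cert_pi_useAIACertFetch, { { raw_value } } },
        { cert_pi_end,             { { 0 } } },
    };
    applyParams_reviewed(&procParams, params);
    return procParams.useAIAForCertFetching;
}

int main(void)
{
    printf("patch v1, disable requested: AIA fetching = %d\n", state_after_disable(0));
    printf("reviewed, disable requested: AIA fetching = %d\n", state_after_disable(1));
    printf("reviewed, enable with 42:    AIA fetching = %d\n", state_after_enable_with(42));
    return 0;
}
```

With the patch v1 logic the switch stays on after a caller asks to turn it off; with the reviewed logic it is turned off, and any nonzero request value is stored as exactly PKIX_TRUE.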
The trunk is now unfrozen for 3.12.1 checkins.  
The patch reviewed above can be checked in with the one change I suggested
in comment 2.

I did a test today, to see if AIA cert fetching works in libPKIX.
I ran the vfyserv program twice, testing the cert of a server that is 
presently misconfigured (not sending out its intermediate CA certs).
I ran it once with the old cert lib, and once with libPKIX.  
The old cert lib reported unknown issuer.
With libPKIX, vfyserv reported the server is correctly configured.
The commands I used were:

vfyserv webmail.unicas.it
NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it

The output was:

+ vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 0. mario.diture@unicas.it :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

+ NSS_ENABLE_PKIX_VERIFY=1 SOCKETTRACE=off vfyserv webmail.unicas.it
Connecting to host webmail.unicas.it (addr 193.205.60.133) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 E=mario.diture@unicas.it,CN=webmail.unicas.it,OU=UNICAS,O=GARR,C=IT
   issuer  DN:
 CN=Cybertrust Educational CA,OU=Educational CA,O=Cybertrust,C=BE
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 472 bytes total.
Whiteboard: PKIX → PKIX awaiting checkin by NSS team member
Target Milestone: 3.12 → 3.12.1
Alexei, please check in this reviewed patch on the trunk ASAP,
and remove the term "awaiting checkin" from the status whiteboard.
The patch was checked in on 04/21/08. Closing the bug...
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: PKIX awaiting checkin by NSS team member → PKIX
This info is useful to people who develop NSS-based
apps on Ubuntu 8.04, a long-term support release,
because it's still using NSS 3.12.0.3, which doesn't
have the cert_pi_useAIACertFetch flag.
Attachment #378747 - Flags: review?(alexei.volkov.bugs)
Attachment #378747 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 378747
Document when cert_pi_useAIACertFetch was added

I checked in this comment patch on the NSS trunk (NSS 3.12.4).

Checking in certt.h;
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v  <--  certt.h
new revision: 1.51; previous revision: 1.50
done